VARIoT IoT vulnerabilities database


VAR-201709-0464 CVE-2017-14315 Multiple Bluetooth implementation vulnerabilities affect many devices CVSS V2: 7.9
CVSS V3: 7.5
Severity: HIGH
In Apple iOS 7 through 9, due to a BlueBorne flaw in the implementation of LEAP (Low Energy Audio Protocol), a large audio command can be sent to a targeted device and lead to a heap overflow with attacker-controlled data. Because the audio commands sent via LEAP are not properly validated, an attacker can use this overflow to gain full control of the device through the relatively high privileges of the Bluetooth stack in iOS. The attack bypasses Bluetooth access control; however, the default "Bluetooth On" value must be present in Settings. A collection of Bluetooth implementation vulnerabilities known as "BlueBorne" has been released. These vulnerabilities collectively affect Windows, iOS, and Linux-kernel-based operating systems including Android and Tizen, and may in the worst case allow an unauthenticated attacker to execute commands on the device. Apple iOS and tvOS are prone to a heap-based buffer-overflow vulnerability. An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions. The following products and versions are vulnerable: Apple iOS 7 through 9.3.5 and Apple tvOS. The vulnerability stems from the fact that the program does not correctly verify audio commands. An attacker could exploit this vulnerability to take control of the device.

APPLE-SA-2019-5-13-5 Safari 12.1.1

Safari 12.1.1 is now available and addresses the following:

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and included in macOS Mojave 10.14.5
Impact: Processing maliciously crafted web content may result in the disclosure of process memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2019-8607: Junho Jang and Hanul Choi of LINE Security Team

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and included in macOS Mojave 10.14.5
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2019-6237: G. Geshev working with Trend Micro Zero Day Initiative, Liu Long of Qihoo 360 Vulcan Team
CVE-2019-8571: 01 working with Trend Micro's Zero Day Initiative
CVE-2019-8583: sakura of Tencent Xuanwu Lab, jessica (@babyjess1ca_) of Tencent Keen Lab, and dwfault working at ADLab of Venustech
CVE-2019-8584: G. Geshev of MWR Labs working with Trend Micro Zero Day Initiative
CVE-2019-8586: an anonymous researcher
CVE-2019-8587: G. Geshev working with Trend Micro Zero Day Initiative
CVE-2019-8594: Suyoung Lee and Sooel Son of KAIST Web Security & Privacy Lab and HyungSeok Han and Sang Kil Cha of KAIST SoftSec Lab
CVE-2019-8595: G. Geshev from MWR Labs working with Trend Micro Zero Day Initiative
CVE-2019-8596: Wen Xu of SSLab at Georgia Tech
CVE-2019-8597: 01 working with Trend Micro Zero Day Initiative
CVE-2019-8601: Fluoroacetate working with Trend Micro's Zero Day Initiative
CVE-2019-8608: G. Geshev working with Trend Micro Zero Day Initiative
CVE-2019-8609: Wen Xu of SSLab, Georgia Tech
CVE-2019-8610: Anonymous working with Trend Micro Zero Day Initiative
CVE-2019-8611: Samuel Groß of Google Project Zero
CVE-2019-8615: G. Geshev from MWR Labs working with Trend Micro's Zero Day Initiative
CVE-2019-8619: Wen Xu of SSLab at Georgia Tech and Hanqing Zhao of Chaitin Security Research Lab
CVE-2019-8622: Samuel Groß of Google Project Zero
CVE-2019-8623: Samuel Groß of Google Project Zero
CVE-2019-8628: Wen Xu of SSLab at Georgia Tech and Hanqing Zhao of Chaitin Security Research Lab

Additional recognition

Safari
We would like to acknowledge Michael Ball of Gradescope by Turnitin for their assistance.

Installation note:
Safari 12.1.1 may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/
VAR-201709-0349 CVE-2017-14244 iBall Baton ADSL2+ Home Router Vulnerabilities related to certificate and password management CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
An authentication bypass vulnerability on iBall Baton ADSL2+ Home Router FW_iB-LR7011A_1.0.2 devices potentially allows attackers to directly access administrative router settings by crafting URLs with a .cgi extension, as demonstrated by /info.cgi and /password.cgi. The iBall Baton ADSL2+ Home Router contains vulnerabilities related to certificate and password management. Information may be obtained or altered, and the device may be put into a denial-of-service (DoS) state. The iBall Baton ADSL2+ Home Router is a router from iBall India. An authentication bypass vulnerability exists in the iBall Baton ADSL2+ Home Router FW_iB-LR7011A_1.0.2 release. An attacker could exploit the vulnerability to log into the admin panel by constructing a URL with a .cgi extension.
VAR-201709-0222 CVE-2017-10856 SEIL Series routers vulnerable to denial-of-service (DoS) CVSS V2: 4.3
CVSS V3: 3.7
Severity: LOW
SEIL/X 4.60 to 5.72, SEIL/B1 4.60 to 5.72, SEIL/x86 3.20 to 5.72, and SEIL/BPV4 5.00 to 5.72 allow remote attackers to cause a temporary failure of the device's encrypted communications via a specially crafted packet. The IPsec/IKE function in SEIL Series routers provided by Internet Initiative Japan Inc. contains a denial-of-service (DoS) vulnerability due to a flaw in processing certain packets. Internet Initiative Japan Inc. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Internet Initiative Japan Inc. The following products and versions are affected: Internet Initiative Japan SEIL/X version 4.60 to 5.72; SEIL/B1 version 4.60 to 5.72; SEIL/x86 version 3.20 to 5.72; SEIL/BPV4 version 5.00 to 5.72.
VAR-201709-0394 CVE-2017-14263 Honeywell NVR Vulnerabilities related to authorization, authority, and access control in devices CVSS V2: 9.3
CVSS V3: 8.1
Severity: HIGH
Honeywell NVR devices allow remote attackers to create a user account in the admin group by leveraging access to a guest account to obtain a session ID, and then sending that session ID in a userManager.addUser request to the /RPC2 URI. The attacker can log in to the device with that new user account to fully control the device. Honeywell NVR devices have vulnerabilities related to authorization, permissions, and access control. Information may be obtained or altered, and the device may be put into a denial-of-service (DoS) state. Honeywell NVR devices are network video recorder devices from Honeywell. There is a security hole in the Honeywell NVR device.
VAR-201709-0397 CVE-2017-14267 EE 4GEE WiFi MBB Device cross-site request forgery vulnerability CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
EE 4GEE WiFi MBB (before EE60_00_05.00_31) devices have CSRF, related to goform/AddNewProfile, goform/setWanDisconnect, goform/setSMSAutoRedirectSetting, goform/setReset, and goform/uploadBackupSettings. The EE 4GEE WiFi MBB device contains a cross-site request forgery vulnerability. Information may be obtained or altered, and the device may be put into a denial-of-service (DoS) state. The EE 4GEE WiFi MBB is a mobile wireless router device from EE UK. A cross-site request forgery vulnerability exists in versions prior to EE 4GEE WiFi MBB EE60_00_05.00_31. A remote attacker could exploit the vulnerability by luring a user to a malicious website to perform unauthorized operations.
VAR-201709-0398 CVE-2017-14268 EE 4GEE WiFi MBB Cross-Site Scripting Vulnerability CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
EE 4GEE WiFi MBB (before EE60_00_05.00_31) devices have XSS in the sms_content parameter in a getSMSlist request. The EE 4GEE WiFi MBB device contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. The EE 4GEE WiFi MBB is a mobile wireless router device from EE UK. A cross-site scripting vulnerability exists in versions prior to EE 4GEE WiFi MBB EE60_00_05.00_31 because the program does not adequately validate or sanitize input. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML.
VAR-201709-0399 CVE-2017-14269 EE 4GEE WiFi MBB Information disclosure vulnerability in devices CVSS V2: 5.0
CVSS V3: 9.8
Severity: CRITICAL
EE 4GEE WiFi MBB (before EE60_00_05.00_31) devices allow remote attackers to obtain sensitive information via a JSONP endpoint, as demonstrated by passwords and SMS content. The EE 4GEE WiFi MBB device contains an information disclosure vulnerability. Information may be obtained or altered, and the device may be put into a denial-of-service (DoS) state. The EE 4GEE WiFi MBB is a mobile wireless router device from EE UK. There are security vulnerabilities in EE 4GEE WiFi MBB versions prior to EE60_00_05.00_31.
VAR-201709-0393 CVE-2017-14262 Samsung NVR Vulnerabilities related to authorization, authority, and access control in devices CVSS V2: 9.3
CVSS V3: 8.1
Severity: HIGH
On Samsung NVR devices, remote attackers can read the MD5 password hash of the 'admin' account via certain szUserName JSON data to cgi-bin/main-cgi, and log in to the device with that hash in the szUserPasswd parameter. Samsung NVR devices have vulnerabilities related to authorization, permissions, and access control. Information may be obtained or altered, and the device may be put into a denial-of-service (DoS) state. Samsung NVR devices are network video recorder devices from South Korea's Samsung. There is a security hole in the Samsung NVR device.
VAR-201709-1237 No CVE Friends in War Make or Break authentication bypass vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Make or Break is a parenting blog. There is an authentication bypass vulnerability in Friends in War Make or Break. It allows attackers to bypass login verification via injection.
VAR-201709-1249 No CVE Friends in War Make or Break SQL injection vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Make or Break is a parenting blog. There is a SQL injection vulnerability in Friends in War Make or Break. Attackers can use this vulnerability to obtain sensitive information such as database contents.
VAR-201709-0348 CVE-2017-14243 UTStar WA3002G4 ADSL Broadband Modem Vulnerabilities related to certificate and password management in devices CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
An authentication bypass vulnerability on UTStar WA3002G4 ADSL Broadband Modem WA3002G4-0021.01 devices allows attackers to directly access administrative settings and obtain cleartext credentials from HTML source, as demonstrated by info.cgi, upload.cgi, backupsettings.cgi, pppoe.cgi, resetrouter.cgi, and password.cgi. The UTStar WA3002G4 ADSL Broadband Modem contains vulnerabilities related to certificate and password management. Information may be obtained or altered, and the device may be put into a denial-of-service (DoS) state. The UTStar WA3002G4 ADSL Broadband Modem is a modem from UTStarcom, USA. There is an authentication bypass vulnerability in the UTStar WA3002G4.

# Exploit Title: UTStar WA3002G4 ADSL Broadband Modem Authentication Bypass Vulnerability
# CVE: CVE-2017-14243
# Date: 15-09-2017
# Exploit Author: Gem George
# Author Contact: https://www.linkedin.com/in/gemgrge
# Vulnerable Product: UTStar WA3002G4 ADSL Broadband Modem
# Firmware version: WA3002G4-0021.01
# Vendor Homepage: http://www.utstar.com/
# Reference: https://www.techipick.com/iball-baton-adsl2-home-router-utstar-wa3002g4-adsl-broadband-modem-authentication-bypass

Vulnerability Details
======================
The CGI version of the admin page of the UTStar modem does not authenticate the user, and hence any protected page in the modem can be directly accessed by replacing the page extension with cgi. This could also allow anyone to perform operations such as resetting the modem, changing passwords, and backing up the configuration without any authentication. The modem also discloses the passwords of each user (Admin, Support and User) in plain text in the page source.

How to reproduce
===================
Suppose 192.168.1.1 is the device IP and one of the admin-protected pages in the modem is http://192.168.1.1/abcd.html; then the page can be directly accessed as http://192.168.1.1/abcd.cgi

Example URLs:
* http://192.168.1.1/info.cgi - Status and details
* http://192.168.1.1/upload.cgi - Firmware Upgrade
* http://192.168.1.1/backupsettings.cgi - Perform backup of settings to PC
* http://192.168.1.1/pppoe.cgi - PPPoE settings
* http://192.168.1.1/resetrouter.cgi - Router reset
* http://192.168.1.1/password.cgi - Password settings

POC
=========
* https://www.youtube.com/watch?v=-wh1Y_jXMGk
VAR-201807-0270 CVE-2017-3226 Das U-Boot AES-CBC encryption implementation contains multiple vulnerabilities CVSS V2: 4.4
CVSS V3: 6.4
Severity: MEDIUM
Das U-Boot is a device bootloader that can read its configuration from an AES-encrypted file. Devices that make use of Das U-Boot's AES-CBC encryption feature using environment encryption (i.e., setting the configuration parameter CONFIG_ENV_AES=y) read environment variables from disk as the encrypted disk image is processed. An attacker with physical access to the device can manipulate the encrypted environment data to include a crafted two-byte sequence which triggers an error in environment variable parsing. This error condition is improperly handled by Das U-Boot, resulting in an immediate process termination with a debugging message. For devices utilizing this environment encryption mode, U-Boot's use of a zero initialization vector and improper handling of an error condition may allow attacks against the underlying cryptographic implementation and allow an attacker to decrypt the data. Das U-Boot's AES-CBC encryption implementation contains multiple vulnerabilities. The initialization vector used in CBC mode is not random (CWE-329) - CVE-2017-3225: Das U-Boot's AES-CBC encryption uses an initialization vector value of 0, so an attacker may obtain information by performing a dictionary attack on encrypted data created by Das U-Boot. As a result, an attacker could decrypt the content on the device or possibly tamper with it. An attacker with access to the device may be able to decrypt the content on the device. An attacker can exploit these issues to gain access to sensitive information or perform certain unauthorized actions; this may lead to further attacks.
VAR-201709-0207 CVE-2017-10813 Multiple vulnerabilities in CG-WLR300NM CVSS V2: 5.2
CVSS V3: 6.8
Severity: MEDIUM
CG-WLR300NM Firmware version 1.90 and earlier allows an attacker to execute arbitrary OS commands via unspecified vectors. CG-WLR300NM provided by Corega Inc. is a wireless LAN router. CG-WLR300NM contains the multiple vulnerabilities listed below. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
* A user who can access the administrative console of the device may execute an arbitrary OS command - CVE-2017-10813
* A user who can access the administrative console of the device may execute arbitrary code - CVE-2017-10814
There is a security hole in the Corega CG-WLR300NM with firmware 1.90 and earlier.
VAR-201709-0208 CVE-2017-10814 Multiple vulnerabilities in CG-WLR300NM CVSS V2: 5.2
CVSS V3: 6.8
Severity: MEDIUM
Buffer overflow in CG-WLR300NM Firmware version 1.90 and earlier allows an attacker to execute arbitrary code via unspecified vectors. CG-WLR300NM provided by Corega Inc. is a wireless LAN router. CG-WLR300NM contains the multiple vulnerabilities listed below. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
* A user who can access the administrative console of the device may execute an arbitrary OS command - CVE-2017-10813
* A user who can access the administrative console of the device may execute arbitrary code - CVE-2017-10814
VAR-201709-1247 No CVE Fei Xun K2 wireless router has unauthorized access vulnerability CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
The Fei Xun K2 (PSG1218) router is a new-generation wireless router aimed at entry-level users. The Fei Xun K2 wireless router has an unauthorized access vulnerability. An attacker can use the vulnerability to obtain detailed information on all terminal devices in the LAN without logging in. They can also perform unauthorized operations, such as modifying the speed limit value of connected devices and preventing them from accessing the Internet.
VAR-201709-1239 No CVE Information Disclosure Vulnerability in Zhengzhou New Cape Electronic Data Gateway Device CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
Zhengzhou New Cape Electronic Data Gateway Equipment is a network equipment product. An information disclosure vulnerability exists in the Zhengzhou New Cape Electronic Data Gateway device. An attacker could use this vulnerability to obtain sensitive information.
VAR-201709-1244 No CVE Phenom K2 Wireless Router Has Logical Defect Vulnerability CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
The Fizen Router Android App is an app for managing Fizen routers. There is a logic flaw in the Phenom K2 wireless router. An attacker could use this vulnerability to obtain the router administrator username and password without logging in, and then control the router.
VAR-201807-0269 CVE-2017-3225 Das U-Boot AES-CBC encryption implementation contains multiple vulnerabilities CVSS V2: 2.1
CVSS V3: 4.6
Severity: MEDIUM
Das U-Boot is a device bootloader that can read its configuration from an AES-encrypted file. For devices utilizing this environment encryption mode, U-Boot's use of a zero initialization vector may allow attacks against the underlying cryptographic implementation and allow an attacker to decrypt the data. Das U-Boot's AES-CBC encryption feature uses a zero (0) initialization vector. This allows an attacker to perform dictionary attacks on encrypted data produced by Das U-Boot to learn information about the encrypted data. Das U-Boot's AES-CBC encryption implementation contains multiple vulnerabilities. Information leakage due to differences in processing time (CWE-208) - CVE-2017-3226: Das U-Boot's AES-CBC processing is deficient when reading the encrypted environment variables. As a result, an attacker could decrypt the content on the device or possibly tamper with it. An attacker with access to the device may be able to decrypt the content on the device.
VAR-201709-0480 CVE-2017-12071 Synology Photo Station Server-side request forgery vulnerability CVSS V2: 4.0
CVSS V3: 6.5
Severity: MEDIUM
Server-side request forgery (SSRF) vulnerability in file_upload.php in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to download arbitrary local files via the url parameter. Synology Photo Station is a set of solutions from Synology for sharing pictures, videos and blogs on the Internet
VAR-201710-0790 CVE-2017-13993 i-SENS SmartLog Diabetes Management Software Code execution vulnerability CVSS V2: 9.3
CVSS V3: 7.8
Severity: HIGH
An Uncontrolled Search Path or Element issue was discovered in i-SENS SmartLog Diabetes Management Software, Version 2.4.0 and prior versions. An uncontrolled search path element vulnerability has been identified which could be exploited by placing a specially crafted DLL file in the search path. If the malicious DLL is loaded prior to the valid DLL, an attacker could execute arbitrary code on the system. This vulnerability does not affect the connected blood glucose monitor and would not impact delivery of therapy to the patient. SmartLog Diabetes Management Software is software for tracking and monitoring individual blood glucose levels by connecting a blood glucose meter to a computer via USB. i-SENS SmartLog Diabetes Management Software has a code execution vulnerability