VARIoT IoT vulnerabilities database


VAR-201710-0217 CVE-2017-14250 TP-LINK TL-WR741N and TL-WR741ND 150M Wireless Lite N Router Vulnerabilities related to input validation in firmware CVSS V2: 6.8
CVSS V3: 6.5
Severity: Medium
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. The original report, retained here for reference only, described an input validation issue in the TP-LINK TL-WR741N and TL-WR741ND 150M Wireless Lite N Router running firmware 3.11.7 Build 100603 Rel.56412n on WR741Nv1/v200000000 hardware: the program failed to properly validate the 'SSID' parameter in Wireless Settings, and an attacker could inject content that would prevent the user from changing the wireless settings, i.e. a denial of service against the configuration interface. Since the CVE has been withdrawn as not a security issue, this description should not be relied on.
VAR-201805-0117 CVE-2017-14185 Fortinet FortiOS Vulnerable to information disclosure CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
An information disclosure vulnerability in Fortinet FortiOS 5.6.0 to 5.6.2, 5.4.0 to 5.4.8 and all 5.2 releases allows SSL VPN web portal users to access internal FortiOS configuration information (e.g. addresses) via specially crafted URLs inside the SSL-VPN web portal. Information may be obtained; an authenticated portal user can learn internal configuration details that may aid further attacks. The following versions are vulnerable: FortiOS 5.6.0 to 5.6.2, FortiOS 5.4.0 to 5.4.8, FortiOS 5.2 through 5.2.12.
VAR-201805-0118 CVE-2017-14187 Fortinet FortiOS Vulnerabilities related to authorization, permissions, and access control CVSS V2: 7.2
CVSS V3: 6.2
Severity: MEDIUM
A local privilege escalation and local code execution vulnerability in Fortinet FortiOS 5.6.0 to 5.6.2, 5.4.0 to 5.4.8, and 5.2 and earlier allows an attacker to execute an unauthorized binary contained on a USB drive plugged into a FortiGate, by linking that binary to a command that the fnsysctl CLI command is allowed to run. The restriction is therefore enforced on the command's name rather than on the file that actually gets executed, so an attacker with CLI access and a USB drive plugged into the appliance can run code of their choosing. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Local attackers may exploit this issue to gain elevated privileges. Fortinet FortiOS is the security operating system developed by Fortinet for the FortiGate network security platform, providing firewall, anti-virus, IPsec/SSL VPN, web content filtering and anti-spam functions.
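The fnsysctl entry above describes an allowlist that is keyed on a command name, so a symlink with an allowed name can point at an attacker-controlled file. The following is an added example (not FortiOS code) contrasting that name-based check with one that resolves the path first; the allowlist contents, the trusted directories and the temporary "USB" layout are all assumptions made for the demonstration.

```python
import os
import tempfile

# Illustrative allowlist of command names a restricted CLI may run; this is an
# assumption for the example, not FortiOS's real fnsysctl command table.
ALLOWED_NAMES = {"ls", "cat", "df"}


def allowed_by_name(cmd_path):
    """Vulnerable check: only the basename is compared against the allowlist.
    A symlink called 'ls' that points at a binary on a USB stick passes."""
    return os.path.basename(cmd_path) in ALLOWED_NAMES


def allowed_by_resolved_path(cmd_path, trusted_dirs):
    """Hardened check: follow every symlink first, then require that the real
    file is a regular file inside one of the trusted system directories and
    that its resolved name is still on the allowlist."""
    real = os.path.realpath(cmd_path)
    if not os.path.isfile(real):
        return False
    if os.path.basename(real) not in ALLOWED_NAMES:
        return False
    for d in trusted_dirs:
        root = os.path.realpath(d)
        if real == root or real.startswith(root.rstrip(os.sep) + os.sep):
            return True
    return False


def demo():
    """Build a throw-away layout: a trusted bin directory holding a genuine
    'ls', and a 'usb' directory holding an attacker binary plus a symlink named
    'ls' that points at it. Returns what each check decides for both paths."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted = os.path.join(tmp, "bin")
        usb = os.path.join(tmp, "usb")
        os.makedirs(trusted)
        os.makedirs(usb)

        genuine = os.path.join(trusted, "ls")
        evil = os.path.join(usb, "evil")
        link = os.path.join(usb, "ls")   # attacker's symlink named like an allowed command
        with open(genuine, "w") as f:
            f.write("#!/bin/sh\necho genuine\n")
        with open(evil, "w") as f:
            f.write("#!/bin/sh\necho pwned\n")
        os.symlink(evil, link)

        return {
            "name_check_link": allowed_by_name(link),
            "path_check_link": allowed_by_resolved_path(link, [trusted]),
            "name_check_genuine": allowed_by_name(genuine),
            "path_check_genuine": allowed_by_resolved_path(genuine, [trusted]),
        }


if __name__ == "__main__":
    for check, verdict in demo().items():
        print(f"{check}: {verdict}")
```

The resolved-path check still trusts whatever lives under the trusted directories, so those must be on a read-only, integrity-protected filesystem; resolving symlinks only closes the name-confusion hole the advisory describes.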
VAR-201712-0076 CVE-2017-14184 Fortinet FortiClient Vulnerable to information disclosure CVSS V2: 4.0
CVSS V3: 8.8
Severity: HIGH
An information disclosure vulnerability in Fortinet FortiClient for Windows 5.6.0 and below, FortiClient for Mac OS X 5.6.0 and below, and FortiClient SSLVPN Client for Linux 4.4.2334 and below allows regular users to see each other's VPN authentication credentials due to improperly secured storage locations. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Local attackers can exploit this issue to read other users' VPN credentials, which may lead to further attacks. FortiClient for Windows is Fortinet's endpoint security client for the Windows platform; FortiClient for Mac OS X is the Mac OS X version; FortiClient SSLVPN Client for Linux is a Linux VPN client for connecting to FortiGate devices. The following products and versions are affected: FortiClient for Windows 5.6.0 and earlier; FortiClient for Mac OS X 5.6.0 and earlier; FortiClient SSLVPN Client for Linux 4.4.2334 and earlier.
VAR-201711-0049 CVE-2017-14189 Fortinet FortiWebManager Access control vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
An improper access control vulnerability in Fortinet FortiWebManager 5.8.0 allows anyone who can reach the admin web UI to log in successfully regardless of the password provided. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Fortinet FortiWebManager is prone to a security-bypass vulnerability: attackers can bypass authentication entirely and perform any administrative action, which may aid in further attacks. FortiWebManager 5.8.0 is vulnerable; other versions may also be affected. Fortinet FortiWeb is a web application firewall developed by Fortinet that blocks threats such as cross-site scripting, SQL injection, cookie poisoning and schema poisoning to protect web applications and sensitive database content; FortiWebManager is the application for managing those firewalls.
VAR-201711-0048 CVE-2017-14186 Fortinet FortiOS Vulnerable to cross-site scripting CVSS V2: 3.5
CVSS V3: 5.4
Severity: MEDIUM
A cross-site scripting (XSS) vulnerability in the SSL VPN web portal of Fortinet FortiOS allows a remote user to inject arbitrary web script or HTML in the context of the victim's browser via the login redir parameter. Because the same parameter controls where the user is sent after login, a URL redirection attack via an injected external URL may also be feasible. Information may be obtained and information may be altered. The application fails to sufficiently sanitize user-supplied input; attackers can exploit these issues to execute arbitrary script or HTML code, steal cookie-based authentication credentials, and conduct phishing attacks. Other attacks may also be possible. The affected version ranges differ between the sources collected here: one lists FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, and 5.4 and below; another lists FortiOS 5.6.0 to 5.6.2, 5.4.0 to 5.4.6, 5.2.0 to 5.2.12, and 5.0 and earlier. Fortinet FortiOS is the security operating system of the FortiGate network security platform, providing firewall, anti-virus, IPsec/SSL VPN, web content filtering and anti-spam functions; the SSL-VPN portal is one of its VPN interfaces.
VAR-201710-0216 CVE-2017-14182 Fortinet FortiOS Input validation vulnerability CVSS V2: 4.0
CVSS V3: 6.5
Severity: MEDIUM
A denial of service (DoS) vulnerability in Fortinet FortiOS 5.4.0 to 5.4.5 allows an authenticated user to make the web GUI temporarily unresponsive by passing a specially crafted payload to the 'params' parameter of the JSON web API. Fortinet FortiOS contains an input validation vulnerability; service operation may be interrupted (DoS). FortiOS 5.4.0 through 5.4.5 are vulnerable. Fortinet FortiOS is the security operating system of the FortiGate network security platform, providing firewall, anti-virus, IPsec/SSL VPN, web content filtering and anti-spam functions.
VAR-201709-0464 CVE-2017-14315 Multiple Bluetooth implementation vulnerabilities affect many devices CVSS V2: 7.9
CVSS V3: 7.5
Severity: HIGH
In Apple iOS 7 through 9, due to a BlueBorne flaw in the implementation of LEAP (Low Energy Audio Protocol), a large audio command can be sent to a targeted device and lead to a heap overflow with attacker-controlled data. Since the audio commands sent via LEAP are not properly validated, an attacker can use this overflow to gain full control of the device through the relatively high privileges of the Bluetooth stack in iOS. The attack bypasses Bluetooth access control; however, the default "Bluetooth On" value must be present in Settings. A collection of Bluetooth implementation vulnerabilities known as "BlueBorne" has been released. These vulnerabilities collectively affect Windows, iOS, and Linux-kernel-based operating systems including Android and Tizen, and may in the worst case allow an unauthenticated attacker to execute commands on the device. Apple iOS and tvOS are prone to a heap-based buffer overflow. An attacker can exploit this issue to execute arbitrary code with the privileges of the Bluetooth stack; failed exploit attempts will likely result in a denial of service. The following products and versions are vulnerable: Apple iOS 7 through 9.3.5, and Apple tvOS. The root cause is that the program does not correctly validate the length of incoming audio commands.
VAR-201709-0349 CVE-2017-14244 iBall Baton ADSL2+ Home Router Vulnerabilities related to credentials management CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
An authentication bypass vulnerability on iBall Baton ADSL2+ Home Router FW_iB-LR7011A_1.0.2 devices potentially allows attackers to directly access administrative router settings by crafting URLs with a .cgi extension, as demonstrated by /info.cgi and /password.cgi. The iBall Baton ADSL2+ Home Router contains vulnerabilities related to credentials management; information may be obtained, information may be altered, and service operation may be disrupted (DoS). The iBall Baton ADSL2+ Home Router is a router from iBall (India). An attacker can reach the admin panel without logging in by requesting the .cgi version of a protected page. The same technique is documented in detail for the UTStar WA3002G4 (CVE-2017-14243) below; both entries point at the same write-up.
VAR-201709-0222 CVE-2017-10856 SEIL Series routers vulnerable to denial-of-service (DoS) CVSS V2: 4.3
CVSS V3: 3.7
Severity: LOW
SEIL/X 4.60 to 5.72, SEIL/B1 4.60 to 5.72, SEIL/x86 3.20 to 5.72 and SEIL/BPV4 5.00 to 5.72 allow remote attackers to cause a temporary failure of the device's encrypted communications via a specially crafted packet. The IPsec/IKE function in SEIL Series routers provided by Internet Initiative Japan Inc. contains a denial-of-service (DoS) vulnerability due to a flaw in processing certain packets. Internet Initiative Japan Inc. reported this vulnerability to IPA to notify users of its solution through JVN; JPCERT/CC coordinated with Internet Initiative Japan Inc. The following products and versions are affected: Internet Initiative Japan SEIL/X 4.60 to 5.72; SEIL/B1 4.60 to 5.72; SEIL/x86 3.20 to 5.72; SEIL/BPV4 5.00 to 5.72.
VAR-201709-0394 CVE-2017-14263 Honeywell NVR Vulnerabilities related to authorization, authority, and access control in devices CVSS V2: 9.3
CVSS V3: 8.1
Severity: HIGH
Honeywell NVR devices allow remote attackers to create a user account in the admin group by leveraging access to a guest account to obtain a session ID, and then sending that session ID in a userManager.addUser request to the /RPC2 URI. The attacker can then log in to the device with the new account and fully control it. The flaw is a missing authorization check: the RPC endpoint verifies that a session exists, but not that the session belongs to an administrator before performing a user-management operation. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Honeywell NVR devices are network video recorders from Honeywell.
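To make the missing authorization step concrete, here is an added example (not Honeywell code) with a toy RPC user manager that reproduces the guest-creates-admin path and the one-line role check that closes it, plus a small detection pass over constructed access-log lines. The request dictionary shape, the log format and the account names are assumptions; the device's real wire format is not reproduced.

```python
import re
import secrets


class ToyNvr:
    """Minimal stand-in for a recorder's RPC user manager. The request shape
    (a dict carrying method, session and params) is an assumption made for this
    example; it is not the device's real wire format."""

    def __init__(self):
        self.users = {"admin": "admin", "guest": "guest"}   # username -> group
        self.sessions = {}                                  # session id -> username

    def login(self, username):
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        return sid

    def dispatch(self, request, enforce_roles):
        """With enforce_roles=False the endpoint only checks that a session
        exists, which is the flaw. With enforce_roles=True the missing step is
        added: the calling session's own group must be 'admin'."""
        caller = self.sessions.get(request.get("session"))
        if caller is None:
            return {"error": "not authenticated"}
        if request.get("method") != "userManager.addUser":
            return {"error": "unknown method"}
        if enforce_roles and self.users.get(caller) != "admin":
            return {"error": "forbidden"}
        params = request["params"]
        self.users[params["name"]] = params["group"]
        return {"result": "ok"}


def guest_creates_admin(enforce_roles):
    """Replays the path described above and reports whether the guest ended up
    with a new admin-group account."""
    nvr = ToyNvr()
    sid = nvr.login("guest")                       # step 1: any guest session id
    resp = nvr.dispatch({                          # step 2: privileged call with it
        "method": "userManager.addUser",
        "session": sid,
        "params": {"name": "backdoor", "group": "admin"},
    }, enforce_roles)
    return resp, nvr.users.get("backdoor")


# Detection side: constructed access-log lines in an assumed format. Flag any
# user-management call issued from a session whose group is not admin.
SAMPLE_LOG = [
    "2017-09-12T08:01:02 src=10.0.0.5 user=admin group=admin method=login",
    "2017-09-12T08:02:10 src=10.0.0.77 user=guest group=guest method=login",
    "2017-09-12T08:02:11 src=10.0.0.77 user=guest group=guest method=userManager.addUser",
]
LOG_LINE = re.compile(
    r"src=(?P<src>\S+) user=(?P<user>\S+) group=(?P<group>\S+) method=(?P<method>\S+)")


def flag_unprivileged_user_management(lines):
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if m and m["method"].startswith("userManager.") and m["group"] != "admin":
            hits.append((m["src"], m["user"], m["method"]))
    return hits


if __name__ == "__main__":
    print("vulnerable:", guest_creates_admin(enforce_roles=False))
    print("fixed:     ", guest_creates_admin(enforce_roles=True))
    print("log hits:  ", flag_unprivileged_user_management(SAMPLE_LOG))
```

The check belongs on the server side of every privileged method, not only addUser; an allowlist of methods per group is the usual way to avoid forgetting one.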
VAR-201709-0397 CVE-2017-14267 EE 4GEE WiFi MBB Device cross-site request forgery vulnerability CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
EE 4GEE WiFi MBB devices (before firmware EE60_00_05.00_31) have CSRF in goform/AddNewProfile, goform/setWanDisconnect, goform/setSMSAutoRedirectSetting, goform/setReset, and goform/uploadBackupSettings. The device contains a cross-site request forgery vulnerability; information may be obtained, information may be altered, and service operation may be disrupted (DoS). The EE 4GEE WiFi MBB is a mobile wireless router sold by EE (UK). A remote attacker who tricks a logged-in user into visiting a malicious web page can have the user's browser submit requests to these endpoints, performing the corresponding actions in the user's session without their knowledge.
VAR-201709-0398 CVE-2017-14268 EE 4GEE WiFi MBB Cross-Site Scripting Vulnerability CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
EE 4GEE WiFi MBB devices (before firmware EE60_00_05.00_31) have XSS in the sms_content parameter of a getSMSlist request. The device contains a cross-site scripting vulnerability; information may be obtained and information may be altered. The EE 4GEE WiFi MBB is a mobile wireless router sold by EE (UK). The program lacks input validation or output encoding for this parameter, so a remote attacker can inject arbitrary web script or HTML that runs in the browser of a user viewing the SMS list.
VAR-201709-0399 CVE-2017-14269 EE 4GEE WiFi MBB Information disclosure vulnerability in devices CVSS V2: 5.0
CVSS V3: 9.8
Severity: CRITICAL
EE 4GEE WiFi MBB devices (before firmware EE60_00_05.00_31) allow remote attackers to obtain sensitive information via a JSONP endpoint, as demonstrated by passwords and SMS content. The device contains an information disclosure vulnerability; information may be obtained, information may be altered, and service operation may be disrupted (DoS). The EE 4GEE WiFi MBB is a mobile wireless router sold by EE (UK). Because a JSONP response is loaded as a script rather than read as data, any web site visited by a user connected to the hotspot can include the endpoint with a script tag and receive its contents, bypassing the same-origin policy; an attacker page can thereby harvest passwords and SMS content.
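The two EE entries above (CSRF on the goform endpoints and the JSONP leak) share one root cause: the device acts on, or answers, requests that a foreign web page can make through the user's browser. This added example (not EE firmware code) shows server-side handlers for both, vulnerable beside hardened, driven by constructed request dictionaries. The device address, the handler signatures, the token scheme and the secrets blob are assumptions for the demonstration.

```python
import hmac
import json
import secrets
from urllib.parse import urlsplit

DEVICE_ORIGIN = "http://192.168.1.1"     # assumed hotspot address for the example
STATE_CHANGING = {
    "goform/AddNewProfile", "goform/setWanDisconnect",
    "goform/setSMSAutoRedirectSetting", "goform/setReset",
    "goform/uploadBackupSettings",
}


def new_session():
    return {"authenticated": True, "csrf": secrets.token_urlsafe(16)}


def handle_vulnerable(req, session):
    """Any browser that carries the session cookie can trigger the action,
    which is exactly what a cross-site form post does."""
    if req["method"] == "POST" and req["path"] in STATE_CHANGING and session["authenticated"]:
        return "applied"
    return "rejected"


def handle_fixed(req, session):
    """Two independent checks: the Origin (or Referer) must be the device
    itself, and the form must carry the per-session anti-CSRF token."""
    if req["method"] != "POST" or req["path"] not in STATE_CHANGING:
        return "rejected"
    if not session["authenticated"]:
        return "rejected"
    origin = req["headers"].get("Origin") or req["headers"].get("Referer", "")
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}" != DEVICE_ORIGIN:
        return "rejected"
    if not hmac.compare_digest(req["form"].get("csrf_token", ""), session["csrf"]):
        return "rejected"
    return "applied"


def jsonp_vulnerable(req, secrets_blob):
    """JSONP wraps the data in a caller-chosen function name, so any page can
    load it with <script src=...> and receive the data in its own origin."""
    callback = req["query"].get("callback", "cb")
    return f"{callback}({json.dumps(secrets_blob)});"


def json_fixed(req, secrets_blob):
    """Plain JSON, never a callback, and only when a custom header is present:
    a cross-site <script> or form cannot add one, and a cross-origin XHR that
    does triggers a CORS preflight the device does not answer."""
    if req["headers"].get("X-Requested-With") != "XMLHttpRequest":
        return 403, ""
    return 200, json.dumps(secrets_blob)


def demo():
    session = new_session()
    cross_site = {"method": "POST", "path": "goform/setReset",
                  "headers": {"Origin": "http://attacker.example"}, "form": {}, "query": {}}
    same_site = {"method": "POST", "path": "goform/setReset",
                 "headers": {"Origin": DEVICE_ORIGIN},
                 "form": {"csrf_token": session["csrf"]}, "query": {}}
    leak = {"method": "GET", "path": "goform/getSMSlist", "headers": {},
            "form": {}, "query": {"callback": "steal"}}
    blob = {"wifi_password": "hunter2", "sms": ["your code is 1234"]}   # constructed
    return {
        "vulnerable_cross_site": handle_vulnerable(cross_site, session),
        "fixed_cross_site": handle_fixed(cross_site, session),
        "fixed_same_site": handle_fixed(same_site, session),
        "jsonp_body": jsonp_vulnerable(leak, blob),
        "json_fixed_status": json_fixed(leak, blob)[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Marking the session cookie SameSite=Lax (or Strict) and sending Content-Type: application/json with X-Content-Type-Options: nosniff on the data endpoint are cheap extra layers on top of the checks shown; the token check remains the control that does not depend on browser behaviour.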
VAR-201709-0393 CVE-2017-14262 Samsung NVR Vulnerabilities related to authorization, authority, and access control in devices CVSS V2: 9.3
CVSS V3: 8.1
Severity: HIGH
On Samsung NVR devices, remote attackers can read the MD5 password hash of the 'admin' account via certain szUserName JSON data sent to cgi-bin/main-cgi, and then log in to the device by supplying that hash in the szUserPasswd parameter. The device thus accepts the stored hash itself as the credential (a pass-the-hash login), so disclosing the hash is equivalent to disclosing the password; the attacker never has to invert MD5. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Samsung NVR devices are network video recorders from Samsung (South Korea).
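The Samsung entry above is a textbook pass-the-hash: the stored digest is both readable and accepted as the login secret. The following added example (not Samsung code) shows the vulnerable comparison beside a hardened scheme in which the server derives a salted digest from the submitted password itself, so a leaked record no longer authenticates. The password, parameter names and iteration count are assumptions for the demonstration; the fix for the disclosure side (the szUserName lookup returning the hash at all) is a separate authorization bug not modelled here.

```python
import hashlib
import hmac
import os

PASSWORD = "correct-horse"                                     # admin password (constructed)
LEAKED_MD5 = hashlib.md5(PASSWORD.encode()).hexdigest()        # what the device stores and exposes


def login_vulnerable(szUserName, szUserPasswd):
    """Reproduces the flaw: the client submits a digest and the device compares
    it with the stored digest. Whoever can read the stored MD5 logs in."""
    return szUserName == "admin" and hmac.compare_digest(szUserPasswd, LEAKED_MD5)


def make_record(password, iterations=200_000):
    """Hardened storage: random per-user salt and an iterated PBKDF2 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations}


def login_fixed(record, password):
    """The client sends the password itself (over TLS); the server recomputes
    the digest. A leaked record is not a credential: the attacker would first
    have to recover the password from salt+digest."""
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(),
                               record["salt"], record["iterations"])
    return hmac.compare_digest(calc, record["digest"])


def demo():
    record = make_record(PASSWORD, iterations=20_000)   # lower count only to keep the demo quick
    leaked_copy = record["digest"].hex()                # what an attacker could read in the fixed design
    return {
        "hash_logs_in_on_vulnerable": login_vulnerable("admin", LEAKED_MD5),
        "hash_logs_in_on_fixed": login_fixed(record, leaked_copy),
        "password_logs_in_on_fixed": login_fixed(record, PASSWORD),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A challenge-response scheme that hashes the stored digest with a nonce would not help here: anyone holding the digest could still compute the response. The server has to derive the verifier from the password, and the digest must never be served to a client.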
VAR-201709-1237 No CVE Friends in War Make or Break authentication bypass vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Make or Break is a parenting blog. There is an authentication bypass vulnerability in Friends in War Make or Break that allows attackers to bypass login verification via injection.
VAR-201709-1249 No CVE Friends in War Make or Break SQL injection vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Make or Break is a parenting blog. There is a SQL injection vulnerability in Friends in War Make or Break. Attackers can use this vulnerability to obtain sensitive information such as database contents.
VAR-201709-0348 CVE-2017-14243 UTStar WA3002G4 ADSL Broadband Modem Vulnerabilities related to credentials management in devices CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
An authentication bypass vulnerability on UTStar WA3002G4 ADSL Broadband Modem WA3002G4-0021.01 devices allows attackers to directly access administrative settings and obtain cleartext credentials from the HTML source, as demonstrated by info.cgi, upload.cgi, backupsettings.cgi, pppoe.cgi, resetrouter.cgi, and password.cgi. The UTStar WA3002G4 ADSL Broadband Modem contains vulnerabilities related to credentials management; information may be obtained, information may be altered, and service operation may be disrupted (DoS). The UTStar WA3002G4 is an ADSL modem from UTStarcom (United States). The original advisory follows.

# Exploit Title: UTStar WA3002G4 ADSL Broadband Modem Authentication Bypass Vulnerability
# CVE: CVE-2017-14243
# Date: 15-09-2017
# Exploit Author: Gem George
# Author Contact: https://www.linkedin.com/in/gemgrge
# Vulnerable Product: UTStar WA3002G4 ADSL Broadband Modem
# Firmware version: WA3002G4-0021.01
# Vendor Homepage: http://www.utstar.com/
# Reference: https://www.techipick.com/iball-baton-adsl2-home-router-utstar-wa3002g4-adsl-broadband-modem-authentication-bypass

Vulnerability Details
======================
The CGI version of the admin page of the UTStar modem does not authenticate the user, and hence any protected page in the modem can be directly accessed by replacing the page extension with .cgi. This could also allow anyone to perform operations such as resetting the modem, changing passwords, or backing up the configuration without any authentication. The modem also discloses the passwords of each user (Admin, Support and User) in plain text in the page source.

How to reproduce
===================
Suppose 192.168.1.1 is the device IP and one of the admin-protected pages in the modem is http://192.168.1.1/abcd.html; then the page can be directly accessed as http://192.168.1.1/abcd.cgi

Example URLs:
* http://192.168.1.1/info.cgi - Status and details
* http://192.168.1.1/upload.cgi - Firmware Upgrade
* http://192.168.1.1/backupsettings.cgi - perform backup settings to PC
* http://192.168.1.1/pppoe.cgi - PPPoE settings
* http://192.168.1.1/resetrouter.cgi - Router reset
* http://192.168.1.1/password.cgi - password settings

POC
=========
* https://www.youtube.com/watch?v=-wh1Y_jXMGk

-----------------------Greetz----------------------
++++++++++++++++++ www.0seccon.com ++++++++++++++++++
Saran, Jithin, Dhani, Vignesh, Hemanth, Sudin, Vijith, Joel
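The reproduction steps above (for the UTStar WA3002G4, and the same .cgi trick reported for the iBall Baton in CVE-2017-14244 earlier on this page) reduce to a simple unauthenticated check: does the .html page refuse while its .cgi twin answers? Here is an added checker (not from the advisory) that compares the two responses per page and scans a served page for pre-filled password fields. The password-field heuristic, the fake device responses and the default device address are assumptions; the checker never follows redirects so a login bounce is reported as-is. Note that upload.cgi and resetrouter.cgi are listed by the advisory but are excluded from probing by default, since fetching them on a live device may start an upgrade or reboot it.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Pages named in the advisory. Only read-only pages are probed by default.
ADVISORY_PAGES = ["info", "upload", "backupsettings", "pppoe", "resetrouter", "password"]
SAFE_TO_PROBE = ["info", "pppoe", "password"]

# Assumed heuristic for "passwords in the page source": a password-type input
# rendered with a pre-filled value attribute.
PASSWORD_FIELD = re.compile(
    r'<input[^>]*type=["\']?password["\']?[^>]*value=["\']([^"\']+)["\']', re.I)

Fetch = Callable[[str], Tuple[int, str]]   # url -> (HTTP status, body)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # surface 30x as an HTTPError instead of following it


_OPENER = urllib.request.build_opener(_NoRedirect)


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Unauthenticated GET; 30x/401/403 come back as statuses, not exceptions."""
    req = urllib.request.Request(url, headers={"User-Agent": "cgi-bypass-check"})
    try:
        with _OPENER.open(req, timeout=timeout) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def check_device(base: str, fetch: Fetch, pages: List[str] = SAFE_TO_PROBE) -> Dict[str, dict]:
    findings = {}
    for page in pages:
        html_status, _ = fetch(f"{base}/{page}.html")
        cgi_status, body = fetch(f"{base}/{page}.cgi")
        findings[page] = {
            "html_status": html_status,
            "cgi_status": cgi_status,
            # the .html page is protected (anything but 200) while its .cgi twin is served
            "bypass": html_status != 200 and cgi_status == 200,
            "leaked_passwords": PASSWORD_FIELD.findall(body) if cgi_status == 200 else [],
        }
    return findings


def fake_device(url: str) -> Tuple[int, str]:
    """Constructed responses mimicking the behaviour described in the advisory,
    so the checker can be exercised offline."""
    if url.endswith(".html"):
        return 302, ""                       # bounced to the login page
    if url.endswith("password.cgi"):
        return 200, ('<form><input type="password" name="adminpw" value="admin123">'
                     '<input type="password" name="supportpw" value="s3rv1ce"></form>')
    if url.endswith(".cgi"):
        return 200, "<html>Status: Connected</html>"
    return 404, ""


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        results = check_device(sys.argv[1].rstrip("/"), http_fetch)   # e.g. http://192.168.1.1
    else:
        results = check_device("http://192.168.1.1", fake_device)
    for page, r in results.items():
        print(page, r)
```

Run it with the device base URL as the only argument to test a real unit; without arguments it runs against the constructed responses. Pass ADVISORY_PAGES as the third argument only on a device you are prepared to reboot.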
VAR-201807-0270 CVE-2017-3226 Das U-Boot AES-CBC encryption implementation contains multiple vulnerabilities CVSS V2: 4.4
CVSS V3: 6.4
Severity: MEDIUM
Das U-Boot is a device bootloader that can read its configuration from an AES-encrypted file. Devices that use Das U-Boot's AES-CBC environment encryption (configuration parameter CONFIG_ENV_AES=y) read environment variables from disk as the encrypted image is processed. An attacker with physical access to the device can manipulate the encrypted environment data to include a crafted two-byte sequence that triggers an error in environment variable parsing. Das U-Boot handles this error condition improperly, terminating immediately with a debugging message. For devices using this mode, U-Boot's use of a zero initialization vector combined with the improper error handling may allow attacks against the underlying cryptographic implementation and let an attacker decrypt the data. Two weaknesses are involved. First, the CBC initialization vector is not random (CWE-329), tracked as CVE-2017-3225: Das U-Boot always uses an IV of 0 for AES-CBC encryption, so identical plaintext prefixes produce identical ciphertext prefixes and an attacker may recover information by performing a dictionary attack on encrypted data created by Das U-Boot. Second, the error-handling flaw above (CVE-2017-3226) gives the attacker an observable signal about how modified ciphertext was parsed. As a result, an attacker with access to the device may be able to decrypt the content on the device and possibly tamper with it; this may lead to further attacks.
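The zero-IV weakness (CVE-2017-3225) above is a property of CBC mode, not of AES, so it can be demonstrated with any block cipher. The following added example (not U-Boot code) runs CBC over a toy 8-byte Feistel cipher and shows the two consequences: two saved environments that share a leading variable have identical leading ciphertext blocks, and an attacker who can make the device encrypt chosen content (an assumed capability standing in for saving a modified environment) recovers a short secret in the first block by dictionary search. Both effects vanish with a random IV. The cipher, the environment layout, the 4-digit "pin" variable and the oracle are constructed for the demonstration; the error-message oracle of CVE-2017-3226 is not reproduced.

```python
import hashlib
import os

BLOCK = 8


def _feistel_round(key, rnd, half):
    """Round function of a toy 4-round Feistel cipher on 8-byte blocks. It
    stands in for AES: what is shown here does not depend on the cipher.
    Decryption is omitted because the demonstration only needs encryption."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def toy_block_encrypt(key, block):
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _feistel_round(key, rnd, right)))
    return left + right


def cbc_encrypt(key, iv, data):
    """Textbook CBC: each plaintext block is XORed with the previous ciphertext
    block (the IV for the first block) before being encrypted."""
    assert len(data) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)


def pad_env(env):
    return env + b"\0" * (-len(env) % BLOCK)


ZERO_IV = b"\0" * BLOCK


def shared_prefix_blocks(ct_a, ct_b):
    n = 0
    for i in range(0, min(len(ct_a), len(ct_b)), BLOCK):
        if ct_a[i:i + BLOCK] != ct_b[i:i + BLOCK]:
            break
        n += 1
    return n


def prefix_leak(key, random_iv):
    """Two saved environments that share their first variable. With IV = 0 the
    first ciphertext blocks are identical, so anyone holding both images learns
    where the environments start to differ, without the key."""
    env_a = pad_env(b"bootcmd=run normal\0")
    env_b = pad_env(b"bootcmd=run recovery\0")
    iv_a = os.urandom(BLOCK) if random_iv else ZERO_IV
    iv_b = os.urandom(BLOCK) if random_iv else ZERO_IV
    return shared_prefix_blocks(cbc_encrypt(key, iv_a, env_a), cbc_encrypt(key, iv_b, env_b))


def recover_pin(oracle, captured):
    """Dictionary attack on the first block. 'oracle' is the assumed ability to
    have the device encrypt attacker-chosen content; the key stays unknown."""
    for pin in range(10000):
        guess = pad_env(b"pin=%04d" % pin)
        if oracle(guess)[:BLOCK] == captured[:BLOCK]:
            return "%04d" % pin
    return None


def demo():
    key = os.urandom(16)                      # the device's key, never seen by the attacker
    secret_env = pad_env(b"pin=4711\0bootcmd=run normal\0")
    captured_zero_iv = cbc_encrypt(key, ZERO_IV, secret_env)
    captured_rand_iv = cbc_encrypt(key, os.urandom(BLOCK), secret_env)
    return {
        "shared_blocks_zero_iv": prefix_leak(key, random_iv=False),
        "shared_blocks_random_iv": prefix_leak(key, random_iv=True),
        "pin_zero_iv": recover_pin(lambda pt: cbc_encrypt(key, ZERO_IV, pt), captured_zero_iv),
        "pin_random_iv": recover_pin(lambda pt: cbc_encrypt(key, os.urandom(BLOCK), pt),
                                     captured_rand_iv),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A fresh random IV stored alongside the ciphertext (or an authenticated mode such as AES-GCM, which also removes the error-handling oracle class) is the standard fix; the IV need not be secret, only unpredictable per encryption.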
VAR-201709-0207 CVE-2017-10813 Multiple vulnerabilities in CG-WLR300NM CVSS V2: 5.2
CVSS V3: 6.8
Severity: Medium
CG-WLR300NM firmware version 1.90 and earlier allows an attacker to execute arbitrary OS commands via unspecified vectors. CG-WLR300NM, provided by Corega Inc., is a wireless LAN router. It contains the following vulnerabilities: a user who can access the administrative console of the device may execute an arbitrary OS command (CVE-2017-10813), and a user who can access the administrative console may execute arbitrary code (CVE-2017-10814). Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. Corega CG-WLR300NM devices with firmware 1.90 and earlier are affected.