VARIoT IoT vulnerabilities database

OSRAM SYLVANIA Osram Lightify Home through 2016-07-26 does not use SSL pinning. OSRAM SYLVANIA Osram Lightify Home Contains vulnerabilities related to security features.Information may be tampered with. OSRAM SYLVANIA Osram Lightify Home is a set of open IoT platform for automatic control lighting equipment of German OSRAM company. Attackers can use this vulnerability to perform man-in-the-middle attacks to obtain SSL encrypted traffic

Dell Integrated Remote Access Controller (iDRAC) 6 before 2.80 and 7/8 before 2.21.21.21 allows directory traversal. Dell iDRAC6 , iDRAC7 and iDRAC8 Contains a path traversal vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) An attack may be carried out. Dell iDRAC is prone to a local directory-traversal vulnerability. Exploiting this issue will allow an attacker to gain sensitive information and perform unauthorized actions. The following products are vulnerable: Versions prior to Dell iDRAC6 2.80 Versions prior to Dell iDRAC7 2.21.21.21 Versions prior to Dell iDRAC8 2.21.21.21

Dell Integrated Remote Access Controller (iDRAC) 7/8 before 2.21.21.21 has a format string issue in racadm getsystinfo. Dell iDRAC7 and iDRAC8 Contains a format string vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) An attack may be carried out. Multiple Dell iDRAC Products are prone to a remote format-string vulnerability. Remote attackers can exploit this issue to execute arbitrary code in the context of the application or cause denial-of-service conditions

Dell Integrated Remote Access Controller (iDRAC) 6 before 2.80 and 7/8 before 2.21.21.21 allows attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a long SSH username or input. Dell integrated Remote Access Controller is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary-checks on user supplied data. Successfully exploiting this issue may allow an attacker to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will result in a denial-of-service condition. iDRAC7and iDRAC8 versions prior to 2.21.21.21 are vulnerable. This solution provides functions such as remote management, crash recovery and power control for Dell PowerEdge systems. A buffer overflow vulnerability exists in Dell iDRAC 6 prior to 2.80, 7 and 8 prior to 2.21.21.21. An attacker could exploit this vulnerability to cause a denial of service

Dell Integrated Remote Access Controller (iDRAC) 7/8 before 2.21.21.21 has XXE. Dell iDRAC7 and iDRAC8 Is XML An external entity vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) An attack may be carried out. A cross-site scripting vulnerability exists in Dell iDRAC 7 and 8 prior to 2.21.21.21. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML

Dell Integrated Remote Access Controller (iDRAC) 6 before 2.80 allows remote attackers to execute arbitrary administrative HTTP commands. This may further aid in other attacks. Versions prior to Dell iDRAC6 2.80 are vulnerable. This solution provides functions such as remote management, crash recovery and power control for Dell PowerEdge systems

Dell Integrated Remote Access Controller (iDRAC) 6 before 2.85 and 7/8 before 2.30.30.30 has XSS. Dell iDRAC6 , iDRAC7 and iDRAC8 Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. Multiple Dell iDRAC products are prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. The following products are vulnerable: Dell iDRAC6 versions prior to 2.85 Dell iDRAC7 versions prior to 2.30.30.30 Dell iDRAC8 versions prior to 2.30.30.30. This solution provides functions such as remote management, crash recovery and power control for Dell PowerEdge systems. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML

AXIS Communications products allow CSRF, as demonstrated by admin/pwdgrp.cgi, vaconfig.cgi, and admin/local_del.cgi. AXIS Communications The product firmware contains a cross-site request forgery vulnerability.Cross-site request forgery may be executed. AXIS is a webcam

Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 allow Embedded_Ace_Set_Task.cgi command injection. The Sierra Wireless GX440 is a gateway device from Sierra Wireless, Canada. The SierraWirelessGX440 has a command injection vulnerability that can be exploited by remote attackers to submit special requests and execute arbitrary commands. An attacker could exploit this vulnerability to inject commands

Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 have weak passwords for admin, rauser, sconsole, and user. Sierra Wireless GX 440 Device ALEOS The firmware contains a vulnerability related to the management of certificates and passwords.Information is acquired, information is falsified, and denial of service (DoS) An attack could be made. The Sierra Wireless GX440 is a gateway device from Sierra Wireless, Canada. The SierraWirelessGX440 has a weak password vulnerability that can be exploited by remote attackers to submit special requests and recover passwords

Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 allow Hayes AT command injection. The Sierra Wireless GX440 is a gateway device from Sierra Wireless, Canada. The SierraWirelessGX440 has a command injection vulnerability that can be exploited by remote attackers to submit special requests and execute arbitrary commands

Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 do not require authentication for Embedded_Ace_Get_Task.cgi requests. Sierra Wireless GX 440 Device ALEOS There are authentication vulnerabilities in the firmware.Information is obtained, information is altered, and service operation is disrupted (DoS) An attack may be carried out. The Sierra Wireless GX440 is a gateway device from Sierra Wireless, Canada. A verification problem vulnerability exists in the SierraWirelessGX440 device using version 4.3.2 ALEOS firmware, which was caused by the program not requesting authentication for Embedded_Ace_Get_Task.cgi. An attacker could exploit this vulnerability to gain root/shell access

Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 use guessable session tokens, which are in the URL. Sierra Wireless GX 440 Device ALEOS The firmware contains a session deadline vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) An attack may be carried out. The Sierra Wireless GX440 is a gateway device from Sierra Wireless, Canada. A security vulnerability exists in the SierraWirelessGX440 device using version 4.3.2 ALEOS firmware. An attacker could exploit the vulnerability to access a management web application

Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 store passwords in cleartext. Sierra Wireless GX 440 Device ALEOS The firmware contains a vulnerability related to the management of certificates and passwords.Information is acquired, information is falsified, and denial of service (DoS) An attack could be made. The Sierra Wireless GX440 is a gateway device from Sierra Wireless, Canada. The SierraWirelessGX440 has a weak password storage vulnerability that can be exploited by remote attackers to submit special requests for sensitive information

Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 execute the management web application as root. Sierra Wireless GX 440 Device ALEOS Firmware contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) An attack may be carried out. The Sierra Wireless GX440 is a gateway device from Sierra Wireless, Canada. The SierraWirelessGX440 has a privilege escalation vulnerability that can be exploited by remote attackers to submit special requests and escalate permissions. A security vulnerability exists in the Sierra Wireless GX440 using ALEOS firmware version 4.3.2. An attacker can exploit this vulnerability to operate and manage web applications with root privileges

XiongMai uc-httpd has directory traversal allowing the reading of arbitrary files via a "GET ../" HTTP request. XiongMaiuc-httpd is an HTTP protection program used by cameras from cameras such as XiongMai. A directory traversal vulnerability exists in XiongMaiuc-httpd

In ARM Trusted Firmware 1.3, RO memory is always executable at AArch64 Secure EL1, allowing attackers to bypass the MT_EXECUTE_NEVER protection mechanism. This issue occurs because of inconsistency in the number of execute-never bits (one bit versus two bits). Remote attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions. ARM Trusted Firmware through 1.3 are vulnerable; other versions may also be affected

In ARM Trusted Firmware through 1.3, the secure self-hosted invasive debug interface allows normal world attackers to cause a denial of service (secure world panic) via vectors involving debug exceptions and debug registers. ARM Trusted Firmware is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause a denial-of-service condition, denying service to legitimate users. ARM Trusted Firmware through 1.3 are vulnerable; other versions may also be affected

Directory traversal vulnerability in the web interface on the D-Link DWR-116 device with firmware before V1.05b09 allows remote attackers to read arbitrary files via a .. (dot dot) in a "GET /uir/" request. The DWR-116 is a wireless N300 multi-WAN router from D-Link. (double point) in the \"GET/uir/\" request. D-Link DWR-116 is prone to an arbitrary-file-download vulnerability. An attacker can exploit this issue to download arbitrary files from the device filesystem and obtain potentially sensitive information. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-6190. PoC: aaaaa a $ curl http://routerip/uir//etc/passwd aaaaa The vulnerability can be used retrieve administrative password using the other disclosed vulnerability - CVE-2018-10824 This vulnerability was reported previously by Patryk Bogdan in CVE-2017-6190 but he reported it is fixed in certain release but unfortunately it is still present in even newer releases. The vulnerability is also present in other D-Link routers and can be exploited not only (as the original author stated) by double dot but also absolutely using double slash. 2 Password stored in plaintext in several series of D-Link routers aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa CVE: CVE-2018-10824 An issue was discovered on D-Link routers: aC/ DWR-116 through 1.06, aC/ DIR-140L through 1.02, aC/ DIR-640L through 1.02, aC/ DWR-512 through 2.02, aC/ DWR-712 through 2.02, aC/ DWR-912 through 2.02, aC/ DWR-921 through 2.02, aC/ DWR-111 through 1.01, aC/ and probably others with the same type of firmware. NOTE: I have changed the filename in description to XXX because the vendor leaves some EOL routers unpatched and the attack is too simple. The administrative password is stored in plaintext in the /tmp/XXX/0 file. PoC using the directory traversal vulnerability disclosed at the same time - CVE-2018-10822 aaaaa a $ curl http://routerip/uir//tmp/XXX/0 aaaaa This command returns a binary config file which contains admin username and password as well as many other router configuration settings. 3 Shell command injection in httpd server of a several series of D-Link routers aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaa CVE: CVE-2018-10823 CVSS v3: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) An issue was discovered on D-Link routers: aC/ DWR-116 through 1.06, aC/ DWR-512 through 2.02, aC/ DWR-712 through 2.02, aC/ DWR-912 through 2.02, aC/ DWR-921 through 2.02, aC/ DWR-111 through 1.01, aC/ and probably others with the same type of firmware. An authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. This allows for full control over the device internals. PoC: 1. 2. Request the following URL after login: aaaaa a $ curl http://routerip/chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20 %2Fetc%2Fpasswd aaaaa 3. See the passwd file contents in the response. 4 Exploiting all together aaaaaaaaaaaaaaaaaaaaaaaaa CVSS v3: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) Taking all the three together it is easy to gain full router control including arbitrary code execution. Description with video: [http://sploit.tech/2018/10/12/D-Link.html] 5 Timeline aaaaaaaaaa aC/ 09.05.2018 - vendor notified aC/ 06.06.2018 - asked vendor about the status because of long vendor response aC/ 22.06.2018 - received a reply that a patch will be released for DWR-116 and DWR-111, for the other devices which are EOL an announcement will be released aC/ 09.09.2018 - still no reply from vendor about the patches or announcement, I have warned the vendor that if I will not get a reply in a month I will publish the disclosure aC/ 12.10.2018 - disclosing the vulnerabilities

Dataprobe iBootBar (with 2007-09-20 and possibly later beta firmware) allows remote attackers to bypass authentication, and conduct power-cycle attacks on connected devices, via a DCCOOKIE cookie. Dataprobe iBootBar is a set of remote power management solutions from Dataprobe Corporation of the United States, which provides serial ports, optional internal modem and DTMF audio dialing control, etc. A security vulnerability exists in Dataprobe iBootBar using the 2007-09-20 beta firmware