VARIoT IoT vulnerabilities database
| VAR-201601-0032 | CVE-2016-0932 | Adobe Reader and Acrobat on Windows and Mac OS X: arbitrary code execution vulnerability in the Doc object implementation |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
Use-after-free vulnerability in the Doc object implementation in Adobe Reader and Acrobat before 11.0.14, Acrobat and Acrobat Reader DC Classic before 15.006.30119, and Acrobat and Acrobat Reader DC Continuous before 15.010.20056 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0934, CVE-2016-0937, CVE-2016-0940, and CVE-2016-0941. Supplementary information: the vulnerability type has been identified as CWE-416: Use After Free (use of freed memory), http://cwe.mitre.org/data/definitions/416.html. An attacker could execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the Doc object. A specially crafted PDF document can force a dangling pointer to be reused after it has been freed. Failed exploit attempts will likely cause a denial-of-service condition. Adobe Acrobat DC and the other affected products are made by Adobe in the United States. Acrobat DC is a desktop PDF solution; Acrobat Reader DC is a set of tools for viewing, printing and annotating PDFs. A use-after-free vulnerability exists in the implementation of the Doc object in several Adobe products.
| VAR-201601-0031 | CVE-2016-0931 | Adobe Reader and Acrobat on Windows and Mac OS X: arbitrary code execution vulnerability |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
Adobe Reader and Acrobat before 11.0.14, Acrobat and Acrobat Reader DC Classic before 15.006.30119, and Acrobat and Acrobat Reader DC Continuous before 15.010.20056 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted FileAttachment annotation, a different vulnerability than CVE-2016-0933, CVE-2016-0936, CVE-2016-0938, CVE-2016-0939, CVE-2016-0942, CVE-2016-0944, CVE-2016-0945, and CVE-2016-0946. An attacker could execute arbitrary code or cause a denial of service (memory corruption) via a crafted FileAttachment annotation. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The flaw exists within the handling of FileAttachment annotations. By setting the point attribute to a specific array, an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process. Adobe Acrobat and Reader are prone to multiple memory-corruption vulnerabilities. Failed exploit attempts will likely cause a denial-of-service condition. Adobe Acrobat DC and the other affected products are made by Adobe in the United States. Acrobat DC is a desktop PDF solution; Acrobat Reader DC is a set of tools for viewing, printing and annotating PDFs. Security flaws exist in several Adobe products.
| VAR-201910-1414 | CVE-2016-11014 | NETGEAR JNR1010 devices: session expiration vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
NETGEAR JNR1010 devices before 1.0.0.32 have Incorrect Access Control because the ok value of the auth cookie is a special case. NETGEAR JNR1010 devices contain a session expiration vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). NETGEAR JNR1010 is a wireless router from NETGEAR.
NETGEAR JNR1010 versions prior to 1.0.0.32 have an access control vulnerability: the device does not properly restrict access to resources by unauthorized roles. No further vulnerability details are available at this time.
Hi,
Can you assign a CVE ID to this flaw?
Details
================
#Product Vendor: Netgear
#Netgear GPL:
http://kb.netgear.com/app/answers/detail/a_id/2649/~/netgear-open-source-code-for-programmers-(gpl)
http://www.gnu.org/licenses/gpl.txt
#Bug Name: Broken Authentication & Improper Session Management in Netgear Router JNR1010 Version 1.0.0.24
#Software: Netgear Router JNR1010 Firmware
#Version: 1.0.0.24
#Last Updated: 10-06-2015
<http://kb.netgear.com/app/answers/detail/a_id/29270/~/jnr1010-firmware-version-1.0.0.24>
#Homepage: http://netgear.com/
#Severity High
#Status: Fixed
<http://kb.netgear.com/app/answers/detail/a_id/30177/~/jnr1010-firmware-version-1.0.0.32>
#CVE : not assigned
#POC Video URL: https://www.youtube.com/watch?v=vd7Ffy0edYg
Description
================
Attackers use leaks or flaws in the authentication or session management
functions (e.g., exposed accounts, passwords, session IDs) to impersonate
users. Developers frequently build custom authentication and session
management schemes, but building these correctly is hard. As a result,
these custom schemes frequently have flaws in areas such as logout,
password management, timeouts, remember me, secret question, account
update, etc.
Technical Details
================
*Authentication Bypass:*
Try accessing a URL that the normal user no longer has access to, without
credentials, with the auth token value set to “ok” and an HTTP Basic
Authentication header with the password value.
*Improper Session Management:*
Create a fake session ID and submit the request to the server with the
credentials. You can see that the session ID does not change even after
logging in and during the logout process.
For more, also refer to:
https://github.com/cybersecurityworks/Disclosed/issues/14
Fix
================
Regenerate the session ID of the end user during the login and logout process.
Invalidate all initialized session variables during the logout process.
Check for unauthenticated access to all pages behind the login.
Remove HTTP Basic Authentication and implement another authentication
technique.
Advisory Timeline
================
28/10/2015 - Discovered in Netgear Router JNR1010 Firmware Version 1.0.0.24
28/10/2015 - Reported to vendor through support option, but no response
30/10/2015 - Reported to vendor through another support option available
here <http://support.netgear.com/for_home/default.aspx>. But, again, no
response.
03/11/2015 - Finally, the Technical Team started addressing the issue
after many follow-ups through phone/mail.
13/12/2015 - Vulnerability got fixed & case was closed.
30/12/2015 - Netgear released updated version 1.0.0.32
<http://kb.netgear.com/app/answers/detail/a_id/30177/~/jnr1010-firmware-version-1.0.0.32>
Credits & Authors
================
Sathish Kumar <sathish@cybersecurityworks.com> from cybersecurityworks Pvt
Ltd <http://www.cybersecurityworks.com>
About Cybersecurityworks
================
Cybersecurity Works is an auditing company passionate about finding and
reporting security flaws and vulnerabilities in web applications and
networks. As professionals, we handle each client differently based on
their unique requirements. Visit our website
<http://www.cybersecurityworks.com> for more information.
--
----------
Cheers !!!
Team CSW Research Lab <http://www.cybersecurityworks.com>
| VAR-201604-0114 | CVE-2016-3987 | Trend Micro Password Manager HTTP server arbitrary command execution vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
The HTTP server in Trend Micro Password Manager allows remote web servers to execute arbitrary commands via the url parameter to (1) api/openUrlInDefaultBrowser or (2) api/showSB. Supplementary information: the vulnerability type has been identified as CWE-284: Improper Access Control. Trend Micro is a global network security software and services vendor whose products span desktop anti-virus, web server and gateway anti-virus. Trend Micro Password Manager is installed by default, and starts automatically, when a user installs the Windows version of Trend Micro anti-virus software. A code execution vulnerability exists in the way its node.js HTTP RPC ports process API requests, which allows an attacker to execute arbitrary code. The program helps users easily access all of their online accounts, and supports the simultaneous management of online credentials across multiple devices in the cloud and more. Attackers can use these vulnerabilities to execute arbitrary commands in the context of an affected application or to leak sensitive information.
| VAR-201601-0490 | CVE-2015-6423 | Cisco Adaptive Security Appliance Software DCERPC Inspection: DCERPC-only ACL bypass vulnerability |
CVSS V2: 3.5 CVSS V3: 4.3 Severity: MEDIUM |
The DCERPC Inspection implementation in Cisco Adaptive Security Appliance (ASA) Software 9.4.1 through 9.5.1 allows remote authenticated users to bypass an intended DCERPC-only ACL by sending arbitrary network traffic, aka Bug ID CSCuu67782. Cisco Adaptive Security Appliances are a family of firewall devices from Cisco Systems, USA. The devices also include IPS, SSL VPN, IPsec VPN, anti-spam and other functions. Cisco Adaptive Security Appliance Software has a security bypass vulnerability that allows a remote attacker to bypass security restrictions and perform unauthorized operations. This may aid in further attacks.
This issue is tracked by Cisco Bug ID CSCuu67782.
| VAR-201601-0070 | CVE-2015-7024 | Apple OS X Gatekeeper restriction bypass vulnerability |
CVSS V2: 6.9 CVSS V3: 6.7 Severity: MEDIUM |
Untrusted search path vulnerability in Apple OS X before 10.11.1 allows local users to bypass intended Gatekeeper restrictions and gain privileges via a Trojan horse program that is loaded from an unexpected directory by an application that has a valid Apple digital signature. Supplementary information: the vulnerability type has been identified as CWE-426: Untrusted Search Path. Apple Mac OS X is prone to a security-bypass vulnerability.
Attackers can exploit this issue to bypass certain security restrictions and to execute arbitrary code in the context of the user running the affected application. The vulnerability stems from the fact that applications carrying a valid Apple digital signature can load Trojan horse programs from specific locations. A local attacker can exploit this vulnerability to bypass established Gatekeeper restrictions and gain privileges.
| VAR-201601-0069 | CVE-2015-6980 | Apple OS X Directory Utility vulnerability |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
Directory Utility in Apple OS X before 10.11.1 mishandles authentication for new sessions, which allows local users to gain privileges via unspecified vectors. Apple Mac OS X is prone to a local privilege-escalation vulnerability.
Local attackers may exploit this issue to execute arbitrary code with root privileges.
| VAR-201601-0147 | CVE-2015-7116 | Multiple Apple products: libxml2 information disclosure vulnerability |
CVSS V2: 4.3 CVSS V3: 4.3 Severity: MEDIUM |
libxml2 in Apple iOS before 9.2, OS X before 10.11.2, and tvOS before 9.1 allows remote attackers to obtain sensitive information or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2015-7115.
Successful exploits will allow attackers to obtain sensitive information that may aid in further attacks. Apple iOS is an operating system developed for mobile devices; OS X is a dedicated operating system developed for Mac computers; tvOS is a smart TV operating system. libxml2 is a C library for parsing XML documents. A security vulnerability exists in the libxml2 component of several Apple products.
| VAR-201601-0146 | CVE-2015-7115 | Multiple Apple products: libxml2 information disclosure vulnerability |
CVSS V2: 4.3 CVSS V3: 4.3 Severity: MEDIUM |
libxml2 in Apple iOS before 9.2, OS X before 10.11.2, and tvOS before 9.1 allows remote attackers to obtain sensitive information or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2015-7116.
Successful exploits will allow attackers to obtain sensitive information that may aid in further attacks. Apple iOS is an operating system developed for mobile devices; OS X is a dedicated operating system developed for Mac computers; tvOS is a smart TV operating system. libxml2 is a C library for parsing XML documents. A security vulnerability exists in the libxml2 component of several Apple products.
| VAR-201601-0671 | No CVE | Proface GP-Pro EX D-Script heap buffer overflow remote code execution vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Proface GP-Pro EX. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of D-Script data by ParseAPI.dll. When processing a malformed file, it is possible to write D-Script data beyond the bounds of a heap buffer. An attacker can leverage this vulnerability to execute arbitrary code under the context of the process. Proface GP-Pro EX is human-machine interface (HMI) software used on multiple platforms. Proface GP-Pro EX has a security vulnerability in the processing of D-Script data by ParseAPI.dll.
| VAR-201601-0673 | No CVE | (0Day) Proface GP-Pro EX out-of-bounds read information disclosure vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
This vulnerability allows remote attackers to disclose information on vulnerable installations of Proface GP-Pro EX. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within BeginPreRead processing. When handling malformed 0x7f77 type fields, it is possible for an attacker to force an out-of-bounds read. An attacker can leverage this vulnerability to disclose arbitrary memory. Proface GP-Pro EX is human-machine interface (HMI) software used on multiple platforms.
| VAR-201601-0746 | No CVE | (0Day) Proface GP-Pro EX out-of-bounds read information disclosure vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
This vulnerability allows remote attackers to disclose information on vulnerable installations of Proface GP-Pro EX. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within BeginPreRead processing. When handling malformed 0x7f77 type fields, it is possible for an attacker to force an out-of-bounds read. An attacker can leverage this vulnerability to disclose arbitrary memory.
| VAR-201601-0672 | No CVE | Proface GP-Pro EX stack buffer overflow remote code execution vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Proface GP-Pro EX. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within BeginPreRead processing. When handling malformed 0x7f77 type fields, it is possible for an attacker to force a stack-based buffer overflow. An attacker can leverage this vulnerability to execute arbitrary code in the context of the process. Proface GP-Pro EX is human-machine interface (HMI) software used on multiple platforms.
| VAR-201604-0064 | CVE-2016-2291 | Pro-face GP-Pro EX denial of service vulnerability |
CVSS V2: 4.3 CVSS V3: 6.5 Severity: MEDIUM |
Pro-face GP-Pro EX EX-ED before 4.05.000, PFXEXEDV before 4.05.000, PFXEXEDLS before 4.05.000, and PFXEXGRPLS before 4.05.000 allow remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors. Pro-face GP-Pro EX is a suite of HMI screen editing and logic programming software from Pro-face, USA. There is a security hole in Pro-face GP-Pro EX. Digital Electronics Proface GP-Pro EX is a programmable human-machine interface product from Digital Electronics of Japan.
A security vulnerability exists in Digital Electronics Proface GP-Pro EX. An attacker could use this vulnerability to execute arbitrary code in the context of an affected application or leak sensitive information. Other attacks are also possible.
GP-Pro EX 1.00 through 4.0.4 are vulnerable.
| VAR-201604-0063 | CVE-2016-2290 | Pro-face GP-Pro EX heap buffer overflow vulnerability |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
Heap-based buffer overflow in Pro-face GP-Pro EX EX-ED before 4.05.000, PFXEXEDV before 4.05.000, PFXEXEDLS before 4.05.000, and PFXEXGRPLS before 4.05.000 allows remote attackers to execute arbitrary code via unspecified vectors. Pro-face GP-Pro EX is a suite of HMI screen editing and logic programming software from Pro-face, USA. Digital Electronics Proface GP-Pro EX is a programmable human-machine interface product from Digital Electronics of Japan.
A security vulnerability exists in Digital Electronics Proface GP-Pro EX. An attacker could use this vulnerability to execute arbitrary code in the context of an affected application or leak sensitive information. Other attacks are also possible.
GP-Pro EX 1.00 through 4.0.4 are vulnerable.
| VAR-201601-0060 | CVE-2015-7938 | Advantech EKI-132x device firmware authentication bypass vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Advantech EKI-132x devices with firmware before 2015-12-31 allow remote attackers to bypass authentication via unspecified vectors. The Advantech EKI-132x device firmware contains an authentication bypass vulnerability. Authentication may be bypassed by a third party. The Advantech EKI-132x is a serial device networking server from Advantech, Inc., which provides a variety of redundant configurations and multiple access configurations for remote monitoring of serial devices over Ethernet communication protocols. Advantech EKI products are prone to a security-bypass vulnerability.
| VAR-201601-0613 | CVE-2014-8886 | AVM FRITZ!OS symbolic link creation vulnerability |
CVSS V2: 9.3 CVSS V3: 8.1 Severity: HIGH |
AVM FRITZ!OS before 6.30 extracts the contents of firmware updates before verifying their cryptographic signature, which allows remote attackers to create symlinks or overwrite critical files, and consequently execute arbitrary code, via a crafted firmware image. AVM FRITZ!OS is prone to a remote code-execution vulnerability.
Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the affected application.
AVM FRITZ!OS versions prior to 6.30 are vulnerable.
| VAR-201604-0065 | CVE-2016-2292 | Pro-face GP-Pro EX stack buffer overflow vulnerability |
CVSS V2: 4.3 CVSS V3: 6.5 Severity: MEDIUM |
Stack-based buffer overflow in Pro-face GP-Pro EX EX-ED before 4.05.000, PFXEXEDV before 4.05.000, PFXEXEDLS before 4.05.000, and PFXEXGRPLS before 4.05.000 allows remote attackers to execute arbitrary code via unspecified vectors. Pro-face GP-Pro EX is a suite of HMI screen editing and logic programming software from Pro-face, USA. Digital Electronics Proface GP-Pro EX is a programmable human-machine interface product from Digital Electronics of Japan.
A security vulnerability exists in Digital Electronics Proface GP-Pro EX. An attacker could use this vulnerability to execute arbitrary code in the context of an affected application or leak sensitive information. Other attacks are also possible.
GP-Pro EX 1.00 through 4.0.4 are vulnerable.
| VAR-201601-0162 | CVE-2015-8611 | Multiple F5 BIG-IP products: AOM login access vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, and PEM 12.0.0 before HF1 on the 2000, 4000, 5000, 7000, and 10000 platforms do not properly sync passwords with the Always-On Management (AOM) subsystem, which might allow remote attackers to obtain login access to AOM via an (1) expired or (2) default password. F5 BIG-IP is a family of application delivery devices manufactured by F5 Networks, mainly used for load balancing, application acceleration and optimization, and similar purposes. Multiple F5 BIG-IP products are prone to an insecure default-password vulnerability.
An attacker with knowledge of the default credentials may exploit this vulnerability to gain unauthorized access and perform unauthorized actions. This may aid in further attacks. F5 BIG-IP LTM and the other affected products are made by F5 in the United States. LTM is a local traffic manager; APM is a solution that provides secure unified access to business-critical applications and networks.
| VAR-201601-0416 | CVE-2015-8261 | Ipswitch WhatsUp Gold does not validate commands when deserializing XML objects |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: HIGH |
The DroneDeleteOldMeasurements implementation in Ipswitch WhatsUp Gold before 16.4 does not properly validate serialized XML objects, which allows remote attackers to conduct SQL injection attacks via a crafted SOAP request. Deserialization of untrusted data (CWE-502, http://cwe.mitre.org/data/definitions/502.html) - CVE-2015-8261: the flaw exists in the WhatsUp Gold SOAP request handler DroneDeleteOldMeasurements. A remote attacker may execute SQL statements on the database. Ipswitch WhatsUp Gold is prone to a security-bypass vulnerability.
Successful exploits may allow attackers to bypass certain security restrictions and perform unauthorized actions.
Ipswitch WhatsUp Gold 16.3 is vulnerable; other versions may also be affected. Ipswitch WhatsUp Gold is a suite of unified infrastructure and application monitoring software from Ipswitch in the United States. The software supports the performance management of networks, servers, virtual environments and applications.