VARIoT IoT vulnerabilities database

ARRIS VAP2500 before FW08.41 does not properly validate passwords, which allows remote attackers to bypass authentication. Authentication is not required to exploit this vulnerability.The specific flaw exists within the handling of user authentication. The issue lies in the failure to compare the password when authenticating. An attacker can leverage this vulnerability to bypass authentication checks which can then be chained to execute code with root privileges. The Arris VAP2500 is a wireless access device from Arris, USA. Arris VAP2500 is prone to an authentication-bypass vulnerability

Unspecified vulnerability in the management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to execute arbitrary commands via unknown vectors. Supplementary information : CWE Vulnerability type by CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ( injection ) Has been identified. http://cwe.mitre.org/data/definitions/74.htmlAn arbitrary command may be executed by a third party. Authentication is not required to exploit this vulnerability.The specific flaw exists within the handling of access to the management portal. The issue lies in the ability to execute arbitrary commands without any sanitization. An attacker can leverage this vulnerability to execute code with root privileges. The Arris VAP2500 is a wireless access device from Arris, USA

Stack-based buffer overflow in UltraCamLib in the UltraCam ActiveX Control (UltraCamX.ocx) for the TRENDnet SecurView camera TV-IP422WN allows remote attackers to execute arbitrary code via a long string to the (1) CGI_ParamSet, (2) OpenFileDlg, (3) SnapFileName, (4) Password, (5) SetCGIAPNAME, (6) AccountCode, or (7) RemoteHost function. TRENDnet TEW-818DRU is a routing device. TRENDnet TV-IP422WN 'UltraCamX.ocx' has multiple stack buffer overflow vulnerabilities because it cannot properly check user-supplied data before copying it to a full-size memory buffer. An attacker could exploit these vulnerabilities to execute arbitrary code in the context of an affected application. Failed exploit attempts will result in denial-of-service conditions. SecurView Wireless N Day/Night Pan/Tilt Internet Camera, a powerfuldual-codec wireless network camera with the 2-way audio function that providesthe high-quality image and on-the-spot audio via the Internet connection.The UltraCam ActiveX Control 'UltraCamX.ocx' suffers from a stack bufferoverflow vulnerability when parsing large amount of bytes to several functionsin UltraCamLib, resulting in memory corruption overwriting severeal registersincluding the SEH. An attacker can gain access to the system of the affectednode and execute arbitrary code.<br/><br/>--------------------------------------------------------------------------------<br/><br/><code>0:000&gt; r<br/>eax=41414141 ebx=100ceff4 ecx=0042df38 edx=00487900 esi=00487a1c edi=0042e9fc<br/>eip=100203fb esp=0042d720 ebp=0042e9a8 iopl=0 nv up ei pl nz ac po nc<br/>cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210212<br/>UltraCamX!DllUnregisterServer+0xeb2b:<br/>100203fb 8b48e0 mov ecx,dword ptr [eax-20h] ds:002b:41414121=????????<br/>0:000&gt; !exchain<br/>0042eda8: 41414141<br/>Invalid exception stack at 41414141<br/></code><br/> --------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows 7 Professional SP1 (EN). TRENDnet SecurView camera TV-IP422WN is a wireless IP camera product from TRENDnet. UltraCam ActiveX Control (UltraCamX.ocx) is one of the digital aerial camera controls

Race condition in the lighttpd module in Cisco IOS XR 5.1 and earlier on Network Convergence System 6000 devices allows remote attackers to cause a denial of service (process reload) by establishing many TCP sessions, aka Bug ID CSCuq45239. Cisco IOS XR is a fully modular, distributed network operating system from Cisco's IOS software family. This issue is being tracked by Cisco Bug ID CSCuq45239. Lighttpd is one of the web server modules

Buffer overflow in decode.cpp in Cisco OpenH264 1.2.0 and earlier allows remote attackers to execute arbitrary code via an encoded media file. The specific flaw exists within the decoder logic. By providing malformed H.264 data to the decoder, an attacker can overwrite a heap buffer. This could result in the execution of arbitrary code in the context of the application. The Cisco OpenH264 is prone to multiple buffer-overflow vulnerabilities because it fails to properly bounds-check user supplied input. Cisco OpenH264 1.0.0, 1.1.1, and 1.2.2 are vulnerable. Cisco OpenH264 is an open source H.264 (video codec technology) encoder and decoder from Cisco

Use-after-free vulnerability in decode_slice.cpp in Cisco OpenH264 1.2.0 and earlier allows remote attackers to execute arbitrary code via an encoded media file. By providing malformed H.264 data to the decoder, an attacker can force a dangling pointer to be referenced after it has been freed. The Cisco OpenH264 is prone to a memory corruption vulnerability. Cisco OpenH264 1.0.0, 1.1.1, and 1.2.2 are vulnerable. Cisco OpenH264 is an open source H.264 (video codec technology) encoder and decoder from Cisco

Buffer overflow in Hikvision DVR DS-7204 Firmware 2.2.10 build 131009, and other models and versions, allows remote attackers to execute arbitrary code via an RTSP PLAY request with a long Authorization header. The Hikvision DVR is a hard disk recorder. Hikvision DVR DS-7204 has a remote buffer overflow vulnerability because it fails to adequately check the boundaries of the user-supplied data. An attacker could exploit this vulnerability to execute arbitrary code in the context of an affected device. Failed exploit attempts may result in a denial-of-service condition. Hikvision DVR DS-7204 running firmware 2.2.10 is vulnerable; other devices may also be affected

Cisco IOS XR allows remote attackers to cause a denial of service (LISP process reload) by establishing many LISP TCP sessions, aka Bug ID CSCuq90378. Cisco IOS XR is a fully modular, distributed network operating system from Cisco's IOS software family. This issue is being tracked by Cisco Bug ID CSCuq90378

Wibu-Systems CodeMeter Runtime before 5.20 uses weak permissions (read and write access for all users) for codemeter.exe, which allows local users to gain privileges via a Trojan horse file. Wibu-Systems CodeMeter is a hardware-based software, file, access and media protection solution. CodeMeter has a local privilege escalation vulnerability that can be exploited by local attackers to enforce arbitrary code with system privileges. CodeMeter is prone to a local privilege-escalation vulnerability. CodeMeter Weak Service Permissions Vendor Website : http://www.codemeter.com INDEX --------------------------------------- 1. Background 2. Description 3. Affected Products 4. Solution 6. Credit 7. Disclosure Timeline 8. CVE 1. BACKGROUND --------------------------------------- CodeMeter from Wibu-Systems provides maximum protection against software piracy and is bundled with multiple open-source products. 2. DESCRIPTION --------------------------------------- When the CodeMeter runtime is installed on a Microsoft Windows operating system, it creates a service named "codemeter.exe". When installed with the default settings, this service allows Read/Write access to any user, meaning any user can modify the location of the binary executed by the service with SYSTEM privileges. It should be noted that this vulnerability is not present in the most recent version of Codemeter runtime (currently 5.20). 3. AFFECTED PRODUCTS --------------------------------------- Only the following versions have been confirmed vulnerable: CodeMeter Runtime 4.50b CodeMeter Runtime 4.40 CodeMeter Runtime 4.20b 4. VULNERABILITIES --------------------------------------- 4.1 codemeter.exe 5. SOLUTION --------------------------------------- Vendor contacted and approved for disclosure as most recent version is not vulnerable. 6. CREDIT --------------------------------------- This vulnerability was discovered by Andrew Smith and Matt Smith of Sword & Shield Enterprise Security. 7. DISCLOSURE TIMELINE --------------------------------------- 7-16-2014 - Vulnerability Discovered 8-11-2014 - Vendor Informed 11-20-2014 - Public Disclosure 8. CVE --------------------------------------- CVE-2014-8419

TP-Link TL-WR740N 4 with firmware 3.17.0 Build 140520, 3.16.6 Build 130529, and 3.16.4 Build 130205 allows remote attackers to cause a denial of service (httpd crash) via vectors involving a "new" value in the isNew parameter to PingIframeRpm.htm. Supplementary information : CWE Vulnerability type by CWE-19: Data Handling ( Data processing ) Has been identified. http://cwe.mitre.org/data/definitions/19.htmlService disruption by a third party (httpd crash ) There is a possibility of being put into a state. The TP-LINK TL-WR740N is a wireless router device. TP-Link TL-WR740N is prone to a denial-of-service vulnerability. The TL-WR740N is a combined wired/wireless network connection device integrated with internet-sharing router and 4-port switch. The wireless N Router is 802.11b&amp;g compatible based on 802.11n technology and gives you 802.11n performance up to 150Mbps at an even more affordable price. Bordering on 11n and surpassing 11g speed enables high bandwidth consuming applications like video streaming to be more fluid.The TP-Link WR740N Wireless N Router network device is exposed to adenial of service vulnerability when processing a HTTP GET request. Thisissue occurs when the web server (httpd) fails to handle a HTTP GET requestover a given default TCP port 80. Resending the value 'new' to the 'isNew'parameter in 'PingIframeRpm.htm' script to the router thru a proxy willcrash its httpd service denying the legitimate users access to the admincontrol panel management interface. To bring back the http srv and theadmin UI, a user must physically reboot the router.Tested on: Router Webserver. A security vulnerability exists in the PingIframeRpm.htm script of TP-LINK TL-WR740N. The following versions are affected: TP-LINK TL-WR740N version 4 using firmware versions 3.17.0 Build 140520, 3.16.6 Build 130529 and 3.16.4 Build 130205

Netgear WNR500 is a wireless router product from NetGear. A local file inclusion vulnerability exists in the Netgear WNR500 Router, which is caused by the program's insufficient filtering of user-submitted input. An attacker could use this vulnerability to obtain sensitive information and execute arbitrary local scripts to control applications and computers. Vulnerabilities in Netgear WNR500 using firmware version 1.0.7.2, other versions may also be affected. This could allow the attacker to compromise the application and the computer; other attacks are also possible. It is a simple, secure way to share yourInternet connection and allows you to easily surf the Internet, use email,and have online chats. The quick, CD-less setup can be done through a webbrowser. The small, efficient design fits perfectly into your home.The router suffers from an authenticated file inclusion vulnerability(LFI) when input passed thru the 'getpage' parameter to 'webproc' script isnot properly verified before being used to include files. This can be exploitedto include files from local resources with directory traversal attacks.Tested on: mini_httpd/1.19 19dec2003

The ViewPoint web application in Dell SonicWALL Global Management System (GMS) before 7.2 SP2, SonicWALL Analyzer before 7.2 SP2, and SonicWALL UMA before 7.2 SP2 allows remote authenticated users to execute arbitrary code via unspecified vectors. Authentication is required to exploit this vulnerability.The specific flaw exists within the GMS ViewPoint (GMSVP) web application. The issue lies in the handling of configuration input due to a failure to safely sanitize user data before executing a command. An attacker could leverage this vulnerability to execute code with root privileges on the underlying operating system. Multiple Dell SonicWALL Products are prone to multiple remote code-execution vulnerabilities. Successful exploitation can completely compromise the vulnerable device. GMS is a global management system for rapid deployment and centralized management of SonicWALL infrastructure. Analyzer is a set of network analyzer software for SonicWALL infrastructure. UMA is a set of universal management device software

The PackageInstaller module in Huawei P7-L10 smartphones before V100R001C00B136 allows remote attackers to spoof the origin website and bypass the website whitelist protection mechanism via a crafted package. Huawei P7-L10 is a mobile phone developed by Huawei. Huawei P7-L10 has a security bypass vulnerability that an attacker can use to bypass certain security restrictions and perform unauthorized operations. Huawei P7-L10 is prone to a remote security-bypass vulnerability. This may aid in further attacks. The Huawei P7 is a smartphone from the Chinese company Huawei. Security vulnerabilities exist in the PackageInstaller module of Huawei P7-L10 smartphones in versions earlier than V100R001C00B136

Multiple stack-based buffer overflows in Advantech AdamView 4.3 and earlier allow remote attackers to execute arbitrary code via a crafted (1) display properties or (2) conditional bitmap parameter in a GNI file. ADAMView is a data capture software. Advantech AdamView has multiple stack buffer overflow vulnerabilities because the application failed to properly border the user-supplied data before copying it into a full-size buffer. Allows an attacker to exploit these vulnerabilities to execute arbitrary code in the context of an application that is affected by an ActiveX control, typically Internet Explorer. Failed exploit attempts likely result in denial-of-service conditions. Advantech AdamView 4.3 is vulnerable; other versions may also be affected. The software provides features such as graphical panel configuration, modularity and priority task design. Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ Advantech AdamView Buffer Overflow 1. *Advisory Information* Title: Advantech AdamView Buffer Overflow Advisory ID: CORE-2014-0008 Advisory URL: http://www.coresecurity.com/advisories/advantech-adamView-buffer-overflow Date published: 2014-11-19 Date of last update: 2014-11-19 Vendors contacted: Advantech Release mode: User release 2. *Vulnerability Information* Class: Buffer overflow [CWE-119] Impact: Code execution Remotely Exploitable: No Locally Exploitable: Yes CVE Name: CVE-2014-8386 3. 4. Advantech AdamView V4.3 . 5. *Vendor Information, Solutions and Workarounds* The vendor informed us that the product is no longer supported and therefore no fix or update is going to be released. Given that this is a client-side vulnerability, affected users should avoid opening untrusted '.gni' files. Core Security also recommends those affected use third party software such as Sentinel [3] or EMET [2] that could help to prevent the exploitation of affected systems to some extent. 6. *Credits* This vulnerability was discovered and researched by Daniel Kazimirow and Fernando Paez from Core Security Exploit Writers Team. The publication of this advisory was coordinated by Joaqu\xedn Rodr\xedguez Varela from Core Advisories Team. 7. Below are shown the vulnerable fields, the debug information, and the stack state after being overwritten. /----- VULNERABLE FIELDS: [+] display properties (BUG 1) 00475BA0 |. 53 PUSH EBX ; /<%s> 00475BA1 |. 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18] ; | 00475BA5 |. 68 F09C4B00 PUSH ADAMView.004B9CF0 ; |Format = "Display Designer: %s" 00475BAA |. 51 PUSH ECX ; |s 00475BAB |. 8BF0 MOV ESI,EAX ; | 00475BAD |. FF15 84FF4900 CALL DWORD PTR DS:[<&USER32.wsprintfA>] ; \wsprintfA DEBUG: EAX 00000000 ECX 00000001 EDX 00000000 EBX 00000003 ESP 0012F924 EBP 00000000 ESI 0012F9B4 EDI 00F39DC8 EIP CCCCCCCC <------------------------------------ C 0 ES 0023 32bit 0(FFFFFFFF) P 0 CS 001B 32bit 0(FFFFFFFF) A 0 SS 0023 32bit 0(FFFFFFFF) Z 0 DS 0023 32bit 0(FFFFFFFF) S 0 FS 003B 32bit 7FFDE000(FFF) T 0 GS 0000 NULL D 0 O 0 LastErr ERROR_SUCCESS (00000000) EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G) ST0 empty ST1 empty ST2 empty ST3 empty ST4 empty ST5 empty ST6 empty ST7 empty 3 2 1 0 E S P U O Z D I FST 4000 Cond 1 0 0 0 Err 0 0 0 0 0 0 0 0 (EQ) FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1 STACK: 0012F958 CCCCCCCC \xcc\xcc\xcc\xcc 0012F95C CCCCCCCC \xcc\xcc\xcc\xcc 0012F960 CCCCCCCC \xcc\xcc\xcc\xcc 0012F964 CCCCCCCC \xcc\xcc\xcc\xcc 0012F968 CCCCCCCC \xcc\xcc\xcc\xcc 0012F96C CCCCCCCC \xcc\xcc\xcc\xcc 0012F970 CCCCCCCC \xcc\xcc\xcc\xcc 0012F974 CCCCCCCC \xcc\xcc\xcc\xcc 0012F978 CCCCCCCC \xcc\xcc\xcc\xcc 0012F97C CCCCCCCC \xcc\xcc\xcc\xcc Pointer to next SEH record 0012F980 0043304A J0C. SE handler <-------------- SEH CONTROLLED BY US (PPR) 0012F984 FFFFFFFF \xff\xff\xff\xff 0012F988 00485103 QH. Below are shown the vulnerable fields, the debug information, and the stack state after being overwritten. /----- VULNERABLE FIELDS: [+] conditional bitmap > bitmap file map (is a path) (BUG 2) 00406E70 |. 55 |PUSH EBP ; /StringToAdd 00406E71 |. 51 |PUSH ECX ; |ConcatString 00406E72 |. FF15 A8F34900 |CALL DWORD PTR DS:[<&KERNEL32.lstrcatA>>; \lstrcatA DEBUG: EAX 00000000 ECX CCCCCCCC <--------------------- EAX EDX 73EA2608 MFC42.73EA2608 EBX 00F3C92E ASCII "BMP1" ESP 0012F884 EBP 0000099C ESI 0012F9B4 EDI 00F3C818 EIP CCCCCCCC <--------------------- C 0 ES 0023 32bit 0(FFFFFFFF) P 0 CS 001B 32bit 0(FFFFFFFF) A 0 SS 0023 32bit 0(FFFFFFFF) Z 0 DS 0023 32bit 0(FFFFFFFF) S 0 FS 003B 32bit 7FFDF000(FFF) T 0 GS 0000 NULL D 0 O 0 LastErr ERROR_PATH_NOT_FOUND (00000003) EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G) ST0 empty ST1 empty ST2 empty ST3 empty ST4 empty ST5 empty ST6 empty ST7 empty 3 2 1 0 E S P U O Z D I FST 4000 Cond 1 0 0 0 Err 0 0 0 0 0 0 0 0 (EQ) FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1 STACK: 0012F884 CCCCCCCC 0012F888 CCCCCCCC 0012F88C CCCCCCCC 0012F890 CCCCCCCC 0012F894 CCCCCCCC 0012F898 CCCCCCCC 0012F89C CCCCCCCC 0012F8A0 7ACCCCCC 0012F8A4 CC004342 0012F8A8 CCCCCCCC 0012F8AC CCCCCCCC 0012F8B0 CCCCCCCC 0012F8B4 CCCCCCCC 0012F8B8 CCCCCCCC 0012F8BC CCCCCCCC 0012F8C0 CCCCCCCC 0012F8C4 CCCCCCCC -----/ 8. *Report Timeline* . 2014-10-01: Initial notification sent to ICS-CERT informing of the vulnerability and requesting the vendor's contact information. 2014-10-01: ICS-CERT informs that they will ask the vendor if they want to coordinate directly with us or if they prefer to have ICS-CERT mediate. They request the vulnerability report. 2014-10-01: ICS-CERT informs that the vendor answered that they would like the ICS-CERT to mediate the coordination of the advisory. They requested again the vulnerability report. 2014-10-01: We send the vulnerability detail, including technical description and a PoC. 2014-10-09: We request a status update on the reported vulnerability. 2014-10-20: ICS-CERT informs that the vendor is still reviewing the vulnerability. 2014-10-27: ICS-CERT informs us that the vendor is no longer supporting ADAMView, and therefore they will not fix it. 2014-11-13: We inform them that we will publish this advisory as user release on Wednesday 19th of November. 2014-11-19: Advisory CORE-2014-0008 published. 9. *References* [1] http://www.advantech.com/products/1-39JG4I/ADAMVIEW/mod_328DB466-4B81-4652-B8AF-F5568F24A103.aspx. [2] http://support.microsoft.com/kb/2458544. [3] https://github.com/CoreSecurity/sentinel. 10. *About CoreLabs* CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 11. *About Core Security* Core Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 12. *Disclaimer* The contents of this advisory are copyright (c) 2014 Core Security and (c) 2014 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 13. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc

IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors. IBM Security Network Protection is a device of the IBM Security Intrusion Prevention product portfolio. The system can monitor application usage, website access and operation execution within the network to avoid threats such as malware and botnets

Cisco Unified Communications Manager IM and Presence Service 9.1(1) produces different returned messages for URL requests depending on whether a username exists, which allows remote attackers to enumerate user accounts via a series of requests, aka Bug ID CSCur63497. Vendors have confirmed this vulnerability Bug ID CSCur63497 It is released as.A third party may enumerate user accounts through a series of requests. An attacker may leverage this issue to harvest valid user accounts, which may aid in brute-force attacks. This issue being tracked by Cisco Bug ID CSCur63497. There is a security vulnerability in CUCM IM and Presence Service 9.1(1), which is caused by the program not correctly filtering the return message of URL request

cgi/utility.cgi in Advantech EKI-6340 2.05 Wi-Fi Mesh Access Point allows remote authenticated users to execute arbitrary commands via shell metacharacters in the pinghost parameter to ping.cgi. The EKI-6340 series is one of the outdoor wireless MeshAP products. The Advantech EKI-6340 has a command injection vulnerability because it does not properly filter user-supplied input. Allows an attacker to execute arbitrary commands in the context of the affected device. There is a security vulnerability in the cgi/utility.cgi file of Advantech EKI-6340 version 2.05

Stack-based buffer overflow in Advantech WebAccess, formerly BroadWin WebAccess, before 8.0 allows remote attackers to execute arbitrary code via a crafted ip_address parameter in an HTML document. Advantech WebAccess HMI/SCADA is an HMI/SCADA software. A stack buffer overflow vulnerability exists in Advantech WebAccess because the application failed to properly check the user-supplied data before copying it to a full-size buffer. An attacker could exploit this vulnerability to execute arbitrary code in the context of an application (usually Internet Explorer) that is affected by an ActiveX control. Failed exploit attempts will likely result in denial-of-service conditions. Advantech WebAccess 7.2 is vulnerable; other versions may also be affected. The software supports dynamic graphic display and real-time data control, and provides functions of remote control and management of automation equipment. Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ Advantech WebAccess Stack-based Buffer Overflow 1. *Advisory Information* Title: Advantech WebAccess Stack-based Buffer Overflow Advisory ID: CORE-2014-0010 Advisory URL: http://www.coresecurity.com/advisories/advantech-webAccess-stack-based-buffer-overflow Date published: 2014-11-19 Date of last update: 2014-11-19 Vendors contacted: Advantech Release mode: Coordinated release 2. *Vulnerability Description* Advantech WebAccess [1] is a browser-based software package for human-machine interfaces HMI, and supervisory control and data acquisition SCADA. 4. WebAccess 7.2 . 5. *Vendor Information, Solutions and Workarounds* Given that this is a client-side vulnerability, affected users should avoid opening untrusted '.html' files. Core Security also recommends those affected use third party software such as Sentinel [3] or EMET [2] that could help to prevent the exploitation of affected systems to some extent. Additionally the vendor released WebAccess v8 [4] where it has deleted the vulnerable file 'webeye.ocx' but if version upgrade is being performed, the vulnerable ocx file is not deleted at all, therefore we do not consider this a correct fix. 6. *Credits* This vulnerability was discovered and researched by Ricardo Narvaja from Core Security Consulting Services. The publication of this advisory was coordinated by Joaqu\xedn Rodr\xedguez Varela from Core Advisories Team. 7. This is caused because the application copies to the stack the string without checking its length. /----- document.vdoactx.Connect(ip_address, port_no); -----/ /----- 0001C2AA 8B11 MOV EDX,DWORD PTR DS:[ECX] 0001C2AC 8A45 08 MOV AL,BYTE PTR SS:[EBP+8] 0001C2AF 8802 MOV BYTE PTR DS:[EDX],AL 0001C2B1 FF01 INC DWORD PTR DS:[ECX] 0001C2B3 0FB6C0 MOVZX EAX,AL 0001C2B6 EB 0B JMP SHORT 0001C2C3 -----/ 8. *Report Timeline* . 2014-10-01: Initial notification sent to ICS-CERT informing of the vulnerability and requesting the vendor's contact information. 2014-10-01: ICS-CERT informs that they will ask the vendor if they want to coordinate directly with us or if they prefer to have ICS-CERT mediate. They request the vulnerability report. 2014-10-01: ICS-CERT informs that the vendor answered that they would like the ICS-CERT to mediate the coordination of the advisory. They requested again the vulnerability report. 2014-10-01: We send the vulnerability detail, including technical description and a PoC. 2014-10-09: We request a status update on the reported vulnerability. 2014-10-20: ICS-CERT informs that the vendor has patched WebAccess in version 8.0 and published it. This was done without informing us in order to make a coordianted release. The ICS-CERT asks if we can test the fix. 2014-10-21: We clearly state how we disagree with the uncoordinated published fix. We began testing the fix. 2014-10-21: We inform them that the "webeye.ocx" file (version 1.0.1.35) is still present in the new version. 2014-10-27: ICS-CERT informs us that the vendor has removed the vulnerable OCX file from the new version but it doesn't remove it from previous installations, making the new version still vulnerable. 2014-11-13: We inform them that we will publish this advisory as user release on Wednesday 19th of November. 2014-11-19: Advisory CORE-2014-0010 published. 9. *References* [1] http://webaccess.advantech.com/. [2] http://support.microsoft.com/kb/2458544. [3] https://github.com/CoreSecurity/sentinel. [4] http://webaccess.advantech.com/webaccess_download.php?lang=eng. 10. *About CoreLabs* CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 11. *About Core Security* Core Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 12. *Disclaimer* The contents of this advisory are copyright (c) 2014 Core Security and (c) 2014 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 13. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc

The Hikvision DVR is a hard disk recorder. Hikvision DVR DS-7204 has a remote buffer overflow vulnerability. The program failed to perform a sufficient boundary check on the input provided by the user. An attacker could exploit this vulnerability to execute arbitrary code in the context of an affected device. Hikvision DVR DS-7204 is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary-checks on user-supplied input. Failed exploit attempts may result in a denial-of-service condition. Hikvision DVR DS-7204 running firmware 2.2.10 is vulnerable; other devices may also be affected

The Hikvision DVR is a hard disk recorder. Hikvision DVR DS-7204 has a remote buffer overflow vulnerability because it fails to adequately check the boundaries of the user-supplied data. An attacker could exploit this vulnerability to execute arbitrary code in the context of an affected device. Failed exploit attempts may result in a denial-of-service condition. Hikvision DVR DS-7204 running firmware 2.2.10 is vulnerable; other devices may also be affected. R7-2014-18: Buffer Overflow in Hikvision RTSP Request Body Handling (CVE-2014-4878)