VARIoT IoT vulnerabilities database


VAR-201408-0025 CVE-2013-5757 Yealink VoIP Phone SIP-T38G Vulnerable to absolute path traversal

Related entries in the VARIoT exploits database: VAR-E-201406-0112
CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
Absolute path traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a full pathname in the dumpConfigFile function in the command parameter to cgi-bin/cgiServer.exx. Yealink VoIP Phone SIP-T38G is an enterprise HD IP phone. The Yealink VoIP Phone SIP-T38G 'cgiServer.exx' has a file inclusion vulnerability. Because 'cgiServer.exx' fails to properly filter user-submitted input, a remote attacker can submit a crafted request to read system file contents with the privileges of the web server. Yealink VoIP Phone SIP-T38G is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input. An attacker can exploit these issues using directory-traversal strings to view files and execute local script code in the context of the web server process. This may allow the attacker to compromise the application; other attacks are also possible.
VAR-201408-0024 CVE-2013-5756 Yealink VoIP Phone SIP-T38G Vulnerable to directory traversal

Related entries in the VARIoT exploits database: VAR-E-201406-0112
CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
Directory traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a .. (dot dot) in the page parameter to cgi-bin/cgiServer.exx. Yealink VoIP Phone SIP-T38G is an enterprise HD IP phone. The Yealink VoIP Phone SIP-T38G 'cgiServer.exx' has a file inclusion vulnerability. Because 'cgiServer.exx' fails to properly filter user-submitted input, a remote attacker can submit a crafted request to read system file contents with the privileges of the web server. Yealink VoIP Phone SIP-T38G is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input. An attacker can exploit these issues using directory-traversal strings to view files and execute local script code in the context of the web server process. This may allow the attacker to compromise the application; other attacks are also possible.
VAR-201408-0026 CVE-2013-5758 Yealink VoIP Phone SIP-T38G cgi-bin/cgiServer.exx arbitrary command execution vulnerability

Related entries in the VARIoT exploits database: VAR-E-201406-0216, VAR-E-201406-0217
CVSS V2: 9.0
CVSS V3: -
Severity: HIGH
cgi-bin/cgiServer.exx in Yealink VoIP Phone SIP-T38G allows remote authenticated users to execute arbitrary commands by calling the system method in the body of a request, as demonstrated by running unauthorized services, changing directory permissions, and modifying files. Yealink VoIP Phone SIP-T38G is an enterprise HD IP phone. Because user-submitted input is not properly filtered, a remote attacker can submit a crafted request and execute arbitrary commands with the privileges of the web server. An attacker may leverage this issue to execute arbitrary commands in the context of the affected application.
VAR-201406-0490 No CVE Parallels Plesk Panel XML external entity injection vulnerability

CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Parallels Plesk Panel is a hosting control panel solution from Parallels, USA. The solution supports web tools, built-in virtualization, customer experience, and more. An XML external entity injection vulnerability exists in Parallels Plesk Panel. An attacker could use this vulnerability to obtain sensitive information. The vulnerability exists in Parallels Plesk Panel 10.4.4 and 11.0.9; other versions may also be affected. Attackers can exploit these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
VAR-201407-0011 CVE-2013-5755 Yealink IP Phone SIP-T38G config/.htpasswd hardcoded credentials vulnerability allowing unauthorized access

Related entries in the VARIoT exploits database: VAR-E-201406-0133
CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
config/.htpasswd in Yealink IP Phone SIP-T38G has a hardcoded password of (1) user (s7C9Cx.rLsWFA) for the user account, (2) admin (uoCbM.VEiKQto) for the admin account, and (3) var (jhl3iZAe./qXM) for the var account, which makes it easier for remote attackers to obtain access via unspecified vectors. Yealink VoIP Phone SIP-T38G is an enterprise HD IP phone. Yealink VoIP Phone SIP-T38G has a security-bypass vulnerability caused by hardcoded credentials. The Yealink VoIP Phone SIP-T38G web interface uses the authentication credentials stored in /config/.htpasswd, namely user:user, admin:admin and var:var, and these credentials can be used for unauthorized access. A successful attack can allow a remote attacker to gain access to the vulnerable device.
VAR-201406-0374 CVE-2014-3813 Juniper Networks NetScreen Firewall products ScreenOS denial of service (DoS) vulnerability

CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in the Juniper Networks NetScreen Firewall products with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via vectors related to a DNS lookup. Multiple Juniper NetScreen Firewall products are prone to a denial-of-service vulnerability. Successfully exploiting this issue may allow an attacker to cause denial-of-service conditions.
VAR-201407-0034 CVE-2014-3427 Yealink VoIP Phone firmware CRLF injection vulnerability

CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
CRLF injection vulnerability in Yealink VoIP Phones with firmware 28.72.0.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the model parameter to servlet. A CRLF injection vulnerability exists in the Yealink VoIP Phone firmware. Supplementary information: the CWE vulnerability type has been identified as CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection'). Yealink VoIP Phones are prone to an HTTP-response-splitting vulnerability because they fail to properly sanitize user-supplied input. An attacker may leverage this issue to influence how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into a false sense of trust. Yealink VoIP Phones are IP phone products of China YeaLink Company. The product supports caller avatar display, call recording, anonymous calling, etc.

I. BACKGROUND
Yealink is a manufacturer of VoIP and Video products. To minimize noise read more at: http://www.yealink.com/Companyprofile.aspx

III. Validated on Firmware Version 28.72.0.2 Hardware Version 28.2.0.128.0.0.0

CRLF Injection (Header Splitting) proof of concept:
Request
GET /servlet?linepage=1&model=%0d%0a%20 ANYTHING I WANT GOES HERE &p=dsskey&q=load HTTP/1.1
In the above request, attackers can shove in code, webpages, etc. In my tests, I have used javascript, redirects, and even an entire web page shoved into the CRLF vulnerable inputs.

-----
The XSS vulnerability
GET /servlet?jumpto=dsskey&model=%22%20onmouseover%3dprompt%28 1337 %29%20badpuppy%3d%22&p=login&q=loginForm HTTP/1.1
Typical Cross Site Scripting.

IV. SOLUTION
Minimize accessibility to the phone's interface.

V. VENDOR CONTACT AND RESPONSE
05/08/2014 E-mailed security@yealink.com (bounced)
05/08/2014 Created an account on Yealink's forum and sent message (no response for weeks)
05/26/2014 Response via e-mail from Yealink
05/26/2014 Replied to vendor I would disclose in June
06/01/2014 Reached back out to vendor for update
06/08/2014 Reached back out to vendor for update
06/11/2014 Reached out one last time... Crickets
06/12/2014 Advisory

VI. TOOLS USED
Burpsuite, WVS, Firefox

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
"Where ignorance is our master, there is no possibility of real peace" - Dalai Lama
42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
VAR-201406-0123 CVE-2014-3428 Yealink VoIP Phone firmware cross-site scripting vulnerability

CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in Yealink VoIP Phones with firmware 28.72.0.2 allows remote attackers to inject arbitrary web script or HTML via the model parameter to servlet. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. Yealink VoIP Phones firmware 28.72.0.2 and hardware 28.2.0.128.0.0.0 are vulnerable; other versions may also be affected. Yealink VoIP Phones are IP phone products of China YeaLink Company. The product supports caller avatar display, call recording, anonymous calling, etc.

I. ADVISORY
CVE-2014-3427 CRLF Injection in Yealink VoIP Phones
CVE-2014-3428 XSS vulnerabilities in Yealink VoIP Phones
Date published: 06/12/2014
Vendor Contacted: 05/08/2014

II. BACKGROUND
Yealink is a manufacturer of VoIP and Video products. To minimize noise read more at: http://www.yealink.com/Companyprofile.aspx

III. DESCRIPTION
There are CRLF Injection and XSS vulnerabilities in Yealink VoIP telephones. Validated on Firmware Version 28.72.0.2 Hardware Version 28.2.0.128.0.0.0

CRLF Injection (Header Splitting) proof of concept:
Request
GET /servlet?linepage=1&model=%0d%0a%20 ANYTHING I WANT GOES HERE &p=dsskey&q=load HTTP/1.1
In the above request, attackers can shove in code, webpages, etc. In my tests, I have used javascript, redirects, and even an entire web page shoved into the CRLF vulnerable inputs.

-----
The XSS vulnerability
GET /servlet?jumpto=dsskey&model=%22%20onmouseover%3dprompt%28 1337 %29%20badpuppy%3d%22&p=login&q=loginForm HTTP/1.1
Typical Cross Site Scripting.

IV. SOLUTION
Minimize accessibility to the phone's interface.

V. VENDOR CONTACT AND RESPONSE
05/08/2014 E-mailed security@yealink.com (bounced)
05/08/2014 Created an account on Yealink's forum and sent message (no response for weeks)
05/26/2014 Response via e-mail from Yealink
05/26/2014 Replied to vendor I would disclose in June
06/01/2014 Reached back out to vendor for update
06/08/2014 Reached back out to vendor for update
06/11/2014 Reached out one last time... Crickets
06/12/2014 Advisory

VI. TOOLS USED
Burpsuite, WVS, Firefox
VAR-201406-0307 CVE-2014-3290 Cisco IOS XE mDNS implementation vulnerability allowing disclosure of network service information

CVSS V2: 4.8
CVSS V3: -
Severity: MEDIUM
The mDNS implementation in Cisco IOS XE 3.12S does not properly interact with autonomic networking, which allows remote attackers to obtain sensitive networking-services information by sniffing the network or overwrite networking-services data via a crafted mDNS response, aka Bug ID CSCun64867. Cisco IOS is the Internetwork Operating System used on most Cisco routers and network switches. The Cisco Autonomic Networking infrastructure is prone to a security-bypass vulnerability. An attacker can leverage this issue to perform unauthorized actions and obtain sensitive information that may aid in further attacks. This issue is being tracked by Cisco Bug ID CSCun64867. The vulnerability stems from the program not properly restricting how mDNS interacts with autonomic networking.
VAR-201406-0507 No CVE XML External Entity vulnerability in the XML link function of Hitachi COBOL2002

CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
The XML link function of Hitachi COBOL2002 contains a vulnerability that allows information leakage or a denial of service (DoS) condition. A remote attacker could conduct information leakage or cause a denial of service (DoS) condition via an untrusted XML document that loads unexpected external entities.
VAR-201406-0392 CVE-2014-2176 Cisco IOS XR running on ASR 9000 devices denial of service (DoS) vulnerability

CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Cisco IOS XR 4.1.2 through 5.1.1 on ASR 9000 devices, when a Trident-based line card is used, allows remote attackers to cause a denial of service (NP chip and line card reload) via malformed IPv6 packets, aka Bug ID CSCun71928. Cisco IOS is the Internetwork Operating System used on most Cisco routers and network switches. Cisco IOS XR Software for ASR 9000 Series Aggregation Services Routers has a security vulnerability in its handling of malformed IPv6 packets. Cisco IOS XR is prone to a remote denial-of-service vulnerability. This issue is being tracked by Cisco Bug ID CSCun71928.
VAR-201406-0375 CVE-2014-3814 Juniper Networks NetScreen Firewall products ScreenOS denial of service (DoS) vulnerability

CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Juniper Networks NetScreen Firewall devices with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allow remote attackers to cause a denial of service (crash and reboot) via a sequence of malformed packets to the device IP. Juniper NetScreen Firewall is prone to a denial-of-service vulnerability. Successful exploits may allow the attacker to cause denial-of-service conditions. Juniper NetScreen Firewall 3.0 is vulnerable; other versions may also be affected.
VAR-201406-0311 CVE-2014-3295 Cisco NX-OS Software HSRP Packet Parsing Denial of Service Vulnerability

CVSS V2: 4.8
CVSS V3: -
Severity: MEDIUM
The HSRP implementation in Cisco NX-OS 6.2(2a) and earlier allows remote attackers to bypass authentication and cause a denial of service (group-member state modification and traffic blackholing) via malformed HSRP packets, aka Bug ID CSCup11309. The vendor has confirmed this vulnerability and published it as Bug ID CSCup11309. A third party can bypass HSRP authentication via malformed packets and interrupt service operation (group-member state changes and traffic blackholing). Cisco NX-OS is a data center-level operating system. An attacker could exploit this vulnerability to bypass authentication and change the state of a group member to SPEAK, causing a denial of service. An attacker can leverage this issue to cause a denial-of-service condition, denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCup11309.
VAR-201406-0305 CVE-2014-3287 Cisco Unified Communications Domain Manager Java interface SQL injection vulnerability

CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
SQL injection vulnerability in BulkViewFileContentsAction.java in the Java interface in Cisco Unified Communications Manager (Unified CM) allows remote authenticated users to execute arbitrary SQL commands via crafted filename parameters in a URL, aka Bug ID CSCuo17337. An authenticated attacker can leverage this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. This issue is tracked by Cisco Bug ID CSCuo17337. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution.
VAR-201406-0310 CVE-2014-3294 Cisco WebEx Meeting Server information disclosure vulnerability

CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
Cisco WebEx Meeting Server does not properly restrict the content of URLs, which allows remote authenticated users to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history, aka Bug ID CSCuj81691. Cisco WebEx Meeting Server contains a vulnerability that allows sensitive information to be obtained because it does not properly restrict the content of URLs. Cisco WebEx Meetings Server is a conference center implementation from Cisco. An attacker can leverage this issue to obtain sensitive information that may aid in further attacks. This issue is being tracked by Cisco bug ID CSCuj81691. Cisco WebEx Meeting Server is a set of multi-functional conference solutions including audio, video and web conferencing in Cisco's WebEx conference solution.
VAR-201406-0449 No CVE Triangle MicroWorks SCADA Data Gateway TLS/DTLS Information Disclosure Vulnerability

CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
SCADA Data Gateway is a Windows application for system integrators and utilities that collects data from OPC, IEC 60870-6 (TASE.2/ICCP), IEC 61850, IEC 60870-5, DNP3 and Modbus Server/Slave devices. This data is then transmitted to other control systems that support the OPC, IEC 60870-6 (TASE.2/ICCP) Client, IEC 60870-5, DNP3 and Modbus Client/Master communication protocols. The SCADA Data Gateway has an information disclosure vulnerability because its bundled OpenSSL is affected by the Heartbleed vulnerability (CVE-2014-0160). Malicious users can exploit this vulnerability to obtain sensitive information.
VAR-201406-0501 No CVE Hitachi COBOL2002 Product XML External Entity Processing Vulnerability

CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
Hitachi COBOL2002 is a COBOL product running on Japanese XP. Hitachi COBOL2002 products have errors in parsing XML entities, allowing attackers to use specially crafted XML documents containing references to external entities to obtain local resources or consume large amounts of server resources. Multiple Hitachi COBOL2002 products are prone to an XML External Entity injection vulnerability. Attackers can exploit this issue to obtain potentially sensitive information or cause denial-of-service conditions. This may lead to further attacks. The following are vulnerable:
COBOL2002 Net Developer
COBOL2002 Net Client Suite
COBOL2002 Net Client Runtime
COBOL2002 Net Server Suite
COBOL2002 Net Server Runtime
COBOL2002 Net Developer(64)
COBOL2002 Net Server Suite(64)
COBOL2002 Net Server Runtime(64)
COBOL2002 Developer Professional
VAR-201406-0165 CVE-2014-4189 Multiple Vulnerabilities in Hitachi Tuning Manager and JP1/Performance Management - Manager Web Option

CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in Hitachi Tuning Manager before 7.6.1-06 and 8.x before 8.0.0-04 and JP1/Performance Management - Manager Web Option 07-00 through 07-54 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. These vulnerabilities cannot be exploited unless the attacker is logged in to these products. A remote attacker could insert malicious scripts during display of the web page. Hitachi Tuning Manager (HTnM) software is a storage performance management application that maps, monitors, and analyzes storage network resources from applications to storage devices. The vulnerability stems from the program's failure to filter user-supplied input. Attackers can use the vulnerability to steal cookie-based authentication credentials and execute arbitrary script code in the user's browser in the context of the affected site. Other attacks are also possible.
VAR-201406-0164 CVE-2014-4188 Multiple Vulnerabilities in Hitachi Tuning Manager and JP1/Performance Management - Manager Web Option

CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Cross-site request forgery (CSRF) vulnerability in Hitachi Tuning Manager before 7.6.1-06 and 8.x before 8.0.0-04 and JP1/Performance Management - Manager Web Option 07-00 through 07-54 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. These vulnerabilities cannot be exploited unless the attacker is logged in to these products. A remote attacker could insert malicious scripts during display of the web page. Hitachi Tuning Manager (HTnM) software is a storage performance management application that maps, monitors, and analyzes storage network resources from applications to storage devices. A remote attacker can use the vulnerability to: 1. construct a malicious URI, induce users to open it, and obtain sensitive cookies, hijack sessions or perform malicious operations on the client; 2. construct malicious URIs to induce users to open them and perform malicious operations in the target user's context. An attacker can exploit these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, disclose or modify sensitive information, or perform unauthorized actions. Other attacks are also possible.
VAR-201406-0503 No CVE Multiple TP-Link Router RomPager Denial of Service Vulnerability

CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
TP-Link is a well-known supplier of network and communication equipment. TP-Link TD-W8901G, TD-W8101G, TD-8840G and TD-8817 with firmware version 3.11.2.175_TC3086 and hardware version T14.F7_5.0 contain a remote denial of service vulnerability, which an attacker can exploit to cause the affected device to crash. Multiple TP-Link routers are prone to a denial-of-service vulnerability. TP-Link TD-W8901G, TD-W8101G, TD-8840G and TD-8817 running firmware version 3.11.2.175_TC3086 and hardware version T14.F7_5.0 are vulnerable.