VARIoT IoT vulnerabilities database

VAR-201401-0131 CVE-2013-5668 Thecus NAS Server N8800 contains multiple vulnerabilities CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The ADS/NT Support page on the Thecus NAS server N8800 with firmware 5.03.01 allows remote attackers to discover the administrator credentials by reading this page's cleartext content. Thecus NAS server N8800 with firmware version 5.03.01, and possibly earlier versions, contains multiple vulnerabilities. Thecus NAS server N8800 is a network storage product. Successfully exploiting this issue allows an attacker to obtain sensitive information (the administrator credentials) from the web application, which may aid in further attacks
VAR-201401-0132 CVE-2013-5669 Thecus NAS Server N8800 contains multiple vulnerabilities CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The Thecus NAS server N8800 with firmware 5.03.01 uses cleartext credentials for administrative authentication, which allows remote attackers to obtain sensitive information by sniffing the network. Thecus NAS server N8800 with firmware version 5.03.01, and possibly earlier versions, contains multiple vulnerabilities. Thecus NAS server N8800 is a network storage product. An attacker positioned on the network path (for example through a man-in-the-middle attack) can capture the administrative credentials from the traffic; the captured credentials enable further attacks against the device
VAR-201401-0429 CVE-2014-1671 Dell KACE K1000 SQL injection vulnerability CVSS V2: 6.5
CVSS V3: -
Severity: MEDIUM
Multiple SQL injection vulnerabilities in Dell KACE K1000 5.4.76847 and possibly earlier allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the macAddress element in a (1) getUploadPath or (2) getKBot SOAP request to service/kbot_service.php; the ID parameter to (3) userui/advisory_detail.php or (4) userui/ticket.php; and the (5) ORDER[] parameter to userui/ticket_list.php. Dell KACE K1000 Systems Management Appliance is prone to multiple SQL injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Dell KACE K1000 Systems Management Appliance 5.4.76847 is vulnerable; other versions may also be affected. Dell KACE K1000 is an IT asset management solution in Dell's KACE systems management series; it provides software distribution, configuration management, patch installation and security vulnerability remediation. The vulnerabilities are caused by (1) the service/kbot_service.php script not correctly filtering the 'macAddress' element in getUploadPath and getKBot SOAP requests; (2) the userui/advisory_detail.php and userui/ticket.php scripts not correctly filtering the 'ID' parameter; and (3) the userui/ticket_list.php script not correctly filtering the 'ORDER[]' parameter
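Added example, not code from the page or from Dell: the vulnerable pattern and its fix in Python, with SQLite standing in for the appliance's database. The table name, columns and sample rows are constructed for the illustration. It also shows why the ORDER[] case is handled differently from the ID case: ORDER BY identifiers cannot be bound as query parameters, so they have to be checked against an allowlist.

```python
import sqlite3

# Sort columns a caller may name in ORDER[] (assumption for this example;
# the real ticket_list.php schema is not on the page).
ALLOWED_ORDER_COLUMNS = {"id", "title", "owner"}


def setup_db():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, title TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO tickets VALUES (?, ?, ?)",
        [(1, "Printer down", "alice"), (2, "VPN issue", "bob"), (3, "Laptop refresh", "alice")],
    )
    return conn


def ticket_detail_vulnerable(conn, ticket_id, owner):
    """Vulnerable pattern: the ID parameter is pasted into the SQL text, so a
    value such as '1 OR 1=1' rewrites the WHERE clause and leaks other owners' rows."""
    sql = f"SELECT id, title FROM tickets WHERE owner = '{owner}' AND id = {ticket_id}"
    return conn.execute(sql).fetchall()


def ticket_detail_fixed(conn, ticket_id, owner):
    """Hardened: type-check the ID, then bind both values as parameters."""
    try:
        tid = int(ticket_id)
    except (TypeError, ValueError):
        raise ValueError("ID must be an integer")
    return conn.execute(
        "SELECT id, title FROM tickets WHERE owner = ? AND id = ?", (owner, tid)
    ).fetchall()


def ticket_list_fixed(conn, owner, order):
    """ORDER BY column names cannot be bound as parameters, so every ORDER[]
    element is validated against the allowlist before it is spliced into SQL."""
    clauses = []
    for item in order:
        column, _, direction = item.strip().partition(" ")
        direction = direction.strip().upper()
        if column not in ALLOWED_ORDER_COLUMNS or direction not in ("", "ASC", "DESC"):
            raise ValueError(f"rejected ORDER value: {item!r}")
        clauses.append(f"{column} {direction}".strip())
    order_sql = ", ".join(clauses) or "id"
    return conn.execute(
        f"SELECT id, title FROM tickets WHERE owner = ? ORDER BY {order_sql}", (owner,)
    ).fetchall()
```

The vulnerable function returns every row when the ID is `1 OR 1=1` because `AND` binds tighter than `OR`; the fixed functions either bind the value or reject it before any SQL is built.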
VAR-201401-0352 CVE-2014-0647 Starbucks application for iOS information disclosure vulnerability (usernames, passwords, e-mail addresses) CVSS V2: 2.1
CVSS V3: -
Severity: LOW
The Starbucks 2.6.1 application for iOS stores sensitive information in plaintext in the Crashlytics log file (/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog), which allows attackers to discover usernames, passwords, and e-mail addresses via an application that reads session.clslog. Starbucks is prone to an information-disclosure vulnerability: anything able to read session.clslog can recover the credentials, which may aid in further attacks. Starbucks 2.6.1 is vulnerable; other versions may also be affected. Starbucks is the mobile application for the iOS platform from Starbucks in the United States. The application supports GPS positioning, product information lookup and event information
VAR-201401-0665 No CVE NetGear N150 WNR1000v3 Password Recovery Feature Information Disclosure Vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
An information disclosure vulnerability exists in the password recovery feature of the NetGear N150 WNR1000v3 running firmware 1.0.2.60_60.0.86, 1.0.2.54_60.0.82NA and 1.0.2.62_60.0.87. NetGear N150 WNR1000v3 is prone to an information-disclosure vulnerability. This record also carries the following description of a different product: the Feixun FWR-604H diagnosis.asp script fails to properly filter the 'system_command' parameter, allowing remote attackers to execute arbitrary commands. Feixun FWR-604H is a 150M enhanced wireless router from China's Feixun. A remote code execution vulnerability exists in Feixun FWR-604H; an attacker could use it to execute arbitrary code in the context of the affected device. Feixun FWR-604H version 1.0 is affected; other versions may also be affected
VAR-201401-0322 CVE-2014-0658 Cisco 9900 Unified IP phones denial of service (DoS) vulnerability CVSS V2: 5.4
CVSS V3: -
Severity: MEDIUM
Cisco 9900 Unified IP phones allow remote attackers to cause a denial of service (unregistration) via a crafted SIP header, aka Bug ID CSCul24898. The crafted header causes the phone to unregister from its call control server, interrupting its call service. This issue is tracked by Cisco Bug ID CSCul24898. Cisco 9900 Series Unified IP phones provide voice and video functions
VAR-201401-0327 CVE-2014-0663 Cisco Secure Access Control System web framework cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the web framework in Cisco Secure Access Control System (ACS) allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCum03625. Cisco Secure ACS is a central management platform for Cisco network devices that controls device authentication and authorization; it controls network access and network device administration through the RADIUS and TACACS+ protocols. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is tracked by Cisco Bug ID CSCum03625
VAR-201401-0328 CVE-2014-0664 Cisco Unity Connection server denial of service (DoS) vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
The server in Cisco Unity Connection allows remote authenticated users to cause a denial of service (CPU consumption) via unspecified IMAP commands, aka Bug ID CSCul49976. An attacker holding valid IMAP credentials can send the crafted commands to drive CPU consumption up, resulting in a denial-of-service condition. This issue is tracked by Cisco Bug ID CSCul49976. Cisco Unity Connection (UC) is a voice messaging platform from Cisco; it lets users place calls or listen to messages hands-free through voice commands
VAR-201401-0323 CVE-2014-0659 Multiple Cisco products: credential and configuration data disclosure via undocumented test interface in firmware CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The Cisco WAP4410N access point with firmware through 2.0.6.1, WRVS4400N router with firmware 1.x through 1.1.13 and 2.x through 2.0.2.1, and RVS4000 router with firmware through 2.0.3.2 allow remote attackers to read credential and configuration data, and execute arbitrary commands, via requests to the test interface on TCP port 32764, aka Bug IDs CSCum37566, CSCum43693, CSCum43700, and CSCum43685. The Cisco WAP4410N Wireless-N Access Point, WRVS4400N Wireless-N Gigabit Security Router and RVS4000 4-port Gigabit Security Router carry an undocumented test interface listening on TCP port 32764. An unauthenticated attacker who can reach that port on the device's LAN interface can read credential and configuration data and execute arbitrary commands, gaining root-level access to the device. Affected: RVS4000 running firmware 2.0.3.2 and earlier; WRVS4400N hardware versions 1.0 and 1.1 running 1.x firmware up to 1.1.13, and WRVS4400N running 2.x firmware up to 2.0.2.1; WAP4410N running firmware 2.0.6.1 and earlier. The issue is tracked by Cisco Bug IDs CSCum37566, CSCum43693, CSCum43700 and CSCum43685
VAR-201401-0286 CVE-2013-7204 Conceptronic CIPCAMPTIWL Camera firmware cross-site request forgery vulnerability

Related entries in the VARIoT exploits database: VAR-E-201401-0070
CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Cross-site request forgery (CSRF) vulnerability in set_users.cgi in Conceptronic CIPCAMPTIWL Camera 1.0 with firmware 21.37.2.49 allows remote attackers to hijack the authentication of administrators for requests that add arbitrary users. Conceptronic CIPCAMPTIWL is an IP camera device and is prone to a cross-site request-forgery vulnerability. An attacker who lures a logged-in administrator to a crafted page can have the administrator's browser submit a request to set_users.cgi that adds an attacker-chosen account, which may lead to further attacks. Conceptronic CIPCAMPTIWL Camera is a wireless network camera product from Conceptronic
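Added example, not code from the page or from Conceptronic: a Python sketch of a set_users.cgi-style handler as the advisory describes it (any POST carrying a valid admin session is honoured) beside a version that requires the Origin or Referer header to name the camera and the form to carry a session-bound CSRF token. The camera host, session layout and request dictionaries are constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical camera address and server-side secret (constructed for the example).
CAMERA_HOST = "192.0.2.10"
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token_for(session_id):
    """Derive a per-session token from a server secret; nothing extra is stored."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def add_user_vulnerable(request, session):
    """Any POST that rides on a valid admin session is accepted, so a page on
    another site can submit it through the administrator's browser."""
    if not session.get("admin"):
        return 403, "forbidden"
    session.setdefault("users", []).append(request["form"]["user"])
    return 200, "user added"


def add_user_fixed(request, session):
    """Origin/Referer must name the camera, and the form must carry the token
    bound to this session; both checks fail closed."""
    if not session.get("admin"):
        return 403, "forbidden"
    origin = request["headers"].get("Origin") or request["headers"].get("Referer")
    if not origin or urlsplit(origin).hostname != CAMERA_HOST:
        return 403, "cross-site request rejected"
    expected = csrf_token_for(session["id"])
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    session.setdefault("users", []).append(request["form"]["user"])
    return 200, "user added"


def forged_request():
    """Constructed: what a page on attacker.example makes the admin's browser send.
    The browser attaches the session cookie, but the Origin header names the attacker."""
    return {
        "headers": {"Origin": "http://attacker.example"},
        "form": {"user": "backdoor", "pwd": "x"},
    }


def legitimate_request(session):
    """Constructed: a form submitted from the camera's own admin page."""
    return {
        "headers": {"Origin": f"http://{CAMERA_HOST}"},
        "form": {"user": "operator", "pwd": "x", "csrf_token": csrf_token_for(session["id"])},
    }
```

The token check alone would be enough for a browser-originated request; the Origin check is kept as a second, independent layer for firmware that cannot easily thread a token through every form.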
VAR-201401-0349 CVE-2014-0618 Juniper Junos on SRX Series service gateways denial of service (DoS) vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Juniper Junos 10.4 before 10.4R16, 11.4 before 11.4R8, 12.1R before 12.1R7, 12.1X44 before 12.1X44-D20, and 12.1X45 before 12.1X45-D10 on SRX Series service gateways, when used as a UAC enforcer and captive portal is enabled, allows remote attackers to cause a denial of service (flowd crash) via a crafted HTTP message. Juniper Junos is prone to a remote denial-of-service vulnerability: a crafted HTTP message crashes flowd, the SRX flow daemon that forwards traffic, so successful exploits cause a denial-of-service condition. Only SRX devices configured as a UAC (Unified Access Control) enforcer with captive portal enabled are exposed. Junos is the network operating system Juniper Networks ships on its hardware; it provides a secure programming interface and the Junos SDK
VAR-201401-0348 CVE-2014-0617 Juniper Junos on SRX Series service gateways denial of service (DoS) vulnerability CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Juniper Junos 10.4S before 10.4S15, 10.4R before 10.4R16, 11.4 before 11.4R9, and 12.1R before 12.1R7 on SRX Series service gateways allows remote attackers to cause a denial of service (flowd crash) via a crafted IP packet. Juniper Junos on SRX Series service gateways is prone to a remote denial-of-service vulnerability: a crafted IP packet crashes flowd, the SRX flow daemon that forwards traffic, so successful exploits cause a denial-of-service condition. Junos is the network operating system Juniper Networks ships on its hardware; it provides a secure programming interface and the Junos SDK
VAR-201401-0347 CVE-2014-0616 Juniper Junos denial of service (DoS) vulnerability CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Juniper Junos 10.4 before 10.4R16, 11.4 before 11.4R10, 12.1R before 12.1R8-S2, 12.1X44 before 12.1X44-D30, 12.1X45 before 12.1X45-D20, 12.1X46 before 12.1X46-D10, 12.2 before 12.2R7, 12.3 before 12.3R4-S2, 13.1 before 13.1R3-S1, 13.2 before 13.2R2, and 13.3 before 13.3R1 allows remote attackers to cause a denial of service (rpd crash) via a large BGP UPDATE message which immediately triggers a withdraw message to be sent, as demonstrated by a long AS_PATH and a large number of BGP Communities. Juniper Junos is prone to a remote denial-of-service vulnerability: successful exploits crash the routing protocol daemon (rpd), denying service to legitimate users. Since UPDATE messages are only processed on an established BGP session, exposure is limited to BGP peers and to updates they propagate. Junos is the network operating system Juniper Networks ships on its hardware; it provides a secure programming interface and the Junos SDK
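Added example, not from the page or from Juniper: a Python builder and parser for BGP UPDATE messages that counts AS_PATH entries and COMMUNITIES values, the two attributes the advisory names, so an oversized UPDATE can be flagged in a capture or a route-server filter before it reaches a vulnerable peer. It assumes 2-byte ASNs (no AS4 capability) and a single IPv4 prefix; the sample messages are constructed, and the thresholds in is_suspicious are assumptions to tune, not values from the advisory.

```python
import struct

BGP_MARKER = b"\xff" * 16
BGP_HEADER_LEN = 19
BGP_MAX_MESSAGE = 4096          # RFC 4271 maximum message size
BGP_UPDATE = 2
ATTR_ORIGIN, ATTR_AS_PATH, ATTR_NEXT_HOP, ATTR_COMMUNITIES = 1, 2, 3, 8
FLAG_EXTENDED_LENGTH = 0x10
AS_SEQUENCE = 2


def encode_attr(flags, type_code, value):
    """Path attribute TLV; values longer than 255 bytes need the extended-length flag."""
    if len(value) > 255:
        return struct.pack("!BBH", flags | FLAG_EXTENDED_LENGTH, type_code, len(value)) + value
    return struct.pack("!BBB", flags, type_code, len(value)) + value


def build_update(as_path, communities, prefix=b"\x0a", prefix_len=8):
    """Constructed UPDATE announcing one prefix (2-byte ASNs assumed)."""
    segments = b""
    for i in range(0, len(as_path), 255):          # one AS_SEQUENCE holds at most 255 ASNs
        chunk = as_path[i:i + 255]
        segments += struct.pack("!BB", AS_SEQUENCE, len(chunk))
        segments += b"".join(struct.pack("!H", asn) for asn in chunk)
    attrs = encode_attr(0x40, ATTR_ORIGIN, b"\x00")            # ORIGIN = IGP
    attrs += encode_attr(0x40, ATTR_AS_PATH, segments)
    attrs += encode_attr(0x40, ATTR_NEXT_HOP, bytes([192, 0, 2, 1]))
    if communities:
        attrs += encode_attr(0xC0, ATTR_COMMUNITIES,
                             b"".join(struct.pack("!HH", *c) for c in communities))
    nlri = bytes([prefix_len]) + prefix
    body = struct.pack("!HH", 0, len(attrs)) + attrs + nlri    # no withdrawn routes
    return BGP_MARKER + struct.pack("!HB", BGP_HEADER_LEN + len(body), BGP_UPDATE) + body


def update_stats(msg):
    """Walk the path attributes of an UPDATE; return size, AS_PATH length, community count."""
    if len(msg) < BGP_HEADER_LEN or msg[:16] != BGP_MARKER:
        raise ValueError("bad BGP header")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if length != len(msg) or length > BGP_MAX_MESSAGE or msg_type != BGP_UPDATE:
        raise ValueError("not a well-formed UPDATE")
    body = msg[BGP_HEADER_LEN:]
    if len(body) < 4:
        raise ValueError("truncated UPDATE")
    withdrawn_len = struct.unpack("!H", body[:2])[0]
    pos = 2 + withdrawn_len
    attr_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + attr_len
    if end > len(body):
        raise ValueError("attribute length exceeds message")
    as_count = community_count = 0
    while pos < end:
        if pos + 3 > end:
            raise ValueError("truncated attribute header")
        flags, code = body[pos], body[pos + 1]
        if flags & FLAG_EXTENDED_LENGTH:
            vlen = struct.unpack("!H", body[pos + 2:pos + 4])[0]
            pos += 4
        else:
            vlen = body[pos + 2]
            pos += 3
        if pos + vlen > end:
            raise ValueError("truncated attribute")
        value = body[pos:pos + vlen]
        pos += vlen
        if code == ATTR_AS_PATH:
            i = 0
            while i < len(value):
                if i + 2 > len(value):
                    raise ValueError("malformed AS_PATH")
                n = value[i + 1]             # ASNs in this segment
                as_count += n
                i += 2 + 2 * n               # 2-byte ASNs
            if i != len(value):
                raise ValueError("malformed AS_PATH")
        elif code == ATTR_COMMUNITIES:
            if vlen % 4:
                raise ValueError("malformed COMMUNITIES")
            community_count += vlen // 4
    return {"bytes": len(msg), "as_path_len": as_count, "communities": community_count}


def is_suspicious(stats, max_as_path=64, max_communities=32):
    """Policy thresholds are assumptions; set them from what your peers really send."""
    return stats["as_path_len"] > max_as_path or stats["communities"] > max_communities
```

The parser rejects anything whose declared lengths do not fit inside the message, so a truncated or oversized UPDATE raises rather than producing a partial count; only well-formed messages get the policy check.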
VAR-201401-0346 CVE-2014-0615 Juniper Junos local privilege escalation vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Juniper Junos 10.4 before 10.4R16, 11.4 before 11.4R10, 12.1R before 12.1R8-S2, 12.1X44 before 12.1X44-D30, 12.1X45 before 12.1X45-D20, 12.1X46 before 12.1X46-D10, 12.2 before 12.2R7, 12.3 before 12.3R5, 13.1 before 13.1R3-S1, 13.2 before 13.2R2, and 13.3 before 13.3R1 allows local users to gain privileges via vectors related to "certain combinations of Junos OS CLI commands and arguments." Juniper Junos is prone to multiple local privilege-escalation vulnerabilities: a local user with CLI access can exploit these issues to execute arbitrary commands with root privileges. Junos is the network operating system Juniper Networks ships on its hardware; it provides a secure programming interface and the Junos SDK
VAR-201401-0557 CVE-2014-1201 Multiple Lorex Edge product firmware INetViewX ActiveX control buffer overflow vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Buffer overflow in the INetViewX ActiveX control in the Lorex Edge LH310 and Edge+ LH320 series with firmware 7-35-28-1B26E, Edge2 LH330 series with firmware 11.17.38-33_1D97A, and Edge3 LH340 series with firmware 11.19.85_1FE3A allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in the HTTP_PORT parameter. Lorex Security DVR Edge Series is the Edge series of digital video recorder products from Lorex Technologies. A remote buffer overflow vulnerability exists in Lorex Security DVR Edge Series. Failed exploit attempts will result in a denial-of-service condition. The original disclosure message follows.

Hi, I have discovered a buffer overflow vulnerability that allows remote code execution in an ActiveX control bundled by a manufacturer of video surveillance systems. The company is Lorex Technologies, a major video surveillance manufacturer that is very popular in the US and East Asia. I have confirmed that all 16 are vulnerable at this point in time. The Lorex manual[1] instructs the user to blindly accept the ActiveX control install when prompted. The full list of devices, as well as links to the firmware download, can be found in [2]. Their products offer remote video viewing capabilities, and you can find some of them on Shodan[3]. The buffer overflow can be triggered by a really long string (10000+ characters) in the HTTP_PORT parameter. The instruction pointer can be very easily controlled in XP by the characters 109 to 113 in the string. Please refer to the PoC file lorex-testcase.html. You will see that the HTTP_PORT parameter is composed of D's, apart from chars 109 to 113 which are four A's. If you open this file in IE after installing the control, you will see that IE will crash with an EIP of 0x41414141. Changing the four A's to any other value will cause EIP to crash on that value.

The list below tells a better story about what is affected and how it can be controlled:
Win XP SP3 with IE6 - Fully exploitable as described
Win XP SP3 with IE8 - Could not get it to crash (????)
Win 7 x64 with IE10 fully patched - Fully exploitable, though not as easy as for XP (see analyze -v [4] and !exploitable [5] outputs)

To verify this vulnerability you can download and extract the firmware using binwalk (http://code.google.com/p/binwalk/). To do so, please follow the instructions in [6], and then install the ActiveX control in INetViewProj1_02030330.cab. I have contacted Lorex and they initially said they would fix it, but went radio silent shortly afterwards.

17.11.2013 - Initial contact via support page
18.11.2013 - Email to sales, no response.
21.11.2013 - Second email to sales, received response by sales saying they will forward it to technical support and get back to me.
04.12.2013 - Third email to sales saying that technical support never contacted me back. No response.
08.01.2013 - MITRE assigns CVE-2014-1201 to this issue.
09.01.2013 - Public disclosure.

All references can be found at: https://github.com/pedrib/PoC/lorexActivex/lorex-report.txt
Proof of concept: https://github.com/pedrib/PoC/lorexActivex/lorex-testcase.html

Regards, Pedro Ribeiro (pedrib@gmail.com) Agile Information Security
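Added example, not part of the report or of Lorex's code: Python helpers that reproduce the probing method the report describes (a long run of filler with a 4-byte marker whose position ends up in EIP) and generalise it with a cyclic pattern in which every 4-byte window is unique, so the offset follows from a single crash value instead of a manual guess. The 0-based marker position 108 is an assumed reading of the report's "characters 109 to 113"; nothing here loads or talks to the control.

```python
import struct

_UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
_LOWER = "abcdefghijklmnopqrstuvwxyz"
_DIGITS = "0123456789"
MAX_PATTERN = 26 * 26 * 10 * 3  # 20280 characters before the pattern would repeat


def build_testcase(length=10000, marker="AAAA", marker_pos=108, filler="D"):
    """The manual probe from the report: filler characters with a 4-byte marker at the
    position believed to overwrite the saved return address. marker_pos is 0-based;
    108 is an assumed reading of 'characters 109 to 113' as 1-based and inclusive."""
    if marker_pos + len(marker) > length:
        raise ValueError("marker does not fit in the string")
    s = filler * length
    return s[:marker_pos] + marker + s[marker_pos + len(marker):]


def cyclic_pattern(length):
    """'Aa0Aa1Aa2...' pattern in which every 4-byte window is unique, so the four
    bytes that land in EIP identify exactly one position in the input."""
    if length > MAX_PATTERN:
        raise ValueError("pattern length exceeds the unique range")
    out = []
    for u in _UPPER:
        for l in _LOWER:
            for d in _DIGITS:
                out.append(u + l + d)
                if 3 * len(out) >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def eip_at(pattern, pos):
    """The 32-bit little-endian value an x86 return would load from pattern[pos:pos+4]."""
    return struct.unpack("<I", pattern[pos:pos + 4].encode("latin-1"))[0]


def pattern_offset(pattern, eip):
    """Given the EIP observed at the crash, recover where in the input those bytes sat.
    Returns -1 when the value does not come from the pattern (e.g. a real code address)."""
    needle = struct.pack("<I", eip).decode("latin-1")
    return pattern.find(needle)
```

With the all-D test string, the crash value 0x41414141 maps back to position 108 because "AAAA" appears there only once; with the cyclic pattern the same lookup works for any position, which is what makes the second probe cheaper than iterating marker positions by hand.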
VAR-201401-0501 CVE-2014-1405 Conceptronic C54APM Access point open redirect vulnerability CVSS V2: 5.8
CVSS V3: -
Severity: MEDIUM
Multiple open redirect vulnerabilities on the Conceptronic C54APM access point with runtime code 1.26 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via (1) the submit-url parameter in a Refresh action to goform/formWlSiteSurvey or (2) the wlan-url parameter to goform/formWlanSetup. The Conceptronic C54APM is a wireless AP device. A remote attacker can supply the 'submit-url' parameter in the Refresh action to the goform/formWlSiteSurvey page, or the 'wlan-url' parameter to the goform/formWlanSetup page, to redirect the user to any web site and then mount a phishing attack. Conceptronic C54APM 2.0 is prone to multiple open-redirection vulnerabilities because the application fails to properly sanitize user-supplied input. An attacker can leverage these issues by constructing a crafted URI and enticing a user to follow it; the victim is then redirected to an attacker-controlled site, which may aid in phishing attacks. Other attacks are possible. Conceptronic C54APM 2.0 running firmware 1.26 is vulnerable. Conceptronic C54APM is a wireless access device produced by Conceptronic
VAR-201401-0502 CVE-2014-1406 Conceptronic C54APM access point goform/formWlSiteSurvey CRLF injection vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
CRLF injection vulnerability in goform/formWlSiteSurvey on the Conceptronic C54APM access point with runtime code 1.26 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the submit-url parameter in a Refresh action. The Conceptronic C54APM is a wireless AP device and has an HTTP response splitting vulnerability: the goform/formWlSiteSurvey page fails to strip carriage-return and line-feed characters from the 'submit-url' parameter in the Refresh action before placing it in a response header. Attackers can leverage this issue to influence or misrepresent how web content is served, cached, or interpreted, which could aid in various attacks that try to entice client users into having a false sense of trust. Conceptronic C54APM 2.0 running firmware 1.26 is vulnerable. Conceptronic C54APM is a wireless access device produced by Conceptronic
VAR-201401-0503 CVE-2014-1407 Conceptronic C54APM Cross-Site Scripting Vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities on the Conceptronic C54APM access point with runtime code 1.26 allow remote attackers to inject arbitrary web script or HTML via (1) the submit-url parameter in a Refresh action to goform/formWlSiteSurvey or (2) the wlan-url parameter to goform/formWlanSetup. The Conceptronic C54APM is a wireless AP device. The goform/formWlSiteSurvey page fails to properly filter the 'submit-url' parameter in the Refresh action, and the goform/formWlanSetup script fails to properly filter the 'wlan-url' parameter, so attacker-supplied script or HTML is reflected into the page. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, which may let the attacker steal cookie-based authentication credentials and launch other attacks. Conceptronic C54APM 2.0 running firmware 1.26 is vulnerable; other versions may be affected. Conceptronic C54APM is a wireless access device produced by Conceptronic
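Added example covering the three C54APM entries above (CVE-2014-1405 open redirect, CVE-2014-1406 CRLF injection, CVE-2014-1407 XSS), all of which stem from the same unvalidated submit-url and wlan-url values; it is not code from the page or from Conceptronic. In Python: the header construction the advisories describe, where the raw parameter reaches a Refresh header, beside a validator that accepts only same-origin paths (rejecting absolute, scheme-relative and javascript: URLs and any CR/LF) and a response that HTML-escapes the target before reflecting it. The default page name is hypothetical.

```python
import html
from urllib.parse import urlsplit

DEFAULT_TARGET = "/home.asp"   # fallback page after a rejected value; hypothetical name


def vulnerable_refresh_header(submit_url):
    """As the advisories describe it: the parameter is copied straight into a
    header, so CR/LF inside it starts new header lines (response splitting)."""
    return f"Refresh: 0; URL={submit_url}\r\n"


def safe_local_target(value, default=DEFAULT_TARGET):
    """Accept only an absolute path on this origin; anything else yields the default."""
    if not value:
        return default
    if any(ch in value for ch in "\r\n\x00\t"):
        return default                       # header injection / response splitting
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return default                       # http://evil.example, //evil.example, javascript:
    if not value.startswith("/") or value[1:2] in ("/", "\\"):
        return default                       # scheme-relative forms some browsers accept
    return value


def refresh_response(submit_url):
    """Hardened: validated target in the header, HTML-escaped target in the body."""
    target = safe_local_target(submit_url)
    header = f"Refresh: 0; URL={target}\r\n"
    escaped = html.escape(target, quote=True)
    body = (
        f'<meta http-equiv="refresh" content="0; url={escaped}">'
        f'<p>Redirecting to <a href="{escaped}">the page</a>.</p>'
    )
    return header, body
```

The CR/LF test runs before urlsplit on purpose: recent Python versions strip some control characters during URL parsing, so a check made on the parsed result could miss the bytes that matter for the header.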
VAR-201401-0504 CVE-2014-1408 Conceptronic C54APM access point default password vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The Conceptronic C54APM access point with runtime code 1.26 has a default password of admin for the admin account, which makes it easier for remote attackers to obtain access via an HTTP request, as demonstrated by stored XSS attacks. The Conceptronic C54APM is a wireless AP device. Because the management account ships with a well-known default password, an attacker who can reach the web interface of a device whose default was never changed gains administrative access and can then, for example, mount stored XSS attacks through the interface. Conceptronic C54APM 2.0 running firmware 1.26 is prone to this insecure-default-password (credential management) vulnerability. Conceptronic C54APM is a wireless access device produced by Conceptronic
VAR-201401-0167 CVE-2013-6974 Cisco Secure Access Control System web interface cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the web interface in Cisco Secure Access Control System (ACS) allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCud89431. Cisco Secure ACS is a central management platform for Cisco network devices that controls device authentication and authorization; it controls network access and network device administration through the RADIUS and TACACS+ protocols. The vulnerability results from insufficient validation of a parameter; an attacker exploits it by enticing a user to open a malicious link and may thereby execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is tracked by Cisco Bug ID CSCud89431