VARIoT IoT vulnerabilities database
| VAR-201003-0228 | CVE-2010-0523 | Apple Mac OS X of Wiki Vulnerability in server where important information is obtained |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Wiki Server in Apple Mac OS X 10.5.8 does not restrict the file types of uploaded files, which allows remote attackers to obtain sensitive information or possibly have unspecified other impact via a crafted file, as demonstrated by a Java applet. Apple Mac OS X Wiki Server is prone to a security-bypass vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to upload active content to the application; this may let the attacker access sensitive information or launch other attacks.
This issue affects Mac OS X Server 10.5.8 and prior.
NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. Remote attackers can trick Wiki Server users into viewing sensitive information by uploading malicious applets.
| VAR-201003-0227 | CVE-2010-0522 | Apple Mac OS X Vulnerabilities related to processing of administrator privileges in server management |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
Server Admin in Apple Mac OS X Server 10.5.8 does not properly determine the privileges of users who had former membership in the admin group, which allows remote authenticated users to leverage this former membership to obtain a server connection via screen sharing. Apple Mac OS X is prone to a security-bypass vulnerability that occurs in the Server Admin component.
A remote attacker with former administrator privileges may exploit this issue to gain unauthorized access to the vulnerable computer.
NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it.
| VAR-201003-0218 | CVE-2010-0513 | Apple Mac OS X of PS Normalizer Vulnerable to stack-based buffer overflow |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Stack-based buffer overflow in PS Normalizer in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PostScript document.
An attacker can exploit this issue by enticing a user into opening a specially crafted PostScript file.
A successful exploit will allow attackers to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will result in a denial-of-service condition.
NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. Mac OS X is the operating system used by the Apple family of machines.
| VAR-201003-0208 | CVE-2010-0528 | Windows Run on Apple QuickTime Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Apple QuickTime before 7.6.6 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted color tables in a movie file, related to malformed MediaVideo data, a sample description atom (STSD), and a crafted length value. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists during the parsing of malformed MediaVideo data from a sample description atom (STSD). The application will read a length from the file, subtract 1 and then use it as a counter for a loop. Certain values may cause memory corruption and can result in code execution under the context of the current user.
These issues arise when the application handles specially crafted H.264, MPEG-4, and FlashPix video files. Successful exploits may allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts will cause denial-of-service conditions.
Versions prior to QuickTime 7.6.6 are vulnerable on Windows 7, Vista, XP, and Mac OS X platforms. Apple QuickTime is a media player software from APPLE, a popular multimedia player that supports multiple media formats.
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:
http://support.apple.com/kb/HT4104
-- Disclosure Timeline:
2009-08-20 - Vulnerability reported to vendor
2010-04-02 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201003-0209 | CVE-2010-0529 | Windows Run on Apple QuickTime of QuickTime.qts Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in QuickTime.qts in Apple QuickTime before 7.6.6 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PICT image with a BkPixPat opcode (0x12) containing crafted values that are used in a calculation for memory allocation. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the primary QuickTime.qts library when parsing the BkPixPat opcode (0x12) within a PICT file. The application will use 2 fields within the file in a multiply which is then passed as an argument to an allocation. As both operands in the multiply are user-controllable, specific values can cause an under allocation which will later result in a heap overflow. Successful exploitation can lead to code execution under the context of the current user. Apple QuickTime is prone to a heap-based buffer-overflow vulnerability because it fails to sufficiently validate user-supplied data when parsing PICT images.
These issues arise when the application handles specially crafted H.264, MPEG-4, and FlashPix video files.
Versions prior to QuickTime 7.6.6 are vulnerable on Windows 7, Vista, XP, and Mac OS X platforms. Apple QuickTime is a multimedia playback software developed by Apple (Apple). The software is capable of handling multiple sources such as digital video, media segments, and more.
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:
http://support.apple.com/kb/HT4104
-- Disclosure Timeline:
2009-11-06 - Vulnerability reported to vendor
2010-04-06 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Damian Put
| VAR-201003-0203 | CVE-2010-0536 | Windows Run on Apple QuickTime Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Apple QuickTime before 7.6.6 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted BMP image. Apple QuickTime is prone to a memory-corruption vulnerability because it fails to sufficiently validate user-supplied data when viewing BMP images.
These issues arise when the application handles specially crafted H.264, MPEG-4, and FlashPix video files. Successful exploits may allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts will cause denial-of-service conditions.
Versions prior to QuickTime 7.6.6 are vulnerable on Windows 7, Vista, XP, and Mac OS X platforms. Apple QuickTime is a very popular multimedia player.
| VAR-201003-0140 | CVE-2010-0060 | Apple Mac OS X of CoreAudio Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
CoreAudio in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted audio content with QDMC encoding. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists in the QuickTimeAudioSupport.qtx library when parsing malformed QDMC and QDM2 codec atoms. By modifying specific values within the stream an attacker can cause heap corruption which can lead to arbitrary code execution under the context of the currently logged in user. Apple QuickTime is prone to a memory-corruption vulnerability when decoding QDMC and QDMC2 encoded atoms. Failed exploit attempts will likely result in a denial-of-service condition.
NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. Mac OS X is the operating system used by the Apple family of machines. A buffer overflow vulnerability exists in CoreAudio for Apple Mac OS.
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:
http://support.apple.com/kb/HT4077
-- Disclosure Timeline:
2009-09-22 - Vulnerability reported to vendor
2010-04-02 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
| VAR-201003-0141 | CVE-2010-0062 | Apple Mac OS X of CoreMedia and QuickTime Heap-based buffer overflow vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in quicktime.qts in CoreMedia and QuickTime in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a malformed .3g2 movie file with H.263 encoding that triggers an incorrect buffer length calculation. The code within QuickTime trusts various values from MDAT structures and uses them during operations on heap memory. By crafting specific values the corruption can be leveraged to execute remote code under the context of the user running the application. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within quicktime.qts when parsing sample data from a malformed .3g2 file that is utilizing the h.263 codec. While parsing data to render the video stream, the application will miscalculate the length of a buffer. Later when decompressing data to the heap chunk, the application will overflow the under allocated buffer leading to code execution under the context of the currently logged in user. Failed exploit attempts will likely result in a denial-of-service condition.
NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. Mac OS X is the operating system used by the Apple family of machines.
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:
http://support.apple.com/kb/HT4077
-- Disclosure Timeline:
2009-08-10 - Vulnerability reported to vendor
2010-04-02 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Damian Put
* Anonymous
| VAR-201005-0432 | No CVE | Multiple 3com H3C Device SSH Service Program Denial of Service Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Multiple 3Com H3C switches have security issues, and remote attackers can exploit vulnerabilities to perform denial of service attacks on their SSH servers. An unspecified error exists in the built-in SSH server. The attacker sends a specially constructed SSH message to restart the device. Multiple 3Com H3C devices are prone to a remote denial-of-service vulnerability.
Successfully exploiting this issue allows remote attackers to cause the affected device to restart, denying service to legitimate users.
This issue affects the H3C S3100, Switch 4500, and Switch 4200G series of products.
The vulnerability is caused due to an unspecified error and can be
exploited to cause an affected device to reboot by sending specially
crafted SSH packets to it.
Successful exploitation requires that the device is configured as SSH
server.
SOLUTION:
Update to the latest versions.
H3C S3100-52P:
Update to Comware 3.10 Release 1702P13.
3Com Switch 4500:
Update to version 3.03.02p09
3Com Switch 4200:
Update to version 3.2.4.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
3Com H3C (LSOD09619):
http://support.3com.com/documents/H3C/switches/3100/H3C_S3100-52P_CMW3.10.R1702P13_Release_Notes.pdf
http://support.3com.com/documents/switches/4500/Switch_4500_V3.03.02p09_Release_Notes.pdf
3Com H3C (LSOD09646)
http://support.3com.com/documents/switches/4200G/Switch_4200G_V3.02.04_Release_Notes.pdf
| VAR-201003-0493 | CVE-2010-1184 | Microsoft A vulnerability that allows arbitrary commands to be inserted into a wireless keyboard |
CVSS V2: 7.6 CVSS V3: - Severity: HIGH |
The Microsoft wireless keyboard uses XOR encryption with a key derived from the MAC address, which makes it easier for remote attackers to obtain keystroke information and inject arbitrary commands via a nearby wireless device, as demonstrated by Keykeriki 2. There is a vulnerability in the encryption algorithm of the Microsoft wireless keyboard.
| VAR-201003-0214 | CVE-2010-0509 | Apple Mac OS X of SFLServer Elevation of privilege vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
SFLServer in OS Services in Apple Mac OS X before 10.6.3 allows local users to gain privileges via vectors related to use of wheel group membership during access to the home directories of user accounts. Apple Mac OS X is prone to a local privilege-escalation vulnerability affecting the 'SFLServer' application.
Successful exploits can allow attackers to execute arbitrary code with system-level privileges, resulting in the complete compromise of the affected computer.
The following are vulnerable:
Mac OS X 10.5.8
Mac OS X Server 10.5.8
Mac OS X 10.6 through 10.6.2
Mac OS X Server 10.6 through 10.6.2
NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it.
| VAR-201003-0490 | CVE-2010-1181 | Apple iPhone OS of Safari Service disruption in (DoS) Vulnerabilities |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Safari on Apple iPhone OS 3.1.3 for iPod touch allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long string in a MARQUEE element. iPod Touch is prone to a denial-of-service vulnerability. Apple iPhone is the latest smartphone from Apple.
| VAR-201003-0487 | CVE-2010-1178 | Apple iPhone OS of Safari Service disruption in (DoS) Vulnerabilities |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Safari on Apple iPhone OS 3.1.3 for iPod touch allows remote attackers to cause a denial of service (application crash) via a JavaScript loop that attempts to construct an infinitely long string. Apple iPhone is the latest smartphone from Apple.
| VAR-201003-0243 | CVE-2010-0508 | Apple Mac OS X of Mail Vulnerability in |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Mail in Apple Mac OS X before 10.6.3 does not disable the filter rules associated with a deleted mail account, which has unspecified impact and attack vectors.
An attacker can exploit this issue to perform unauthorized actions.
NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. Mac OS X is the operating system used by the Apple family of machines. When deleting an email account, the user-defined filtering rules associated with the account are still in effect, which may lead to unexpected operations.
| VAR-201003-0242 | CVE-2010-0507 | Apple Mac OS X Image of RAW Vulnerable to buffer overflow |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Buffer overflow in Image RAW in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PEF image.
Successful exploits may allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts will cause denial-of-service conditions.
The following are vulnerable:
Mac OS X 10.5.8
Mac OS X Server 10.5.8
Mac OS X 10.6 prior to 10.6.3
Mac OS X Server 10.6 prior to 10.6.3
NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. Viewing a specially crafted PEF graph may lead to an unexpected application termination or arbitrary code execution.
| VAR-201003-0241 | CVE-2010-0506 | Apple Mac OS X Image of RAW Vulnerable to buffer overflow |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Buffer overflow in Image RAW in Apple Mac OS X 10.5.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted NEF image.
Successful exploits may allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts will cause denial-of-service conditions.
The following are vulnerable:
Mac OS X 10.5.8
Mac OS X Server 10.5.8
NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. Viewing a specially crafted NEF graphic may lead to an unexpected application termination or arbitrary code execution.
| VAR-201003-0240 | CVE-2010-0505 | Apple Mac OS X of ImageIO Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Heap-based buffer overflow in ImageIO in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JP2 (JPEG2000) image, related to incorrect calculation and the CGImageReadGetBytesAtOffset function. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the Apple ImageIO framework during the parsing of malformed JPEG2000 files. The function CGImageReadGetBytesAtOffset can utilize miscalculated values during a memmove operation that will result in an exploitable heap corruption allowing attackers to execute arbitrary code under the context of the current user.
The following are vulnerable:
Mac OS X 10.5.8
Mac OS X Server 10.5.8
Mac OS X 10.6 prior to 10.6.3
Mac OS X Server 10.6 prior to 10.6.3
NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it.
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:
http://support.apple.com/kb/HT4077
-- Disclosure Timeline:
2010-02-02 - Vulnerability reported to vendor
2010-04-05 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* 85319bb6e6ab398b334509c50afce5259d42756e
| VAR-201003-0239 | CVE-2010-0504 | Apple Mac OS X of iChat Server stack-based buffer overflow vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Multiple stack-based buffer overflows in iChat Server in Apple Mac OS X Server before 10.6.3 allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors.
Successful exploits may allow attackers to execute arbitrary code within the context of the application. Failed exploit attempts will likely result in a denial-of-service condition.
The following are vulnerable:
Mac OS X Server 10.5.8
Mac OS X Server 10.6 prior to 10.6.3
NOTE: These issues were previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but have been assigned their own record to better document them.
| VAR-201003-0238 | CVE-2010-0503 | Apple Mac OS X of iChat Vulnerability in arbitrary code execution on server |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
Use-after-free vulnerability in iChat Server in Apple Mac OS X Server 10.5.8 allows remote authenticated users to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors.
Successful exploits may allow attackers to execute arbitrary code within the context of the application. Failed exploit attempts will likely result in a denial-of-service condition.
NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it.
| VAR-201003-0237 | CVE-2010-0502 | Apple Mac OS X of iChat Vulnerabilities that can bypass message auditing on the server |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
iChat Server in Apple Mac OS X Server before 10.6.3, when group chat is used, does not perform logging for all types of messages, which might allow remote attackers to avoid message auditing via an unspecified selection of message type.
Remote attackers can exploit this issue to send messages which are not logged. This may aid in further attacks.
The following are vulnerable:
Mac OS X Server 10.5.8
Mac OS X Server 10.6 prior to 10.6.3
NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it.