VARIoT IoT vulnerabilities database


VAR-200311-0055 CVE-2003-0883 Mac OS X Vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
The System Preferences capability in Mac OS X before 10.3 allows local users to access secure Preference Panes for a short period after an administrator has authenticated to the system. During that window a non-administrator at the same machine can open panes that should require administrator authentication; the issue is local only.
VAR-200311-0054 CVE-2003-0882 Mac OS X Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Mac OS X before 10.3 initializes the TCP timestamp with a constant number, which allows remote attackers to determine the system's uptime via the ID field in a TCP packet. Because the timestamp clock starts from a constant at boot rather than a random offset, the TSval carried in any packet from the host, divided by the clock's tick rate, gives the time since boot.
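The uptime derivation above, as an added example (not code from VARIoT or Apple): it parses the TCP timestamp option out of a constructed options field and converts TSval to seconds under the assumption that the clock started at a known constant. The tick rate is an input; the page does not state the rate Mac OS X used, and 100 Hz here is an assumed default, not a documented value.

```python
import struct

TCP_OPT_EOL = 0
TCP_OPT_NOP = 1
TCP_OPT_TIMESTAMP = 8  # RFC 1323/7323 timestamp option: kind 8, length 10


def parse_tcp_options(options: bytes) -> dict:
    """Parse the TCP options field (TLV layout) into {kind: value bytes}."""
    opts = {}
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:  # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        opts[kind] = options[i + 2:i + length]
        i += length
    return opts


def tcp_timestamp(options: bytes):
    """Return (TSval, TSecr) from the options field, or None if absent."""
    raw = parse_tcp_options(options).get(TCP_OPT_TIMESTAMP)
    if raw is None or len(raw) != 8:
        return None
    return struct.unpack("!II", raw)


def estimate_uptime_seconds(tsval: int, hz: int = 100, initial: int = 0) -> float:
    """Uptime estimate when the peer's timestamp clock started at `initial`
    (0 for a constant-initialised clock). Handles 32-bit wraparound.
    `hz` is the assumed tick rate of the peer's timestamp clock."""
    return ((tsval - initial) & 0xFFFFFFFF) / hz


def build_options(tsval: int, tsecr: int) -> bytes:
    """Constructed options field: NOP NOP + timestamp, the usual SYN/ACK layout."""
    return b"\x01\x01" + struct.pack("!BBII", TCP_OPT_TIMESTAMP, 10, tsval, tsecr)


# constructed sample packet options: 8,640,000 ticks at 100 Hz = 86,400 s (one day)
SAMPLE_OPTIONS = build_options(8_640_000, 0)

if __name__ == "__main__":
    ts = tcp_timestamp(SAMPLE_OPTIONS)
    print("TSval/TSecr:", ts)
    print("estimated uptime (s):", estimate_uptime_seconds(ts[0], hz=100))
```

On a host that randomises the initial timestamp (as later systems do), the same arithmetic yields a meaningless value; the disclosure exists only because the starting point is constant.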
VAR-200311-0053 CVE-2003-0881 Mac OS X Mail plaintext authentication fallback vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Mail in Mac OS X before 10.3, when configured to use MD5 Challenge Response, falls back to plaintext authentication if the CRAM-MD5 hashed login fails, so a remote attacker sniffing the connection can capture the password and gain access to the account. Affects Mail in versions prior to Mac OS X 10.3.
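The fallback behaviour described above, as an added example (not Apple's Mail code): a constructed stand-in server records everything the client sends, so the two client policies can be compared by what a sniffer would see. The server class, challenge string and LOGIN wire format are assumptions for the demonstration; only the CRAM-MD5 response computation follows RFC 2195.

```python
import base64
import hashlib
import hmac


def cram_md5_response(username: str, password: str, challenge: bytes) -> bytes:
    """RFC 2195 response: base64("<user> <hex HMAC-MD5(password, challenge)>")."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode())


class FakeMailServer:
    """Constructed stand-in for a mail server (assumption, not a real protocol
    implementation). `wire` holds every client message, i.e. what a sniffer sees.
    `cram_ok=False` simulates a server that rejects the CRAM-MD5 exchange."""

    def __init__(self, user: str, password: str, cram_ok: bool = True):
        self.user, self.password, self.cram_ok = user, password, cram_ok
        self.challenge = b"<1896.697170952@mail.example.invalid>"  # assumed challenge
        self.wire = []

    def auth_cram_md5(self, response: bytes) -> bool:
        self.wire.append(b"AUTH CRAM-MD5 " + response)
        expected = cram_md5_response(self.user, self.password, self.challenge)
        return self.cram_ok and hmac.compare_digest(response, expected)

    def auth_login(self, username: str, password: str) -> bool:
        # plaintext credentials on the wire, as with IMAP LOGIN / POP USER+PASS
        self.wire.append(b"LOGIN " + username.encode() + b" " + password.encode())
        return username == self.user and password == self.password


def login_with_fallback(server, user: str, password: str) -> bool:
    """Behaviour the advisory describes: if CRAM-MD5 fails, retry in plaintext."""
    if server.auth_cram_md5(cram_md5_response(user, password, server.challenge)):
        return True
    return server.auth_login(user, password)


def login_strict(server, user: str, password: str) -> bool:
    """Hardened client: CRAM-MD5 or nothing; the password never leaves the host."""
    return server.auth_cram_md5(cram_md5_response(user, password, server.challenge))


def password_on_wire(server, password: str) -> bool:
    """What a passive attacker checks: did the raw password appear in any message?"""
    return any(password.encode() in line for line in server.wire)


if __name__ == "__main__":
    s = FakeMailServer("alice", "s3cret", cram_ok=False)
    print("fallback client logged in:", login_with_fallback(s, "alice", "s3cret"))
    print("password visible to sniffer:", password_on_wire(s, "s3cret"))
```

The fix is a policy, not a protocol change: a failed challenge-response attempt must be reported to the user, never silently downgraded.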
VAR-200311-0052 CVE-2003-0880 Mac OS X Vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Unknown vulnerability in Mac OS X before 10.3 allows local users to access Dock functions from behind Screen Effects when Full Keyboard Access is enabled using the Keyboard pane in System Preferences. No further details were published; the issue affects Mac OS X prior to 10.3.
VAR-200311-0050 CVE-2003-0878 Mac OS X slpd daemon Vulnerability CVSS V2: 2.1
CVSS V3: -
Severity: LOW
slpd daemon in Mac OS X before 10.3 allows local users to overwrite arbitrary files via a symlink attack on a temporary file, a different vulnerability than CVE-2003-0875. The slpd daemon in Mac OS X prior to 10.3 is vulnerable
VAR-200403-0085 CVE-2003-1011 MacOS X local root User privilege escalation vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Apple Mac OS X 10.0 through 10.2.8 allows local users with a USB keyboard to gain unauthorized access by holding down the CTRL and C keys when the system is booting, which crashes the init process and leaves the user in a root shell. The attack requires physical access to a system with a USB keyboard; holding the key sequence for an unspecified length during boot is reported to crash init and drop the user into a shell with root privileges. Mac OS X is Apple's BSD-derived operating system.
VAR-200311-0057 CVE-2003-0895 MacOS X Extra long Argv Value Kernel Buffer Overflow Vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Buffer overflow in the Mac OS X kernel 10.2.8 and earlier allows local users, and possibly remote attackers, to cause a denial of service (crash), access portions of memory, and possibly execute arbitrary code via a long command line argument (argv[]). The overrun occurs when the kernel handles very long argv values passed on the command line; the precise cause is unknown but is likely insufficient bounds checking of user-supplied data. It has been confirmed that the condition crashes the kernel: by passing extremely long command-line arguments, a local attacker triggers an immediate kernel panic that locks the system, writes no log entry or panic message, and is followed by an automatic restart after a few minutes. Only total argument lengths within a narrow range trigger the condition. The bug can also be used to read back a small amount of kernel memory, but according to @stake's investigation only memory addresses are returned, which generally do not contain sensitive information.
VAR-200311-0044 CVE-2003-0871 Apple Mac OS X 10.3 unknown Apple Quicktime Java Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Unknown vulnerability in QuickTime Java in Mac OS X v10.3 and Mac OS X Server 10.3 allows attackers to gain "unauthorized access to a system". No further details are available.
VAR-200311-0048 CVE-2003-0876 Apple Mac OS X Unsafe file permissions vulnerability CVSS V2: 2.1
CVSS V3: -
Severity: LOW
Finder in Mac OS X 10.2.8 and earlier sets global read/write/execute permissions on directories when they are dragged (copied) from a mounted volume such as a disk image (DMG), which could cause the directories to have less restrictive permissions than intended. The same happens when a folder is dragged into a mounted DMG. The reset affects only directories, not the files inside them. There are multiple places in Mac OS X where files are installed or created with insecure or inappropriate permissions; a local attacker could modify sensitive files or replace binaries that are later executed by another user. Because the affected directories contain applications, an attacker can replace an application with a Trojan horse that yields privilege escalation when a more privileged user runs it. Cumulatively these issues may allow denial of service, arbitrary code execution, privilege escalation and unauthorized access.
World-writable items include:
- application and supporting executables
- directories
- shared objects
- configuration files
- HTML and JavaScript
They are found mostly under:
- /Applications
- /Library/Application Support
- /Library/StartupItems
VAR-200311-0049 CVE-2003-0877 Apple Mac OS X Core File Symbolic Link Vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Mac OS X before 10.3 with core files enabled allows local users to overwrite arbitrary files and read core files via a symlink attack on core files that are created with predictable names in the /cores directory. Core files are named core.PID, owned by root with mode 0400. Because /cores is world-writable by default and the name is predictable, a local attacker can create a symbolic link at the expected name pointing at an important root-owned file; when an application dumps core, that file is overwritten, which may lead to privilege escalation or denial of service. Apple Mac OS X 10.3 (Panther) has been released to address this and other new and previously known vulnerabilities, which may cumulatively allow denial of service, arbitrary code execution, privilege escalation and unauthorized access.
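The two permission issues above (world-writable application directories from CVE-2003-0876 and the predictable /cores symlink target from CVE-2003-0877) share one check and one fix, so this added example (not Apple code) covers both: an audit that lists world-writable directories and whether they carry the sticky bit, and a file-creation routine that refuses to follow a planted symlink, shown next to the naive open() that the attack relies on. The directory tree is constructed in a temporary directory as a stand-in for / and is an assumption of the example.

```python
import os
import stat
import tempfile


def audit_world_writable(root: str) -> list:
    """List (relative path, sticky bit set) for every directory under root that
    any user can write to. Without the sticky bit, any local user may rename or
    replace entries in the directory, e.g. swap an application for a Trojan."""
    found = []
    for dirpath, _dirs, _files in os.walk(root):
        mode = os.lstat(dirpath).st_mode
        if mode & stat.S_IWOTH:
            found.append((os.path.relpath(dirpath, root), bool(mode & stat.S_ISVTX)))
    return sorted(found)


def write_core_naively(path: str, data: bytes) -> None:
    """The unsafe pattern: open() follows a symlink planted at a predictable
    name, so the data lands in whatever file the link points to."""
    with open(path, "wb") as f:
        f.write(data)


def write_core_safely(path: str, data: bytes) -> bool:
    """Create the file only if nothing (regular file or symlink) already exists
    at path. O_EXCL makes open() fail with EEXIST on an existing entry, including
    a dangling symlink; O_NOFOLLOW, where available, is a second guard.
    Returns False if the write was refused."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o400)
    except FileExistsError:
        return False
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return True


def read_file(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()


def build_demo_tree():
    """Constructed sample tree (assumption: stands in for / on an affected host).
    Returns (root, planted symlink path, the root-owned file it points at)."""
    root = tempfile.mkdtemp(prefix="cores-demo-")
    os.chmod(root, 0o755)
    for name, mode in (("Applications", 0o777), ("cores", 0o1777), ("private", 0o755)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)
    target = os.path.join(root, "private", "passwd")  # the file an attacker would aim at
    with open(target, "wb") as f:
        f.write(b"root:x:0:0\n")
    link = os.path.join(root, "cores", "core.1234")  # predictable core.PID name
    os.symlink(target, link)
    return root, link, target


if __name__ == "__main__":
    root, link, target = build_demo_tree()
    print("world-writable dirs (path, sticky):", audit_world_writable(root))
    print("safe writer refused the symlink:", not write_core_safely(link, b"dump"))
    write_core_naively(link, b"clobbered\n")
    print("naive writer overwrote target:", read_file(target))
```

On a real system the audit would be run against /Applications, /Library/Application Support and /Library/StartupItems, and the sticky bit on /cores would be checked the same way; the O_EXCL pattern is what a core-dumping component (or any daemon writing into a shared directory) should use.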
VAR-200310-0017 CVE-2003-1150 Novell PMAP.NLM Remote buffer overflow vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in the portmapper service (PMAP.NLM) in Novell NetWare 6 SP3 and ZenWorks for Desktops 3.2 SP2 through 4.0.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via unknown attack vectors. Novell has reported that the PMAP.NLM component of NetWare/ZenWorks is prone to a buffer overrun vulnerability
VAR-200312-0259 CVE-2003-0948 IWConfig Local ARG Command Line Buffer Overflow Vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Buffer overflow in iwconfig allows local users to execute arbitrary code via a long HOME environment variable. The overflowing string comes from the HOME environment variable, which the local user controls entirely, rather than from a command-line argument. Where iwconfig is installed with elevated privileges (for example setuid root), a local attacker may be able to gain those privileges.
VAR-200312-0293 CVE-2003-1515 Origo ADSL Router Remote Management Interface Configuration Vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Origo ASR-8100 ADSL Router 3.21 has an administration service running on port 254 that does not require a password, which allows remote attackers to cause a denial of service by restoring the factory defaults. The router exposes a telnet-based configuration interface on its WAN side, listening on port 254 with no password authentication, so a remote user can gain administrative access to the device and, among other things, reset it to factory defaults.
VAR-200310-0032 CVE-2003-0731 CiscoWorks Common Management Foundation (CMF) Vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
CiscoWorks Common Management Foundation (CMF) 2.1 and earlier allows the guest user to gain administrative privileges via a certain POST request to com.cisco.nm.cmf.servlet.CsAuthServlet, possibly involving the "cmd" parameter with a modifyUser value and a modified "priviledges" parameter. Vulnerabilities exist in CiscoWorks Common Management Foundation (CMF) 2.1 and earlier versions
VAR-200310-0033 CVE-2003-0732 CiscoWorks Common Management Foundation (CMF) privilege escalation vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
CiscoWorks Common Management Foundation (CMF) 2.1 and earlier allows the guest user to obtain restricted information and possibly gain administrative privileges by changing the "guest" user to the Admin user on the Modify or delete users pages. Vulnerabilities exist in CiscoWorks Common Management Foundation (CMF) 2.1 and earlier versions
VAR-200312-0453 CVE-2003-1504 GoldLink Cookie SQL Injection Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
SQL injection vulnerability in variables.php in Goldlink 3.0 allows remote attackers to execute arbitrary SQL commands via the (1) vadmin_login or (2) vadmin_pass cookie in a request to goldlink.php. The cookie values are not validated before being used in SQL queries, so an attacker can manipulate the queries, potentially resulting in information disclosure, compromise of the application or other consequences.
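The cookie-driven injection pattern above, as an added example (not GoldLink's PHP): the admin table, column names and cookie parser are assumptions for the demonstration, and SQLite stands in for the real database. The vulnerable check splices the two cookie values into the query string; the fixed check binds them as parameters, so the same payloads no longer change the query.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the application's admin table (assumed schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE vadmin (login TEXT, pass TEXT)")
    con.execute("INSERT INTO vadmin VALUES ('admin', 'hunter2')")
    return con


def parse_cookie_header(header: str) -> dict:
    """Minimal Cookie: header parser that keeps raw values, as a naive script would."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def is_admin_vulnerable(con, cookies: dict) -> bool:
    """Cookie values spliced straight into SQL: the pattern behind the advisory."""
    login = cookies.get("vadmin_login", "")
    pw = cookies.get("vadmin_pass", "")
    sql = f"SELECT COUNT(*) FROM vadmin WHERE login='{login}' AND pass='{pw}'"
    return con.execute(sql).fetchone()[0] > 0


def is_admin_fixed(con, cookies: dict) -> bool:
    """Same check with bound parameters: cookie content is data, never SQL."""
    sql = "SELECT COUNT(*) FROM vadmin WHERE login=? AND pass=?"
    args = (cookies.get("vadmin_login", ""), cookies.get("vadmin_pass", ""))
    return con.execute(sql, args).fetchone()[0] > 0


# constructed request cookies: one genuine, two injection payloads
GOOD = "vadmin_login=admin; vadmin_pass=hunter2"
TAUTOLOGY = "vadmin_login=admin; vadmin_pass=x' OR '1'='1"   # ... AND pass='x' OR '1'='1'
COMMENT = "vadmin_login=admin'-- ; vadmin_pass=anything"     # login='admin'-- (rest ignored)

if __name__ == "__main__":
    con = make_db()
    for label, header in (("good", GOOD), ("tautology", TAUTOLOGY), ("comment", COMMENT)):
        c = parse_cookie_header(header)
        print(f"{label:9s} vulnerable={is_admin_vulnerable(con, c)} fixed={is_admin_fixed(con, c)}")
```

A parameterised query is the fix; escaping the quote characters would block these two payloads but leaves the code one encoding mistake away from the same bug.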
VAR-200312-0304 CVE-2003-1526 PHP-Nuke Search field path leak vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
PHP-Nuke 7.0 allows remote attackers to obtain the installation path via certain characters such as (1) ", (2) ', or (3) > in the search field, which reveals the path in an error message. PHP-Nuke is a popular website creation and management tool that can use many database backends, such as MySQL, PostgreSQL, mSQL, Interbase and Sybase. It does not properly handle invalid search input, and the resulting error output discloses filesystem path information that an attacker can use to plan further attacks on the system. This issue may be related to a number of previously reported vulnerabilities in PHP-Nuke.
VAR-200312-0446 CVE-2003-1497 Linksys BEFSX41 EtherFast Router Log View Remote Denial of Service Vulnerability CVSS V2: 6.3
CVSS V3: -
Severity: MEDIUM
Buffer overflow in the system log viewer of Linksys BEFSX41 1.44.3 allows remote attackers to cause a denial of service via an HTTP request with a long Log_Page_Num variable. The BEFSX41 is a broadband router with a web-based management interface, reachable by default at http://192.168.1.1 and driven by GET requests. The log viewer does not check the length of the "Log_Page_Num" parameter; sending a long string in it crashes the router and leaves it unresponsive. Exploitation requires a logged-in administrative user to submit the malformed request, but an administrator could be tricked into visiting a crafted URI that contains the router's IP address and the malformed parameter.
VAR-200310-0093 No CVE Conexant AccessRunner DSL Console Access Verification Bypass Vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The Conexant AccessRunner DSL is a broadband router. Its console authentication can be bypassed: when connecting to the router console port, entering any key returns a "please try again" message, after which simply pressing Enter gives access to the system maintenance menu with administrator privileges. A remote attacker can thereby read and change the device's configuration. The behaviour has been reproduced on some devices but not on others, and there is currently no known reason why some are vulnerable while others are not. This record will be updated if and when further details become available.
VAR-200312-0197 CVE-2003-1096 Cisco Lightweight Extensible Authentication Protocol (LEAP) uses passwords that are vulnerable to dictionary attacks CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The Cisco LEAP challenge/response authentication mechanism uses passwords in a way that is susceptible to dictionary attacks, which makes it easier for remote attackers to gain privileges via brute force password guessing attacks. Successful attackers will be able to gain unauthorized access to affected networks