VARIoT IoT vulnerabilities database


VAR-200005-0117 No CVE TACACS+ Protocol Flaws Vulnerabilities CVSS V2: -
CVSS V3: -
Severity: -
A number of vulnerabilities exist in the TACACS+ protocol. These are part of the protocol, and as such do not affect only those products listed as being vulnerable, but any implementation of TACACS+, both on the client and on the server side.
1) Integrity checking: TACACS+ does not use any form of integrity checking to ensure a TACACS+ packet has not been tampered with. Due to the nature of its encryption mechanism, an attacker could potentially alter a packet by flipping bits. One example cited is the possibility of an attacker flipping a single bit to alter an accounting packet, changing the elapsed_time being reported from 9000 to 1000.
2) Vulnerability to replay: TACACS+ has no protection against replay attacks. So long as a packet has the correct TACACS+ sequence number, it will be accepted. As TACACS+ sequence numbers start at 1, the server will always process packets with the sequence number of 1. The description of this vulnerability noted that this is most easily used against accounting packets, as they are single-packet transactions.
3) Session ID collision: The encryption mechanism for TACACS+ depends heavily on a unique session_id for each session. If multiple sessions get the same session_id and seq_no, it can become vulnerable to a frequency analysis attack. In addition, if plaintext is known in one packet, it is trivial to decrypt the corresponding portion of the other packet containing the same sequence number and session ID. It is possible to get a TACACS+ server to encrypt a reply packet using a chosen session_id. This makes it possible to compromise the encryption of packets from the server to the client.
4) Session ID randomness: Due to the length of the session_id, and an inability to prevent ID collision across reboots and multiple servers, session IDs will eventually be reused, which can result in the decryption of packets. For an ISP handling 20,000 dialup sessions a day, there could be over 100,000 session_id collisions in a year.
5) Lack of padding: A lack of padding of fields in the protocol can reveal the length of these unpadded fields. This could result in revealing the length of a user password.
6) MD5 context leak: A theoretical vulnerability exists whereby part of a packet may be decrypted, due to the presence of certain bytes.
These attacks all require the attacker to be present on the network where these transactions are taking place; in some cases, the attacker may need to be on a machine or router separating the client from the server. As such, while very real vulnerabilities, using them in a real-world situation may be difficult.
VAR-200005-0111 No CVE WebShield SMTP 4.5.44 Buffer Overflow Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The listening port of the Network Associates WebShield SMTP 4.5.44 remote management service is 9999. When connected to this port, the current configuration can be obtained by executing the following command: GET_CONFIG <CR>. When a string of more than 208 bytes is accepted while parameters are being configured, a stack overflow occurs. The service usually crashes. If the string contains executable code, an attacker may execute arbitrary commands as SYSTEM. < *Source: Delphis Consulting Plc Security Team Advisories securityteam@delphisplc.com* >
VAR-200005-0062 CVE-2000-0418 Cayman 3220H DSL router "ping of death" Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Cayman 3220-H DSL router allows remote attackers to cause a denial of service via oversized ICMP echo (ping) requests. Reported effects vary; sometimes it stops telnet and http admin services, other times the router may restart without routing but the admin services stay up. The Cayman 3220H DSL router is vulnerable
VAR-200007-0058 CVE-2000-0619 Top Layer AppSwitch Service rejection CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Top Layer AppSwitch 2500 allows remote attackers to cause a denial of service via malformed ICMP packets. TopLayer AppSwitch 2500 has been reported to be vulnerable to numerous DoS attacks. Fragmented packets, bad ICMP checksums, and other anomalous packets are reported to crash the switch. Vulnerabilities exist in Top Layer AppSwitch version 2500
VAR-200005-0006 CVE-2000-0305 IP Packet Fragment Denial of Service Vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Windows 95, Windows 98, Windows 2000, Windows NT 4.0, and Terminal Server systems allow a remote attacker to cause a denial of service by sending a large number of identical fragmented IP packets, aka jolt2 or the "IP Fragment Reassembly" vulnerability. CPU utilization will return to normal after the attack has ceased. In some cases, this attack could produce a blue screen of death. An analysis of the exploit was posted to BugTraq on May 26, 2000 by Mikael Olsson <mikael.olsson@enternet.se>. He concludes that the DoS initiated by this attack may not be related to IP fragmentation but rather to resource exhaustion and a problem in filtering bad packets by Microsoft Windows. See the message referenced by Mikael Olsson for a further interpretation of the mechanism of this attack
VAR-200005-0080 CVE-2000-0437 Gauntlet Firewall Remote Buffer Overflow Vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Buffer overflow in the CyberPatrol daemon "cyberdaemon" used in Gauntlet and WebShield allows remote attackers to cause a denial of service or execute arbitrary commands. A buffer overflow exists in the version of Mattel's Cyber Patrol software integrated into the Network Associates Gauntlet firewall, versions 4.1, 4.2, 5.0 and 5.5. Due to the manner in which Cyber Patrol was integrated, a vulnerability was introduced which could allow a remote attacker to gain root access on the firewall, or execute arbitrary commands on the firewall. By default, Cyber Patrol is installed on Gauntlet installations, and runs for 30 days. After that period, it is disabled. During this 30-day period, the firewall is susceptible to attack. Because the filtering software is externally accessible, users not on the internal network may also be able to exploit the vulnerability. Some versions of SGI IRIX shipped with the Gauntlet Firewall package, and in the past it was a supported SGI product. While it is no longer being supported, SGI IRIX versions 6.5.2, 6.5.3, 6.5.4 and 6.5.5 may be prone to this issue
VAR-200005-0061 CVE-2000-0417 Cayman 3220-H DSL Router DoS Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The HTTP administration interface to the Cayman 3220-H DSL router allows remote attackers to cause a denial of service via a long username or password. The router log will show "restart not in response to admin command". The Cayman 3220-H DSL router has a vulnerability in its HTTP management interface
VAR-200005-0008 CVE-2000-0379 Netopia DSL Router Vulnerability CVSS V2: 3.6
CVSS V3: -
Severity: LOW
The Netopia R9100 router does not prevent authenticated users from modifying SNMP tables, even if the administrator has configured it to do so. The router has a command-line mode that is reached by typing control-N after the user has passed the initial login test. At the "#" prompt one can then do most management of the device. This includes the setting of SNMP community strings in spite of the limitation imposed by the administrator. The following devices are confirmed as vulnerable:
R2020 Dual Analog Router
R3100 ISDN Router
R3100-I ISDL Router
R3100-T IDSL router for Covad
R3232-I IDSL 4-IMUX router
R5100 Serial router
R5200 DDS router
R5220 DDS router w/ V.90 backup
R5300 T1 router
R5320 T1 router w/ V.90 backup
R5331 T1 router w/ ISDN backup
R7100-C SDSL router
R7120 SDSL Router w/int V.90
R7131 SDSL router w/int ISDN
R7171 SDSL 2x IMUX router
R7200-T SDSL router for Covad
R7220 SDSL router w/int.V.90
R7231 SDSL router w/int ISDN
R9100 Ethernet-to-ethernet Router
VAR-200007-0068 CVE-2000-0630 Microsoft Internet Information Server (IIS) discloses contents of files via crafted request containing "+.htr" CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
IIS 4.0 and 5.0 allow remote attackers to obtain fragments of source code by appending a +.htr to the URL, a variant of the "File Fragment Reading via .HTR" vulnerability. A vulnerability exists in Microsoft Internet Information Server (IIS) that could disclose sensitive information contained in CGI-type files. Typically a CGI/script file on a web server should only be executable and not readable to remote users. Sensitive information contained in CGI-type files might include user credentials for access to a back-end database. This is a variation of the vulnerability previously discussed in VU#35085 and Microsoft Security Bulletin MS00-031. Requesting a known filename with the extension replaced with .htr preceded by approximately 230 "%20" (which is an escaped character that represents a space) from Microsoft IIS 4.0/5.0 will cause the server to retrieve the file and its contents. This is due to the .htr file extension being mapped to the ISM.DLL ISAPI application, which redirects .htr file requests to ISM.DLL. ISM.DLL removes the extraneous "%20", replaces .htr with the proper filename extension and reveals the source of the file. This vulnerability is similar to a more recently discovered variant, BugTraq ID 1488. This action can only be performed if a .htr request has not been previously made or if ISM.DLL is loaded into memory for the first time. If an .htr request has already been made, a restart of the web server is necessary in order to perform another. Microsoft IIS 4.0 and 5.0 can be made to disclose fragments of source code which should otherwise be inaccessible. This is done by appending "+.htr" to a request for a known .asp (or .asa, .ini, etc.) file. Appending this string causes the request to be handled by ISM.DLL, which then strips the +.htr string and may disclose part or all of the source of the .asp file specified in the request.
There has been a report that source will be displayed up to the first '<%' encountered; '<%' and '%>' are server-side script delimiters. Pages which use the <script runat=server></script> delimiters instead will display the entire source, or up to any '<%' in the page
VAR-200005-0053 CVE-2000-0408 Microsoft IIS Service operation by handling invalid file extension (DoS) Vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
IIS 4.05 and 5.0 allow remote attackers to cause a denial of service via a long, complex URL that appears to contain a large number of file extensions, aka the "Malformed Extension Data in URL" vulnerability. Restarting the application or waiting until the URL is processed will be required in order to regain normal functionality
VAR-200005-0109 CVE-2000-0457 Microsoft Internet Information Server (IIS) discloses contents of files via crafted request containing "+.htr" CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
ISM.DLL in IIS 4.0 and 5.0 allows remote attackers to read file contents by requesting the file and appending a large number of encoded spaces (%20) terminated with a .htr extension, aka the ".HTR File Fragment Reading" or "File Fragment Reading via .HTR" vulnerability. A vulnerability exists in Microsoft Internet Information Server (IIS) that could disclose sensitive information contained in CGI-type files. Typically a CGI/script file on a web server should only be executable and not readable to remote users. Sensitive information contained in CGI-type files might include user credentials for access to a back-end database. This is a variation of the vulnerability previously discussed in VU#35085 and Microsoft Security Bulletin MS00-031. Microsoft IIS has a flaw that causes an infinite search, resulting in a significant decrease in processing capacity, when (1) it receives a password change request that omits a delimiter that should be specified, or (2) a known file extension is changed to a specific character string. This may leave Microsoft IIS in a denial-of-service (DoS) state. Requesting a known filename with the extension replaced with .htr preceded by approximately 230 "%20" (which is an escaped character that represents a space) from Microsoft IIS 4.0/5.0 will cause the server to retrieve the file and its contents. This is due to the .htr file extension being mapped to the ISM.DLL ISAPI application, which redirects .htr file requests to ISM.DLL. ISM.DLL removes the extraneous "%20", replaces .htr with the proper filename extension and reveals the source of the file. This vulnerability is similar to a more recently discovered variant, BugTraq ID 1488. This action can only be performed if a .htr request has not been previously made or if ISM.DLL is loaded into memory for the first time. If an .htr request has already been made, a restart of the web server is necessary in order to perform another.
Microsoft IIS 4.0 and 5.0 can be made to disclose fragments of source code which should otherwise be inaccessible. This is done by appending "+.htr" to a request for a known .asp (or .asa, .ini, etc.) file. Appending this string causes the request to be handled by ISM.DLL, which then strips the +.htr string and may disclose part or all of the source of the .asp file specified in the request. There has been a report that source will be displayed up to the first '<%' encountered; '<%' and '%>' are server-side script delimiters. Pages which use the <script runat=server></script> delimiters instead will display the entire source, or up to any '<%' in the page
VAR-200005-0005 CVE-2000-0304 Microsoft IIS 4.0/5.0 deformity .HTR Request Denial of Service Attack Vulnerability (MS00-031) CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Microsoft IIS 4.0 and 5.0 with the IISADMPWD virtual directory installed allows a remote attacker to cause a denial of service via a malformed request to the inetinfo.exe program, aka the "Undelimited .HTR Request" vulnerability. The virtual directory within IIS 4.0 and 5.0 contains .htr files which permits users to change passwords remotely. If a user initiates a password change request containing malformed data, the server CPU becomes fully utilized until the administrator performs a reboot to regain normal functionality. The patch available for this issue creates a similar vulnerability which is exploited by appending %3F+.htr to a request
VAR-200005-0012 CVE-2000-0384 NetStructure 7110 Unpublished password vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
NetStructure 7110 and 7180 have undocumented accounts (servnow, root, and wizard) whose passwords are easily guessable from the NetStructure's MAC address, which could allow remote attackers to gain root access. NetStructure (formerly known as Ipivot Commerce Accelerator) is a multi-site traffic director. This internet equipment is designed for businesses with multiple Web site locations, routing traffic to the best available site from a single URL. Certain revisions of this package have an undocumented supervisor password. This password, which grants access to the 'wizard' mode of the device, is derived from the MAC address of the primary NIC. This MAC address is displayed in the login banner. This password can be utilized from the admin console locally (via a serial interface) or remotely if the machine has been deployed with a modem for remote access. With this password an intruder gains shell access to the underlying UNIX system and may sniff traffic, among other things. The value these passwords are derived from is the Ethernet address of the public interface, which under default installs is available via an SNMP daemon configured with a default password. It should be noted that configuration over telnet is preferred in the user documentation. NetStructure 7110 and 7180 have undisclosed accounts (servnow, root, and wizard). Remote attackers can use this vulnerability to obtain root user privileges
VAR-200005-0057 CVE-2000-0413 Microsoft Frontpage Server extension shtml.exe/shtml.dll Absolute path leak vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The shtml.exe program in the FrontPage extensions package of IIS 4.0 and 5.0 allows remote attackers to determine the physical path of HTML, HTM, ASP, and SHTML files by requesting a file that does not exist, which generates an error message that reveals the path. Passing a path to a non-existent file to the shtml.exe or shtml.dll (depending on platform) program will display an error message stating that the file cannot be found accompanied by the full local path to the web root. For example, performing a request for http://target/_vti_bin/shtml.dll/non_existant_file.html will produce an error message stating "Cannot open "C:\localpath\non_existant_file.html": no such file or folder"
VAR-200005-0033 CVE-2000-0345 Cisco Router Online Help Vulnerability

Related entries in the VARIoT exploits database: VAR-E-200005-0121
CVSS V2: 2.1
CVSS V3: -
Severity: LOW
The on-line help system options in Cisco routers allow non-privileged users without "enabled" access to obtain sensitive information via the show command. This information includes access lists, among other things. The help system itself does not list these items as being available via the 'show' commands, yet it will nonetheless execute them. The message which detailed this vulnerability to the Bugtraq mailing list is attached in the 'Credit' section of this vulnerability entry. It is suggested that you read it if this vulnerability affects your infrastructure
VAR-200005-0034 CVE-2000-0346 AppleShare IP 6.x Invalid perimeter request vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
AppleShare IP 6.1 and later allows a remote attacker to read potentially sensitive information via an invalid range request to the web server. The additional data will appear appended to the file requested and may contain sensitive information
VAR-200004-0061 CVE-2000-0380 Cisco IOS software vulnerable to DoS via HTTP request containing "%%"

Related entries in the VARIoT exploits database: VAR-E-200004-0041
CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
The IOS HTTP service in Cisco routers and switches running IOS 11.1 through 12.1 allows remote attackers to cause a denial of service by requesting a URL that contains a %% string. There is a denial-of-service vulnerability in several Cisco switch and router products which allows an attacker to force affected devices to crash and reboot. If the router is configured to run a web server for configuration and other information, a user can cause the router to crash. Cisco IOS is an operating system that runs widely on various Cisco network devices. Remote attackers may use this vulnerability to carry out denial-of-service attacks on the device. Some routers will automatically restart, while others must be manually powered off and on to restore the router to normal operation
VAR-200412-0165 CVE-2004-1468 Cisco Catalyst Enable Password Bypass Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The web mail functionality in Usermin 1.x and Webmin 1.x allows remote attackers to execute arbitrary commands via shell metacharacters in an e-mail message. The Usermin module that sends and receives e-mail via the Web interface is incomplete: it does not properly remove links to other Usermin modules contained in received HTML e-mail. An arbitrary command may be executed with the authority of the user who received and viewed the e-mail. Webmin / Usermin are reportedly affected by a command execution vulnerability when rendering HTML e-mail messages. This issue is reported to affect Usermin versions 1.080 and prior. Under certain versions of the Cisco Catalyst a user who already has access to the device can elevate their current access to 'enable' mode without a password. Once 'enable' mode is obtained the user can access the configuration mode and commit unauthorized configuration changes on a Catalyst switch. This can be done either from the console itself or via a remote Telnet session
VAR-200004-0028 CVE-2000-0268 Cisco IOS TELNET Environment Variable Handling Denial of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco IOS 11.x and 12.x allows remote attackers to cause a denial of service by sending the ENVIRON option to the Telnet daemon before it is ready to accept it, which causes the system to reboot. Certain versions of Cisco's IOS software have a vulnerability in the Telnet environment handling code. This attack can be launched repeatedly, thereby effecting a denial-of-service attack. Cisco Internet Operating System (IOS) is an operating system used on Cisco routers. < *Link: http://www.cisco.com/warp/public/707/iostelnetopt-pub.shtml* >
VAR-200004-0027 CVE-2000-0267 Cisco Catalyst Enable Password Bypass Vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Cisco Catalyst 5.4.x allows a user to gain access to the "enable" mode without a password. This can be done either from the console itself or via a remote Telnet session