VARIoT IoT vulnerabilities database

IIS FTP servers may allow a remote attacker to read or delete files on the server, even if they have "No Access" permissions. IIS 4.0 FTP servers which have installed a specific post SP5 FTP hotfix are vulnerable to an exploit whereby FTP clients may download. Web browser FTP clients may be able to view and/or download these files, while specially crafted requests from non-browser based FTP clients may be able to delete these files. This vulnerability only affects IIS 4.0 servers running NT 4.0 SP5 with a specific post SP5 hotfix for an FTP get error as described in <http://support.microsoft.com/support/kb/articles/Q237/9/87.ASP >. Microsoft states there are no negative ramifications to applying this hotfix to SP4 or SP5 hosts who have not installed the previously referenced FTP hotfix. To see if you are vulnerable, check the file version for Ftpsvc.dll. Versions 0718 through 0722 are thought to be vulnerable, although Microsoft documentation is unclear as to whether the vulnerable versions start with 0718 or 0719. Version 0724 represents the version installed by the latest hotfix. The hotfix designed to correct this problem was not released in time for the upcoming NT 4.0 Service Pack 6. Service Pack 6 contains the "buggy" hotfix and will be vulnerable to this error when it is released. It will be necessary to install the corresponding hotfix after installing Service Pack 6, regardless of whether or not the Service Pack 5 installation was vulnerable

A buffer overflow in TenFour TFS Gateway SMTP mail server 3.2 allows an attacker to crash the mail server and possibly execute arbitrary code by offering more than 128 bytes in a MAIL FROM string. Tfs Gateway Smtp is prone to a denial-of-service vulnerability

Cisco Catalyst 2900 Virtual LAN (VLAN) switches allow remote attackers to inject 802.1q frames into another VLAN by forging the VLAN identifier in the trunking tag. The 802.1q standard is susceptible to issues that allow attackers to send and receive packets from one VLAN to another without authorization. By spoofing various Ethernet frame fields such as the source or destination MAC addresses, IP addresses, and VLAN tags, attackers may cause packets to traverse from one VLAN to another, and possibly back again. Attackers may also add multiple VLAN tags to packets to cause multiple routers to decapsulate the packets in unexpected ways, aiding the attacker in traversing VLANs. This issue allows attackers to traverse from one VLAN to another in an unauthorized fashion. As some users may utilize VLANs to segregate network segments containing differing security properties, this may have various consequences. This issue may be exacerbated by utilizing attacker-controlled external network hosts to bounce packets between VLANs

A non-default configuration in TenFour TFS Gateway 4.0 allows an attacker to cause a denial of service via messages with incorrect sender and recipient addresses, which causes the gateway to continuously try to return the message every 10 seconds. TFS Gateway 4.0, when configured in a specific non-default manner, is vulnerable to a remotely exploitable denial of service attack. If enough emails of sufficient size of this nature are sent it can lead to a degradation or denial of service. Vulnerabilities exist in non-default configurations in TenFour TFS Gateway version 4.0. The vulnerability caused the gateway to keep trying to return information every 10 seconds

A default configuration of CiscoSecure Access Control Server (ACS) allows remote users to modify the server database without authentication. Attackers can exploit this issue to perform unauthorized actions. This may aid in further attacks

Denial of service in IIS 4.0 via a flood of HTTP requests with malformed headers. Microsoft IIS and all other products that use the IIS web engine have a vulnerability whereby a flood of specially formed HTTP request headers will make IIS consume all available memory on the server and then hang

Check Point FireWall-1 can be subjected to a denial of service via UDP packets that are sent through VPN-1 to port 0 of a host. This issue only seems to take place when the VPN being used for the transport of the packet supports ISAKMP encryption. It has been reported that Solaris hosts being attacked via this method will reboot. Check Point FireWall-1 is vulnerable

FlowPoint DSL router firmware versions prior to 3.0.8 allows a remote attacker to exploit a password recovery feature from the network and conduct brute force password guessing, instead of limiting the feature to the serial console port. Flowpoint Dsl Router is prone to a remote security vulnerability

The SMTP service in Microsoft Internet Information Services (IIS) 4.0 and 5.0 allows remote attackers to bypass anti-relaying rules and send spam or spoofed messages via encapsulated SMTP addresses, a similar vulnerability to CVE-1999-0682. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------ Exchange Server MTA When this server is connected to the Internet, there is a problem that allows e-mail relaying by a third party from the outside. This can be done by inserting certain characters in the email. If this issue is exploited by a malicious remote attacker, SPAM It may be used as a mail relay point. In addition, this issue can be used to target large emails that are large enough to be heavily loaded. Exchange Processing power can be taken away by sending from the server, and as a result DoS The attack will be successful. The vulnerability was originally announced in Microsoft Security Bulletin MS99-027 and reported to affect Exchange Server 5.5. Microsoft released a patch to fix the vulnerability for Exchange Server 5.5 only. There exists no patch for the IIS SMTP service. This vulnerability poses no threat to the data or software on the server, but could allow spam to be sent from the server without the administrator's knowledge or permission, and could lead to a Denial of Service condition if the volume of the mail relayed is sufficient

Microsoft Exchange 5.5 allows a remote attacker to relay email (i.e. spam) using encapsulated SMTP addresses, even if the anti-relaying features are enabled. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------ Exchange Server MTA When this server is connected to the Internet, there is a problem that allows e-mail relaying by a third party from the outside. This can be done by inserting certain characters in the email. In addition, this issue can be used to target large emails that are large enough to be heavily loaded. Exchange Processing power can be taken away by sending from the server, and as a result DoS The attack will be successful. still, Microsoft IIS (Internet Information Server) 4.0/5.0 Implemented as standard SMTP A similar problem exists for services.Please refer to the “Overview” for the impact of this vulnerability. The vulnerability was originally announced in Microsoft Security Bulletin MS99-027 and reported to affect Exchange Server 5.5. Microsoft released a patch to fix the vulnerability for Exchange Server 5.5 only. There exists no patch for the IIS SMTP service. This vulnerability poses no threat to the data or software on the server, but could allow spam to be sent from the server without the administrator's knowledge or permission, and could lead to a Denial of Service condition if the volume of the mail relayed is sufficient

Denial of service in Gauntlet Firewall via a malformed ICMP packet. The vulnerability occurs because Gauntlet Firewall cannot handle a condition where an ICMP Protocol Problem packet's (ICMP_PARAMPROB) encapsulated IP packet has a random protocol field and certain IP options set. The packet structure looks like this: Begin Packet ------------------------------------------ [NORMAL IP HEADER] [ICMP PARAMPROB HEADER] -- encapsulated ip packet -- [IP HEADER] (important fields in ip header) ip_p = 98 (let's specify a protocol that doesn't exist) ip_hl = 0xf (stuff options) ------------------------------------------ End Packet An attacker would do the following: Construct the [ip-icmp-ip] packet using a raw socket (SOCK_RAW) with the fields set accordingly, destination set to any machine behind the firewall. Send the packet(s). The number of packets that need to be sent depends on the platform (ie Sol on a Sparc vs BSDI). The consequence of this vulnerability being exploited is the target Gauntlet 5.0 firewall being remotely locked up. It should be expected that an attacker would send packets with spoofed source addresses in the ip header making it difficult to trace

Firewall-1 sets a long timeout for connections that begin with ACK or other packets except SYN, allowing an attacker to conduct a denial of service via a large number of connection attempts to unresponsive systems. A denial of service condition exists in some implementations of Firewall-1 by Checkpoint Software. This denial of service attack is possible due to the way Firewall-1 handles TCP connections. Typically to initiate a TCP connection, a SYN packet is sent to the destination host. On systems where Firewall-1 is installed, this packet is first passed through an internal stack maintained by the Firewall before it is passed onto the operating system's native stack. When Firewall-1 filters this packet, it checks it against the rule base. If the session is allowed where it's rulebase is concerned, it is added to the connections table with a timeout of 60 seconds. When the remote host responds with an ACK (Acknowledge) packet, the session is bumped up to a 3600 second timeout. However, if you initiate a connection with an ACK packet, Firewall-1 compares it against the rule base, if allowed it is added to the connections table. However, the timeout is set to 3600 seconds and does not care if a remote system responds. You now have a session with a 1 hour timeout, even though no system responded. If this is done with a large amount of ACK packets, it will result in a full connections table. This results in your Firewall-1 refusing subsequent connections from any source effectively rendering the Firewall-1 useless in a 'failed closed' state

WS_FTP Pro 6.0 uses weak encryption for passwords in its initialization files, which allows remote attackers to easily decrypt the passwords and gain privileges. WS_FTP, both Pro and LE versions,. allows passwords to be saved as part of a saved site configuration. These passwords are encrypted and stored in .ini files. The encryption method is weak and can be broken. WS_FTP is a widely used FTP client software maintained by Ipswitch distribution. Certain versions of WS_FTP have a problem that will leak FTP user passwords

The Remote Data Service (RDS) DataFactory component of Microsoft Data Access Components (MDAC) in IIS 3.x and 4.x exposes unsafe methods, which allows remote attackers to execute arbitrary commands. Affected MDAC 1.5 and 2.0 Is Microsoft IIS alike Micorsoft Windows NT 4.0 Option Pack Included inMicrosoft IIS 3.x and 4.x On the server where is running MDAC If is installed, an arbitrary command may be executed. Both are included in a default installation of the Windows NT 4.0 Option Pack, but can be excluded via a custom installation. RDS includes a component called the DataFactory object, which has a vulnerability that could allow any web user to: --Obtain unauthorized access to unpublished files on the IIS server --Use MDAC to tunnel ODBC requests through to a remote internal or external location, thereby obtaining access to non-public servers or effectively masking the source of an attack on another network. The main risk in this vulnerability is the following: --If the Microsoft JET OLE DB Provider or Microsoft DataShape Provider are installed, a user could use the shell() VBA command on the server with System privileges. (See the Microsoft JET Database Engine VBA Vulnerability for more information). These two vulnerabilities combined can allow an attacker on the Internet to run arbitrary commands with System level privileges on the target host

MacOS uses weak encryption for passwords that are stored in the Users & Groups Data File. apple's macOS Exists in unspecified vulnerabilities.None. The encryption algorithm in MacOS system is simple and the password can be easily decoded. Offset is different on each system and depends on Users &amp; Groups configuration, but it always lie after owner's username. It's not so difficult to find it using a hex editor, even if we don't know owner's username. Here are some examples of encrypted passwords: 00 04 06 18 0D 0A 19 0B = stayaway 0A 1F 10 1B 00 07 75 1E = yellow 1C 1B 16 14 12 62 10 7B = owner 07 02 13 1A 1E 0F 1A 14 = turnpage 27 25 33 27 27 39 24 7E = Trustno1 AA BB CC DD EE FF GG HH = aa bb cc dd ee ff gg hh where: AA BB CC DD EE FF GG HH - encrypted password (hex) aa bb cc dd ee ff gg hh - decrypted password in ASCII codes (hex) aa=AA XOR 73H bb=BB XOR AA XOR 70H cc=CC XOR BB XOR 63H dd=DD XOR CC XOR 67H ee=EE XOR DD XOR 74H ff=FF XOR EE XOR 70H gg=GG XOR FF XOR 72H hh=HH XOR GG XOR 6BH An example: Let's take OO 04 06 18 0D 0A 19 0B 00H XOR 73H = 73H = s 04H XOR 00H = 04H; 04H XOR 70H = 74H = t 06H XOR 04H = 02H; O2H XOR 63H = 61H = a 18H XOR 06H = 1EH; 1EH XOR 67H = 79H = y 0DH XOR 18H = 15H; 15H XOR 74H = 61H = a 0AH XOR 0DH = 07H; 07H XOR 70H = 77H = w 19H XOR 0AH = 13H; 13H XOR 72H = 61H = a 0BH XOR 19H = 12H; 12H XOR 6BH = 79H = y tested on: MacOS 7.5.3, 7.5.5, 8.1, 8.5 copied verbatim from a post to bugtraq by Dawid adix Adamski &lt;adixx@FRIKO4.ONET.PL&gt; on July 10, 1999. There are vulnerabilities in MacOS

IIS 3.x and 4.x does not distinguish between pages requiring encryption and those that do not, which allows remote attackers to cause a denial of service (resource exhaustion) via SSL requests to the HTTPS port for normally unencrypted files, which will cause IIS to perform extra work to send the files over SSL. NT Servers running IIS with SSL security enabled are susceptible to a DoS attack due to the server's inability to differentiate between pages that require SSL and those that don't. Therefore, by replacing the 'http' string in the URL with 'https' the server can be forced to encrypt any content in the web site, including high-bandwidth pages. An attacker could, with carefully planned https requests, drive the processor utilization to 100% resulting in extreme slowdown or even failure of the server

The Sun HotSpot Performance Engine VM allows a remote attacker to cause a denial of service on any server running HotSpot via a URL that includes the [ character. When IIS and Sun's Java HotSpot Performance engine are running simultaneously, the following URL will cause the system to crash: h t t p ://targethost/servlet/[ The following is the error message: # HotSpot Virtual Machine Error, Internal Error # # Error ID: 4649454C44345950450E4350500026 Affected processes are Jrun, ServletExec and IIS

Cisco 675 routers running CBOS allow remote attackers to establish telnet sessions if an exec or superuser password has not been set. Cisco 675 Router is prone to a remote security vulnerability. Attackers can exploit this issue to perform unauthorized actions. This may aid in further attacks. Cisco 675 routers running CBOS are vulnerable

WebTrends software stores account names and passwords in a file which does not have restricted access permissions. Vulnerabilities exist in WebTrends software

When IIS is run with a default language of Chinese, Korean, or Japanese, it allows a remote attacker to view the source code of certain files, a.k.a. "Double Byte Code Page". How this works is as follows: IIS checks the extension of the requested file to see if it needs to do any processing before delivering the information. If the requested extension is not on it's list, it then makes any language-based calculations, and delivers the file. If a single byte is appended to the end of the URL when IIS to set to use one of the double-byte language packs (Chinese, Japanese, or Korean) the language module will strip it as invalid, then look for the file. Since the new URL now points to a valid filename, and IIS has already determined that this transaction requires no processing, the file is simply delivered as is, exposing the source code