VARIoT IoT vulnerabilities database


VAR-200308-0206 CVE-2003-0567 Cisco IOS Interface Blocked by IPv4 Packet

Related entries in the VARIoT exploits database: VAR-E-200307-0193, VAR-E-200307-0192, VAR-E-200307-0191
CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Cisco IOS 11.x and 12.0 through 12.2 allows remote attackers to cause a denial of service (traffic block) by sending a particular sequence of IPv4 packets to an interface on the device, causing the input queue on that interface to be marked as full. A denial-of-service vulnerability exists in Cisco's Internetwork Operating System (IOS). This vulnerability may allow remote attackers to conduct denial-of-service attacks on an affected device. A denial of service vulnerability has been reported to exist in all hardware platforms that run Cisco IOS versions 11.x through 12.x. This issue may be triggered by a sequence of specifically crafted IPv4 packets. A power cycling of an affected device is required to regain normal functionality. Many Cisco devices run IOS. The attack does not trigger any alarms, nor does the router automatically reload. An attacker can repeatedly attack all interfaces of the Cisco device, making the router inaccessible remotely.
Links: http://www.cert.org/advisories/CA-2003-15.html, http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
VAR-200307-0052 No CVE Deutsche Telekom Teledat DSL Router Port Scanning Remote Denial of Service Attack Vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Teledat DSL Router is an ADSL router from Deutsche Telekom. The Teledat DSL Router does not properly handle port scanning, and remote attackers can exploit this vulnerability to perform a denial of service attack on the router. Scanning the Teledat DSL Router with the Symantec security scan scanner can cause the router to crash and require a reboot to restore normal service. Because of this, an attacker may be able to deny service to legitimate users
VAR-200307-0053 No CVE Asus AAM6000EV ADSL Router Information Disclosure Vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Asus AAM6000EV is an ADSL router. Files containing sensitive information on the Asus AAM6000EV ADSL router can be accessed directly, and intranet users can use this vulnerability to obtain username and password information. If the web server embedded in the Asus AAM6000EV ADSL router is enabled, users on any local network can obtain plain text username and password information by accessing the /userdata file. It is possible to request files from the built-in web server that contain information such as usernames, passwords and other configuration information
VAR-200307-0051 No CVE Cisco Catalyst Non-Standard TCP Tag Remote Denial of Service Vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco Catalyst is a family of business-grade switches distributed and maintained by Cisco. Cisco Catalyst does not properly handle non-standard TCP packet communication. A remote attacker can exploit this vulnerability to perform a denial of service attack on the switch, causing legitimate users to fail to communicate properly. When a TCP connection is initiated using one of eight non-standard TCP flag combinations, the Catalyst switch stops responding normally over TCP for some services. To restore those services, the switch must be restarted. Standard services, including HTTP, Telnet and SSH, are not affected by this vulnerability, nor are console communications. The Cisco bug ID is CSCdw52219. Because of this, an attacker may be able to deny legitimate user access to the switch
VAR-200308-0081 CVE-2003-0518 Apple Mac OS X Screen saver password prompt buffer overflow vulnerability
CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
The screen saver in MacOS X allows users with physical access to cause the screen saver to crash and gain access to the underlying session via a large number of characters in the password field, possibly triggering a buffer overflow. Apple Mac OS X has a screen saver, entitled Screen Effects, with a password feature. Mac OS X is an operating system used on Mac machines, based on the BSD system
VAR-200307-0050 No CVE Ezbounce remote format string processing vulnerability
CVSS V2: -
CVSS V3: -
Severity: LOW
Ezbounce is an IRC proxy server. Ezbounce has a format string processing problem. A remote attacker can use this vulnerability to submit a malicious format string and may execute arbitrary commands on the system with the privileges of the ezbounce process. The problem exists in the "ezbounce/commands.cpp" file. When the program is built with session support, an attacker who submits a "sessions" command containing a malicious format string can corrupt sensitive data in process memory and execute arbitrary commands on the system with the privileges of the ezbounce process. The condition is present in the file "ezbounce/commands.cpp" and can be triggered when session support is enabled. To exploit this vulnerability, the attacker must have valid credentials. This flaw may be of use to attackers who have proxy access but no privileges on the underlying host
VAR-200308-0090 CVE-2003-0458 HP NonStop SeeView Server Gateway Privilege escalation vulnerability
CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Unknown vulnerability in HP NonStop Server D40.00 through D48.03, and G01.00 through G06.20, allows local users to gain additional privileges. Successful exploitation of this vulnerability could potentially allow an attacker to gain privileged access to the system and thus carry out further attacks. Local attackers can use this vulnerability to perform privilege escalation attacks on the system. No detailed vulnerability details are currently available
VAR-200306-0130 No CVE OptiSwitch 400/800 Unauthorized Remote Access Vulnerability
CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The OptiSwitch 400 and 800 series are switches developed by MRV Communications. There is a problem in how the OptiSwitch 400 and 800 series initialize connections, which remote attackers can exploit to access the switch without a password. When a remote user connects to the device via telnet or the console and sends a special keystroke sequence, the switch grants access with root privileges without authorization. A vulnerability has been reported for the OptiSwitch device which could allow an attacker to gain unauthorized remote access. When the sequence is processed, remote access will be granted to the attacker. *** The vendor has responded and has reported that the vulnerability does not in fact exist
VAR-200308-0037 CVE-2003-0489 tcptraceroute give up root User permission failure vulnerability
CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
tcptraceroute 1.4 and earlier does not fully drop privileges after obtaining a file descriptor for capturing packets, which may allow local users to gain access to the descriptor via a separate vulnerability in tcptraceroute. This condition is not currently known to be exploitable, however, it could potentially allow for local privilege escalation. tcptraceroute is a traceroute implementation using TCP packets. A local attacker can exploit this vulnerability to potentially execute arbitrary commands on the system with root process privileges. No detailed vulnerability details are currently available
VAR-200308-0086 CVE-2003-0453 Traceroute-Nanog Integer Overflow Memory Corruption Vulnerability
CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
traceroute-nanog 6.1.1 allows local users to overwrite unauthorized memory and possibly execute arbitrary code via certain "nprobes" and "max_ttl" arguments that cause an integer overflow that is used when allocating memory, which leads to a buffer overflow. An integer overflow vulnerability has been reported for Traceroute-Nanog. It has been reported that when processing certain max_ttl and nprobes values from a traceroute invocation, some functions or utilities may fail to sufficiently handle the size of data returned. Because an attacker can control arbitrary memory corruption, although conjectured and unconfirmed, an attacker might exploit this condition to execute arbitrary instructions with elevated privileges. It should be noted that this vulnerability might only affect the Debian implementation of Traceroute-Nanog. There is a vulnerability in traceroute-nanog version 6.1.1
VAR-200306-0131 No CVE Avaya Cajun Network Switch Connection Delayed Remote Denial of Service Attack Vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Avaya Cajun offers a multiservice network switch system solution. Avaya Cajun switches do not properly handle abnormal traffic on port 4000, which remote attackers can exploit to stall the switch for a period of time. By connecting to port 4000 on the switch and sending packets longer than 5 bytes whose first 4 bytes represent a negative number, an attacker can cause the switch to stall for a period of time. Multiple such packets can cause the switch to stop working, resulting in a denial of service. Because of this, an attacker may be able to cause the switch to stall for a period of time
VAR-200306-0081 CVE-2003-0316 Venturi Client Open Agent Vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Venturi Client before 2.2, as used in certain Fourelle and Venturi Wireless products, can be used as an open proxy for various protocols, including an open relay for SMTP, which allows it to be abused by spammers
VAR-200306-0041 CVE-2003-0420 Apache Portable Runtime contains heap buffer overflow in apr_psprintf()
CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Information leak in dsimportexport for Apple Macintosh OS X Server 10.2.6 allows local users to obtain the username and password of the account running the tool. The Apache HTTP server contains a denial-of-service vulnerability that allows remote attackers to conduct denial-of-service attacks on the HTTP basic authentication module of an affected server. Mac OS X is an operating system used on Mac machines, based on the BSD system. No detailed vulnerability details are currently available
VAR-200307-0024 CVE-2003-0367 gzip include znew Command improper temporary file creation vulnerability
CVSS V2: 2.1
CVSS V3: -
Severity: LOW
znew in the gzip package allows local users to overwrite arbitrary files via a symlink attack on temporary files. Because of this, a local attacker may be able to launch a symbolic link attack against sensitive files. GNU Gzip is a compression/decompression program of the GNU Project. znew in the Gzip package has an input validation error vulnerability. The vulnerability stems from the failure of the network system or product to properly validate the input data
VAR-200307-0002 CVE-2003-0419 SMC Wireless router malformation PPTP Packet Remote Denial of Service Attack Vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
SMC Networks Barricade Wireless Cable/DSL Broadband Router SMC7004VWBR allows remote attackers to cause a denial of service via certain packets to PPTP port 1723 on the internal interface. A vulnerability has been discovered in the SMC SMC7004VWBR wireless router. The problem is said to occur while processing a sequence of malformed PPTP packets received via the local interface. Successful exploitation of this vulnerability will result in the router no longer responding to internal wireless traffic. The SMC7004VWBR does not correctly process malformed PPTP packets. Remote attackers can use this vulnerability to conduct denial of service attacks on the device and prevent legitimate users from accessing network resources. By default, the router listens on TCP port 1723. An attacker who connects to the target network through an 802.11b wireless network interface card and sends a series of malformed PPTP packets can cause the router to stop responding, so that legitimate users cannot access network resources
VAR-200306-0072 CVE-2003-0305 Cisco IOS Service Assurance Agent (SAA) Service denial vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Service Assurance Agent (SAA) in Cisco IOS 12.0 through 12.2, aka Response Time Reporter (RTR), allows remote attackers to cause a denial of service (crash) via malformed RTR packets to port 1967
VAR-200306-0082 CVE-2003-0318 PHP-Nuke Cross-site scripting (XSS) Vulnerability
CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the Statistics module for PHP-Nuke 6.0 and earlier allows remote attackers to insert arbitrary web script via the year parameter. PHP-Nuke is prone to a cross-site scripting vulnerability
VAR-200307-0025 CVE-2003-0379 Apple AFP Server Arbitrary file destruction vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Unknown vulnerability in Apple File Service (AFP Server) for Mac OS X Server, when sharing files on a UFS or re-shared NFS volume, allows remote attackers to overwrite arbitrary files. A vulnerability has been discovered in Apple AFP Server. The problem presents itself when the application is serving files on a specific filesystem type. A remote attacker is said to be able to exploit this vulnerability to corrupt arbitrary files on the local system. Mac OS X is an operating system used on Mac machines, based on the BSD system. The included Apple Filing Protocol (AFP) is used for communication between the server and client machines in an AppleShare network. No detailed vulnerability details are currently available
VAR-200306-0044 CVE-2003-0355 Safari 1.0 Beta 2 (v73) Certificate is threatened
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Safari 1.0 Beta 2 (v73) and earlier does not validate the Common Name (CN) field for X.509 Certificates, which could allow remote attackers to spoof certificates
VAR-200308-0094 CVE-2003-0462 Linux Kernel of execve Vulnerability that causes a race condition in system calls
CVSS V2: 1.2
CVSS V3: -
Severity: LOW
A race condition in the way env_start and env_end pointers are initialized in the execve system call and used in fs/proc/base.c on Linux 2.4 allows local users to cause a denial of service (crash).
------------
This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of the vulnerability information other than the title are included. A setuid executable that cannot originally be read can be recreated as a new executable file by changing its owner. As a result, a local attacker who exploits this issue can read a setuid executable that would otherwise be unreadable. At this time, it has been reported that this issue could potentially be used to execute arbitrary code with elevated privileges. Please refer to the "Overview" for the impact of this vulnerability. The problem lies in the atomicity of placing the target executable's file descriptor in the current process's descriptor table and executing the file. Linux is an open source operating system. The execve() path contains the following code (fs/binfmt_elf.c):

    static int load_elf_binary(struct linux_binprm * bprm, struct pt_regs * regs)
    {
        struct file *interpreter = NULL; /* to shut gcc up */
        [...]
        retval = kernel_read(bprm->file, elf_ex.e_phoff, (char *) elf_phdata, size);
        if (retval < 0)
            goto out_free_ph;
        retval = get_unused_fd();
        if (retval < 0)
            goto out_free_ph;
        get_file(bprm->file);
        fd_install(elf_exec_fileno = retval, bprm->file);

When executing a new binary program, the open executable's file descriptor is installed into the file table of the current process (the execve() caller) before the program is executed. This allows an attacker to read the contents of the suid program even without read permission on it