VARIoT IoT vulnerabilities database


VAR-200303-0056 CVE-2003-0100 Cisco IOS OSPF neighbor IO buffer overflow

Related entries in the VARIoT exploits database: VAR-E-200302-0065
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in Cisco IOS 11.2.x to 12.0.x allows remote attackers to cause a denial of service and possibly execute commands via a large number of OSPF neighbor announcements. Cisco Internetwork Operating System (IOS) is the operating system for the majority of Cisco routers. Open Shortest-Path First (OSPF) is an interior routing protocol. Cisco IOS contains a vulnerability that causes a denial-of-service (DoS) condition when it receives OSPF neighbor announcements that attempt to establish more than 255 host neighbor relationships on one network interface. Communication between networks connected to the router may become impossible. The overflow occurs when more than 255 OSPF neighbors are announced. This may make it possible to execute malicious instructions on a device running a vulnerable version of the software. Denial of service is also possible. This issue corresponds to Cisco Bug ID CSCdp58462. When the OSPF implementation included in some Cisco IOS versions receives notifications from more than 255 OSPF neighbors on an interface, the IO memory structure will be damaged. FX of Phenoelit research provides a program that exploits this vulnerability to execute malicious code on the router.
VAR-200312-0338 CVE-2003-1435 PHP-Nuke modules.php Remotely obtain encrypted password vulnerability
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
SQL injection vulnerability in PHP-Nuke 5.6 and 6.0 allows remote attackers to execute arbitrary SQL commands via the days parameter to the search module. PHP-Nuke, in some cases, does not sufficiently sanitize user-supplied input which is used when constructing SQL queries. As a result, attackers may supply malicious parameters to manipulate the structure and logic of SQL queries. This may result in unauthorized operations being performed on the underlying database. This issue may be exploited to cause sensitive information to be disclosed to a remote attacker. PHP-Nuke is a popular website creation and management tool. It can use many database systems as a backend, such as MySQL, PostgreSQL, mSQL, Interbase, Sybase, etc. A remote attacker may use this vulnerability to obtain the encrypted password hash value of the PHP-Nuke administrator, thereby gaining administrator privileges.
VAR-200312-0354 CVE-2003-1451 Norton Antivirus 2002 Mail Scanner Remote Buffer Overflow Vulnerability
CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
Buffer overflow in Symantec Norton AntiVirus 2002 allows remote attackers to execute arbitrary code via an e-mail attachment with a compressed ZIP file that contains a file with a long filename. The Norton Antivirus 2002 email scanner is vulnerable to a buffer overflow. This could potentially result in code execution in the security context of the antivirus scanner. When parsing this mail, a buffer overflow may occur. Carefully constructed file name data may execute arbitrary instructions on the system with the process privilege of the logged-in user
VAR-200303-0072 CVE-2003-0088 Apple MacOS Classic TruBlueEnvironment Environment Variable Privilege Escalation Vulnerability
CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
TruBlueEnvironment for MacOS 10.2.3 and earlier allows local users to overwrite or create arbitrary files and gain root privileges by setting a certain environment variable that is used to write debugging information. There is a vulnerability in the Apple MacOS Classic emulator for MacOS X that may lead to elevation of privileges. This issue exists in TruBlueEnvironment, which is included in the emulator. The environment variable is used to define a location to output debugging information to a file. Exploitation of this issue may enable a malicious local user to gain elevated privileges by causing malicious files to be run through a facility such as cron. Overwriting critical system files may also cause a denial of service. TruBlueEnvironment is a tool included with the MacOS Classic Emulator, installed as setuid root by default. There is a problem with the handling of environment variables in TruBlueEnvironment. Local attackers can use this vulnerability to perform privilege escalation attacks through cron tools, or overwrite important system files to perform denial-of-service attacks. If the file exists, it will be truncated to zero bytes. If the file does not exist, it will be created with permissions determined by the umask of the calling process. Although the attacker cannot create a file with execution permission, a file created in this way can be read and written by any user. In MacOS X, this vulnerability can be used to automatically create files through cron. By default, cron uses the periodic command for daily maintenance. This command will receive several files and pass them to the shell interpreter to run. Since these scripts are run with root user privileges, privilege escalation may be possible by combining cron and TruBlueEnvironment.
VAR-200303-0096 CVE-2003-0049 Apple File protocol iDrive Administrator login vulnerability
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Apple File Protocol (AFP) in Mac OS X before 10.2.4 allows administrators to log in as other users by using the administrator password. This may result in the disclosure of sensitive information if data is intercepted. Further details about this issue are not known at this time. This BID will be updated as further information becomes available. Remote attackers can use this vulnerability to obtain administrator authentication information by intercepting communication data. No detailed vulnerability details have been obtained so far
VAR-200312-0365 CVE-2003-1398 Cisco IOS ICMP Redirect Routing Table Modification Vulnerability
CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Cisco IOS 12.0 through 12.2, when IP routing is disabled, accepts false ICMP redirect messages, which allows remote attackers to cause a denial of service (network routing modification). It has been reported that it is possible to make arbitrary remote modifications to the Cisco IOS routing table. ICMP redirect messages are normally sent to indicate inefficient routing, a new route or a routing change. An attacker may specify a default gateway on the local network that does not exist, thus denying service to the affected router for traffic destined to any location outside the local subnet. Internet Operating System (IOS) is an operating system used on Cisco routers. Another possibility is to advertise that the gateway is on a completely different subnet. If a device proxies ARP requests for this fake gateway, all communications destined for external subnets will be forwarded to the fake gateway. If no device acts as an ARP proxy for the fake gateway, traffic will be blocked as described in the first case. A final possibility is for a malicious user to insert the IP address of the attacker's machine as the default gateway, which could lead to interception of all communications.
VAR-200312-0345 CVE-2003-1442 HM220dp ADSL modem WEB Management interface insecure vulnerability
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The web administration page for the Ericsson HM220dp ADSL modem does not require authentication, which could allow remote attackers to gain access from the LAN side. No authentication is required to access this interface. There is no option to enable any authentication requirement. Ericsson HM220dp is an ADSL modem for small office environments.
VAR-200312-0394 CVE-2003-1427 Netgear FM114P Wireless Firewall File Disclosure Vulnerability
CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
Directory traversal vulnerability in the web configuration interface in Netgear FM114P 1.4 allows remote attackers to read arbitrary files, such as the netgear.cfg configuration file, via a hex-encoded (%2e%2e%2f) ../ (dot dot slash) in the port parameter. Netgear FM114P is a wireless network router that includes a firewall function. Netgear FM114P wireless firewall lacks proper filtering of web requests submitted by users. Netgear FM114P's web configuration interface lacks sufficient filtering for user-submitted requests. Attackers can submit malicious URL requests to escape the /upnp/service directory restriction and gain unauthorized access to router configuration files. The configuration files contain dial-up passwords, dynamic DNS configuration passwords, router configuration options, etc. Attackers can use this information to conduct further attacks on routers. Netgear FM114P Wireless Firewalls allow directory traversal using escaped character sequences. It is possible for an unauthenticated user to retrieve the firewall's configuration file by escaping from the /upnp/service directory.
VAR-200312-0352 CVE-2003-1449 Aladdin Knowledge Systems eSafe OPSEC CVP Virus scanning can bypass the vulnerability
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Aladdin Knowledge Systems eSafe Gateway 3.5.126.0 does not check the entire stream of Content Vectoring Protocol (CVP) data, which allows remote attackers to bypass virus protection. It has been reported that under some circumstances, eSafe Gateway does not properly scan messages in transit. This problem occurs when data is passed to eSafe via a Check Point OPSEC CVP compliant firewall. Because of this, malicious code may be able to circumvent the filters imposed by the software and enter or exit the network. This could lead to further compromise of network resources. A remote attacker can exploit this vulnerability to bypass virus filtering. When Check Point with Feature Pack 3 installed receives files larger than 2M, the scanning program becomes unstable during CVP inspection. For example, if the SMTP message exceeds 2MB, FW-1 will perform the following operations: 1. Put the information into the buffer pool. 2. Send data to the CVP server. 3. It will stop when sending 1MB or nearly 2MB of data. 4. Sending will resume after 5 minutes. 5. The CVP server allows data to be placed in spool\d_resend and enters a loop operation until the information is marked as expired.
VAR-200312-0367 CVE-2003-1400 PHP-Nuke Avatar HTML Injection Vulnerability
CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the Your_Account module for PHP-Nuke 5.0 through 6.0 allows remote attackers to inject arbitrary web script or HTML via the user_avatar parameter. A problem with PHP-Nuke could allow remote users to execute arbitrary code in the context of the web site. The problem is in the lack of sanitization of some types of input. PHP-Nuke does not sanitize code submitted to a site from the avatar select box. Due to this, a malicious user may be able to submit embedded code from their profile page instead of an avatar. This would result in code being executed in the location where a user's avatar should normally display. This code would be executed by a victim user's browser in the context of the site
VAR-200911-0271 CVE-2009-2823 Web servers enable HTTP TRACE method by default
CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The Apache HTTP Server in Apple Mac OS X before 10.6.2 enables the HTTP TRACE method, which allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified web client software. The HTTP TRACE method returns the contents of client HTTP requests in the entity-body of the TRACE response. Attackers could leverage this behavior to access sensitive information, such as cookies or authentication data, contained in the HTTP headers of the request. The attacker may exploit this issue to steal cookie-based authentication credentials and carry out other attacks. NOTE: This issue was previously covered in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but has been assigned its own record to better document it. This update provides a solution to this vulnerability. Update: The wrong package was uploaded for 2009.1. This update addresses that problem. Update: Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2823 http://www.kb.cert.org/vuls/id/867593
VAR-200511-0133 CVE-2005-3398 Sun Solaris Management Console HTTP TRACE Information Disclosure Vulnerability
CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The default configuration of the web server for the Solaris Management Console (SMC) in Solaris 8, 9, and 10 enables the HTTP TRACE method, which could allow remote attackers to obtain sensitive information such as cookies and authentication data from HTTP headers. The HTTP TRACE method returns the contents of client HTTP requests in the entity-body of the TRACE response. A web server that supports the TRACE method as defined in RFC 2616 has a vulnerability through which cookie information set in the browser can be obtained. Cookies set in the browser and authentication information (Basic Authentication: contains base64-encoded user information) may be obtained. Sun Solaris Management Console is prone to an information-disclosure vulnerability. The attacker may exploit this issue along with other attacks, such as cross-site scripting, to steal cookie-based authentication credentials. TITLE: Sun Solaris HTTP TRACE Response Cross-Site Scripting Issue SECUNIA ADVISORY ID: SA17334 VERIFY ADVISORY: http://secunia.com/advisories/17334/ CRITICAL: Not critical IMPACT: Cross Site Scripting WHERE: From local network OPERATING SYSTEM: Sun Solaris 10 http://secunia.com/product/4813/ Sun Solaris 8 http://secunia.com/product/94/ Sun Solaris 9 http://secunia.com/product/95/ DESCRIPTION: Sun has acknowledged a security issue in Solaris, which potentially can be exploited by malicious people to conduct cross-site scripting attacks. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site when combined with certain browser vulnerabilities. It is reportedly not possible to disable the TRACE method. The security issue has been reported in Solaris 8, 9 and 10 on both SPARC and x86 platforms. SOLUTION: Apply patches when available. The vendor recommends that the SMC may be disabled as a workaround. -- SPARC Platform -- Solaris 9: Apply patch 116807-02 or later. -- x86 Platform -- Solaris 9: Apply patch 116808-02 or later. 
PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102016-1
VAR-200301-0039 No CVE ZyXEL DSL Modem Default Remote Administrator Password Vulnerability
CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
ZyXEL DSL Modem is a broadband modem device developed and maintained by ZyXEL. The ZyXEL DSL Modem management interface has a pre-configured account that allows remote attackers to obtain sensitive information on the device. The ZyXEL DSL Modem has a default username and password. The user name is "root" and the password is "1234". With this account it is possible to log in to the modem's built-in FTP server and download data files containing sensitive information, such as spt.dat. The file contains the following information: 0x20 the root password in clear; 0x40 SNMP Location; 0x60 Device name; 0x80 SNMP Sys Contact; 0xac SNMP read community; 0xcc SNMP read community; 0xec SNMP read community; 0x188 SUA Server IP address; 0x1c54 First PPPoE Account config name (Default: ChangeMe); 0x1dde First PPPoE Username; 0x1dfe First PPPoE Password; 0x21dc Second PPPoE Account config name. This information can be used to make changes and reconfigure the device. This default account information may also be present in other ZyXEL DSL Series Modems. It has been reported that the administration interface on some ZyXEL devices, including the 642 and 645 series, is remotely accessible and pre-set with a default username and password. It is important to note that other ZyXEL devices may share this default account.
VAR-200312-0489 CVE-2003-1346 D-Link DWL-900AP+ Firmware Upgrade Configuration Reset Vulnerability
CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
D-Link wireless access point DWL-900AP+ 2.2, 2.3 and possibly 2.5 allows remote attackers to set factory default settings by upgrading the firmware using AirPlus Access Point Manager. If the user has installed the D-Link AirPlus access point management program for firmware wins, once the program starts, two windows will pop up. The lower window is "Aveliable AP", which shows that the AP is running firmware version 2.5. The upper window is "Upgrage AP", which lists the firmware version you want to upgrade to. After obtaining the relevant version and clicking upgrade, the management program does not prompt for any password; it simply transfers the new firmware to the AP over TFTP and, once the firmware is uploaded, returns the AP to the default settings.
VAR-200312-0053 CVE-2003-1250 Efficient Networks DSL Router Remote Denial of Service Attack Vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Efficient Networks 5861 DSL router, when running firmware 5.3.80 configured to block incoming TCP SYN packets, allows remote attackers to cause a denial of service (crash) via a flood of TCP SYN packets to the WAN interface using a port scanner such as nmap. A denial of service vulnerability has been reported for the Efficient Networks 5861 line of DSL routers. The vulnerability can be triggered when the router is configured to block incoming TCP SYN flags and is subsequently portscanned. An attacker can exploit this vulnerability by portscanning a vulnerable DSL router on its WAN interface. When this occurs the device will reportedly lock up and then restart after a period of time. The Efficient Networks DSL Router is a small ADSL router that offers features like firewall and VPN.
VAR-200301-0038 No CVE Macromedia ColdFusion MX CFInclude and CFModule Mark Sandbox Security Check Bypass Vulnerabilities
CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Macromedia ColdFusion MX is an efficient web application server development environment with high ease of use and development efficiency, based on standard Java technology. It can be integrated with XML, Web Services, and the Microsoft .NET environment. ColdFusion MX does not properly handle cfinclude and cfmodule tags, and remote attackers can exploit this vulnerability to gain unauthorized access to system files. The <cfinclude> and <cfmodule> tags receive filenames using relative paths as arguments, and ColdFusion MX does not perform Sandbox security file/directory permission checks when including files through these tags, which can allow a malicious template built with these tags to access data without authorization. A vulnerability in the use of the cfinclude and cfmodule tags exists in ColdFusion MX. In environments that are sandboxed, it may be possible for a script to access files outside of the sandboxed directory. This could lead to unauthorized access to files on the host.
VAR-200301-0002 CVE-2003-0001 Multiple Vendors Network Device Driver Frame Filling Information Disclosure Vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Multiple Ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak. The network device driver pads packet data that is shorter than 46 bytes. The Ethernet standard (IEEE 802.3) defines that the minimum data field of a packet is 46 bytes. If a higher layer protocol such as IP provides less than 46 bytes, the device driver must fill the data segment to meet the minimum frame size specified by IEEE 802. The padding value is generally NULL data. However, many Ethernet device drivers do not operate in accordance with the standard. The data is padded without using NULL bytes, and previously transmitted frame data is reused for padding. Since the Ethernet frame buffer is allocated in kernel memory space, some sensitive system information can be obtained by analyzing this padding data. Some device drivers fail to do this adequately, leaving the data that was stored in the memory comprising the buffer prior to its use intact. Consequently, this data may be transmitted within frames across Ethernet segments. Cisco has stated that the IOS 12.1 and 12.2 trains are not affected. National Semiconductor Ethernet controller chips are not vulnerable to this issue. This issue is described in CERT Vulnerability VU#412115 (see http://www.kb.cert.org/vuls/id/412115 and http://www.kb.cert.org/vuls/id/JPLA-5BGNYP). 2. Contributing Factors This issue can occur in the following releases: SPARC Platform * Solaris 2.6 without patch 105181-35 * Solaris 7 without patch 112604-02 * Solaris 8 without patch 112609-02 * Solaris 9 without patch 115172-01 Note: The Am7990 ("LANCE") Ethernet driver le(7D) is for SPARC platforms only, thus x86 platforms are not affected. This issue only occurs on SPARC systems that utilize the Am7990 ("LANCE") Ethernet driver (le(7D)). 
To determine if the Am7990 Ethernet driver is installed on your system, run the following command: $ ifconfig -a le0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1 inet 127.0.0.0 netmask ff000000 Any reference to "le0" would indicate an open Lance Ethernet (le) interface. 3. Symptoms There are no predictable symptoms that would show the described issue has been exploited. SOLUTION SUMMARY: 4. Relief/Workaround There is no workaround for this issue. Please see "Resolution" section below. 5. Resolution This issue is addressed in the following releases: SPARC Platform * Solaris 2.6 with patch 105181-35 or later * Solaris 7 with patch 112604-02 or later * Solaris 8 with patch 112609-02 or later * Solaris 9 with patch 115172-01 or later
VAR-200312-0067 CVE-2003-1264 Longshine Wireless Access Point Device Information Disclosure Vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
TFTP server in Longshine Wireless Access Point (WAP) LCS-883R-AC-B, and in D-Link DI-614+ 2.0 which is based on it, allows remote attackers to obtain the WEP secret and gain administrator privileges by downloading the configuration file (config.img) and other files without authentication. The Longshine LCS-883R-AC-B device will allow TFTP connections. The configuration file contains sensitive information including the administrator password and WEP keys. The D-Link DI-614+ product, reportedly based on the Longshine device, appears to be vulnerable to this issue; however, only some files were accessible.
VAR-200212-0385 CVE-2002-1937 Symantec Firewall/VPN Appliance Get administrator password vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Symantec Firewall/VPN Appliance 100 through 200R hardcodes the administrator's MAC address inside the firewall's configuration, which allows remote attackers to spoof the administrator's MAC address and perform an ARP poisoning man-in-the-middle attack to obtain the administrator's password. Firewall/VPN Appliance 200 is prone to a remote security vulnerability
VAR-200212-0270 CVE-2002-1972 Parallel port powerSwitch Unknown vulnerability
CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Unknown vulnerability in Parallel port powerSwitch (aka pp_powerSwitch) 0.1 does not properly enforce access controls, which allows local users to access arbitrary ports. Pp Powerswitch is prone to a local security vulnerability