VARIoT IoT vulnerabilities database

VAR-200212-0119 | CVE-2002-2052 | Cisco IOS 12.1 Wide-Range TCP Scan Handling Denial of Service Vulnerability
CVSS V2: 5.0 | CVSS V3: - | Severity: MEDIUM
A Cisco 2611 router running IOS 12.1(6.5), possibly an interim release, allows remote attackers to cause a denial of service via port scans such as (1) scanning all ports on a single host and (2) scanning a network of hosts for a single open port through the router. NOTE: the vendor could not reproduce this issue, saying that the original reporter was using an interim release of the software. IOS is the Internet Operating System, used on Cisco routers. It is distributed and maintained by Cisco.
This vulnerability has been reported to exist on a Cisco 2611 router running IOS 12.1(6.5). Cisco has reported that it is unable to reproduce the problem, so the issue may be the result of a configuration error or of site-specific conditions. Testing by Cisco engineers did not trigger the problem, which suggests it depends on a specific configuration.
VAR-200212-0120 | CVE-2002-2053 | Cisco Forged HSRP Loop Denial of Service Vulnerability
CVSS V2: 5.0 | CVSS V3: - | Severity: MEDIUM
The design of the Hot Standby Routing Protocol (HSRP), as implemented on Cisco IOS 12.1, when using IRPAS, allows remote attackers to cause a denial of service (CPU consumption) via a router with the same IP address as the interface on which HSRP is running, which causes a loop. IOS is the Internet Operating System, used on Cisco routers. It is distributed and maintained by Cisco. Hot Standby Routing Protocol (HSRP) is a protocol used to allow multiple routers to dynamically act as backups in the event of router failure. HSRP traffic takes place over UDP port 1985.
A vulnerability has been reported in some versions of IOS. It may be possible for maliciously constructed HSRP traffic to create a loop condition, resulting in a denial of service attack.
It has been reported possible to cause this condition in version 12.1 of IOS. Other versions of IOS may share this vulnerability, but this has not been confirmed. This issue has been assigned Cisco Bug ID CSCdu38323. The weakness lies in the design of HSRP itself, which allows an attacker on the local network to mount a denial of service attack. HSRP has no strict authentication mechanism, and router messages on the network are not properly validated. An attacker can cause a loop involving the interface address of the active router: when the virtual router is advertised through HSRP, the looped interface is used directly, resulting in a denial of service. The attack only works on the local network segment, because most routers do not forward traffic sent to the all-routers multicast address (224.0.0.2).
VAR-200210-0081 | CVE-2002-0949 | Telindus 1100 ADSL Router Administrator Password Disclosure Vulnerability
CVSS V2: 7.5 | CVSS V3: - | Severity: HIGH
Telindus 1100 series ADSL router allows remote attackers to gain privileges to the device via a certain packet to UDP port 9833, which generates a reply that includes the router's password and other sensitive information in cleartext. The 1100 series routers are a broadband connectivity solution distributed by Telindus.
Under some circumstances, a vulnerable Telindus router may leak sensitive information. When an attempt to connect to the router is made using the administrative software, the router sends the password to the client in plain text. This packet is sent via UDP.
The vendor has released firmware version 6.0.27, dated July 2002. Reports suggest that this firmware does not adequately protect against the vulnerability: it is reported to encrypt the UDP packet exchanged when connecting to the router, but the encryption scheme is weak and easily circumvented by an attacker. This design flaw in the Telindus 1100 series routers could therefore allow a remote attacker to obtain the administrator password. Telindus provides management software for the 1100 series, downloadable free of charge from the Telindus website, which can be used to manage the routers remotely.
VAR-200212-0116 | CVE-2002-2049 | Fragroute/Dsniff/Fragrouter Configure Script Trojan Vulnerability
CVSS V2: 7.5 | CVSS V3: - | Severity: HIGH
configure for Dsniff 2.3, fragroute 1.2, and fragrouter 1.6, when downloaded from monkey.org on May 17, 2002, has been modified to contain a backdoor, which allows remote attackers to access the system. The server hosting fragroute, fragrouter, and dsniff, www.monkey.org, was compromised recently. It has been reported that the intruder made modifications to the source code of fragroute, fragrouter and dsniff to include a backdoor. This backdoor allowed a user from the IP address 216.80.99.202 to remotely execute commands on the host that it was installed on. The source code is reported to have been corrupted on May 17, 2002. Downloads of the source from monkey.org during this time likely contain the trojan code.
A confirmed MD5 sum of a contaminated archive is:
65edbfc51f8070517f14ceeb8f721075
If a fragroute install was based on an archive with this MD5 sum, it is likely that the backdoor code was executed. It is possible for other backdoored archives to have different MD5 sums. If it is believed that a trojan horse copy of fragroute has been installed, administrators should remove systems from the network and thoroughly inspect/clean the system.
As of this writing (05-31-2002), the current version available from monkey.org has the following MD5 sum:
7e4de763fae35a50e871bdcd1ac8e23a
It is believed that this version is clean. Caution should still be exercised when building and installing. The configure scripts of Dsniff 2.3, fragroute 1.2 and fragrouter 1.6 are the affected components.
VAR-200205-0150 | CVE-2002-1447 | Cisco VPN Client for UNIX Local Buffer Overflow Vulnerability
CVSS V2: 7.2 | CVSS V3: - | Severity: HIGH
Buffer overflow in the vpnclient program for UNIX VPN Client before 3.5.2 allows local users to gain administrative privileges via a long profile name in a connect argument. The Cisco VPN Client software is used to establish Virtual Private Network (VPN) connections between client machines and a Cisco VPN Concentrator.
A vulnerability has been reported in some versions of the VPN Client. If an oversized profile name is passed to the vpnclient binary, a buffer overflow condition may occur. As vpnclient runs suid root, exploitation of this vulnerability will grant a local attacker root access to the vulnerable system.
This vulnerability affects the VPN Client version 3.5.1 for Linux, Solaris and Mac OS X. Windows clients are not believed to be vulnerable. Earlier versions of the VPN Client may share this vulnerability, although this has not been confirmed. The Cisco VPN client is installed with the suid root attribute by default, and the program does not correctly or sufficiently check the data supplied to its "connect" parameter. A user who passes an overly long profile name (more than 520 bytes) to the "connect" parameter can trigger a buffer overflow, and a carefully constructed name may allow arbitrary commands to be executed with root privileges.
VAR-200212-0282 | CVE-2002-1851 | Ipswitch WS_FTP Pro Remote Buffer Overflow Vulnerability
CVSS V2: 7.5 | CVSS V3: - | Severity: HIGH
Buffer overflow in WS_FTP Pro 7.5 allows remote attackers to execute code on a client system via unknown attack vectors. Ipswitch WS_FTP Pro is an FTP client for Microsoft Windows systems. A buffer overflow condition has been reported in WS_FTP Pro. Precise details are not currently available; however, it is believed that it may be exploitable by a malicious server. WS_FTP Pro does not correctly check the responses it receives from the server, so a remote attacker who controls or forges server responses can cause a denial of service. NGS Software will publish full technical details once Ipswitch has provided a patch.
VAR-200210-0192 | CVE-2002-0891 | NetScreen ScreenOS Remote Restart Vulnerability
CVSS V2: 5.0 | CVSS V3: - | Severity: MEDIUM
The web interface (WebUI) of NetScreen ScreenOS before 2.6.1r8, and certain 2.8.x and 3.0.x versions before 3.0.3r1, allows remote attackers to cause a denial of service (crash) via a long user name.
This condition may be the result of an unchecked buffer, which could potentially allow the attacker to execute arbitrary code; this possibility has not been confirmed. NetScreen is a firewall security solution that provides wire-speed packet processing.
VAR-200211-0046 | CVE-2002-1180 | Microsoft IIS Unauthorized .COM File Upload Vulnerability Due to Improper Script Source Access Permissions
CVSS V2: 7.5 | CVSS V3: - | Severity: HIGH
A typographical error in the script source access permissions for Internet Information Server (IIS) 5.0 does not properly exclude .COM files, which allows attackers with only write permissions to upload malicious .COM files, aka "Script Source Access Vulnerability". This entry summarizes one of several vulnerabilities disclosed at the same time; note that the descriptive text below covers more than the vulnerability named in the title. An attack exploiting this problem can only be carried out when a system administrator has granted all users both write and execute permission on one or more virtual directories; otherwise IIS 5.0 is not affected. Please refer to the "Overview" for the impact of this vulnerability. A vulnerability has been reported for Microsoft IIS that may allow a remote attacker to upload a file onto the vulnerable server and possibly execute it. This vulnerability only affects IIS 5.0.
This vulnerability was originally described in BugTraq ID 6068. It is now being assigned its own BugTraq ID.
VAR-200211-0048 | CVE-2002-1182 | Microsoft IIS WebDAV Request Processing Denial of Service (DoS) Vulnerability
CVSS V2: 5.0 | CVSS V3: - | Severity: MEDIUM
IIS 5.0 and 5.1 allow remote attackers to cause a denial of service (crash) via malformed WebDAV requests that cause a large amount of memory to be assigned. When Microsoft IIS receives a malicious WebDAV request, a vulnerability causes it to allocate far more memory than is normally needed to process the request. The request cannot be processed and the server crashes, leaving it in a denial of service (DoS) state.
The denial of service is caused by resource exhaustion. A denial of service vulnerability has been reported for Microsoft IIS 5 and 5.1. Several malformed requests sent to the server will result in the vulnerable system failing to respond to further legitimate requests for service. This vulnerability affects IIS 5.0 and 5.1 only.
This vulnerability was originally described in BugTraq ID 6068. It is now being assigned its own BugTraq ID.
Reports suggest that numerous hosts have been scanned in an attempt to exploit this vulnerability. Although unconfirmed, this may be the result of automated attacks.
VAR-200211-0047 | CVE-2002-1181 | Microsoft IIS Administrative Web Site Cross-Site Scripting Vulnerability
CVSS V2: 6.8 | CVSS V3: - | Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in the administrative web pages for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allow remote attackers to execute HTML script as other users through (1) a certain ASP file in the IISHELP virtual directory, or (2) possibly other unknown attack vectors.
This vulnerability was originally described in BugTraq ID 6068. It is now being assigned its own BugTraq ID. Microsoft Internet Information Services (IIS) is prone to multiple vulnerabilities.
The first vulnerability may allow an attacker to obtain elevated privileges. It can be exploited by an attacker to load and execute applications on the vulnerable server with SYSTEM level privileges, and is exploitable when IIS is configured to run applications out of process.
The second vulnerability may allow a remote attacker to cause a denial of service condition. This vulnerability is related to how IIS allocates memory for WebDAV requests. Any specially crafted WebDAV requests may result in IIS allocating an extremely large amount of memory on the server. Several malformed requests sent to the server will result in the vulnerable system failing to respond to further legitimate requests for service. This vulnerability affects IIS 5.0 and 5.1 only.
The third vulnerability may allow a remote attacker to upload a file onto the vulnerable server and possibly execute it. The vulnerability is a result of inappropriate listing of file types that are subject to the script source access permission in IIS 5.0. As a result an attacker may be able to upload malicious files to a vulnerable server and possibly execute it. This vulnerability only affects IIS 5.0.
The final vulnerability is a cross-site scripting vulnerability resulting from improper sanitization of user-supplied input by IIS. Several web pages provided by IIS for administrative purposes do not adequately sanitize user-supplied input, so any malicious HTML or script code included in the URI will be executed.
VAR-200207-0023 | CVE-2002-0364 | Microsoft Internet Information Server (IIS) Remote Buffer Overflow in Chunked Encoding Data Transfer Mechanism for HTR
CVSS V2: 7.5 | CVSS V3: - | Severity: HIGH
Buffer overflow in the chunked encoding transfer mechanism in IIS 4.0 and 5.0 allows attackers to execute arbitrary code via the processing of HTR request sessions, aka "Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise".
This condition affects IIS 4.0 and IIS 5.0. Exploitation of this vulnerability may result in a denial of service or allow a remote attacker to execute arbitrary instructions on the victim host.
VAR-200210-0188 | CVE-2002-0886 | Cisco CBOS Oversized DHCP Packet Denial of Service Vulnerability
CVSS V2: 5.0 | CVSS V3: - | Severity: MEDIUM
Cisco DSL CPE devices running CBOS 2.4.4 and earlier allow remote attackers to cause a denial of service (hang or memory consumption) via (1) a large packet to the DHCP port, (2) a large packet to the Telnet port, or (3) a flood of large packets to the CPE, which causes the TCP/IP stack to consume large amounts of memory.
When the CBOS TCP/IP stack is forced to process a high number of unusually large packets, it will consume all available memory, causing the router to freeze and stop forwarding packets. CBOS (Cisco Broadband Operating System) is the operating system for Cisco 600 series routers.
It is possible for a remote user to cause a denial of service of a CPE running CBOS software 2.4.4 and prior.
Sending an unusually large packet to the telnet port will exploit this issue.
The following devices in the Cisco 600 series of routers are affected by this issue:
605, 626, 627, 633, 673, 675, 675e, 676, 677, 677i and 678.
This vulnerability has been assigned Cisco Bug ID CSCdv50135. CBOS also fails to correctly process packets submitted to its DHCP server, which allows remote attackers to cause a denial of service; this issue is tracked as Cisco Bug ID CSCdw90020.
VAR-200210-0183 | CVE-2002-0881 | Cisco VoIP Phone Default Administrator Password Vulnerability
CVSS V2: 2.1 | CVSS V3: - | Severity: LOW
Cisco IP Phone (VoIP) models 7910, 7940, and 7960 use a default administrative password, which allows attackers with physical access to the phone to modify the configuration settings. The 7900 series VoIP Phones are a Voice-over-IP solution distributed by Cisco Systems. Anyone with physical access to a 7900 series phone can use the default administrative password (entered as a key combination on the handset) to change configuration settings such as the TFTP server address and other operational parameters.
VAR-200210-0184 | CVE-2002-0882 | Cisco VoIP Phone Traffic Statistics Request Denial of Service Vulnerability
CVSS V2: 6.4 | CVSS V3: - | Severity: MEDIUM
The web server for Cisco IP Phone (VoIP) models 7910, 7940, and 7960 allows remote attackers to cause a denial of service (reset) and possibly read sensitive memory via a large integer value in (1) the stream ID of the StreamingStatistics script, or (2) the port ID of the PortInformation script. The 7900 series VoIP Phones are a Voice-Over-IP solution distributed by Cisco Systems.
It is possible to deny service to users of this line of phones. By requesting the /StreamingStatistics script with an arbitrarily high stream ID (i.e. http://www.example.com/StreamingStatistics?<stream>, where <stream> is an integer value), the phone can be made to reset itself, preventing it from placing or receiving calls for up to thirty seconds. This has reportedly been reproduced with stream ID values greater than 32768, and consistently with a value of 120000. The web interface of the 7900 series phones mishandles such abnormal requests, allowing remote attackers to mount denial of service attacks. The phones run a built-in web service on port 80 that provides a script page displaying streaming statistics, accessed in the form http://www.example.com/StreamingStatistics?<stream>. Because these pages require no authentication, any attacker can submit a sufficiently high <stream> value and cause the phone to reset. According to testing, a <stream> value above 32768 triggers the reset, and a value of 120000 reproduces it reliably.
VAR-200212-0791 | CVE-2002-2316 | Cisco Catalyst Unicast Traffic Broadcast Vulnerability
CVSS V2: 5.0 | CVSS V3: - | Severity: MEDIUM
Cisco Catalyst 4000 series switches running CatOS 5.5.5, 6.3.5, and 7.1.2 do not always learn MAC addresses from a single initial packet, which causes unicast traffic to be broadcast across the switch and allows remote attackers to obtain sensitive network information by sniffing. Catalyst is a commercial-grade switch distributed by Cisco.
Under normal circumstances, a switch learns the MAC address of a system connected to a port after a single packet. It has been reported that the affected switches may not learn the MAC address of a connected system until several more packets have been sent to the unknown host. Until it does, unicast traffic between two systems across the switch is broadcast to all systems connected to the switch, and attackers can obtain sensitive network information by sniffing it.
VAR-200210-0185 | CVE-2002-0883 | Compaq ProLiant BL e-Class Enclosure Local Unauthorized Administrator Access Vulnerability
CVSS V2: 7.2 | CVSS V3: - | Severity: HIGH
Vulnerability in Compaq ProLiant BL e-Class Integrated Administrator 1.0 and 1.10, allows authenticated users with Telnet, SSH, or console access to conduct unauthorized activities. The Compaq ProLiant BL e-Class enclosure utilizes the Integrated Administrator to provide system management.
No further technical details are currently available.
VAR-200212-0790 | CVE-2002-2315 | Cisco IOS ICMP Redirect Denial of Service Vulnerability
CVSS V2: 7.8 | CVSS V3: - | Severity: HIGH
Cisco IOS 11.2.x and 12.0.x does not limit the size of its redirect table, which allows remote attackers to cause a denial of service (memory consumption) via spoofed ICMP redirect packets to the router. IOS is the Internet Operating System, used on Cisco routers. It is distributed and maintained by Cisco.
This vulnerability has been assigned Cisco bug ID CSCdx32056.
The following products are known to be affected:
Cisco 1005 running IOS 11.0(18)
Cisco 1603 running IOS 11.3(11b)
Cisco 1603 running IOS 12.0(3)
Cisco 2503 running IOS 11.0(22a)
Cisco 2503 running IOS 11.1(24a)
Cisco IOS 11.2.x and 12.0.x do not limit the size of the redirect table.
VAR-200208-0143 | CVE-2002-0777 | Ipswitch IMail Server LDAP Remote Buffer Overflow Vulnerability
CVSS V2: 10.0 | CVSS V3: - | Severity: HIGH
Buffer overflow in the LDAP component of Ipswitch IMail 7.1 and earlier allows remote attackers to execute arbitrary code via a long "bind DN" parameter. Ipswitch IMail is an e-mail server that serves clients their mail via a web interface. It runs on Microsoft Windows operating systems.
IMail normally runs in the SYSTEM context, meaning that successful exploitation will result in a full compromise of the underlying system.
It should be noted that this condition may also be exploited to trigger a denial of service. The Ipswitch IMail service consists of several components, including an LDAP service that lets remote clients read the IMail directory; a flaw in its bind (authentication) processing allows remote attackers to gain access to the server with the privileges of the SYSTEM account.
VAR-200210-0132 | CVE-2002-0908 | Cisco IDS Device Manager Arbitrary File Read Access Vulnerability
CVSS V2: 5.0 | CVSS V3: - | Severity: MEDIUM
Directory traversal vulnerability in the web server for Cisco IDS Device Manager before 3.1.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the HTTPS request. The IDS Device Manager is distributed and maintained by Cisco Systems.
The IDS Device Manager may allow a remote user to gain access to sensitive information on the system. Due to improper handling of user-supplied input, a user can reach arbitrary files on the system with an elementary directory traversal attack: by sending a request that appends dot-dot-slash (../) sequences pointing to a file, a remote user may read the specified file on the affected system. Because the user-supplied path is not effectively validated, an attacker who submits strings containing multiple "../" sequences can view the contents of any file on the target system with the privileges of the IDS Device Manager, leading to leakage of sensitive system information.
VAR-200212-0858 | CVE-2002-2341 | SonicWall SOHO3 Content Blocking Script Injection Vulnerability
CVSS V2: 4.3 | CVSS V3: - | Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in content blocking in SonicWALL SOHO3 6.3.0.0 allows remote attackers to inject arbitrary web script or HTML via a blocked URL. The Sonicwall SOHO3 is an Internet security appliance that provides firewall security solutions.
Reportedly, a vulnerability exists in the product that allows for a script injection attack to be launched from a malicious user within the internal LAN.
It is possible to configure the SonicWALL to block domains from a user-entered list. The SonicWALL denies local users access to the blocked websites, and each attempt to reach a blocked domain is recorded in the appliance's log. When an administrator views the log, any script code embedded in a logged URL is automatically executed in the administrator's browser.
If an attacker's script code is injected into the log file, the administrator will no longer be able to view the log normally. To regain access to the logs the appliance must be rebooted; rebooting clears the logs, which effectively removes any record of which user initiated the attack.
A malicious remote user can exploit this issue by crafting a URL for a known blocked domain that includes script code and enticing a local user into following the link.