VARIoT IoT vulnerabilities database

cgiproc CGI script in Nortel Contivity HTTP server allows remote attackers to cause a denial of service via a malformed URL that includes shell metacharacters. The Contivity series is an external network switch product developed by Nortel. The newer Contivity switch includes an httpd server running on the VxWorks operating system to provide a remote Web-based management interface.  A vulnerability exists in the "cgiproc" script implementation of the Web management interface of the Contivity series switches. A remote attacker could use this vulnerability to conduct a denial of service attack on the switch or view arbitrary system files.  Because the user input is not sufficiently filtered, if you pass metacharacters to the cgiporc program, such as "!" Or "$", the system will crash. Another vulnerability of cgiproc is the lack of authentication when requesting a management page. This enables an attacker to view any file in the web server. A total system crash can occur as a result of exploiting a vulnerability in a cgi-bin program called "cgiproc" that is included with the webserver. If metacharacters such as "!", or "$" are passed to cgiproc, the system will crash (because the characters are not escaped). foo <foo@blacklisted.intranova.net> provided the following example: http://x.x.x.x/manage/cgi/cgiproc?$ [crash] No evidence of this problem being exploited is saved in the logs. foo <foo@blacklisted.intranova.net> also provided an example for this vulnerability: http://x.x.x.x/manage/cgi/cgiproc?Nocfile=/name/and/path/of/file. (interesting places to look: /system/filelist.dat, /system/version.dat, /system/keys, /system/core, etc.) All that is written to the logs when this is exploited is below: 09:44:23 tEvtLgMgr 0 : Security [12] Management: Request for cgiproc denied. requires login In order to perform the operations detailed in the report, the "attackers" must be internal, private side users or authenticated tunnel users and the site administrator must allow them HTTP as a management protocol

Intel InBusiness E-mail is a small application server. This product has a security vulnerability that allows unauthorized remote attackers to delete arbitrary files on the hard disk and change the configuration file of the e-mail workstation. Under certain conditions, remote attackers also It is possible to read the e-mail of any user in the system. Details: This e-mail workstation runs the VxWorks operating system and uses a 486 SX25 processor. A daemon called "daynad" is bound to TCP port 244. By connecting to this service port, you can execute many commands without going through any security authentication. By simply establishing a TCP connection to this port, the following commands can be executed: FormSet: After the next restart, this e- The mail workstation will be restored to the factory state. In this state, the e-mail workstation will use a DHCP server to obtain its own IP address. This also means that the attacker can connect to e without any password after the next restart. -Mail workstation and complete control of the entire device. FormProtect: After the next restart, the e-mail workstation will be restored to the factory state and all passwords will be disabled. Only reconnecting Use the FormSet command to restore to port 244. MakeDir: Create a directory on the hard disk Remove: Remove the specified file from the hard disk, which may be the user's mail or other files. Z: This command will provide a UNIX-type login prompt interface. Enter the password of the super user to enter. If the password is reset using FormSet, the attacker may log in without the password. Once logged in, the attacker may execute arbitrary commands to operate the hard disk. & Lt; * Source: Kit Knox (kit@CONNECTNET.COM) *>. e-mail

IMail IMONITOR status.cgi CGI script allows remote attackers to cause a denial of service with many calls to status.cgi. IMail includes a service called IMail Monitor which is used for local and remote performance measuring and diagnostics. It includes a small webserver operating on port 8181 to support web-based monitoring. One of the cgi scripts, status.cgi, is used to determine which services are currently running and create a web pafge to report this information. Multiple simultaneous requests for status.cgi will cause the software to crash, with a Dr. Watson error of "Invalid Memory Address". There is a vulnerability in the IMail IMONITOR status.cgi CGI script

Cisco Resource Manager (CRM) 1.0 and 1.1 creates world-readable log files and temporary files, which may expose sensitive information, to local users such as user IDs, passwords and SNMP community strings. Cisco Resource Manager is prone to a information disclosure vulnerability. Attackers can exploit this issue to gain access to sensitive information

Cisco PIX Private Link 4.1.6 and earlier does not properly process certain commands in the configuration file, which reduces the effective key length of the DES key to 48 bits instead of 56 bits, which makes it easier for an attacker to find the proper key via a brute force attack. Cisco Pix Private Link is prone to a remote security vulnerability. Attackers can exploit this issue to perform unauthorized actions. This may aid in further attacks

Cisco Resource Manager (CRM) 1.1 and earlier creates certain files with insecure permissions that allow local users to obtain sensitive configuration information including usernames, passwords, and SNMP community strings, from (1) swim_swd.log, (2) swim_debug.log, (3) dbi_debug.log, and (4) temporary files whose names begin with "DPR_". Cisco Resource Manager is prone to a local security vulnerability. Attackers can exploit this issue to perform unauthorized actions. This may aid in further attacks. CRM will create a file with unsafe permissions, local users can get sensitive from (1) swim_swd.log, (2) swim_debug.log, (3) dbi_debug

Web Cache Control Protocol (WCCP) in Cisco Cache Engine for Cisco IOS 11.2 and earlier does not use authentication, which allows remote attackers to redirect HTTP traffic to arbitrary hosts via WCCP packets to UDP port 2048. Cisco IOS is prone to a remote security vulnerability. Attackers can exploit this issue to perform unauthorized actions. This may aid in further attacks. A remote attacker can reset arbitrary user access to HTTP through UDP port 2048 of WCCP packets

Vulnerability in Cisco IOS 11.1CC and 11.1CT with distributed fast switching (DFS) enabled allows remote attackers to bypass certain access control lists when the router switches traffic from a DFS-enabled interface to an interface that does not have DFS enabled, as described by Cisco bug CSCdk35564. IOS is prone to a security bypass vulnerability. This vulnerability is also known as Cisco vulnerability CSCdk35564

Vulnerability in Cisco IOS 11.1 through 11.3 with distributed fast switching (DFS) enabled allows remote attackers to bypass certain access control lists when the router switches traffic from a DFS-enabled input interface to an output interface with a logical subinterface, as described by Cisco bug CSCdk43862. IOS is prone to a security bypass vulnerability. Cisco IOS 11.1 to 11.3's distributed fast switching (DFS) has a vulnerability

A bug in Intel Pentium processor (MMX and Overdrive) allows local users to cause a denial of service (hang) in Intel-based operating systems such as Windows NT and Windows 95, via an invalid instruction, aka the "Invalid Operand with Locked CMPXCHG8B Instruction" problem. There are loopholes in Intel Pentium processor (MMX and Overdrive)

lpr on SunOS 4.1.1, BSD 4.3, A/UX 2.0.1, and other BSD-based operating systems allows local users to create or overwrite arbitrary files via a symlink attack that is triggered after invoking lpr 1000 times. SGI of IRIX Unspecified vulnerabilities exist in products from multiple vendors.None. SunOS is prone to a local security vulnerability. Attackers can exploit this issue to perform unauthorized actions. This may aid in further attacks. SunOS 4.1.1, BSD 4.3, A/UX 2.0.1, and other BSD-based operating systems have the lpr vulnerability

IIS 3.0 allows remote attackers to cause a denial of service via a request to an ASP page in which the URL contains a large number of / (forward slash) characters. IIS is prone to a denial-of-service vulnerability

The Winmsdp.exe sample file in IIS 4.0 and Site Server 3.0 allows remote attackers to read arbitrary files. Site Server is prone to a remote security vulnerability

IIS 2.0 and 3.0 allows remote attackers to read the source code for ASP pages by appending a . (dot) to the end of the URL. IIS is prone to a remote security vulnerability. Attackers can exploit this issue to perform unauthorized actions. This may aid in further attacks

FTP service in IIS 4.0 and earlier allows remote attackers to cause a denial of service (resource exhaustion) via many passive (PASV) connections at the same time. IIS is prone to a denial-of-service vulnerability. Attackers can exploit this issue to cause a denial-of-service condition

Macintosh systems generate large ICMP datagrams in response to malformed datagrams, allowing them to be used as amplifiers in a flood attack. apple's macOS Exists in unspecified vulnerabilities.None. The implementation of Open Transport in MacOS 9 includes a weakness that could allow an attacker to use the Mac as a traffic amplifier in a DoS attack against another computer. A specially-crafted 29-byte UDP packet can be sent to a machine running MacOS 9. The Mac will then respond with a 1500 byte ICMP packet. If the first UDP packet is sent with a spoofed IP address of a third machine, and these spoofed triggger packets are sent to several MacOS 9 machines,, it will create an effective DoS of the third machine due to bandwidth starvation. There are a large number of ICMP datagram vulnerabilities in the Macintosh system. Attackers use these vulnerabilities as amplifiers to carry out attacks

The default configurations for McAfee Virus Scan and Norton Anti-Virus virus checkers do not check files in the RECYCLED folder that is used by the Windows Recycle Bin utility, which allows attackers to store malicious code without detection. Many commercial virus scanners for Windows platforms exclude the Recycled folder on the hard drive from their scans. The Recycled folder is where Win9x operating systems keep files that have been deleted via the GUI but not purged from the Recycle Bin. Files of any nature can be manually placed in the Recycled folder. Therefore, it is possible for any user or program to put code into that folder that will never be subject to virus scans. Although WinNT makes use of a folder called 'Recycler' for similar purposes, many virus scanners for NT still have the 'Recycled' folder listed in the exclusions. Note that other virus scanners than those listed under the 'info' tab may be vulnerable as well. document

IIS does not properly canonicalize URLs, potentially allowing remote attackers to bypass access restrictions in third-party software via escape characters, aka the "Escape Character Parsing" vulnerability. IIS accepts escaped characters that are not valid hexadecimal digits. All webservers that are compliant with RFC 1738 accept hexadecimal digits that are preceded by a percent sign, but IIS will also accept invalid hex digits and translate some of them into valid ASCII characters. This provides a third means of constructing URLs (plaintext, valid hex, and invalid hex) that may be used to bypass third-party access control mechanisms and intrusion detection systems. This issue does not provide a means of compromising the IIS server itself

Ipswitch IMail 5.0 and 6.0 uses weak encryption to store passwords in registry keys, which allows local attackers to read passwords for e-mail accounts. The encryption scheme used is weak and has been broken. The following description of the mechanism used is quoted from Matt Conover's post to Bugtraq, linked to in full in the Credits section. ENCRYPTION SCHEME Take the lowercase of the account name, split it up by letter and convert each letter to its ASCII equivalent. Next, find the difference between each letter and the first letter. Take each letter of the password, find it's ASCII equivalent and add the offset (ASCII value of first char of the account name minus 97) then subtract the corresponding difference. Use the differences recursively if the password length is greater than the length of the account name. This gives you the character's new ASCII value. Next, Look it up the new ASCII value in the ASCII-ENCRYPTED table (see http://www.w00w00.org/imail_map.txt) and you now have the encrypted letter. Example: Account Name: mike m = 109 i = 105 k = 107 e = 101 Differences: First - First: 0 First - Second: 4 First - Third: 2 First - Fourth: 8 Unencrypted Password: rocks r = 114 o = 111 c = 99 k = 107 s = 115 (ASCII value + offset) - difference: offset: (109 - 97) = 12 (114 + 12) - 0 = 126 (111 + 12) - 4 = 119 (99 + 12) - 2 = 109 (107 + 12) - 8 = 111 (115 + 12) - 0 = 127 126 = DF 119 = D8 109 = CE 111 = D0 127 = E0 Encrypted Password: DFD8CED0E0 The decryption scheme is a little easier. First, like the encryption scheme, take the account name, split it up by letter and convert each letter to its ASCII equivalent. Next, find the difference between each letter and the first letter. Now split the encrypted password by two characters (e.g., EFDE = EF DE) then look up their ASCII equivalent within the ASCII-ENCRYPTED table (see http://www.w00w00.org/imail_map.txt). Take that ASCII value and add the corresponding difference.Look this value up in the ascii table. This table is made by taking the ASCII value of the first character of the account name and setting it equal to 'a'. EXAMPLE Account Name: mike m = 109 i = 105 k = 107 e = 101 Differences: First - First: 0 First - Second: 4 First - Third: 2 First - Fourth: 8 Encrypted Password: DFD8CED0E0 DF = 126 D8 = 119 CE = 109 D0 = 111 E0 = 127 Add Difference: 126 + 0 = 126 119 + 4 = 123 109 + 2 = 111 111 + 8 = 119 127 + 0 = 127 Look up in table (see http://www.w00w00.org/imail_map.txt): 126 = r 123 = o 111 = c 119 = k 127 = s Unencrypted Password: rocks

Cisco Cache Engine allows an attacker to replace content in the cache. Attackers can exploit this issue to perform unauthorized actions. This may aid in further attacks