VARIoT IoT vulnerabilities database

Absolute path traversal vulnerability in main.cgi in Linksys WVC11B Wireless-B Internet Video Camera allows remote attackers to read arbitrary files via an absolute pathname in the next_file parameter. Linksys Web Camera software version 2.10 is reportedly prone to this issue, however, it is possible that other versions are affected as well. Linksys Web Camera has an input validation vulnerability when processing user requests. The main.cgi program of Linksys Web Camera lacks sufficient inspection and filtering for the \'\'next_file\'\' parameter submitted by the user. If the system file name is submitted as a parameter, the attacker can read the content of the corresponding file

LaunchServices in Mac OS X 10.3.4 and 10.2.8 automatically registers and executes new applications, which could allow attackers to execute arbitrary code without warning the user. apple's Apple Mac OS X and Apple Mac OS X Server Exists in unspecified vulnerabilities.None. A security update has been released to address these issues and provide other enhancements. The following issues were reported: LaunchServices is reported prone to a vulnerability where the LaunchServices utility automatically registers applications. It is reported that an attacker may exploit this issue to register and run malicious applications. DiskImageMounter is reported prone to a vulnerability where the disk:// URI handler may be used to mount an anonymous remote file system. This attack can be achieved using the HTTP protocol. A remote attacker may exploit this vulnerability to write to the local disk. Safari is reported prone to an unspecified vulnerability where the Safari "Show in Finder" button, when invoked, would attempt to execute certain files instead of revealing the files in the finder window. An attacker may potentially exploit this condition to automatically execute files on the file system (including downloaded files). This could lead to privilege escalation or remote compromise. Some of these issues may already be described in previous BIDs. This BID will be split up into unique BIDs when further analysis of this update is complete. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2004-06-07 Security Update 2004-06-07 Description Security Update 2004-06-07 delivers a number of security enhancements and is recommended for all Macintosh users. The purpose of this update is to increase security by alerting you when opening an application for the first time via document mappings or a web address (URL). Discussion: LaunchServices is a system component that discovers and opens applications. This system component has been modified to only open applications that have previously been explicitly run on the system. Attempts to run an application that has not previously been explicitly run will result in a user alert. Further information is available in http://docs.info.apple.com/article.html?artnum=25785 Component: DiskImageMounter CVE-ID: No CVE ID has been reserved as this is only an additional preventative measure. Component: Terminal CVE-ID: Not applicable Impact: Attempts to use a telnet:// URI with an alternate port number fail. Discussion: A modification has been made to allow the specification of an alternate port number in a telnet:// URI. This restores functionality that was removed with the recent fix for CAN-2004-0485. ================================================ Security Update 2004-06-07 may be obtained from: * Software Update pane in System Preferences * Apple's Software Downloads web site: For Mac OS X v10.3.4 "Panther" and Mac OS X Server v10.3.4 ========================================================== http://www.apple.com/support/downloads/ Click on: Security Update 2004-06-07 (10.3.4) The download file is named: "SecUpd2004-06-07Pan.dmg" Its SHA-1 digest is: 182745485d8db3ea29ec67cb603cc5668a4f60d9 For Mac OS X v10.2.8 "Jaguar" and Mac OS X Server v10.2.8 ========================================================= http://www.apple.com/support/downloads/ Click on: Security Update 2004-06-07 (10.2.8) The download file is named: "SecUpd2004-06-07Jag.dmg" Its SHA-1 digest is: e5fa73f6a67bdcd9af76927d3416974f039b2087 Information will also be posted to the Apple Product Security web site: http://www.apple.com/support/security/security_updates.html This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/security_pgp.html -----BEGIN PGP SIGNATURE----- Version: PGP 8.0.2 iQEVAwUBQMTXipyw5owIz4TQAQJabgf/XdzbpuwKuBbVYQAVUl8mZd+Bs7QVdF2x sVJiNlgjyObJjTd5sjqCP9695enrEhClliNM+qOtoUcj0ed4gKIWtOBDzPuuYSb8 xjgb0ntbOg8VOoI5FX5o8dWRAmJu7SXDbnKNvpTgPfFl0Gb2spgGsX5aINGLD8iS h5SerdpJYDEMvXyAl/7Mnfz0TYH8ThWStRiEkEeaucD6Uc1yBDhUl3uV/jjHjvcp AFbaI14R/UNEypI4z0ylpH0a5tLG4CKOTAOwt68Kcs3Undbqbp8FvIUqD2Iy6fXF EtdF329mjgcaa7iDYnt2BXPvkRvthla+98flmjD9okzhM69x2t0Ubg== =JdW9 -----END PGP SIGNATURE----- _______________________________________________ security-announce mailing list | security-announce@lists.apple.com Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/security-announce Do not post admin requests to the list. They will be ignored

The "Show in Finder" button in the Safari web browser in Mac OS X 10.3.4 and 10.2.8 may execute downloaded applications, which could allow remote attackers to execute arbitrary code. This could allow an attacker to execute arbitrary code. apple's Apple Mac OS X and Apple Mac OS X Server Exists in unspecified vulnerabilities.None. A security update has been released to address these issues and provide other enhancements. The following issues were reported: LaunchServices is reported prone to a vulnerability where the LaunchServices utility automatically registers applications. It is reported that an attacker may exploit this issue to register and run malicious applications. DiskImageMounter is reported prone to a vulnerability where the disk:// URI handler may be used to mount an anonymous remote file system. This attack can be achieved using the HTTP protocol. A remote attacker may exploit this vulnerability to write to the local disk. An attacker may potentially exploit this condition to automatically execute files on the file system (including downloaded files). This could lead to privilege escalation or remote compromise. Some of these issues may already be described in previous BIDs. This BID will be split up into unique BIDs when further analysis of this update is complete. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2004-06-07 Security Update 2004-06-07 Description Security Update 2004-06-07 delivers a number of security enhancements and is recommended for all Macintosh users. The purpose of this update is to increase security by alerting you when opening an application for the first time via document mappings or a web address (URL). For more details, including a description of the new alert dialog box, please see: http://docs.info.apple.com/article.html?artnum=25785 Versions: Security Update 2004-06-07 is available for the following system versions: * Mac OS X v10.3.4 "Panther" * Mac OS X Server v10.3.4 "Panther" * Mac OS X v10.2.8 "Jaguar" * Mac OS X Server v10.2.8 "Jaguar" The following components are updated: Component: LaunchServices CVE-ID: CAN-2004-0538 Impact: LaunchServices automatically registers applications, which could be used to cause the system to run unexpected applications. Discussion: LaunchServices is a system component that discovers and opens applications. This system component has been modified to only open applications that have previously been explicitly run on the system. Attempts to run an application that has not previously been explicitly run will result in a user alert. Further information is available in http://docs.info.apple.com/article.html?artnum=25785 Component: DiskImageMounter CVE-ID: No CVE ID has been reserved as this is only an additional preventative measure. Component: Terminal CVE-ID: Not applicable Impact: Attempts to use a telnet:// URI with an alternate port number fail. Discussion: A modification has been made to allow the specification of an alternate port number in a telnet:// URI. This restores functionality that was removed with the recent fix for CAN-2004-0485. ================================================ Security Update 2004-06-07 may be obtained from: * Software Update pane in System Preferences * Apple's Software Downloads web site: For Mac OS X v10.3.4 "Panther" and Mac OS X Server v10.3.4 ========================================================== http://www.apple.com/support/downloads/ Click on: Security Update 2004-06-07 (10.3.4) The download file is named: "SecUpd2004-06-07Pan.dmg" Its SHA-1 digest is: 182745485d8db3ea29ec67cb603cc5668a4f60d9 For Mac OS X v10.2.8 "Jaguar" and Mac OS X Server v10.2.8 ========================================================= http://www.apple.com/support/downloads/ Click on: Security Update 2004-06-07 (10.2.8) The download file is named: "SecUpd2004-06-07Jag.dmg" Its SHA-1 digest is: e5fa73f6a67bdcd9af76927d3416974f039b2087 Information will also be posted to the Apple Product Security web site: http://www.apple.com/support/security/security_updates.html This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/security_pgp.html -----BEGIN PGP SIGNATURE----- Version: PGP 8.0.2 iQEVAwUBQMTXipyw5owIz4TQAQJabgf/XdzbpuwKuBbVYQAVUl8mZd+Bs7QVdF2x sVJiNlgjyObJjTd5sjqCP9695enrEhClliNM+qOtoUcj0ed4gKIWtOBDzPuuYSb8 xjgb0ntbOg8VOoI5FX5o8dWRAmJu7SXDbnKNvpTgPfFl0Gb2spgGsX5aINGLD8iS h5SerdpJYDEMvXyAl/7Mnfz0TYH8ThWStRiEkEeaucD6Uc1yBDhUl3uV/jjHjvcp AFbaI14R/UNEypI4z0ylpH0a5tLG4CKOTAOwt68Kcs3Undbqbp8FvIUqD2Iy6fXF EtdF329mjgcaa7iDYnt2BXPvkRvthla+98flmjD9okzhM69x2t0Ubg== =JdW9 -----END PGP SIGNATURE----- _______________________________________________ security-announce mailing list | security-announce@lists.apple.com Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/security-announce Do not post admin requests to the list. They will be ignored

NetGear WG602 (aka WG602v1) Wireless Access Point firmware 1.04.0 and 1.5.67 has a hardcoded account of username "super" and password "5777364", which allows remote attackers to modify the configuration. Netgear WG602 reportedly contains a default administrative account. This issue can allow a remote attacker to gain administrative access to the device. Netgear WG602 access point with firmware version 1.04.0 is reportedly affected by this issue. It is likely that other versions of the firmware are also vulnerable. It is reported that the new version (1.7.14) of the Firmware for WG602 is vulnerable to this issue as well, however, the username and password for the backdoor account has been changed. Remote attackers can use this vulnerability to modify the configuration

NetGear WG602 (aka WG602v1) Wireless Access Point 1.7.14 has a hardcoded account of username "superman" and password "21241036", which allows remote attackers to modify the configuration. Netgear WG602 reportedly contains a default administrative account. This issue can allow a remote attacker to gain administrative access to the device. Netgear WG602 access point with firmware version 1.04.0 is reportedly affected by this issue. It is likely that other versions of the firmware are also vulnerable. It is reported that the new version (1.7.14) of the Firmware for WG602 is vulnerable to this issue as well, however, the username and password for the backdoor account has been changed

PHP-Nuke 7.3, and other products that use the PHP-Nuke codebase such as the Nuke Cops betaNC PHP-Nuke Bundle, OSCNukeLite 3.1, and OSC2Nuke 7x do not properly use the eregi() PHP function with $_SERVER['PHP_SELF'] to identify the calling script, which allows remote attackers to directly access scripts, obtain path information via a PHP error message, and possibly gain access, as demonstrated using an HTTP request that contains the "admin.php" string. PHP-Nuke is affected by a direct script access security vulnerability. This issue is due to a failure to properly validate the location and name of the file being accessed. This issue will allow an attacker to gain access to sensitive scripts such as the 'admin.php' script. The attacker may be able to exploit this unauthorized access to carry out attacks against the affected application. PHP-Nuke is a popular website creation and management tool, it can use many database software as backend, such as MySQL, PostgreSQL, mSQL, Interbase, Sybase, etc

The Web interface in Linksys WRT54G 2.02.7 and BEFSR41 version 3, with the firewall disabled, allows remote attackers to attempt to login to an administration web page, even when the configuration specifies that remote administration is disabled. Linksys WRT54G Router is a router device.  Even when the management function is turned off, Linksys WRT54G Router still provides 80 and 443 port management web pages on the WAN interface. As a result, an attacker can access the management interface. In combination with other loopholes, the router may be controlled. A weakness is reported to affect the Linksys WRT54G appliance

Unknown vulnerability in Mac OS X 10.3.4, related to "handling of process IDs during package installation," a different vulnerability than CVE-2004-0516. A vulnerability in Mac OS X may permit a local authenticated user with physical access to the machine to gain elevated privileges. apple's Apple Mac OS X and Apple Mac OS X Server Exists in unspecified vulnerabilities.None. Mac OS X 10.3.4 has been released to address these issues and provide other security enhancements

Unknown vulnerability in Mac OS X 10.3.4, related to "package installation scripts," a different vulnerability than CVE-2004-0517. A vulnerability in Mac OS X may permit a local authenticated user with physical access to the machine to gain elevated privileges. apple's Apple Mac OS X and Apple Mac OS X Server Exists in unspecified vulnerabilities.None. Mac OS X 10.3.4 has been released to address these issues and provide other security enhancements

Unknown vulnerability in LoginWindow for Mac OS X 10.3.4, related to "handling of console log files.". A vulnerability in Mac OS X may permit a local authenticated user with physical access to the machine to gain elevated privileges. apple's Apple Mac OS X and Apple Mac OS X Server Exists in unspecified vulnerabilities.None

Unknown vulnerability in LoginWindow for Mac OS X 10.3.4, related to "handling of directory services lookups.". A vulnerability in Mac OS X may permit a local authenticated user with physical access to the machine to gain elevated privileges. apple's Apple Mac OS X and Apple Mac OS X Server Exists in unspecified vulnerabilities.None

Unspecified vulnerability in Mac OS X before 10.3.4 has unknown impact and attack vectors related to "logging when tracing system calls.". A vulnerability in Mac OS X may permit a local authenticated user with physical access to the machine to gain elevated privileges. apple's Apple Mac OS X Exists in unspecified vulnerabilities.None. Mac OS X 10.3.4 has been released to address these issues and provide other security enhancements. No detailed vulnerability details are currently available

Sun Java System Application Server is an application server that is compatible with the J2EE platform. The Java System Application Server incorrectly filters user-submitted requests, and a remote attacker can exploit this vulnerability to obtain installation path information for the server. Submit a similar request to Sun-Java-App-Server PE 8.0: http://127.0.0.1:8080////http://127.0.0.1:8080////CON server will return information containing the installation path Error message. Attackers can use this information to further attack the system. This issue is due to a failure of the application to properly filter user requests. Successful exploitation of this issue may allow an attacker to gain sensitive information about the file system that may aid in launching more direct attacks against the system

HP Integrated Lights-Out (iLO) 1.10 and other versions before 1.55 allows remote attackers to cause a denial of service (hang) by accessing iLO using the TCP/IP reserved port zero. hewlett packard enterprise HPE Integrated Lights-Out There are unspecified vulnerabilities in the firmware.None. A successful attack can allow an attacker to cause the iLO service to crash, affectively denying service to legitimate users. iLO firmware prior to versions 1.55 is prone to this vulnerability. Integrated Lights-Out Advanced Package - Upgrades the Integrated Lights-Out processor to full virtual memory and control via a graphical console and virtual media

Netgear RP114 allows remote attackers to bypass the keyword based URL filtering by requesting a long URL, as demonstrated using a large number of %20 (hex-encoded space) sequences. NetGear RP114 router can access management through TELNET and HTTP.  NetGear RP114 router content filtering problem, remote attackers can use this vulnerability to access restricted resources.  If the URI string requested by the user exceeds 220 bytes, the content filtering function of NetGear RP114 can be bypassed. This problem can cause administrators to ignore some security. This vulnerability may result in a false sense of security for a network administrator, where a malicious website is believed to be unreachable. In reality any host may contact blacklisted websites. D-Link DIR-100 long url filter evasion scip AG Vulnerability ID 3808 (09/08/2008) http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3808 I. INTRODUCTION D-Link DIR-100 is a small and cost-effective router and firewall device for small offices and home users. More details are available at the official product web site (German link): http://www.dlink.de/?go=gNTyP9CgrdFOIC4AStFCF834mptYKO9ZTdvhLPG3yV3oV492gqltbNlwaaFp6DQoHDrpxC5H+40AAdvl II. DESCRIPTION Marc Ruef at scip AG found a possibility to evade url filters of the web proxy to prevent access to web sites. An attacker might add a very long string to the url to access web resources althought their access is forbidden. This problem could be verified in all firmware versions up to v1.12. A similar vulnerability was already detected years ago in a similar device Netgear RP114. [1, 2] III. EXPLOITATION It is possible to exploit the vulnerability with a common web browser by using a long url (approx. 1'300 chars). You can expand the length of the url by adding a non-used http get request parameter. Example url: http://www.scip.ch/?foo=aaa(...) A video illustrating this issue is available at the following url: http://de.youtube.com/watch?v=WTzPn37XNl4 The Attack Tool Kit (ATK)[3] is able to exploit this vulnerability with the following generic ASL code (expand the long URL request): open|send GET http://www.scip.ch/?foo=aaa(...) HTTP/1.0\n\n|sleep|close|pattern_not_exists *This URL is <font color=red>blocked</font> by administrator !* IV. V. DETECTION Detection of web based attacks requires a specialized web proxy and/or intrusion detection system. Patterns for such a detection are available and easy to implement. VI. SOLUTION We have informed D-Link on an early stage. Our technical requests were not answered nor confirmed. Therefore, not official statement, patch or upgrade is available. We suggest the use of another device for filtering forbidden web resources successfully. VII. VENDOR RESPONSE D-Link has been informed first via the unhandy web form at http://www.dlink.com (no public mail address for such cases could be found). The first responses claimed that the problem must be within a wrong configuration setting. Further discussions were initiated. The support was not able to understand the problem. Not even after several step-by-step guides and examples. They always suggest I have to upgrade to the latest firmware and they could not verify the problem. Therefore, no official solution, workaround or patch is available. VIII. SOURCES scip AG - Security Consulting Information Process (german) http://www.scip.ch/ scip AG Vulnerability Database (german) http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3808 computec.ch document data base (german) http://www.computec.ch/download.php IX. DISCLOSURE TIMELINE 2008/07/25 Identification of the vulnerability by Marc Ruef 2008/07/28 First information to D-Link via web form 2008/07/28 First reply by D-Link support via support@service.dlink.biz (ticket id 1375981) 2008/07/29 Providing our config for further analysis 2008/08/06 Request for actual status (no reply) 2008/08/29 Another request for actual status 2008/08/29 Response could not verify the problem 2008/09/01 Detailed explanation of the exploitation 2008/09/01 Responder could still not understand the problem 2008/09/08 Public disclosure of the advisory X. CREDITS The vulnerability was discovered by Marc Ruef. Marc Ruef, scip AG, Zuerich, Switzerland maru-at-scip.ch http://www.scip.ch/ A1. BIBLIOGRAPHY [1] http://www.securityfocus.com/bid/10404 [2] http://seclists.org/bugtraq/2004/May/0263.html [3] http://www.computec.ch/projekte/atk/ A2. LEGAL NOTICES Copyright (c) 2007-2008 scip AG, Switzerland. Permission is granted for the re-distribution of this alert. It may not be edited in any way without permission of scip AG. The information in the advisory is believed to be accurate at the time of publishing based on currently available information. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage from use of or reliance on this advisory

Unknown vulnerability in the ASN.1/H.323/H.225 stack of VocalTec VGW120 and VGW480 allows remote attackers to cause a denial of service. The issue is reported to exist in the ASN.1/H.323/H.225 stack. VocalTec VGW120/ VGW480 is a telephone gateway system. VocalTec VGW120/ VGW480 telephony gateways have problems when processing some H.323 communications

The default protocol helper for the disk: URI on Mac OS X 10.3.3 and 10.2.8 allows remote attackers to write arbitrary files by causing a disk image file (.dmg) to be mounted as a disk volume. Remote attackers may potentially use this vulnerability to create files on the local system without explicit user consent. We have not independently verified the scope of this vulnerability report. apple's Apple Mac OS X Exists in unspecified vulnerabilities.None. Details on the nature of this vulnerability are not known at this time. There are a range of possibilities: from a vulnerability that allows for URLs to be obfuscated to full remote command execution through malicious URLs. This alert will be updated as new information becomes available

A certain ActiveX control in Symantec Norton AntiVirus 2004 allows remote attackers to cause a denial of service (resource consumption) and possibly execute arbitrary programs. Symantec's Norton AntiVirus Exists in unspecified vulnerabilities.None. Symantec Norton AntiVirus is prone to a remote code execution vulnerability. The ActiveX control contained in Symantec Norton AntiVirus does not properly validate external input. To successfully exploit this vulnerability, the executable must be on the local system, and its location needs to be known to the attacker

The web-based Management Console in Blue Coat Security Gateway OS 3.0 through 3.1.3.13 and 3.2.1, when importing a private key, stores the key and its passphrase in plaintext in a log file, which allows attackers to steal digital certificates. The issue reportedly occurs when the private key is imported through the web-based administrative interface. This will cause the private key and passphrase to logged in plaintext, potentially exposing this issue to other local users. It is also reported that certain administrative actions or configurations could also expose this information to other unauthorized parties, though specific details have not been publicized at this time. Blue Coat Systems' products are purpose-built appliances optimized for the specific application of Web acceleration and security. Attackers may obtain these sensitive information and control the device

PHP remote file inclusion vulnerability in index.php in Php-Nuke 6.x through 7.3 allows remote attackers to execute arbitrary PHP code by modifying the modpath parameter to reference a URL on a remote web server that contains the code. PHP-Nuke is prone to a potential file include vulnerability. This issue could allow a remote attacker to include malicious files containing aribtrary code to be executed on a vulnerable system. This issue can be exploited via the 'modpath' parameter. If successful, the malicious script supplied by the attacker will be executed in the context of the web server hosting the vulnerable software. PHP-Nuke is a popular website creation and management tool, it can use many database software as backend, such as MySQL, PostgreSQL, mSQL, Interbase, Sybase, etc. There is a file inclusion problem in PHP-Nuke. A remote attacker can use this vulnerability to view the content of any file in the system with the authority of the WEB process. PHP-Nuke lacks filtering for the data submitted by users to the \'\'modpath\'\' parameter