VARIoT IoT vulnerabilities database

VAR-200109-0012 | CVE-2001-1101 | Check Point Firewall-1 Client Log Viewer Symbolic Link Vulnerability |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
The Log Viewer function in the Check Point FireWall-1 GUI for Solaris 3.0b through 4.1 SP2 does not check for the existence of '.log' files when saving files, which allows (1) remote authenticated users to overwrite arbitrary files ending in '.log', or (2) local users to overwrite arbitrary files via a symlink attack. Check Point Firewall-1 is a commercial firewall implementation designed for small to enterprise sized networks.
A problem with Firewall-1 makes it possible for a local user to overwrite critical system files.
This makes it possible for a user with administrative access to Firewall-1 and local shell access to deny service to legitimate users of the system. This can cause a local denial of service attack.
VAR-200109-0013 | CVE-2001-1102 | Check Point Firewall-1 Policy Compilation Symbolic Linkhole |
CVSS V2: 6.2 CVSS V3: - Severity: MEDIUM |
Check Point FireWall-1 3.0b through 4.1 for Solaris allows local users to overwrite arbitrary files via a symlink attack on temporary policy files that end in a .cpp extension, which are set world-writable. Check Point Firewall-1 is a commercial firewall implementation designed for small to enterprise sized networks.
A problem with Firewall-1 has been discovered that makes it possible for a local user to change the permissions of root-owned files to world-writable, and potentially gain elevated privileges. The problem is in the creation of predictable /tmp files. Upon editing firewall rules and committing them, a file is created in /tmp using the name of the policy as a filename, and .cpp as an extension.
A local user can create symbolic links to root-owned files, which results in those files becoming world-writable, and can potentially gain local root access. The file's attributes are set to rw-rw-rw- (666), which allows anyone to modify the file. Because the file is not checked for being a symbolic link when it is created, an attacker can create a file in any directory through a link attack. If an attacker has permission to compile firewall policies and has access to the system where the firewall resides, this vulnerability could be exploited to elevate privileges.
VAR-200109-0011 | CVE-2001-1099 | Microsoft Exchange Code problem vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The default configuration of Norton AntiVirus for Microsoft Exchange 2000 2.x allows remote attackers to identify the recipient's INBOX file path by sending an email with an attachment containing malicious content, which includes the path in the rejection notice. A problem exists in Microsoft Exchange 2000 when running with Norton AntiVirus for Microsoft Exchange. A host running this combination of software can be tricked into disclosing mail directory paths to an attacker.
Message attachments sent to an affected host will be scanned for malicious content by Norton AntiVirus for Microsoft Exchange. Upon rejection, the message will be bounced back to the sender with notification of why the message was rejected. When this happens, the path to the intended recipient's INBOX is sent in the message header of the rejection notification. The expected behavior is that the header in the returned message will only contain the destination address of the user and not the path of the user's INBOX.
This can be exploited by an attacker who intentionally crafts a message to a user on the host which contains an attachment which will be rejected by the host.
VAR-200109-0103 | CVE-2001-1137 | DLink IP Fragmented message causing a denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
D-Link DI-704 Internet Gateway firmware earlier than V2.56b6 allows remote attackers to cause a denial of service (reboot) via malformed IP datagram fragments. The D-Link DI-704 is a DSL/Cable router and switch designed for home network use.
A problem has been discovered in the DI-704 router. Upon receiving a large number of fragmented IP packets, the router becomes resource starved. After receiving these packets for a period greater than two minutes, the router will become unstable, ceasing operation.
This results in a denial of service to users on either side of the router. A power cycle is required to resume normal operation.
VAR-200110-0073 | CVE-2001-0669 | Multiple intrusion detection systems may be circumvented via %u encoding |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Various Intrusion Detection Systems (IDS) including (1) Cisco Secure Intrusion Detection System, (2) Cisco Catalyst 6000 Intrusion Detection System Module, (3) Dragon Sensor 4.x, (4) Snort before 1.8.1, (5) ISS RealSecure Network Sensor 5.x and 6.x before XPU 3.2, and (6) ISS RealSecure Server Sensor 5.5 and 6.0 for Windows, allow remote attackers to evade detection of HTTP attacks via non-standard "%u" Unicode encoding of ASCII characters in the requested URL. Multiple intrusion detection systems may be circumvented via %u encoding allowing intruders to launch attacks undetected. The Microsoft IIS web server supports a non-standard method of encoding web requests. If there is no webserver support for this encoding method or if it is disabled, there will be no targets to which encoded attacks can be sent.
**NOTE**: Only RealSecure, Dragon and Snort are confirmed vulnerable. It is highly likely that IDS systems from other vendors are vulnerable as well, however we have not received confirmation. This record will be updated as more information becomes available regarding affected technologies.
BlackICE products detect '%u' encoded requests as being invalid, but do not decode them and detect encoded attack signatures.
VAR-200109-0126 | CVE-2001-1456 | Network Associates CSMAP and smap/smapd vulnerable to buffer overflow thereby allowing arbitrary command execution |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in the (1) smap/smapd and (2) CSMAP daemons for Gauntlet Firewall 5.0 through 6.0 allows remote attackers to execute arbitrary code via a crafted mail message. A remotely exploitable buffer overflow exists in the Gauntlet Firewall. A boundary condition error exists in the smap/smapd and CSMAPD daemons, shipped with several popular Network Associates products. The smap/smapd and CSMAP daemons are proxy servers used to handle e-mail transactions for both inbound and outbound e-mail.
By successfully exploiting this condition, an attacker may be able to cause arbitrary code/commands to be executed on a vulnerable system with the privileges of the attacked daemon.
Additional technical details are currently unknown.
Some versions of SGI IRIX shipped with the Gauntlet Firewall package, and in the past it was a supported SGI product. While it is no longer being supported, SGI IRIX versions 6.5.2, 6.5.3, 6.5.4 and 6.5.5 may be prone to this issue.
VAR-200108-0012 | CVE-2000-1201 | Vulnerability in Check Point Software Technologies firewall-1 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Check Point FireWall-1 allows remote attackers to cause a denial of service (high CPU) via a flood of packets to port 264. An unspecified vulnerability exists in Check Point Software Technologies firewall-1. Firewall-1 is prone to a denial-of-service vulnerability.
VAR-200108-0018 | CVE-2001-1065 | Cisco 600 web-based CBOS Route open vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Web-based configuration utility in Cisco 600 series routers running CBOS 2.0.1 through 2.4.2ap binds itself to port 80 even when web-based configuration services are disabled, which could leave the router open to attack. CBOS is prone to a remote security vulnerability. This vulnerability will open the route to possible attacks.
VAR-200108-0017 | CVE-2001-1064 | Cisco CBOS Multiple TCP Connection service denial vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco 600 series routers running CBOS 2.0.1 through 2.4.2ap allows remote attackers to cause a denial of service via multiple connections to the router on the (1) HTTP or (2) telnet service, which causes the router to become unresponsive and stop forwarding packets. CBOS is the Cisco Broadband Operating System, firmware designed for use on Cisco 600 series routers. It is maintained and distributed by Cisco Systems.
CBOS becomes unstable when it receives multiple TCP connections on one of the two administrative ports; 21 via telnet, or 80 via HTTP. Upon receiving multiple connections on one of these two ports, the 600 series router becomes incapable of configuration, requiring reboot to resume normal operation.
This problem affects the following Cisco 600 series routers: 627, 633, 673, 675, 675E, 677, 677i and 678.
VAR-200109-0117 | CVE-2001-0506 | Microsoft Internet Information Server (IIS) vulnerable to buffer overflow via malformed server-side include directive |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Buffer overflow in ssinc.dll in IIS 5.0 and 4.0 allows local users to gain system privileges via a Server-Side Includes (SSI) directive for a long filename, which triggers the overflow when the directory name is added, aka the "SSI privilege elevation" vulnerability. A buffer overflow in the code that processes server-side include files on IIS 4.0 and IIS 5.0 could allow an intruder to execute code with the privileges of the web server. The DLL that implements the SSI function in Microsoft IIS contains a vulnerability that causes a buffer overflow when handling names of files to be included that contain path names. Arbitrary code may be executed with Local System privileges.
VAR-200109-0118 | CVE-2001-0507 | Microsoft IIS Elevation of Privilege Vulnerability in In-Process Table |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
IIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the "System file listing privilege elevation" vulnerability. Microsoft IIS contains a vulnerability that allows arbitrary code placed in a public Web directory to be executed with System authority, elevating from Guest account privileges. Arbitrary code may be executed with System privileges.
VAR-200108-0183 | CVE-2001-0519 | Aladdin eSafe Gateway Filter bypass vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Aladdin eSafe Gateway versions 2.x allows a remote attacker to circumvent HTML SCRIPT filtering via a special arrangement of HTML tags which includes SCRIPT tags embedded within other SCRIPT tags. eSafe Gateway is prone to a remote security vulnerability. Vulnerabilities exist in Aladdin eSafe Gateway 2.x.
VAR-200108-0184 | CVE-2001-0520 | Aladdin eSafe Gateway Filter bypass vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Aladdin eSafe Gateway versions 3.0 and earlier allows a remote attacker to circumvent filtering of SCRIPT tags by embedding the scripts within certain HTML tags including (1) onload in the BODY tag, (2) href in the A tag, (3) the BUTTON tag, (4) the INPUT tag, or (5) any other tag in which scripts can be defined. eSafe Gateway is prone to a remote security vulnerability. Vulnerabilities exist in Aladdin eSafe Gateway 3.0 and earlier versions.
VAR-200108-0185 | CVE-2001-0521 | Aladdin eSafe Gateway Filter bypass vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Aladdin eSafe Gateway versions 3.0 and earlier allows a remote attacker to circumvent HTML SCRIPT filtering via the UNICODE encoding of SCRIPT tags within the HTML document. eSafe Gateway is prone to a remote security vulnerability. Vulnerabilities exist in Aladdin eSafe Gateway 3.0 and earlier versions.
VAR-200108-0076 | CVE-2001-0566 | Cisco Catalyst 2900XL Switch Service Rejection Vulnerability |
Related entries in the VARIoT exploits database: VAR-E-200105-0108 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco Catalyst 2900XL switch allows a remote attacker to create a denial of service via an empty UDP packet sent to port 161 (SNMP) when SNMP is disabled. Catalyst 2900 XL is prone to a denial-of-service vulnerability. Vulnerabilities exist in Cisco Catalyst 2900XL switches.
VAR-200108-0041 | CVE-2001-1025 | PHP-Nuke Remotely SQL Query tampering Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
PHP-Nuke 5.x allows remote attackers to perform arbitrary SQL operations by modifying the "prefix" variable when calling any scripts that do not already define the prefix variable (e.g., by including mainfile.php), such as article.php. PHP-Nuke reportedly contains a vulnerability introduced in a new feature which may permit remote attackers to execute almost arbitrary SQL queries.
In version 5.x of PHP-Nuke, the administrator can set an arbitrary prefix for the database table names. Because it is a prefix for PHP-Nuke tables, this variable is included in many SQL queries used by PHP-Nuke. Vulnerabilities exist in PHP-Nuke 5.x versions.
VAR-200108-0036 | CVE-2001-1117 | LinkSys EtherFast BEFSR41 Cable/DSL Router View Management and User Password Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
LinkSys EtherFast BEFSR41 Cable/DSL routers running firmware before 1.39.3 Beta allows a remote attacker to view administration and user passwords by connecting to the router and viewing the HTML source for (1) index.htm and (2) Password.htm. Linksys EtherFast routers are small four port routers designed to optimize the use of DSL or Cable connections. EtherFast routers provide advanced features such as Network Address Translation, and DHCP Serving.
EtherFast routers store the ISP and router login passwords in HTML configuration files. Additionally, when accessed by the administrator, the information is sent over the network in plain text. This makes it possible to sniff the passwords during transit. A vulnerability exists in the LinkSys EtherFast BEFSR41 Cable/DSL router running firmware prior to 1.39.3 Beta.
VAR-200107-0028 | CVE-2001-1021 | Progress Software Ipswitch WS_FTP Server Buffer error vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflows in WS_FTP 2.02 allow remote attackers to execute arbitrary code via long arguments to (1) DELE, (2) MDTM, (3) MLST, (4) MKD, (5) RMD, (6) RNFR, (7) RNTO, (8) SIZE, (9) STAT, (10) XMKD, or (11) XRMD. WS_FTP Server is prone to a remote security vulnerability. WS_FTP 2.02 has a buffer overflow vulnerability.
VAR-200107-0020 | CVE-2001-1104 | SonicWALL SOHO Security hole |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SonicWALL SOHO uses easily predictable TCP sequence numbers, which allows remote attackers to spoof or hijack sessions.
By predicting a sequence number, several attacks could be performed; an attacker could disrupt or hijack existing connections, or spoof future connections.
VAR-200107-0045 | CVE-2001-0002 | OpenSSH contains buffer management errors |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Internet Explorer 5.5 and earlier allows remote attackers to obtain the physical location of cached content and open the content in the Local Computer Zone, then use compiled HTML help (.chm) files to execute arbitrary programs.
Versions of the OpenSSH server prior to 3.7.1 contain buffer management errors. While the full impact of these vulnerabilities is unclear, they may lead to memory corruption and a denial-of-service situation.
A vulnerability exists in Microsoft's Remote Procedure Call (RPC) implementation. A remote attacker could exploit this vulnerability to cause a denial of service. An exploit for this vulnerability is publicly available.
Certain versions of Microsoft Internet Explorer (IE) that support double-byte character sets (DBCS) contain a buffer overflow vulnerability in the Type attribute of the OBJECT element. A remote attacker could execute arbitrary code with the privileges of the user running IE.
------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------
Internet Explorer has a problem in its XML style sheet processing: a script is executed even if scripting is disabled in the security zone. Many MUAs, including Outlook Express, display XML documents using an IE component, so a script may be executed just by displaying a mail message. Please refer to the “Overview” for the impact of this vulnerability.
We are sending this message to help ensure that
administrators have not overlooked one or more of these vulnerabilities.
There have been several recent vulnerabilities affecting OpenSSH. It is unclear if these issues
are exploitable, but they are resolved in version 3.7.1. These four additional
flaws are believed to be relatively minor, and are scheduled to be
included in the next version of OpenSSH.
Exploitation of this vulnerability may lead to a remote attacker
gaining privileged access to the server, in some cases root access.
VU#209807 - Portable OpenSSH server PAM conversion stack corruption
http://www.kb.cert.org/vuls/id/209807
There is a vulnerability in portable versions of OpenSSH 3.7p1 and
3.7.1p1 that may permit an attacker to corrupt the PAM conversion
stack.
Please check the vulnerability notes for resolutions and additional
details.
Thank you.
CERT Summary CS-2003-04
November 24, 2003
Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT
Summary to draw attention to the types of attacks reported to our
incident response team, as well as other noteworthy incident and
vulnerability information.
Past CERT summaries are available from:
CERT Summaries
http://www.cert.org/summaries/
______________________________________________________________________
Recent Activity
Since the last regularly scheduled CERT summary, issued in September
2003 (CS-2003-03), we have documented vulnerabilities in the Microsoft
Windows Workstation Service, RPCSS Service, and Exchange.
We have received reports of W32/Swen.A, W32/Mimail variants, and
exploitation of an Internet Explorer vulnerability reported in August
of 2003.
For more current information on activity being reported to the
CERT/CC, please visit the CERT/CC Current Activity page. The Current
Activity page is a regularly updated summary of the most frequent,
high-impact types of security incidents and vulnerabilities being
reported to the CERT/CC. The information on the Current Activity page
is reviewed and updated as reporting trends change.
CERT/CC Current Activity
http://www.cert.org/current/current_activity.html
1. W32/Mimail Variants
The CERT/CC has received reports of several new variants of the
'Mimail' worm. The most recent variant of the worm (W32/Mimail.J)
arrives as an email message alleging to be from the Paypal
financial service. The message requests that the recipient
'verify' their account information to prevent the suspension of
their Paypal account. Attached to the email is an executable file
which captures this information (if entered), and sends it to a
number of email addresses.
Current Activity - November 19, 2003
http://www.cert.org/current/archive/2003/11/19/archive.html#mimaili
2.
CERT Advisory CA-2003-28
Buffer Overflow in Windows Workstation Service
http://www.cert.org/advisories/CA-2003-28.html
Vulnerability Note VU#567620
Microsoft Windows Workstation service vulnerable to
buffer overflow when sent specially crafted network
message
http://www.kb.cert.org/vuls/id/567620
3.
CERT Advisory CA-2003-27
Multiple Vulnerabilities in Microsoft Windows and
Exchange
http://www.cert.org/advisories/CA-2003-27.html
Vulnerability Note VU#575892
Buffer overflow in Microsoft Windows Messenger Service
http://www.kb.cert.org/vuls/id/575892
Vulnerability Note VU#422156
Microsoft Exchange Server fails to properly handle
specially crafted SMTP extended verb requests
http://www.kb.cert.org/vuls/id/422156
Vulnerability Note VU#467036
Microsoft Windows Help and support Center contains buffer
overflow in code used to handle HCP protocol
http://www.kb.cert.org/vuls/id/467036
Vulnerability Note VU#989932
Microsoft Windows contains buffer overflow in Local
Troubleshooter ActiveX control (Tshoot.ocx)
http://www.kb.cert.org/vuls/id/989932
Vulnerability Note VU#838572
Microsoft Windows Authenticode mechanism installs ActiveX
controls without prompting user
http://www.kb.cert.org/vuls/id/838572
Vulnerability Note VU#435444
Microsoft Outlook Web Access (OWA) contains cross-site
scripting vulnerability in the "Compose New Message" form
http://www.kb.cert.org/vuls/id/435444
Vulnerability Note VU#967668
Microsoft Windows ListBox and ComboBox controls vulnerable
to buffer overflow when supplied crafted Windows message
http://www.kb.cert.org/vuls/id/967668
4. Multiple Vulnerabilities in SSL/TLS Implementations
Multiple vulnerabilities exist in the Secure Sockets Layer (SSL)
and Transport Layer Security (TLS) protocols allowing an attacker
to execute arbitrary code or cause a denial-of-service condition.
CERT Advisory CA-2003-26
Multiple Vulnerabilities in SSL/TLS Implementations
http://www.cert.org/advisories/CA-2003-26.html
Vulnerability Note VU#935264
OpenSSL ASN.1 parser insecure memory deallocation
http://www.kb.cert.org/vuls/id/935264
Vulnerability Note VU#255484
OpenSSL contains integer overflow handling ASN.1 tags (1)
http://www.kb.cert.org/vuls/id/255484
Vulnerability Note VU#380864
OpenSSL contains integer overflow handling ASN.1 tags (2)
http://www.kb.cert.org/vuls/id/380864
Vulnerability Note VU#686224
OpenSSL does not securely handle invalid public key when
configured to ignore errors
http://www.kb.cert.org/vuls/id/686224
Vulnerability Note VU#732952
OpenSSL accepts unsolicited client certificate messages
http://www.kb.cert.org/vuls/id/732952
Vulnerability Note VU#104280
Multiple vulnerabilities in SSL/TLS implementations
http://www.kb.cert.org/vuls/id/104280
Vulnerability Note VU#412478
OpenSSL 0.9.6k does not properly handle ASN.1 sequences
http://www.kb.cert.org/vuls/id/412478
5. Exploitation of Internet Explorer Vulnerability
The CERT/CC received a number of reports indicating that attackers
were actively exploiting the Microsoft Internet Explorer
vulnerability described in VU#865940. These attacks include the
installation of tools for launching distributed denial-of-service
(DDoS) attacks, providing generic proxy services, reading
sensitive information from the Windows registry, and using a
victim system's modem to dial pay-per-minute services. The
vulnerability described in VU#865940 exists due to an interaction
between IE's MIME type processing and the way it handles HTML
application (HTA) files embedded in OBJECT tags.
6. W32/Swen.A Worm
On September 19, the CERT/CC began receiving a large volume of
reports of a mass mailing worm, referred to as W32/Swen.A,
spreading on the Internet. Similar to W32/Gibe.B in function, this
worm arrives as an attachment claiming to be a Microsoft Internet
Explorer Update or a delivery failure notice from qmail. The
W32/Swen.A worm requires a user to execute the attachment either
manually or by using an email client that will open the attachment
automatically. Upon opening the attachment, the worm attempts to
mail itself to all email addresses it finds on the system. The
CERT/CC updated the current activity page to contain further
information on this worm.
Current Activity - September 19, 2003
http://www.cert.org/current/archive/2003/09/19/archive.html#swena
7. Buffer Overflow in Sendmail
Sendmail, a widely deployed mail transfer agent (MTA), contains a
vulnerability that could allow an attacker to execute arbitrary
code with the privileges of the sendmail daemon, typically root.
CERT Advisory CA-2003-25
Buffer Overflow in Sendmail
http://www.cert.org/advisories/CA-2003-25.html
Vulnerability Note VU#784980
Sendmail prescan() buffer overflow vulnerability
http://www.kb.cert.org/vuls/id/784980
8.
CERT Advisory CA-2003-23
RPCSS Vulnerabilities in Microsoft Windows
http://www.cert.org/advisories/CA-2003-23.html
Vulnerability Note VU#483492
Microsoft Windows RPCSS Service contains heap overflow in
DCOM activation routines
http://www.kb.cert.org/vuls/id/483492
Vulnerability Note VU#254236
Microsoft Windows RPCSS Service contains heap overflow in
DCOM request filename handling
http://www.kb.cert.org/vuls/id/254236
Vulnerability Note VU#326746
Microsoft Windows RPC service vulnerable to
denial of service
http://www.kb.cert.org/vuls/id/326746
______________________________________________________________________
New CERT Coordination Center (CERT/CC) PGP Key
On October 15, the CERT/CC issued a new PGP key, which should be used
when sending sensitive information to the CERT/CC.
CERT/CC PGP Public Key
https://www.cert.org/pgp/cert_pgp_key.asc
Sending Sensitive Information to the CERT/CC
https://www.cert.org/contact_cert/encryptmail.html
______________________________________________________________________
What's New and Updated
Since the last CERT Summary, we have published new and updated
* Advisories
http://www.cert.org/advisories/
* Vulnerability Notes
http://www.kb.cert.org/vuls
* CERT/CC Statistics
http://www.cert.org/stats/cert_stats.html
* Congressional Testimony
http://www.cert.org/congressional_testimony
* Training Schedule
http://www.cert.org/training/
* CSIRT Development
http://www.cert.org/csirts/
______________________________________________________________________
This document is available from:
http://www.cert.org/summaries/CS-2003-04.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
______________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright ©2003 Carnegie Mellon University.