VARIoT IoT vulnerabilities database

Squid before 2.3STABLE5 in HTTP accelerator mode does not enable access control lists (ACLs) when the httpd_accel_host and http_accel_with_proxy off settings are used, which allows attackers to bypass the ACLs and conduct unauthorized activities such as port scanning

The default configuration of SecuRemote for Check Point Firewall-1 allows remote attackers to obtain sensitive configuration information for the protected network without authentication. SecureRemote is the proprietary VPN infrastructure designed by Check Point Software, and included with some versions of Firewall-1

Buffer overflow in BSD-based telnetd telnet daemon on various operating systems allows remote attackers to execute arbitrary commands via a set of options including AYT (Are You There), which is not properly handled by the telrcv function. The telnetd program is a server for the telnet remote virtual terminal protocol. There is a remotely exploitable buffer overflow in telnet daemons derived from BSD source code. This vulnerability can crash the server, or be leveraged to gain root access. The function responsible for processing the options prepares a response within a fixed sized buffer, without performing any bounds checking. This vulnerability is now being actively exploited. A worm is known to be circulating around the Internet. Exposure: Remote root compromise through buffer handling flaws Confirmed vulnerable: Up-to-date Debian 3.0 woody (issue is Debian-specific) Debian netkit-telnet-ssl-0.17.24+0.1 package Debian netkit-telnet-ssl-0.17.17+0.1 package Mitigating factors: Telnet service must be running and accessible to the attacker. Nowadays, telnet service presence on newly deployed Linux hosts is relatively low. The service is still used for LAN access from other unix platforms, and to host various non-shell services (such as MUDs). Problem description: Netkit telnetd implementation shipped with Debian Linux appears to be lacking the AYT vulnerability patch. This patch was devised by Red Hat (?) and incorporated into Debian packages, but later dropped. This exposes the platform to a remote root problem discovered by scut of TESO back in 2001 (CVE-2001-0554), as well as to other currently unpublished flaws associated with the old buffer handling code, and elliminated by the Red Hat's overhaul of buffer handling routines. Based on a review of package changelogs, my best guess is that the patch was accidentally dropped by Christoph Martin in December 2001, but I have not researched the matter any further. Vendor response: I have contacted Debian security staff on August 29, and received a confirmation of the problem from Matt Zimmerman shortly thereafter. Since this is not a new flaw, I did not plan to release my own advisory, hoping they will release a DSA bulletin and fix the problem. Three weeks have passed, however, and Debian did not indicate any clear intent to release the information any time soon. They did release nine other advisories in the meantime, some of which were of lesser importance. As such, I believe it is a good idea to bring the problem to public attention, particularly since those running telnetd were and are, unbeknownst to them, vulnerable to existing exploits. Workaround: Disable telnet service if not needed; manually apply Red Hat netkit patches, or compile the daemon from Red Hat sources. Note that netkit as such is no longer maintained by the author, and hence obtaining the most recent source tarball (0.17) is NOT sufficient. You may also examine other less popular telnetd implementations, but be advised that almost all are heavily based on the original code, and not always up-to-date with security fixes for that codebase. PS. Express your outrage: http://eprovisia.coredump.cx

Check Point FireWall-1 4.0 and 4.1 before SP5 allows remote attackers to obtain the IP addresses of internal interfaces via certain SecuRemote requests to TCP ports 256 or 264, which leaks the IP addresses in a reply packet. An information leakage issue has been discovered in Check Point Firewall-1. Because of this, an attacker may gain sensitive information about network resources. Check Point FireWall-1 4.0 and 4.1 (prior to SP5) include SecuRemote which allows mobile users to connect to the internal network using encrypted and authenticated sessions. Connect to TCP port 256 of Firewall-1 version 4.0 and 4.1 via telnet, and enter the following characters: aa<CR> aa<CR> The IP address of the firewall will be returned in binary form. In addition, when using SecuRemote to connect to the TCP port 264 of the firewall, if you use a packet sniffer to intercept the data transmission, you can see the IP address information similar to the following: 15:45:44.029883 192.168.1.1.264 > 10.0.0.1.1038: P 5: 21(16) ack 17 win 8744 (DF) 0x0000 4500 0038 a250 4000 6e06 5b5a ca4d b102 E..8.P@.n.[ZM. 0x0010 5102 42c3 0108 040e 1769 fb25 cdc0....8a .i.\\%...6 0x0020 5018 2228 fa32 0000 0000 000c c0a8 0101 P.\"(.2.......M.. 0x0030 c0a8 0a01 c0a8 0e01 ........ c0a8 0101 = 192.168.1.1 c0a8 0a01 = 192.168.10.1 c0a8 0e01 = 192.168.14.1

slapd in OpenLDAP 1.x before 1.2.12, and 2.x before 2.0.8, allows remote attackers to cause a denial of service (crash) via an invalid Basic Encoding Rules (BER) length field. Multiple versions of OpenLDAP contain vulnerabilities that may allow denial-of-service attacks. These vulnerabilities were revealed using the PROTOS LDAPv3 test suite and are documented in CERT Advisory CA-2001-18. If your site uses this product, the CERT/CC encourages you to follow the advice provided below. Vulnerabilities exist in slapd in OpenLDAP 1.x versions prior to 1.2.12 and 2.x versions prior to 2.0.8

PPTP implementation in Cisco IOS 12.1 and 12.2 allows remote attackers to cause a denial of service (crash) via a malformed packet. IOS functions on numerous Cisco devices, including routers and switches. The problem occurs when a malformed PPTP packet is sent to port 1723 on the router. If this occurs, the router must be reset to regain normal functionality. The PPTP implementation in Cisco IOS Releases 12.1 and 12.2 is vulnerable

Format string vulnerability in Check Point VPN-1/FireWall-1 4.1 allows a remote authenticated firewall administrator to execute arbitrary code via format strings in the control connection. Check Point Firewall-1 Then malicious Management Module The control station is activated when an administrator sends a management packet with malicious content to the target control station. OS A vulnerability exists that destroys the stack at the intended location.Managed Check Point Firewall-1 You may be attacked without depending on the access control status set in. Firewall-1/VPN-1 management station contains a format string vulnerability. The vulnerability is the result of passing client-supplied data to a printf* function as the format string argument. This vulnerability can only be exploited by a client that is authenticated as an administrator and connected from an authorized IP address. Administrators with limited privileges (such as read-only) may be able to exploit this vulnerability to gain control over the management station

Cisco SN 5420 Storage Router 1.1(3) and earlier allows remote attackers to cause a denial of service (reboot) via a series of connections to TCP port 8023. The Cisco SN 5420 Storage Router is a device that provides universal data storage functionality over an IP network. The problem occurs when multiple connections are rapidly established to TCP port 8023

ml85p in Samsung ML-85G GDI printer driver before 0.2.0 allows local users to overwrite arbitrary files via a symlink attack on temporary files. ml85p is a Linux driver for Samsung ML-85G series printers. It may be bundled with distributions of Ghostscript. ml85p does not check for symbolic links when creating image output files. These files are created in /tmp with a guessable naming format, making it trivial for attackers to exploit this vulnerability. Since user-supplied data is written to the target file, attackers may be able to elevate privileges

Cayman 3220-H DSL Router 1.0 allows remote attacker to cause a denial of service (crash) via a series of SYN or TCP connect requests. Cayman gateways are vulnerable to a denial of service

Scripting.FileSystemObject in asp.dll for Microsoft IIS 4.0 and 5.0 allows local or remote attackers to cause a denial of service (crash) via (1) creating an ASP program that uses Scripting.FileSystemObject to open a file with an MS-DOS device name, or (2) remotely injecting the device name into ASP programs that internally use Scripting.FileSystemObject. Microsoft IIS is prone to denial of service attacks by local users. This issue is exploitable if the local attacker can create an .asp file which makes calls to various devices names. The local attacker must of course possess the privileges required to create such files. The end result of exploiting this vulnerability is that the server will crash and a denial of services will occur. The affected services must be restarted to regain normal functionality

Check Point VPN-1/FireWall-1 4.1 base.def contains a default macro, accept_fw1_rdp, which can allow remote attackers to bypass intended restrictions with forged RDP (internal protocol) headers to UDP port 259 of arbitrary hosts. Check Point VPN-1/FireWall-1 version 4.0 & 4.1 may allow an intruder to pass traffic through the firewall on port 259. It is designed to work on various operating systems, both as a single firewall or as a firewall cluster system. A problem has been discovered with the firewall that allows traversal. It is possible for a remote user to pass packets across the firewall via port 259 by using false RDP headers on UDP packets. This makes it possible for remote users to gain access to restricted information systems

Apple Personal Web Sharing (PWS) 1.1, 1.5, and 1.5.5, when Web Sharing authentication is enabled, allows remote attackers to cause a denial of service via a long password, possibly due to a buffer overflow. Upon attempting to authenticate to the file server with 300 or more characters, the file-sharing system will stop responding. The vulnerability may be attributed to a buffer overflow vulnerability

nidump on MacOS X before 10.3 allows local users to read the encrypted passwords from the password file by specifying passwd as a command line argument. A vulnerability exists in all versions of Apple MacOS X. It has been found to contain a vulnerability which could allow disclosure of passwords and other sensitive system information. nidump is a Mac OS X system data extraction utility which can be used to read the contents of the NetInfo database. This utility's default file permissions leave this utility available to any local user at the command line. However, hosts with a network nidomain may be vulnerable to remote exploitation of this issue. This is possible if remote tags are used for nidump. It should also be noted that both portmap and netinfobind must be listening on the target host for this issue to be exploited. The output of the nidump command can reveal the list of usernames and passwords in clear text. An attacker could then use this list to log in as a user with administrative priveleges

Apple MacOS X 10.0 and 10.1 allow a local user to read and write to a user's desktop folder via insecure default permissions for the Desktop when it is created in some languages. A vulnerability exists in versions of Apple MacOS X. Due to a misconfiguration of file permissions, the destop folder belonging to a given user is by default world-readable/writable. If the folder's permissions are not manually reset, arbitrary users can read from and write to any files in this location. In addition to the potential loss of confidentiality and integrity of this data, if this folder contains security-sensitive information such as usernames, passwords or configuration information, a hostile user may be able to exploit it and further undermine the security of the host. Note that some users have reported MacOS X 10.0.4 systems which do not exhibit this vulnerability. Etaoin Shrdlu <shrdlu@deaddrop.org> notes that this issue may be applicable to accounts created during the Max OS X beta test period: "Sounds like the problem accounts were upgrades from beta versions. If you are running an upgrade from a beta, then you might want to take a second look. Fresh installs seem to be just fine." An attempt has been made to fix this issue in MacOS X 10.1. This includes the admin account if permissions are not changed manually before the upgrade

Microsoft IIS 4.0 and before, when installed on a FAT partition, allows a remote attacker to obtain source code of ASP files via a URL encoded with Unicode. A flaw exists in the handling of .asp requests. Typically when a request is made for an .asp file, IIS will identify that it is a script and run it as such

Buffer overflow in Microsoft Visual Studio RAD Support sub-component of FrontPage Server Extensions allows remote attackers to execute arbitrary commands via a long registration request (URL) to fp30reg.dll. A host running IIS 4.0, could allow the execution of arbitrary commands in the SYSTEM context

SNMP service in Atmel 802.11b VNET-B Access Point 1.3 and earlier, as used in Netgear ME102 and Linksys WAP11, accepts arbitrary community strings with requested MIB modifications, which allows remote attackers to obtain sensitive information such as WEP keys, cause a denial of service, or gain access to the network. Atmel is a chip design and manufacturing firm that provides various RF-based products to corporate consumers. Atmel manufactures firmware for various wireless access systems. It is possible to gain SNMP access to some wireless access points that use the Atmel chipset and firmware. These systems do not use sufficient access control, and allow reading/writing of MIB data with any community password. This makes it possible for a remote user to gain access to sensitive information, and potentially launch an information gathering attack

Reliant Unix 5.44 and earlier allows remote attackers to cause a denial of service via an ICMP port unreachable packet, which causes Reliant to drop all connections to the source address of the packet. Reliant UNIX is prone to a denial-of-service vulnerability

Cisco TFTP server 1.1 allows remote attackers to read arbitrary files via a ..(dot dot) attack in the GET command. The Cisco TFTPD server is a freely available software package distributed and maintained by Cisco Systems. The software package is designed to give Microsoft Windows systems the ability to serve files via the Trivial File Transfer Protocol (TFTP). It is possible to gain access to sensitive files on a system using the affect software. By issuing a dot-dot-slash (../) request to the server, any file on the system may be downloaded. This makes it possible for attackers to gain access to arbitrary files, and potentially sensitive information. CVE(CAN) ID: CAN-2001-0783 Cisco TFTP server is a tftp server developed by Cisco. Its version 1.1 has a directory traversal vulnerability. It is possible to download any file on the target host just by prefixing the filename with some \"../\"