VARIoT IoT vulnerabilities database

VAR-200208-0215 | CVE-2002-0505 | Cisco CallManager contains memory leak |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Memory leak in the Call Telephony Integration (CTI) Framework authentication for Cisco CallManager 3.0 and 3.1 before 3.1(3) allows remote attackers to cause a denial of service (crash and reload) via a series of authentication failures, e.g. via incorrect passwords. The Cisco Call Manager contains a vulnerability that could permit an intruder to crash the Call Manager. Cisco CallManager is the software based call processing component of the Cisco IP Telephony solution. A denial of service condition has been reported in some versions of the CallManager software.
If a user does not properly authenticate when using Call Telephony Integration (CTI), a memory leak may occur. This may result in the vulnerable process crashing and reloading. Link: http://www.cisco.com/warp/public/707/callmanager-ctifw-leak-pub.shtml
VAR-200208-0193 | CVE-2002-0483 | PHP-Nuke Error message WEBROOT Path information disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
index.php for PHP-Nuke 5.4 and earlier allows remote attackers to determine the physical pathname of the web server when the file parameter is set to index.php, which triggers an error message that leaks the pathname. PHP-Nuke is a popular web based Portal system. It allows users to create accounts and contribute content to the site.
A vulnerability has been reported in some versions of PHP-Nuke. Reportedly, a maliciously constructed HTTP request will cause the index.php script to return an error message which includes the full path of the script.
It has been suggested that this is the result of an insecure server configuration. PHP-Nuke can run under Unix and Linux operating systems, and also under Microsoft Windows. PHP-Nuke may leak absolute paths due to problems in handling some malformed web requests. Attackers can use this information to carry out further attacks on the target system.
VAR-200208-0198 | CVE-2002-0488 | Linux Directory Penguin Traceroute Remote command execution vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Linux Directory Penguin traceroute.pl CGI script 1.0 allows remote attackers to execute arbitrary code via shell metacharacters in the host parameter. Penguin traceroute.pl is a freely available, open source script for tracing network hops from a web server. It is distributed by Linux Directory.
The Penguin traceroute script does not adequately filter special characters. This makes it possible for a remote user to embed commands into a request using special characters such as ';' or '|'. The embedded command would be executed with the permissions of the web browser. Penguin traceroute.pl is a Perl program that provides a route-tracing function through a web interface, developed and maintained by Linux Directory. Penguin traceroute.pl does not adequately filter its input when executing the traceroute program, allowing attackers to execute arbitrary commands with httpd privileges. An attacker can enter the metacharacter ';' and then append any command, which will be executed with httpd privileges.
VAR-200208-0019 | CVE-2002-0426 | Linksys BEFVP41 Key Truncation Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
VPN Server module in Linksys EtherFast BEFVP41 Cable/DSL VPN Router before 1.40.1 reduces the key lengths for keys that are supplied via manual key entry, which makes it easier for attackers to crack the keys. BEFVP41 is a hardware router that is currently developed and maintained by Linksys.
BEFVP41 supports Triple DES encryption keys of 48 hexadecimal characters and MD5 authentication keys of 32 hexadecimal characters, for example:
Encryption:
80C4DAFD9AFC3D7AB57079E19DEBFFF43538A62039768D74
Authentication:
32EA72F58D7F1E063E14A3FF78131172
However, due to a design error, when the user enters these keys manually they are truncated to 23 and 19 hexadecimal characters respectively:
Encryption:
80C4DAFD9AFC3D7AB57079E
Authentication:
32EA72F58D7F1E063E1
This leads to the use of weak keys, increasing the likelihood of a successful brute-force attack. When a user attempts to manually enter a generated Triple DES key of any length greater than 23 bytes, the key is truncated to a maximum of 23 bytes. Manual entry of the authentication key results in a maximum truncated length of 19 bytes.
VAR-200208-0021 | CVE-2002-0428 | Check Point FW-1 SecuClient/SecuRemote Client Design Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Check Point FireWall-1 SecuRemote/SecuClient 4.0 and 4.1 allows clients to bypass the "authentication timeout" by modifying the to_expire or expire values in the client's users.C configuration file. Check Point Firewall-1 is a popular firewall package available from Checkpoint Software Technologies. SecuClient/SecuRemote are VPN-1 implementations for Check Point Firewall-1 products.
It is possible to configure a timeout value for cached user credentials. This value is stored on client systems and can be modified by users of client systems. If security policy includes a time limit on cached credentials, malicious authenticated users may bypass the policy by modifying the value.
Depending on the operating system of the client host, local administrative privileges on the client host may be required to modify the configuration file.
In addition to the timeout values, other sensitive information is reportedly stored on client systems. Further details are not known at this time. SecuClient/SecuRemote is the VPN-1 implementation in the Firewall-1 product. SecuClient/SecuRemote is flawed in design, allowing client-local attackers to bypass certain server-side settings. SecuClient/SecuRemote allows the server to set a time limit for caching authentication information; once the time limit is exceeded, the user is forced to log in again.
VAR-200212-0445 | CVE-2002-1774 | Symantec Norton AntiVirus NULL Character handling improper mail protection can bypass the vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
NOTE: this issue has been disputed by the vendor. Symantec Norton AntiVirus 2002 allows remote attackers to send viruses that bypass the e-mail scanning via a NULL character in the MIME header before the virus. NOTE: the vendor has disputed this issue, acknowledging that the initial scan is bypassed, but the AutoProtect feature would detect the virus before it is executed. Upon receiving an email message crafted as such, Norton AntiVirus 2002 fails to detect the virus.
As a result, email messages with malicious content (i.e. viruses, trojans, etc.) will go undetected and could possibly run on the recipient's system.
VAR-200212-0446 | CVE-2002-1775 | Symantec Norton AntiVirus non-RFC compatible EMAIL Protection can bypass the vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
NOTE: this issue has been disputed by the vendor. Symantec Norton AntiVirus (NAV) 2002 allows remote attackers to bypass the initial virus scan and cause NAV to prematurely stop scanning by using a non-RFC compliant MIME header. NOTE: the vendor has disputed this issue, acknowledging that the initial scan is bypassed, but the AutoProtect feature would detect the virus before it is executed. An issue has been discovered which involves the Symantec Norton AntiVirus 2002 incoming email scanning protection feature. As a result, infected emails could go undetected.
VAR-200212-0447 | CVE-2002-1776 | Symantec Norton AntiVirus Exception file type mail protection can bypass the vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
NOTE: this issue has been disputed by the vendor. Symantec Norton AntiVirus 2002 allows remote attackers to bypass virus protection via a Word Macro virus with a .nch or .dbx extension, which is automatically recognized and executed as a Microsoft Office document. NOTE: the vendor has disputed this issue, acknowledging that the initial scan is bypassed, but the Office plug-in would detect the virus before it is executed. An issue has been discovered which involves Symantec Norton AntiVirus 2002 incoming email scanning protection feature.
Files renamed with either a .dbx or .nch file extension can bypass the email protection feature of Norton. This issue may allow for the execution of files, depending on their original file format.
VAR-200212-0448 | CVE-2002-1777 | Symantec Norton AntiVirus Inconsistent exception handling MIME Head hole |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
NOTE: this issue has been disputed by the vendor. Symantec Norton AntiVirus (NAV) 2002 allows remote attackers to bypass e-mail scanning via a filename in the Content-Type field with an excluded extension such as .nch or .dbx, but a malicious extension in the Content-Disposition field, which is used by Outlook to obtain the file name. NOTE: the vendor has disputed this issue, acknowledging that the initial scan is bypassed, but Norton AntiVirus or the Office plug-in would detect the virus before it is executed. An issue has been discovered which involves Symantec Norton AntiVirus 2002 incoming email scanning protection feature.
Using conflicting MIME headers, it is possible to rename a file to an excluded filetype in the Content-Type field, and include the original filename in the Content-Disposition field, resulting in the execution of the file by the appropriate application.
For example:
Content-Type: application/msword;name="filename.nch"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;filename="filename.doc"
Norton will detect the attachment as a .nch file; however, Microsoft Office will detect the .doc extension and handle it as such. If the .doc attachment happens to be a Word macro virus, it will execute on the user's system.
VAR-200203-0011 | CVE-2002-0083 | OpenSSH contains a one-off overflow of an array in the channel handling code |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Off-by-one error in the channel code of OpenSSH 2.0 through 3.0.2 allows local users or remote malicious servers to gain privileges. OpenSSH is a program used to provide secure connection and communications between client and servers. Channels are used to segregate differing traffic between the client and the server. OpenSSH is a suite implementing the SSH protocol. It includes client and server software, and supports ssh and sftp. It was initially developed for BSD, but is also widely used for Linux, Solaris, and other UNIX-like operating systems.
A vulnerability has been announced in some versions of OpenSSH. A malicious client may exploit this vulnerability by connecting to a vulnerable server. Valid credentials are believed to be required, since the exploitable condition reportedly occurs after successful authentication. An examination of the code suggests this, but it has not been confirmed by the maintainer.
Administrators should assume that this can be exploited without authentication and should patch vulnerable versions immediately. OpenSSH encrypts all network communications it transmits, thereby avoiding attacks at many network layers, and is a very useful network connection tool. A user with a legitimate login account can use this vulnerability to obtain root authority on the host. To implement X11, TCP and agent forwarding, OpenSSH multiplexes multiple "channels" on a single TCP connection. The program may mistakenly use memory data outside the normal range, and an attacker with a legitimate login account can, after logging in to the system, exploit this vulnerability to make sshd execute arbitrary commands with root privileges.
VAR-200208-0012 | CVE-2002-0419 | Microsoft Internet Information Services Information disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Information leaks in IIS 4 through 5.1 allow remote attackers to obtain potentially sensitive information or more easily conduct brute force attacks via responses from the server in which (2) in certain configurations, the server IP address is provided as the realm for Basic authentication, which could reveal real IP addresses that were obscured by NAT, or (3) when NTLM authentication is used, the NetBIOS name of the server and its Windows NT domain are revealed in response to an Authorization request. NOTE: this entry originally contained a vector (1) in which the server reveals whether it supports Basic or NTLM authentication through 401 Access Denied error messages. CVE has REJECTED this vector; it is not a vulnerability because the information is already available through legitimate use, since authentication cannot proceed without specifying a scheme that is supported by both the client and the server. Microsoft IIS supports Basic and NTLM authentication.
When a valid authentication request is submitted for either method with an invalid username and password, an error message will be returned. This happens even if anonymous access to the requested resource is allowed. An attacker may be able to use this information to launch further targeted attacks against the server, or to launch a brute-force password attack against a known username.
VAR-200206-0050 | CVE-2002-0350 | HP ProCurve Switch Denial of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
HP Procurve Switch 4000M running firmware C.08.22 and C.09.09 allows remote attackers to cause a denial of service via a port scan of the management IP address, which disables the telnet service. A problem with the switch could make it possible to deny telnet service to legitimate users of the device. The problem is in the handling of port scans by the device.
A ProCurve switch could be led to deny telnet users service of the switch. When the switch is portscanned by a tool such as nmap, which is capable of producing a high amount of TCP connect() requests in a short period of time, the switch will no longer accept new telnet connections.
Reportedly, this issue does not affect ICMP or SNMP management of the device, nor are existing telnet sessions disconnected. Rebooting the switch may be required in order to regain normal functionality.
HP ProCurve 4000M switches with firmware version C.09.09 or C.08.22 are reported to be susceptible to this issue. HP ProCurve Switch is a switch product produced by HP.
VAR-200206-0049 | CVE-2002-0349 | Tiny Personal Firewall Locked terminal is bypassed |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Tiny Personal Firewall (TPF) 2.0.15, under certain configurations, will pop up an alert to the system even when the screen is locked, which could allow an attacker with physical access to the machine to hide activities or bypass access restrictions. Reportedly, this is possible even if the local system is locked.
Allegedly, a user scanning the network could initiate an alert dialogue in the foreground of a locked workstation with the firewall installed. The dialogue box requires the user to either permit or deny input. If the workstation is unattended, a local attacker could select permit and enter information into the firewall program without the legitimate user's knowledge.
Potentially this issue could allow unauthorized users to modify the Tiny Personal Firewall settings. Suppose a Windows 2000 system has Tiny Personal Firewall (2.0.15a) installed and is then locked with Ctrl+Alt+Del. If a network scan is carried out against this machine, a dialog box pops up on the main console, waiting for the user to select "Allow/Forbid". Even if the machine is locked, this dialog box still pops up. Anyone with physical access to the machine can make a choice in this dialog, potentially modifying firewall rules.
VAR-200206-0039 | CVE-2002-0339 | Cisco IOS discloses fragments of previous packets when Express Forwarding is enabled |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco IOS 11.1CC through 12.2 with Cisco Express Forwarding (CEF) enabled includes portions of previous packets in the padding of a MAC level packet when the MAC packet's length is less than the IP level packet length. A vulnerability exists in multiple versions of Cisco's Internetworking Operating System (IOS) software that allows an attacker to collect fragments of previously processed packets. IOS is the Internet Operating System, used on Cisco routers. It is distributed and maintained by Cisco.
Under some circumstances, Cisco IOS may leak information from previously routed packets that are still in memory. The data used to pad the packet is taken from other packets previously routed that are still in the router's memory. It should be noted that this problem occurs only when Cisco Express Forwarding is enabled. Attackers cannot choose which information is obtained, which reduces the likelihood of obtaining sensitive information.
VAR-200205-0068 | CVE-2002-0302 | Symantec Enterprise Firewall Notify Daemon SNMP Data Loss Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Notify daemon for Symantec Enterprise Firewall (SEF) 6.5.x drops large alerts when SNMP is used as the transport, which could prevent some alerts from being sent in the event of an attack. The Symantec Enterprise Firewall (SEF) is a high performance firewall solution, and is available for both Windows and Solaris systems. SEF includes a notification mechanism for important log messages, which is implemented through the Notify Daemon. It is possible to send notifications to a specified server through SNMP traps.
The SNMP reporting mechanism may, under some circumstances, fail to forward messages. This may occur when the message is over 1024 characters. Although the error is logged, no additional notification is sent. Exploitation of this vulnerability may result in lost information, possibly allowing an attack against the firewall or internal systems to go undetected.
Other versions of Symantec Enterprise Firewall may share this vulnerability.
VAR-200205-0075 | CVE-2002-0309 | Symantec Enterprise Firewall SMTP Proxy Information disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
SMTP proxy in Symantec Enterprise Firewall (SEF) 6.5.x includes the firewall's physical interface name and address in an SMTP protocol exchange when NAT translation is made to an address other than the firewall, which could allow remote attackers to determine certain firewall configuration information. The Symantec Enterprise Firewall (SEF) is a high performance firewall solution, and is available for both Windows and Solaris systems. The SMTP proxy rewrites the SMTP header, which has the effect of concealing internal network infrastructure information from external recipients of mail. However, the name/address of the physical firewall interface is still included in the rewritten SMTP header.
The information disclosed in the SMTP header may reveal details about the firewall's configuration.
This issue was tested on SEF v6.5.x. Other versions may be affected by this vulnerability.
VAR-200212-0204 | CVE-2002-2116 | Netgear SOHO Router UDP Port Scan Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Netgear RM-356 and RT-338 series SOHO routers allow remote attackers to cause a denial of service (crash) via a UDP port scan, as demonstrated using nmap. RM-356 is a hardware router developed by Netgear, suitable for home or small office networks.
UDP scanning will crash RM-356 and RT-338. A cold boot is required to return to normal.
# nmap -sU 210.9.238.103 -T5
The RM-356 console then produced a crash dump with the following information:
Menu 24.2.1-System Maintenance-Information
Name: ******* _ netgear
Routing: IP
RAS F/W Version: V2.21 (I.03) | 3/30/2000
MODEM 1 F/W Version: V2.210-V90_2M_DLS
Country Code: 244
LAN
Ethernet Address: 00:a0:c5:e3:**:**
IP Address: 192.168.0.1
IP Mask: 255.255.255.0
DHCP: Server
CRASHDUMP ::
Boot Module Version: 4.40. Built at Wed Feb 23 14:00:29 2000
TCP connect() scans, however, complete normally.
It is worth noting that even if SNMP (161/UDP) is not open, the above scan will still cause a crash. The problem is possibly in the filtering code: most SOHO Netgear devices have a simple filtering mechanism. The device is maintained and distributed by Netgear.
Under some circumstances, a portscan of the router could cause a denial of service. It has been reported that portscanning an RM-356 with UDP causes the router to become unstable. This is usually accompanied by a crash, requiring a power cycle of the router to resume normal operation. It is also reported that this problem seems to affect port 161/UDP (SNMP) specifically. This problem has been reported to also affect the RT-338 models, and may affect others.
VAR-200202-0014 | CVE-2002-1603 | GoAhead Web Server discloses source code of ASP files via crafted URL |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
GoAhead Web Server 2.1.7 and earlier allows remote attackers to obtain the source code of ASP files via a URL terminated with a /, \, %2f (encoded /), %20 (encoded space), or %00 (encoded null) character, which returns the ASP source code unparsed. This issue is also referenced in VU#124059. GoAhead WebServer contains vulnerabilities that may allow an attacker to view source files containing sensitive information or bypass authentication. The information disclosure vulnerability was previously published as VU#975041. A vulnerability in GoAhead webserver may result in the disclosure of the source code of ASP script files. The vulnerability occurs because the application fails to sanitize HTTP requests.
An attacker can append certain characters to the end of an HTTP request for a specific ASP file. As a result, GoAhead WebServer will disclose the contents of the requested ASP script file to the attacker. GoAhead WebServer is a small embedded web server from the US company Embedthis, which can be embedded in various devices and applications. Attackers can use this information to further attack the system.
VAR-200212-0418 | CVE-2002-1718 | Microsoft IIS In FrontPage Server Extensions Vulnerability where file source information is leaked |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Microsoft Internet Information Server (IIS) 5.1 may allow remote attackers to view the contents of a Frontpage Server Extension (FPSE) file, as claimed using an HTTP request for colegal.htm that contains .. (dot dot) sequences.
Allegedly, submitting a request using '../' character sequences followed by the path to a known FPSE file, will cause the host to reveal the source of the requested file.
Microsoft has not confirmed the existence of these vulnerabilities.
* Conflicting details exist. This issue may be the result of a configuration error, although this has not been confirmed.
VAR-200212-0417 | CVE-2002-1717 | Microsoft IIS System information disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Microsoft Internet Information Server (IIS) 5.1 allows remote attackers to view path information via a GET request to (1) /_vti_pvt/access.cnf, (2) /_vti_pvt/botinfs.cnf, (3) /_vti_pvt/bots.cnf, or (4) /_vti_pvt/linkinfo.cnf.
------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of the vulnerability information other than the title cover all of them. ------------
Microsoft IIS 5.1, shipped by default with Windows XP, has a problem that exposes detailed system information. A default installation of IIS 5.1 creates the _vti_pvt folder, which is required when using FrontPage Server Extensions. It holds various useful information, such as page update information. By sending a GET request for the following .cnf files in the _vti_pvt folder, a remote attacker can learn the structure and ownership of the web site, the absolute path to each file, and other information useful to an attacker conducting preliminary reconnaissance of the host.
Files that disclose system information upon a GET request: access.cnf, botinfs.cnf, bots.cnf, linkinfo.cnf.
Also, sending a GET request for /iishelp/common/colegal.htm as below could allow a remote attacker to access other files.
GET /iishelp/common/colegal.htm:../../../../../_vti_bin/_vti_adm/admin.dll
According to a further report, for this issue to apply, the _vti_pvt folder must be configured to allow read permission.
Allegedly, submitting a request for one of the vulnerable files by way of '/_vti_pvt/', will cause the host to reveal system path information. The reported problematic files are 'access.cnf', 'botinfs.cnf', 'bots.cnf' and 'linkinfo.cnf'.
Microsoft has not confirmed the existence of these vulnerabilities.
* Conflicting details exist. This issue may be the result of a configuration error, although this has not been confirmed.