VARIoT IoT vulnerabilities database

Buffer overflow in Microsoft Visual Studio RAD Support sub-component of FrontPage Server Extensions allows remote attackers to execute arbitrary commands via a long registration request (URL) to fp30reg.dll. A host running IIS 4.0, could allow the execution of arbitrary commands in the SYSTEM context

SNMP service in Atmel 802.11b VNET-B Access Point 1.3 and earlier, as used in Netgear ME102 and Linksys WAP11, accepts arbitrary community strings with requested MIB modifications, which allows remote attackers to obtain sensitive information such as WEP keys, cause a denial of service, or gain access to the network. Atmel is a chip design and manufacturing firm that provides various RF-based products to corporate consumers. Atmel manufactures firmware for various wireless access systems. It is possible to gain SNMP access to some wireless access points that use the Atmel chipset and firmware. These systems do not use sufficient access control, and allow reading/writing of MIB data with any community password. This makes it possible for a remote user to gain access to sensitive information, and potentially launch an information gathering attack

Reliant Unix 5.44 and earlier allows remote attackers to cause a denial of service via an ICMP port unreachable packet, which causes Reliant to drop all connections to the source address of the packet. Reliant UNIX is prone to a denial-of-service vulnerability

Cisco TFTP server 1.1 allows remote attackers to read arbitrary files via a ..(dot dot) attack in the GET command. The Cisco TFTPD server is a freely available software package distributed and maintained by Cisco Systems. The software package is designed to give Microsoft Windows systems the ability to serve files via the Trivial File Transfer Protocol (TFTP). It is possible to gain access to sensitive files on a system using the affect software. By issuing a dot-dot-slash (../) request to the server, any file on the system may be downloaded. This makes it possible for attackers to gain access to arbitrary files, and potentially sensitive information. CVE(CAN) ID: CAN-2001-0783 Cisco TFTP server is a tftp server developed by Cisco. Its version 1.1 has a directory traversal vulnerability. It is possible to download any file on the target host just by prefixing the filename with some \"../\"

Cisco IP Phones 7902/7905/7912, ATA 186/188, Unity Express, ACNS, and Subscriber Edge Services Manager (SESM) allows remote attackers to cause a denial of service (crash or instability) via a compressed DNS packet with a label length byte with an incorrect offset. Incorrect decoding of malformed DNS packets causes certain DNS implementations to hang or crash. Multiple DNS vendors are susceptible to a remote denial-of-service vulnerability. This issue affects both DNS servers and clients. This issue arises when an affected application handles a specially crafted DNS message. A successful attack would crash the affected client or server. ---------------------------------------------------------------------- Bist Du interessiert an einem neuen Job in IT-Sicherheit? Secunia hat zwei freie Stellen als Junior und Senior Spezialist in IT- Sicherheit: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: Cisco Various Products Compressed DNS Messages Denial of Service SECUNIA ADVISORY ID: SA15472 VERIFY ADVISORY: http://secunia.com/advisories/15472/ CRITICAL: Less critical IMPACT: DoS WHERE: >From remote OPERATING SYSTEM: Cisco ATA 180 Series Analog Telephone Adaptors http://secunia.com/product/2810/ SOFTWARE: Cisco IP Phone 7900 Series http://secunia.com/product/2809/ Cisco ACNS Software Version 5.x http://secunia.com/product/2268/ Cisco ACNS Software Version 4.x http://secunia.com/product/2269/ Cisco Unity Express 2.x http://secunia.com/product/5151/ DESCRIPTION: A vulnerability has been reported in various Cisco products, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the DNS implementation during the decompression of compressed DNS messages and can be exploited via a specially crafted DNS packet containing invalid information in the compressed section. Successful exploitation crashes a vulnerable device or causes it to function abnormally. The vulnerability affects the following products: * Cisco IP Phones 7902/7905/7912 * Cisco ATA (Analog Telephone Adaptor) 186/188 * Cisco Unity Express The following Cisco ACNS (Application and Content Networking System) devices are also affected: * Cisco 500 Series Content Engines * Cisco 7300 Series Content Engines * Cisco Content Routers 4400 series * Cisco Content Distribution Manager 4600 series * Cisco Content Engine Module for Cisco 2600, 2800, 3600, 3700, and 3800 series Integrated Service Routers. SOLUTION: See patch matrix in vendor advisory for information about fixes. http://www.cisco.com/warp/public/707/cisco-sn-20050524-dns.shtml#software PROVIDED AND/OR DISCOVERED BY: NISCC credits Dr. Steve Beaty. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sn-20050524-dns.shtml NISCC: http://www.niscc.gov.uk/niscc/docs/al-20050524-00433.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The DNS implementation of DNRD before 2.10 allows remote attackers to cause a denial of service via a compressed DNS packet with a label length byte with an incorrect offset, which could trigger an infinite loop. Incorrect decoding of malformed DNS packets causes certain DNS implementations to hang or crash. Multiple DNS vendors are susceptible to a remote denial-of-service vulnerability. This issue affects both DNS servers and clients. This issue arises when an affected application handles a specially crafted DNS message. A successful attack would crash the affected client or server. ---------------------------------------------------------------------- Bist Du interessiert an einem neuen Job in IT-Sicherheit? Secunia hat zwei freie Stellen als Junior und Senior Spezialist in IT- Sicherheit: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: Cisco Various Products Compressed DNS Messages Denial of Service SECUNIA ADVISORY ID: SA15472 VERIFY ADVISORY: http://secunia.com/advisories/15472/ CRITICAL: Less critical IMPACT: DoS WHERE: >From remote OPERATING SYSTEM: Cisco ATA 180 Series Analog Telephone Adaptors http://secunia.com/product/2810/ SOFTWARE: Cisco IP Phone 7900 Series http://secunia.com/product/2809/ Cisco ACNS Software Version 5.x http://secunia.com/product/2268/ Cisco ACNS Software Version 4.x http://secunia.com/product/2269/ Cisco Unity Express 2.x http://secunia.com/product/5151/ DESCRIPTION: A vulnerability has been reported in various Cisco products, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the DNS implementation during the decompression of compressed DNS messages and can be exploited via a specially crafted DNS packet containing invalid information in the compressed section. Successful exploitation crashes a vulnerable device or causes it to function abnormally. The vulnerability affects the following products: * Cisco IP Phones 7902/7905/7912 * Cisco ATA (Analog Telephone Adaptor) 186/188 * Cisco Unity Express The following Cisco ACNS (Application and Content Networking System) devices are also affected: * Cisco 500 Series Content Engines * Cisco 7300 Series Content Engines * Cisco Content Routers 4400 series * Cisco Content Distribution Manager 4600 series * Cisco Content Engine Module for Cisco 2600, 2800, 3600, 3700, and 3800 series Integrated Service Routers. SOLUTION: See patch matrix in vendor advisory for information about fixes. http://www.cisco.com/warp/public/707/cisco-sn-20050524-dns.shtml#software PROVIDED AND/OR DISCOVERED BY: NISCC credits Dr. Steve Beaty. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sn-20050524-dns.shtml NISCC: http://www.niscc.gov.uk/niscc/docs/al-20050524-00433.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The DNS implementation of PowerDNS 2.9.16 and earlier allows remote attackers to cause a denial of service via a compressed DNS packet with a label length byte with an incorrect offset, which could trigger an infinite loop. Incorrect decoding of malformed DNS packets causes certain DNS implementations to hang or crash. Multiple DNS vendors are susceptible to a remote denial-of-service vulnerability. This issue affects both DNS servers and clients. This issue arises when an affected application handles a specially crafted DNS message. A successful attack would crash the affected client or server. ---------------------------------------------------------------------- Bist Du interessiert an einem neuen Job in IT-Sicherheit? Secunia hat zwei freie Stellen als Junior und Senior Spezialist in IT- Sicherheit: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: Cisco Various Products Compressed DNS Messages Denial of Service SECUNIA ADVISORY ID: SA15472 VERIFY ADVISORY: http://secunia.com/advisories/15472/ CRITICAL: Less critical IMPACT: DoS WHERE: >From remote OPERATING SYSTEM: Cisco ATA 180 Series Analog Telephone Adaptors http://secunia.com/product/2810/ SOFTWARE: Cisco IP Phone 7900 Series http://secunia.com/product/2809/ Cisco ACNS Software Version 5.x http://secunia.com/product/2268/ Cisco ACNS Software Version 4.x http://secunia.com/product/2269/ Cisco Unity Express 2.x http://secunia.com/product/5151/ DESCRIPTION: A vulnerability has been reported in various Cisco products, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the DNS implementation during the decompression of compressed DNS messages and can be exploited via a specially crafted DNS packet containing invalid information in the compressed section. Successful exploitation crashes a vulnerable device or causes it to function abnormally. The vulnerability affects the following products: * Cisco IP Phones 7902/7905/7912 * Cisco ATA (Analog Telephone Adaptor) 186/188 * Cisco Unity Express The following Cisco ACNS (Application and Content Networking System) devices are also affected: * Cisco 500 Series Content Engines * Cisco 7300 Series Content Engines * Cisco Content Routers 4400 series * Cisco Content Distribution Manager 4600 series * Cisco Content Engine Module for Cisco 2600, 2800, 3600, 3700, and 3800 series Integrated Service Routers. SOLUTION: See patch matrix in vendor advisory for information about fixes. http://www.cisco.com/warp/public/707/cisco-sn-20050524-dns.shtml#software PROVIDED AND/OR DISCOVERED BY: NISCC credits Dr. Steve Beaty. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sn-20050524-dns.shtml NISCC: http://www.niscc.gov.uk/niscc/docs/al-20050524-00433.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The DNS implementation in DeleGate 8.10.2 and earlier allows remote attackers to cause a denial of service via a compressed DNS packet with a label length byte with an incorrect offset, which could trigger an infinite loop. Note that some other DNS packet processing systems have the issues related to this vulnerability. Multiple DNS vendors are susceptible to a remote denial-of-service vulnerability. This issue affects both DNS servers and clients. This issue arises when an affected application handles a specially crafted DNS message. A successful attack would crash the affected client or server. ---------------------------------------------------------------------- Bist Du interessiert an einem neuen Job in IT-Sicherheit? Secunia hat zwei freie Stellen als Junior und Senior Spezialist in IT- Sicherheit: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: Cisco Various Products Compressed DNS Messages Denial of Service SECUNIA ADVISORY ID: SA15472 VERIFY ADVISORY: http://secunia.com/advisories/15472/ CRITICAL: Less critical IMPACT: DoS WHERE: >From remote OPERATING SYSTEM: Cisco ATA 180 Series Analog Telephone Adaptors http://secunia.com/product/2810/ SOFTWARE: Cisco IP Phone 7900 Series http://secunia.com/product/2809/ Cisco ACNS Software Version 5.x http://secunia.com/product/2268/ Cisco ACNS Software Version 4.x http://secunia.com/product/2269/ Cisco Unity Express 2.x http://secunia.com/product/5151/ DESCRIPTION: A vulnerability has been reported in various Cisco products, which can be exploited by malicious people to cause a DoS (Denial of Service). Successful exploitation crashes a vulnerable device or causes it to function abnormally. The vulnerability affects the following products: * Cisco IP Phones 7902/7905/7912 * Cisco ATA (Analog Telephone Adaptor) 186/188 * Cisco Unity Express The following Cisco ACNS (Application and Content Networking System) devices are also affected: * Cisco 500 Series Content Engines * Cisco 7300 Series Content Engines * Cisco Content Routers 4400 series * Cisco Content Distribution Manager 4600 series * Cisco Content Engine Module for Cisco 2600, 2800, 3600, 3700, and 3800 series Integrated Service Routers. SOLUTION: See patch matrix in vendor advisory for information about fixes. http://www.cisco.com/warp/public/707/cisco-sn-20050524-dns.shtml#software PROVIDED AND/OR DISCOVERED BY: NISCC credits Dr. Steve Beaty. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sn-20050524-dns.shtml NISCC: http://www.niscc.gov.uk/niscc/docs/al-20050524-00433.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Buffer overflow in ISAPI extension (idq.dll) in Index Server 2.0 and Indexing Service 2000 in IIS 6.0 beta and earlier allows remote attackers to execute arbitrary commands via a long argument to Internet Data Administration (.ida) and Internet Data Query (.idq) files such as default.ida, as commonly exploited by Code Red. A vulnerability in IIS 4.0 may permit intruders to crash vulnerable IIS servers with URL redirection enabled. A vulnerability exists in the Indexing services used by Microsoft IIS 4.0 and IIS 5.0 running on Windows NT, Windows 2000, and beta versions of Windows XP. Exploitations of this vulnerability allows a remote intruder to run arbitrary code on the victim machine. An unchecked buffer resides in the 'idq.dll' ISAPI extension associated with each service. Note that Index Server and Indexing Service do not need to be running for an attacker to exploit this issue. Since 'idq.dll' is installed by default when IIS is installed, IIS would need to be the only service running. Note also that this vulnerability is currently being exploited by the 'Code Red' worm. In addition, all products that run affected versions of IIS are also vulnerable. **UPDATE**: An aggressive worm that actively exploits this vulnerability is believed to be in the wild

Cisco 6400 Access Concentrator Node Route Processor 2 (NRP2) 12.1DC card does not properly disable access when a password has not been set for vtys, which allows remote attackers to obtain access via telnet. It is distributed by Cisco Systems. This makes it possible for a remote user to gain access to systems behind the NRP2 module, potentially accessing secure systems

Maximum Rumpus FTP Server 2.0.3 dev and before allows an attacker to cause a denial of service (crash) via a mkdir command that specifies a large number of sub-folders. Rumpus FTP Server is an implementation for MacOS which allows file-sharing across TCP/IP connections. Rumpus FTP is prone to a denial of service. An ftp user can engage the attack by making a directory with an unusual number of sub-folders. This forces the software to quit, as it is unable to handle the creation of so many directories at one time. The FTP server must be rebooted to regain normal functionality. It is required that a user be logged in to carry out this attack. It may be possible for remote users to exploit this vulnerability, but authentication is required and anonymous ftp access does not grant users the privileges neccesary to create directories

Cayman 3220-H DSL Router 1.0 ship without a password set, which allows remote attackers to gain unauthorized access. Cayman gateways ship without a default password on the admin and user accounts. As long as the gateway is not addressable via the WAN, this can only be accessed and set by anyone on the LAN side. With admin access, the gateway settings can be configured by an intruder. This could facilitate remote denials of service, as well as potentially allowing further compromises of the network served by the router

ScreamingMedia SITEWare versions 2.5 through 3.1 allows a remote attacker to read world-readable files via a .. (dot dot) attack through (1) the SITEWare Editor's Desktop or (2) the template parameter in SWEditServlet. Microsoft IIS Is URL If the redirect is valid, Code Red Service operation is affected by the worm (DoS) A condition may occur.Microsoft IIS Service disruption (DoS) It may be in a state. Due to the inproper handling of URL redirection in IIS 4.0, it is possible to cause a host to stop responding. This vulnerability is currently being exploited by the 'Code Red' worm. Upon the worm sending a request attempting to infect the target host, IIS 4.0 will inproperly handle the unusal length of the request and fail. A restart of the service is required in order to gain normal functionality. It should be noted that the 'Code Red' worm attempts to exploit a previously discovered vulnerability BID 2880. Due to a flaw in SiteWare Editor's Desk, it is possible for a user to gain read access of known files residing on a SiteWare host. This is accomplished by crafting a URL containing double dot '../' sequences along with the relative path to a known file

cookiedecode function in PHP-Nuke 4.4 allows users to bypass authentication and gain access to other user accounts by extracting the authentication information from a cookie. There is a vulnerability in the cookiedecode function in PHP-Nuke version 4.4

The web management service on Cisco Content Service series 11000 switches (CSS) before WebNS 4.01B29s or WebNS 4.10B17s allows a remote attacker to gain additional privileges by directly requesting the web management URL instead of navigating through the interface. The Cisco Content Service Switch is an enterprise level web content switch, designed for load balancing and use as a frontend to a redundant web farm. It was previously manufactured by Arrowpoint. A problem with the switch can make it possible for a user to elevated privileges. Due to insufficent authentication checking, a user can bookmark the URL he or she is redirected to, and access the switch via that URL without authenication

Cisco IOS 12.1(2)T, 12.1(3)T allow remote attackers to cause a denial of service (reload) via a connection to TCP ports 3100-3999, 5100-5999, 7100-7999 and 10100-10999. It is maintained by Cisco systems. By initiating a TCP scan against a piece of Cisco hardware 3100-3999, 5100-5999, 7100-7999, and 10100-10999, the router becomes unstable and suffers memory corruption. Upon the next attempt to access the configuration, the router will unexpectedly reload the configuration. This problem makes it possible for a remote user to cause an arbitrary reload of the router configuration, and potentially deny service to network assets

The FTP server on Cisco Content Service 11000 series switches (CSS) before WebNS 4.01B23s and WebNS 4.10B13s allows an attacker who is an FTP user to read and write arbitrary files via GET or PUT commands. The Cisco Content Service (CSS) switch is an Enterprise-level utility by Cisco Systems. The CSS switch is a Layer 5 and 7 aware switch capable of providing a high performance frontend to web server farms and caches. A problem with the switch could allow non-privileged users to upload files to the switch. The switch allows any user with a valid account to use the FTP PUT and GET functions. This problem makes it possible for a remote user to overwrite local files, or gain access to sensitive files

Maxum Rumpus FTP Server 1.3.3 and 2.0.3 dev 3 allows a remote attacker to perform a denial of service (hang) by creating a directory name of a specific length. Rumpus FTP Server is an implementation for MacOS which allows file-sharing across TCP/IP connections. It is possible to log in remotely to the server and shut down the service by making a directory with a name that is 65 characters long. Users must be authenticated to engage this attack

Maxum Rumpus FTP Server 1.3.3 and 2.0.3 dev 3 stores passwords in plaintext in the "Rumpus User Database" file in the prefs folder, which could allow attackers to gain privileges on the server. Rumpus FTP Server is an implementation for MacOS which allows file-sharing across TCP/IP connections. Passwords are stored in plaintext format in the prefs folder

Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice. When IIS receives a CGI filename request, it automatically performs two actions before completing the request: 1. IIS decodes the filename to determine the filetype and the legitimacy of the file. IIS then carries out a security check. 2. When the security check is completed, IIS decodes CGI parameters. A flaw in IIS involves a third undocumented action: Typically, IIS decodes only the CGI parameter at this point, yet the previously decoded CGI filename is mistakenly decoded twice. If a malformed filename is submitted and circumvents the initial security check, the undocumented procedure will decode the malformed request, possibly allowing the execution of arbitrary commands. Note that arbitrary commands will be run with the IUSR_machinename account privileges. Reportedly, various encoding combinations under Windows 2000 Server and Professional may yield different outcomes. Personal Web Server 1.0 and 3.0 are reported vulnerable to this issue. The worm Nimda(and variants) actively exploit this vulnerability