VARIoT IoT vulnerabilities database

VAR-200101-0078 CVE-2000-1104 MS:MS00-060 (CVE-2000-0746) variant "IIS Cross-site scripting" Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Variant of the "IIS Cross-Site Scripting" vulnerability as originally discussed in MS:MS00-060 (CVE-2000-0746) allows a malicious web site operator to embed scripts in a link to a trusted site, which are returned without quoting in an error message back to the client. The client then executes those scripts in the same context as the trusted site. IIS Far East Edition is prone to a cross-site scripting vulnerability
VAR-200101-0109 CVE-2001-1037 Cisco SN 5420 Storage Router Vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Cisco SN 5420 Storage Router 1.1(3) and earlier allows local users to access a developer's shell without a password and execute certain restricted commands without being logged. The Cisco Storage Router is an enterprise-level gigabit-capable routing device designed to handle storage over networks. It is distributed by Cisco Systems. A problem in the firmware used with SN 5420 routers makes it possible to gain unauthorized access and elevated privileges. A remote user may gain a developer shell from either rlogin via the fibrechannel interface of the router, or through port 8023 on the gigabit side of the router. Commands and configuration changes may be executed from the shell, and are not logged by the SN logging facility. Cisco SN 5420 Storage Router 1.1(3) and earlier versions have vulnerabilities
VAR-200101-0115 CVE-2001-0161 Cisco 340-series Aironet WEP Encryption vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco 340-series Aironet access point using firmware 11.01 does not use 6 of the 24 available IV bits for WEP encryption, which makes it easier for remote attackers to mount brute force attacks. Aironet is prone to a remote security vulnerability
VAR-200101-0117 CVE-2001-0163 Cisco AP340 Base station vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Cisco AP340 base station produces predictable TCP Initial Sequence Numbers (ISNs), which allows remote attackers to spoof or hijack TCP connections. Aironet Ap340 is prone to a local security vulnerability
VAR-200012-0186 CVE-2000-0950 TIS Firewall toolkit x-gw Format string vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Format string vulnerability in x-gw in TIS Firewall Toolkit (FWTK) allows local users to execute arbitrary commands via a malformed display name. Internet Firewall Toolkit is prone to a local security vulnerability
VAR-200012-0103 CVE-2000-0989 Intel InBusiness eMail Station Buffer overflow vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Buffer overflow in Intel InBusiness eMail Station 1.04.87 POP service allows remote attackers to cause a denial of service and possibly execute commands via a long username
VAR-200102-0005 CVE-2000-0894 Watchguard SOHO Firewall HTTP Request Vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
HTTP server on the WatchGuard SOHO firewall does not properly restrict access to administrative functions such as password resets or rebooting, which allows attackers to cause a denial of service or conduct unauthorized activities. There is a buffer overflow in the IBM AIX setclock command that may allow local attackers to gain root privileges. SOHO Firewall is an appliance firewall by Watchguard Technologies Inc. designed for Small Office/Home Office users. It is possible for a remote intruder to gain inappropriate access to the system on which SOHO Firewall resides through specially formed HTTP requests. The web server component will grant access to known files when HTTP requests such as http://target/filename.ext are received. For example, a remote attacker may reset the password by supplying a blank request for the /passcfg object. This will clear the administrative password and will yield access to administrative functions via HTTP. An attacker could exploit this vulnerability to cause a denial of service or manage unauthorized behavior. Microsoft Internet Explorer DBCS Remote Memory Corruption Vulnerability By Sowhat of Nevis Labs Date: 2006.04.11 http://www.nevisnetworks.com http://secway.org/advisory/AD20060411.txt http://www.microsoft.com/technet/security/bulletin/MS06-013.mspx CVE: CVE-2006-1189 Vendor Microsoft Inc. Products affected: Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4 and Microsoft Windows XP Service Pack 1 Internet Explorer 6 for Microsoft Windows XP Service Pack 2 Internet Explorer 6 for Microsoft Windows Server 2003 Internet Explorer 6 Service Pack 1 on Microsoft Windows 98, Microsoft Windows 98 SE, and Microsoft Windows Millennium Edition This vulnerability affects systems that use Double-Byte Character Sets. Systems that are affected are Windows language versions that use a Double Byte Character Set language. Examples of languages that use DBCS are Chinese, Japanese, and Korean languages. 
Customers using other language versions of Windows might also be affected if "Language for non-Unicode programs" has been set to a Double Byte Character Set language. Overview: There exists a buffer overflow in Microsoft Internet Explorer in the parsing of DBCS URLS. This vulnerability could allow an attacker to execute arbitrary code on the victim's system when the victim visits a web page or views an HTML email message. This attack may be utilized wherever IE parses HTML, such as webpages, email, newsgroups, and within applications utilizing web-browsing functionality. Details: URLMON.DLL does not properly validate IDN containing double-byte character sets (DBCS), which may lead to remote code execution. Exploiting this vulnerability seems to need a lot of more work but we believe that exploitation is possible. POC: No PoC will be released for this. FIX: Microsoft has released an update for Internet Explorer which is set to address this issue. This can be downloaded from: http://www.microsoft.com/technet/security/bulletin/MS06-013.mspx Vendor Response: 2005.12.29 Vendor notified via secure@microsoft.com 2005.12.29 Vendor responded 2006.04.11 Vendor released MS06-0xx patch 2006.04.11 Advisory released Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. CVE-2006-1189 Greetings to Lennart@MS, Chi, OYXin, Narasimha Datta, all Nevis Labs guys, all XFocus and 0x557 guys :) References: 1. http://www.microsoft.com/technet/security/bulletin/MS06-013.mspx 2. http://www.nsfocus.com/english/homepage/research/0008.htm 3. http://xforce.iss.net/xforce/xfdb/5729 4. http://www.securityfocus.com/bid/2100/discuss 5. http://www.inter-locale.com/whitepaper/IUC27-a303.html 6. http://blogs.msdn.com/michkap/archive/2005/10/28/486034.aspx 7. 
[Mozilla Firefox IDN "Host:" Buffer Overflow] http://www.security-protocols.com/advisory/sp-x17-advisory.txt 8. [Mozilla Firefox 1.5 Beta 1 IDN Buffer Overflow] http://www.security-protocols.com/advisory/sp-x18-advisory.txt 9. http://72.14.203.104/search?q=cache:Dxn-V4fil1IJ:developer.novell.com /research/devnotes/1995/may/02/05.htm -- Sowhat http://secway.org "Life is like a bug, Do you know how to exploit it ?"
VAR-200102-0006 CVE-2000-0895 Watchguard SOHO Firewall oversized GET request DoS Vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Buffer overflow in HTTP server on the WatchGuard SOHO firewall allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long GET request. SOHO Firewall is an appliance firewall by Watchguard Technologies Inc. designed for Small Office/Home Office users. SOHO Firewall is susceptible to a trivial denial of service attack. Restarting the service is required in order to regain normal functionality. Watchguard has confirmed that this vulnerability could not be implemented to launch arbitrary code. Successful exploitation of this vulnerability could assist in the development of further attacks due to the elimination of a firewall defense
VAR-200102-0084 CVE-2001-0082 Check Point FireWall-1 Fast Mode TCP fragment checking vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Check Point VPN-1/FireWall-1 4.1 SP2 with Fastmode enabled allows remote attackers to bypass access restrictions via malformed, fragmented packets. The "Fast Mode" option supported by Check Point VPN-1 and FireWall-1 products contains a vulnerability that could allow access to restricted services by bypassing access control. A service on a host whose communication is blocked by the firewall may be accessed. Firewall-1 is prone to a security bypass vulnerability. Fast Mode is a setting that turns off analysis of packets in TCP sessions after the TCP 3-way handshake has completed for speed-critical services. It is also reportedly possible to access hosts at least one hop away on the same interface as the target host being protected. In order for this to be possible, at least one TCP service on a host protected by the firewall must be accessible by the attacker to which a SYN can be sent legitimately. The vulnerability is due to a failure to handle malformed fragmented TCP segments. Check Point Software contacted SecurityFocus with an update regarding this issue. Check the solutions section for the update. Check Point VPN-1/FireWall-1 4.1 SP2 with Fastmode enabled is vulnerable. A remote attacker can cause a denial of service by means of an extremely long URL request to the web management interface
VAR-200012-0099 CVE-2000-1038 IBM AS/400 Firewall web Management interface vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The web administration interface for IBM AS/400 Firewall allows remote attackers to cause a denial of service via an empty GET request. As400 Firewall is prone to a denial-of-service vulnerability
VAR-200102-0021 CVE-2001-0049 IBM AIX setclock buffer overflow in remote timeserver argument CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
WatchGuard SOHO FireWall 2.2.1 and earlier allows remote attackers to cause a denial of service via a large number of GET requests. There is a buffer overflow in the IBM AIX setclock command that may allow local attackers to gain root privileges. The SOHO 2.2 is a popular SOHO firewall by Watchguard Technologies Inc. In the case of a reboot, the firewall will be in-operable for one to five minutes. If the firewall shuts down completely, it will require a power recycle. In the case of a sustained attack, the firewall can be permanently taken off-line. It should be noted that this attack does not appear in the firewall logs except for a reboot notification. Vulnerabilities exist in WatchGuard SOHO FireWall 2.2.1 and earlier versions.
VAR-200102-0026 CVE-2001-0054 SolarWinds Serv-U File Server Path traversal vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Directory traversal vulnerability in FTP Serv-U before 2.5i allows remote attackers to escape the FTP root and read arbitrary files by appending a string such as "/..%20." to a CD command, a variant of a .. (dot dot) attack. FTP Serv-U is an internet FTP server from CatSoft. Authenticated users can gain access to the ftproot of the drive where Serv-U FTP has been installed. Users that have read, write, execute and list access in the home directory will have the same permissions to any file which resides on the same partition as the ftproot. Once a user is in the home directory, they can successfully transfer any files using specially crafted GET requests. All hidden files will be revealed even if the 'Hide hidden files' feature is on. Successful exploitation of this vulnerability could enable a remote user to gain access to system files, password files, etc. This could lead to a complete compromise of the host
VAR-200106-0098 CVE-2001-0299 SGI IRIX df buffer overflow in directory argument CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in Voyager web administration server for Nokia IP440 allows local users to cause a denial of service, and possibly execute arbitrary commands, via a long URL. A vulnerability exists in Nokia's IP440 integrated Firewall-1/IDS. If a URL is sent to the device's administration interface which contains a large number of characters it can overflow the relevant buffer and create a segmentation fault. As with any buffer overflow, this has the potential to allow arbitrary code execution, but this result has not been reported in this case. Note that in order for this vulnerability to be exploited, the attacker must have been previously authenticated by the target system. Regardless, this vulnerability will permit an attacker to carry out a denial of services on the affected host
VAR-200102-0001 CVE-2000-1090 IBM AIX setclock buffer overflow in remote timeserver argument CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Microsoft IIS for Far East editions 4.0 and 5.0 allows remote attackers to read source code for parsed pages via a malformed URL that uses the lead-byte of a double-byte character. There is a buffer overflow in the IBM AIX setclock command that may allow local attackers to gain root privileges. Microsoft IIS in language versions that use double-byte character sets (DBCS) has a vulnerability in which a request containing a specific double-byte character discloses a file whose file name cannot normally be viewed. Any file in the system may be viewed. AIX is a version of the UNIX Operating System distributed by IBM. A problem exists that could allow a user elevated privileges. The problem occurs in the setsenv binary. It has been reported that a buffer overflow exists in this binary which could allow a user to overwrite variables on the stack, including the return address. This makes it possible for a malicious user to execute arbitrary code, and potentially attain a UID of 0. The editions that are affected include Traditional Chinese, Simplified Chinese, Japanese, and Korean (Hangeul). This vulnerability affects IIS prior to SP6. The problem was resolved with the release of SP6, however it has resurfaced in IIS 5.0. Non-Far East editions of IIS such as English are not affected by this vulnerability. If a lead-byte exists, IIS will proceed to check for a trail-byte. If a trail-byte is not present, IIS will automatically drop the lead-byte. Problems can arise due to the exclusion of the lead-byte because it will result in the opening of a different file from the one specified. A malicious user may create a specially formed HTTP request containing DBCS to retrieve the contents of files located inside the web root. This may lead to the disclosure of sensitive information such as usernames and passwords
VAR-200101-0071 CVE-2000-1097 SonicWALL SOHO Service denial vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The web server for the SonicWALL SOHO firewall allows remote attackers to cause a denial of service via a long username in the authentication page. SonicWALL SOHO provides a secure internet connection for a network. SonicWALL SOHO is subject to a denial of service. This has been verified to last for up to 30 seconds until functionality resumes, although a restart of the service may be required in order to gain normal functionality. In addition, it has been verified that this vulnerability is exploitable by way of various malformed HTTP requests. This vulnerability may be the result of a buffer overflow, although not verified this could lead to the execution of arbitrary code on the target host. There is a vulnerability in the web server of the SonicWALL SOHO firewall
VAR-200101-0009 CVE-2000-1179 Netopia ISDN Router 650-ST Login interface connection vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Netopia ISDN Router 650-ST before 4.3.5 allows remote attackers to read system logs without authentication by directly connecting to the login screen and typing certain control characters. A vulnerability exists in the Netopia 650-ST ISDN router, firmware version 3.3.2. A user connected to the unit's telnet interface can cause the device's system logs to be displayed with a simple keystroke entered by the user at the login screen. [CTRL]-E - displays the device event log [CTRL]-F - displays the WAN event log. Access to this information by a malicious remote user can lead to a compromise of sensitive information including usernames and passwords
VAR-200011-0032 CVE-2000-0804 Check Point VPN-1/FireWall-1 Bypass directory detection vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to bypass the directionality check via fragmented TCP connection requests or reopening closed TCP connection requests, aka "One-way Connection Enforcement Bypass." Firewall-1 is prone to a security bypass vulnerability. There are vulnerabilities in Check Point VPN-1/FireWall-1 4.1 and earlier versions. Also known as "One-way Connection Enforcement Bypass"
VAR-200011-0033 CVE-2000-0805 Check Point VPN-1/FireWall-1 Incorrect forwarding of encapsulated FWS Packet vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Check Point VPN-1/FireWall-1 4.1 and earlier improperly retransmits encapsulated FWS packets, even if they do not come from a valid FWZ client, aka "Retransmission of Encapsulated Packets." Firewall-1 is prone to a remote security vulnerability
VAR-200011-0034 CVE-2000-0806 Check Point VPN-1/FireWall-1 Inter-component authentication mechanism service denial vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The inter-module authentication mechanism (fwa1) in Check Point VPN-1/FireWall-1 4.1 and earlier may allow remote attackers to conduct a denial of service, aka "Inter-module Communications Bypass." Firewall-1 is prone to a denial-of-service vulnerability. A remote attacker could exploit this vulnerability to cause a denial of service. Also known as "Inter-module Communications Bypass"
VAR-200011-0035 CVE-2000-0807 Check Point VPN-1/FireWall mechanism (fwn1) OPSEC Communication authentication fraudulent connection vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The OPSEC communications authentication mechanism (fwn1) in Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to spoof connections, aka the "OPSEC Authentication Vulnerability." Firewall-1 is prone to a remote security vulnerability