VARIoT IoT vulnerabilities database


VAR-200211-0070 CVE-2002-0869 Microsoft IIS Privilege acquisition vulnerability in different application processes CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Unknown vulnerability in the hosting process (dllhost.exe) for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allows remote attackers to gain privileges by executing an out of process application that acquires LocalSystem privileges, aka "Out of Process Privilege Elevation.". In Microsoft IIS, when an application is run out of process (in a process separate from the web server), a design flaw allows code that should run with the rights of the IIS application manager to run with System privileges. Arbitrary code may therefore be executed with System authority. A vulnerability has been reported for Microsoft IIS that may allow an attacker to obtain elevated privileges. This vulnerability can be exploited by an attacker to load and execute applications on the vulnerable server with SYSTEM level privileges. This vulnerability can be exploited, when IIS is configured to run applications out of process, by modifying the memory space of the dllhost.exe process. This vulnerability was originally described in BugTraq ID 6068. It is now being assigned its own BugTraq ID.
VAR-200212-0704 CVE-2002-2380 Arescom NetDSL-800 There is an undisclosed account vulnerability in the firmware CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
NetDSL ADSL Modem 800 with Microsoft Network firmware 5.5.11 allows remote attackers to gain access to configuration menus by sniffing undocumented usernames and passwords from network traffic. A weakness has been discovered in NetDSL-800 router firmware. It has been reported that NetDSL-800 firmware, as configured by certain Internet Service Providers (ISPs), contains undocumented users. It is possible to obtain a target device's undocumented username and password using a network sniffer and the Arescom NetDSL Remote Manager. Access via undocumented accounts may allow attackers to corrupt configuration settings or cause a denial of service. It should be noted that not all firmware configurations may contain undocumented users. Firmware configured by the MSN ISP has been reported vulnerable. It should also be noted that it has not yet been confirmed whether unique usernames and passwords are generated for each device. Arescom NetDSL-800 is a pluggable, easy-to-use ADSL modem. There are undisclosed accounts in the NetDSL-800 firmware provided by some ISPs. There are undisclosed usernames and passwords in the NetDSL-800 firmware preset by the MSN ISP, which can be used to change settings or conduct denial of service attacks.
VAR-200212-0063 CVE-2002-2181 SonicWall Content filtering software URL Filtering can bypass the vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
SonicWall Content Filtering allows local users to access prohibited web sites via requests to the web site's IP address instead of the domain name. SonicWall Content Filtering software is designed for use with SonicWall Appliances. It has been reported that the SonicWall Content Filtering software does not sufficiently check addresses when requests are made. Because of this, it would be possible for a user behind the system to reach a restricted-access site by requesting the site on the basis of IP addresses. A remote attacker could exploit this vulnerability to bypass content inspection and access otherwise restricted sites
VAR-200210-0053 CVE-2002-1190 Cisco Unity Use the recognized default user account vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco Unity 2.x and 3.x uses well-known default user accounts, which could allow remote attackers to gain access and place arbitrary calls. Unity Server is prone to a remote security vulnerability
VAR-200212-0697 CVE-2002-2373 Apple 12/640 PS LaserWriter TCP/IP Configuration Tool Telnet Service default passwordless vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The default configuration of the TCP/IP printer configuration utility in Apple LaserWriter 12/640 PS printer contains a blank Telnet password, which allows remote attackers to gain access. The 12/640 PS LaserWriter is a PostScript-capable printer distributed by Apple. When the tool is used to configure a printer, the device does not require the setting of a telnet server password. This may allow unauthorized remote access to the device. The TCP/IP Print Configuration Tool is security and management software for the Apple LaserWriter 12/640 PS printer.
VAR-200212-0695 CVE-2002-2371 Linksys WET11 Remote Denial of Service Attack Vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Linksys WET11 firmware 1.31 and 1.32 allows remote attackers to cause a denial of service (crash) via a packet containing the device's hardware address as the source MAC address in the DLC header. It has been reported that the WET11 device is prone to a denial of service condition when receiving specially crafted packets. The device will crash when it receives packets that have the same MAC address as the device itself. Linksys WET11 is an Ethernet to 802.11b bridge that can bridge a single host or an entire network
VAR-200210-0315 No CVE D-Link DSL-500 has a default telnet password vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The DSL-500 is an ADSL broadband router developed by D-Link. The DSL-500 includes a default telnet password that can be used by remote attackers to access control devices. The DSL-500 includes a default telnet password of 'private', which allows an attacker to gain unauthorized access to the device for a denial of service attack or other malicious activity. This could result in unauthorized access, denial of service, or other problems
VAR-200212-0510 CVE-2002-1810 D-Link DWL-900AP + TFTP Server Arbitrary File Acquisition Vulnerability CVSS V2: 7.5
CVSS V3: 7.5
Severity: HIGH
D-Link DWL-900AP+ Access Point 2.1 and 2.2 allows remote attackers to access the TFTP server without authentication and read the config.img file, which contains sensitive information such as the administrative password, the WEP encryption keys, and network configuration information. DWL-900AP+ is a WiFi / 802.11b wireless access point system developed by D-Link. DWL-900AP+ contains an undisclosed TFTP service program. The config.img file it serves contains:
- the administrative password
- the WEP encryption key
- network configuration data (address, SSID, etc.)
This data exists in clear text, and through this data an attacker may be able to control the entire device. In addition, other configuration files can be obtained by requesting them from the TFTP server:
- eeprom.dat
- mac.dat
- wtune.dat
- rom.img
- normal.img
This could lead to the disclosure of sensitive information.
VAR-200902-0682 CVE-2002-2428 GoAhead WebServer 'webs.c' Denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
webs.c in GoAhead WebServer before 2.1.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an HTTP POST request that contains a Content-Length header but no body data. GoAhead WebServer is prone to an authentication-bypass vulnerability and multiple denial-of-service vulnerabilities. A remote attacker may exploit these issues to gain access to protected documents or to create a denial-of-service condition. Versions prior to GoAhead WebServer 2.1.6 are vulnerable. GoAhead WebServer is web publishing server software. The triggering request contains a Content-Length header but no body data.
VAR-200902-0683 CVE-2002-2429 GoAhead WebServer 'webs.c' Denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
webs.c in GoAhead WebServer before 2.1.4 allows remote attackers to cause a denial of service (daemon crash) via an HTTP POST request that contains a negative integer in the Content-Length header. GoAhead WebServer is prone to an authentication-bypass vulnerability and multiple denial-of-service vulnerabilities. A remote attacker may exploit these issues to gain access to protected documents or to create a denial-of-service condition. Versions prior to GoAhead WebServer 2.1.6 are vulnerable. GoAhead WebServer is web publishing server software. The triggering request contains a negative integer value in the Content-Length header.
VAR-200902-0684 CVE-2002-2430 GoAhead WebServer Denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
GoAhead WebServer before 2.1.1 allows remote attackers to cause a denial of service (CPU consumption) by performing a socket disconnect to terminate a request before it has been fully processed by the server. GoAhead WebServer is prone to an authentication-bypass vulnerability and multiple denial-of-service vulnerabilities. A remote attacker may exploit these issues to gain access to protected documents or to create a denial-of-service condition. Versions prior to GoAhead WebServer 2.1.6 are vulnerable. GoAhead WebServer is web publishing server software.
VAR-200902-0685 CVE-2002-2431 GoAhead WebServer 'socketInputBuffered function ' Unknown vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in GoAhead WebServer before 2.1.4 allows remote attackers to cause "incorrect behavior" via unknown "malicious code," related to incorrect use of the socketInputBuffered function by sockGen.c. GoAhead WebServer is prone to an authentication-bypass vulnerability and multiple denial-of-service vulnerabilities. A remote attacker may exploit these issues to gain access to protected documents or to create a denial-of-service condition. Versions prior to GoAhead WebServer 2.1.6 are vulnerable. GoAhead WebServer is web publishing server software. The issue is related to incorrect use of the socketInputBuffered function.
VAR-200902-0686 CVE-2003-1568 GoAhead WebServer 'websSafeUrl function ' Denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
GoAhead WebServer before 2.1.6 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an invalid URL, related to the websSafeUrl function. GoAhead WebServer is prone to an authentication-bypass vulnerability and multiple denial-of-service vulnerabilities. A remote attacker may exploit these issues to gain access to protected documents or to create a denial-of-service condition. Versions prior to GoAhead WebServer 2.1.6 are vulnerable. GoAhead WebServer is web publishing server software. The vulnerability is related to the websSafeUrl function.
VAR-200902-0687 CVE-2003-1569 GoAhead WebServer Construct http Request denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
GoAhead WebServer before 2.1.5 on Windows 95, 98, and ME allows remote attackers to cause a denial of service (daemon crash) via an HTTP request with a (1) con, (2) nul, (3) clock$, or (4) config$ device name in a path component, different vectors than CVE-2001-0385. GoAhead WebServer is prone to an authentication-bypass vulnerability and multiple denial-of-service vulnerabilities. A remote attacker may exploit these issues to gain access to protected documents or to create a denial-of-service condition. Versions prior to GoAhead WebServer 2.1.6 are vulnerable
VAR-200211-0071 CVE-2002-0666 Multiple IPsec implementations do not adequately validate authentication data CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
IPSEC implementations including (1) FreeS/WAN and (2) KAME do not properly calculate the length of authentication data, which allows remote attackers to cause a denial of service (kernel panic) via spoofed, short Encapsulating Security Payload (ESP) packets, which result in integer signedness errors. IPsec implementations from multiple vendors do not adequately validate the authentication data in IPsec packets, exposing vulnerable systems to a denial of service. In the IBM AIX IPsec implementation, the esp4_input() function does not properly check the integrity of authentication data, which may lead to a kernel panic condition. A vulnerability in several implementations of IPsec related to handling of malformed ESP packets has been reported. On several systems, the conditions may be exploited to cause kernel panics. IPsec is a set of IP security extensions that provide authentication and encryption functions. It includes two types of packets, ESP and AH, carried as IP protocols 50 and 51 respectively. Several IPsec implementations have this vulnerability. Remote attackers can exploit it to conduct denial of service attacks.
VAR-200902-0681 CVE-2002-2427 GoAhead Web Server discloses source code of ASP files via crafted URL CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The security handler in GoAhead WebServer before 2.1.1 allows remote attackers to bypass authentication and obtain access to protected web content via "an extra slash in a URL," a different vulnerability than CVE-2002-1603. This issue is also referenced in VU#124059. GoAhead WebServer contains vulnerabilities that may allow an attacker to view source files containing sensitive information or bypass authentication. The information disclosure vulnerability was previously published as VU#975041. As a result, files containing usernames and passwords may be viewed. GoAhead WebServer is prone to an authentication-bypass vulnerability and multiple denial-of-service vulnerabilities. A remote attacker may exploit these issues to gain access to protected documents or to create a denial-of-service condition. Versions prior to GoAhead WebServer 2.1.6 are vulnerable. GoAhead WebServer is web publishing server software.
VAR-200210-0004 CVE-2002-1222 Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Buffer overflow in the embedded HTTP server for Cisco Catalyst switches running CatOS 5.4 through 7.3 allows remote attackers to cause a denial of service (reset) via a long HTTP request. Certain versions of Cisco CatOS ship with an embedded HTTP server. This issue is reported to affect CatOS versions 5.4 through 7.4 which contain "cv" in the image name
VAR-200212-0032 CVE-2002-2150 State-based firewalls fail to effectively manage session table resource exhaustion CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Firewalls from multiple vendors empty state tables more slowly than they are filled, which allows remote attackers to flood state tables with packet flooding attacks such as (1) TCP SYN flood, (2) UDP flood, or (3) Crikey CRC Flood, which causes the firewall to refuse any new connections. There is a vulnerability in several state-based firewall products that allows arbitrary remote attackers to conduct denial of service attacks against vulnerable firewalls. By sending a large number of packets to a firewall from any of several vendors and exploiting how its state table is specified, an attacker can cause the firewall to stop accepting new sessions, leaving the firewall in a denial of service (DoS) state. It has been reported that many firewalls do not properly handle certain types of input. Firewall systems that maintain state could be attacked and forced into a situation where all service is denied. This condition would occur as a result of certain types of traffic floods. A comprehensive listing of affected products is not available at this time. A variety of firewall products use the state table to judge whether a received packet belongs to an existing session between two hosts. The firewall removes entries from the state table for different reasons, including session time-out expiration, detection of TCP FIN or TCP RST packets, and so on. If new state entries are added faster than the firewall can delete entries, a remote attacker can exploit this to fill up all state table buffers, resulting in a denial of service. Packets for new sessions are then refused and new connections cannot be established. Attackers can use the following methods:
TCP SYN FLOOD: In order to establish a TCP connection, the client and server must participate in a three-way handshake. The client system sends a SYN message to the server, and the server responds to the SYN message by sending a SYN-ACK message to the client. The client finally completes the establishment of the connection by replying with an ACK message, and then performs data transmission. In a SYN FLOOD attack, an attacker can send SYN packets with forged IP source addresses, making the communications appear to come from multiple clients. Because the client address is forged, the SYN-ACK message sent to the client will be discarded, and a large number of such communications can cause the firewall's state table to be filled with forged entries, resulting in a denial of service.
UDP FLOOD: In a UDP FLOOD attack, the attacker can send a large number of small UDP packets with forged source IP addresses. Since the UDP protocol is connectionless, there is no session state information (SYN, SYN-ACK, ACK, FIN, or RST) to help the firewall detect abnormal protocol states. As a result, state-based firewalls must rely on source and destination addresses to create state table entries and set session timeout values.
C2 FLOOD: A CRC check is calculated at each network layer and is used to determine whether data has been corrupted during transmission. A C2 Flood consists of packets containing an illegal transport layer (TCP, UDP) checksum. Since the transport layer checksum is not needed for the firewall's own operation, many implementations choose to optimize performance by ignoring these checksums, so if C2..
VAR-200210-0165 CVE-2002-0990 Multiple Symantec Firewall Secure Webserver Error Request Remote Denial of Service Attack Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The web proxy component in Symantec Enterprise Firewall (SEF) 6.5.2 through 7.0, Raptor Firewall 6.5 and 6.5.3, VelociRaptor, and Symantec Gateway Security allow remote attackers to cause a denial of service (connection resource exhaustion) via multiple connection requests to domains whose DNS server is unresponsive or does not exist, which generates a long timeout. A denial of service vulnerability has been reported in this component. According to the report, the proxy blocks while attempting to resolve hostnames specified in CONNECT requests. While this is occurring, requests from other clients are not handled. This behaviour can be exploited to cause a denial of service condition. There is a problem in how the firewall's web proxy service handles non-existent internal URLs. By submitting non-existent or incorrect internal URL requests multiple times, the proxy service may time out for a period of time without responding to subsequent proxy connection requests, resulting in a denial of service.
VAR-200303-0027 CVE-2002-1535 Symantec HTTP Agent information disclosure vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Secure Webserver 1.1 in Raptor 6.5 and Symantec Enterprise Firewall 6.5.2 allows remote attackers to identify IP addresses of hosts on the internal network via a CONNECT request, which generates different error messages if the host is present. The "Simple, Secure Webserver" is an HTTP proxy included with Raptor Firewall, Symantec Enterprise Firewall, VelociRaptor and Symantec Gateway Security. An information disclosure vulnerability has been reported in this component. According to the report, it is possible for external hosts to identify responsive hosts on the network connected to the internal interface. Responsive and unresponsive hosts can be distinguished based on the response to a CONNECT request for a guessed internal IP address, because the proxy generates different error messages when the host is online.