VARIoT IoT vulnerabilities database
| VAR-200212-0204 | CVE-2002-2116 | Netgear SOHO Router UDP Port Scan Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Netgear RM-356 and RT-338 series SOHO routers allow remote attackers to cause a denial of service (crash) via a UDP port scan, as demonstrated using nmap. RM-356 is a hardware router developed by Netgear, suitable for home or small office networks.
UDP scanning will crash RM-356 and RT-338. A cold boot is required to return to normal.
# nmap -sU 210.9.238.103 -T5
At that point a crashdump appeared on the RM-356 console, with the following information:
Menu 24.2.1-System Maintenance-Information
Name: ******* _ netgear
Routing: IP
RAS F/W Version: V2.21(I.03) | 3/30/2000
MODEM 1 F/W Version: V2.210-V90_2M_DLS
Country Code: 244
LAN
Ethernet Address: 00:a0:c5:e3:**:**
IP Address: 192.168.0.1
IP Mask: 255.255.255.0
DHCP: Server
CRASHDUMP ::
Boot Module Version: 4.40. Built at Wed Feb 23 14:00:29 2000
TCP connect() scans, by contrast, complete normally.
Note that the scan above crashes the device even when SNMP (161/UDP) is not open, so the problem may lie in the filtering code. Most Netgear SOHO devices have a simple filtering mechanism, which is maintained and distributed by Netgear.
Under some circumstances, a portscan of the router could cause a denial of service. It has been reported that portscanning a RM-356 with UDP causes the router to become unstable. This is usually accompanied by a crash, requiring a power cycling of the router to resume normal operation. It is also reported that this problem seems to affect port 161/UDP (SNMP) specifically. This problem has been reported to also affect the RT-338 models, and may affect others
| VAR-200202-0014 | CVE-2002-1603 | GoAhead Web Server discloses source code of ASP files via crafted URL |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
GoAhead Web Server 2.1.7 and earlier allows remote attackers to obtain the source code of ASP files via a URL terminated with a /, \, %2f (encoded /), %20 (encoded space), or %00 (encoded null) character, which returns the ASP source code unparsed. This issue is also referenced in VU#124059. GoAhead WebServer contains vulnerabilities that may allow an attacker to view source files containing sensitive information or bypass authentication. The information disclosure vulnerability was previously published as VU#975041. A vulnerability in GoAhead webserver may result in the disclosure of the source code of ASP script files. The vulnerability occurs because the application fails to sanitize HTTP requests.
An attacker can append certain characters to the end of an HTTP request for a specific ASP file. As a result, GoAhead WebServer will disclose the contents of the requested ASP script file to the attacker. GoAhead WebServer is a small embedded web server from the American company Embedthis that can be embedded in a variety of devices and applications. Attackers can use this information to further attack the system
| VAR-200212-0418 | CVE-2002-1718 | Microsoft IIS FrontPage Server Extensions file source information disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Microsoft Internet Information Server (IIS) 5.1 may allow remote attackers to view the contents of a Frontpage Server Extension (FPSE) file, as claimed using an HTTP request for colegal.htm that contains .. (dot dot) sequences.
Allegedly, submitting a request using '../' character sequences followed by the path to a known FPSE file, will cause the host to reveal the source of the requested file.
Microsoft has not confirmed the existence of these vulnerabilities.
* Conflicting details exist. This issue may be the result of a configuration error, although this has not been confirmed
| VAR-200212-0417 | CVE-2002-1717 | Microsoft IIS System information disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Microsoft Internet Information Server (IIS) 5.1 allows remote attackers to view path information via a GET request to (1) /_vti_pvt/access.cnf, (2) /_vti_pvt/botinfs.cnf, (3) /_vti_pvt/bots.cnf, or (4) /_vti_pvt/linkinfo.cnf. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------ Microsoft IIS 5.1, shipped by default with Windows XP, has a problem that exposes detailed system information. A default installation of IIS 5.1 creates the _vti_pvt folder, which is required when FrontPage Server Extensions are used. It holds various useful information, such as records of page updates. By sending a GET request for the following .cnf files in the _vti_pvt folder, a remote attacker can learn the structure and ownership of the web site, the absolute path to each file, and so on, which may be useful to an attacker conducting preliminary reconnaissance of the host. <Files that disclose system information on a GET request> ・ access.cnf ・ botinfs.cnf ・ bots.cnf ・ linkinfo.cnf In addition, sending a GET request for /iishelp/common/colegal.htm as shown below could allow a remote attacker to access other files. GET /iishelp/common/colegal.htm:../../../../../_vti_bin/_vti_adm/admin.dll According to a further report, for this issue to apply, the _vti_pvt folder must be configured to allow read permission.
Allegedly, submitting a request for one of the vulnerable files by way of '/_vti_pvt/', will cause the host to reveal system path information. The reported problematic files are 'access.cnf', 'botinfs.cnf', 'bots.cnf' and 'linkinfo.cnf'.
Microsoft has not confirmed the existence of these vulnerabilities.
* Conflicting details exist. This issue may be the result of a configuration error, although this has not been confirmed
| VAR-200205-0047 | CVE-2002-0250 | HP AdvanceStack Switch Bypass management authentication vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Web configuration utility in HP AdvanceStack hubs J3200A through J3210A with firmware version A.03.07 and earlier, allows unauthorized users to bypass authentication via a direct HTTP request to the web_access.html file, which allows the user to change the switch's configuration and modify the administrator password. HP AdvanceStack 10Base-T Switching Hubs combine 10Base-T functionality with the performance of switching.
It has been reported that authentication for HP J3210A 10Base-T Switching Hubs may be bypassed by an unprivileged user who accesses one of the administrative web pages directly.
The attacker may allegedly change the superuser password of the device via this interface and gain access to the administrative facilities of the device. Additionally, authentication credentials are disclosed to the attacker.
*Reportedly, the password is stored in plain text and can be revealed by viewing the source of the web page
| VAR-200205-0049 | CVE-2002-0252 | Apple QuickTime Content-Type Remote Buffer Overflow Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in Apple QuickTime Player 5.01 and 5.02 allows remote web servers to execute arbitrary code via a response containing a long Content-Type MIME header. Apple QuickTime is a freely available media player. It runs on a number of platforms including MacOS and Windows 9x/ME/NT/2000/XP operating systems.
Apple QuickTime for Windows does not perform sufficient bounds checking on the "Content-Type" header. This issue may be exploited if a server responds to an HTTP request for a media file with a maliciously crafted "Content-Type" header. A "Content-Type" header of 500+ characters is sufficient to trigger this condition, causing stack variables to be overwritten in the process.
This issue may allow a malicious server to execute arbitrary attacker-supplied code on the host of a client who makes a request for a media file. This may result in a remote compromise, possibly with elevated privileges (depending on the environment). This issue may also allow a hostile server to introduce malicious code into a system running the vulnerable software.
Exploitation of this issue requires that a user makes a request to the malicious server. However, this may also be exploited by a malicious host that is serving streaming media content to the client.
It should be noted that the QuickTime player broadcasts information about the version and the operating environment via the "User-Agent" header of the HTTP request, which may aid a malicious server in successfully exploiting this issue.
This vulnerability was reported for Japanese versions of Apple QuickTime Player, running on Japanese versions of the Microsoft Operating System. It is not known if other versions and environments are affected
| VAR-200205-0038 | CVE-2002-0241 | Cisco Secure ACS NDS authentication bypass allowing expired or disabled users to authenticate |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
NDSAuth.DLL in Cisco Secure Authentication Control Server (ACS) 3.0.1 does not check the Expired or Disabled state of users in the Novell Directory Services (NDS), which could allow those users to authenticate to the server. Cisco Secure ACS is a highly scalable, high-performance access control server that runs on Windows NT/2000 operating systems and Unix variants. It operates as a centralized Remote Access Dial-In User Service (RADIUS) or TACACS+ server system and controls the authentication of users accessing resources through the network. An expired or disabled user who authenticates with the correct credentials will still be able to access the service. The normal, expected behavior is that their access to the service will be denied.
It should be noted that only Cisco Secure ACS 3.01 for Windows NT is prone to this issue. The vulnerability is caused by the "NDSAuth.DLL" file; this module allows ACS authentication via an external NDS server. < *Link: http://www.cisco.com/warp/public/707/ciscosecure-acs-nds-authentication-vuln-pub.shtml* >
| VAR-200205-0034 | CVE-2002-0237 | ISS BlackICE and RealSecure Remote denial of service vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in ISS BlackICE Defender 2.9 and earlier, BlackICE Agent 3.0 and 3.1, and RealSecure Server Sensor 6.0.1 and 6.5 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a flood of large ICMP ping packets. Internet Security Systems's BlackICE Defender, BlackICE Agent and RealSecure Server Sensor, are network intrusion detection systems which run in Microsoft Windows environments.
A buffer overflow condition has been reported in these products which can be exploited by a remote user. Exploitation is achievable via a ping flood attack.
Sending a series of large Echo Request (ping) packets to a target host will trigger the overflow.
It is possible to execute arbitrary code with kernel-level privileges. Only Windows 2000 and XP hosts are affected by this vulnerability
| VAR-200205-0035 | CVE-2002-0238 | Netgear RT314/RT311 Gateway Router cross-site scripting vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cross-site scripting vulnerability in web administration interface for NetGear RT314 and RT311 Gateway Routers allows remote attackers to execute arbitrary script on another client via a URL that contains the script. The Netgear RT314/RT311 Gateway Router models allow Cable/DSL users to share a connection. These products provide a web-based administrative interface.
The affected products run a ZyXel-RomPager web server to provide easy web-based configuration.
The web interface for the router is prone to cross-site scripting attacks. This may be exploited by an attacker who knows the internal IP address of the router. Arbitrary script code may be included in a malicious link, which is executed in the browser of the victim, in the context of the router.
It is possible that an attacker may capitalize on this opportunity to gain unauthorized administrative access to the router. This may occur if the attacker can successfully steal cookie-based authentication credentials from a user who has access to the administrative interface.
It should be noted that there is a distinct possibility that any other router products running the ZyXel-RomPager web server (versions 3.02 or earlier) may also be prone to this issue.
This issue reportedly does not affect the Netgear RP114 Cable/DSL Web Safe Router. Netgear's RT314 is a four-port router suitable for home or small office networks. Its web server, however, has a cross-site scripting vulnerability; see CERT advisory CA-2000-02, published two years earlier
| VAR-200205-0029 | CVE-2002-0232 | MRTG CGI remote arbitrary file read vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in Multi Router Traffic Grapher (MRTG) allows remote attackers to read portions of arbitrary files via a .. (dot dot) in the cfg parameter for (1) 14all.cgi, (2) 14all-1.1.cgi, (3) traffic.cgi, or (4) mrtg.cgi. This can be accomplished by specifying a relative path and file name in a query string passed to the scripts via a properly constructed URL. The scripts reported to be vulnerable include mrtg.cgi, traffic.cgi, 14all-1.1.cgi, and 14all.cgi. An example URL is: http://somehost/mrtg.cgi?cfg=../../../../../../../../etc/passwd. All affected scripts are reportedly exploited with the same query string (i.e., the "cfg=" variable). Multi Router Traffic Grapher is software that monitors traffic on network nodes. MRTG generates HTML pages containing GIF images that give a graphical representation of network traffic at that time. There is an input validation error in the MRTG CGI programs, which a remote attacker can use to read any file on the host that the web server process has permission to read. The problem is that some MRTG CGI scripts do not adequately filter user input: by inserting "../" into the input, a remote attacker can traverse directories on the host and read any file the web process has permission to read. The scripts affected by this vulnerability are mrtg.cgi, traffic.cgi, 14all-1.1.cgi and 14all.cgi, all of which use the "cfg" variable, for example http://somehost/mrtg.cgi?cfg=../../../../../../../../etc/passwd
| VAR-200205-0031 | CVE-2002-0234 | NetScreen ScreenOS Port Scan Denial of Service Vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
NetScreen ScreenOS before 2.6.1 does not support a maximum number of concurrent sessions for a system, which allows an attacker on the trusted network to cause a denial of service (resource exhaustion) via a port scan to an external network, which consumes all available connections. NetScreen is a line of Internet security appliances integrating firewall, VPN and traffic management features. ScreenOS is the software used to manage and configure the firewall. NetScreen supports Microsoft Windows 95, 98, ME, NT and 2000 clients.
An issue has been reported in NetScreen ScreenOS which could cause the system to stop responding. This is due to the absence of a limit on the number of concurrent sessions.
Exploitation of this issue is possible using a port scanner that does not properly release sessions, which consumes all available connections
| VAR-200205-0127 | CVE-2002-0225 | Cisco tac_plus insecure accounting file permissions vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
tac_plus Tacacs+ daemon F4.0.4.alpha, originally maintained by Cisco, creates files from the accounting directive with world-readable and writable permissions, which allows local users to access and modify sensitive files. tac_plus is an open source, freely available implementation of a TACACS+ server. It was originally written by Cisco.
tac_plus creates accounting files insecurely. When tac_plus is started, it creates the file specified in the "account file =" configuration parameter with world-writable permissions. This could allow a local user to alter the contents of, or entirely remove, the accounting file. Because tac_plus creates these files insecurely, local attackers can arbitrarily manipulate the files it creates
| VAR-200205-0126 | CVE-2002-0224 | Microsoft MSDTC Service Denial of Service Attack Vulnerability (MS02-018) |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The MSDTC (Microsoft Distributed Transaction Service Coordinator) for Microsoft Windows 2000, Microsoft IIS 5.0 and SQL Server 6.5 through SQL 2000 0.0 allows remote attackers to cause a denial of service (crash or hang) via malformed (random) input. It is installed by default on Windows 2000, as well as with Microsoft SQL Server 6.5 and higher.
It has been reported that it is possible to cause this service to crash by sending 1024 bytes of random data to its listening port, by default port 3372.
Restarting the service will reportedly allow it to resume normal operation.
The existence of this vulnerability has not been confirmed by Microsoft.
* Further reports indicate that sending approximately 20200 null bytes to the service will cause the entire system to become unresponsive
| VAR-200205-0116 | CVE-2002-0214 | Compaq Intel PRO/Wireless 2011B local area network USB Device Driver Information Disclosure Vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Compaq Intel PRO/Wireless 2011B LAN USB Device Driver 1.5.16.0 through 1.5.18.0 stores the 128-bit WEP (Wired Equivalent Privacy) key in plaintext in a registry key with weak permissions, which allows local users to decrypt network traffic by reading the WEP key from the registry key. Compaq's Intel PRO/Wireless 2011B LAN USB Device driver allows a user to connect a number of supported WLAN Ethernet devices via a USB port. It runs on Microsoft Windows platforms that support USB, such as Windows 98/ME/2000.
The Compaq Intel PRO/Wireless 2011B LAN USB Device driver may disclose sensitive information to local attackers.
The WEP Key may be used by the local attacker to decrypt all network traffic encapsulated in WEP
| VAR-200212-0099 | CVE-2002-2032 | PHP-Nuke SQL_Debug Debugging Information Disclosure Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
sql_layer.php in PHP-Nuke 5.4 and earlier does not restrict access to debugging features, which allows remote attackers to gain SQL query information by setting the sql_debug parameter to (1) index.php and (2) modules.php. PHPNuke is a website creation/maintenance tool. It can be backed by a number of database products such as MySQL, PostgreSQL, mSQL, Interbase, Sybase, etc. Access to the debugging feature is not restricted to administrators.
This may be used by a remote attacker to disclose sensitive information about the database which may contribute to further attacks against the website running PHPNuke and the database.
It is not known whether PostNuke is also affected by this issue
| VAR-200203-0081 | CVE-2002-0133 | Avirt Gateway Suite HTTP Proxy Remote Buffer Overflow Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflows in Avirt Gateway Suite 4.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) long header fields to the HTTP proxy, or (2) a long string to the telnet proxy. Avirt Gateway Suite is a product combining the functionality of Avirt Gateway and Avirt Mail. It is designed as a single solution for a collection of client machines sharing a single internet connection. It is available for the Microsoft Windows operating system.
The Gateway Suite includes an HTTP proxy which resides on port 8080 by default. There is also a possibility that this buffer overflow could be used to execute arbitrary code with SYSTEM level privileges
| VAR-200203-0082 | CVE-2002-0134 | Avirt Gateway Suite telnet proxy remote arbitrary command execution vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Telnet proxy in Avirt Gateway Suite 4.2 does not require authentication for connecting to the proxy system itself, which allows remote attackers to list file contents of the proxy and execute arbitrary commands via a "dos" command. Avirt Gateway Suite is a product combining the functionality of Avirt Gateway and Avirt Mail. It is designed as a single solution for collection of client machines sharing a single internet connection. It is available for the Microsoft Windows operating system.
By default, the telnet proxy server accepts connections from a configured, accepted IP address range. Any user may connect and browse the server file system or gain access to a command prompt. By default, the server runs with SYSTEM privileges. The software package contains a telnet proxy program, which listens on port 23 by default
| VAR-200202-0006 | CVE-2002-0012 |
Multiple vulnerabilities in SNMPv1 trap handling
Related entries in the VARIoT exploits database: VAR-E-200202-0006 |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available. Multiple vendor SNMPv1 Trap handling implementations contain vulnerabilities that may allow unauthorized privileged access, denial-of-service conditions, or unstable behavior. If your site uses SNMP in any capacity, the CERT/CC encourages you to read the information provided below. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------ SNMP is a protocol used to exchange status and performance information, held in a MIB (Management Information Base), between the management side (SNMP managers) and managed network devices called SNMP agents, such as routers, switches and printers. Because of its wide acceptance in the market, SNMP has become a de facto standard, and SNMP protocol version 1 (SNMPv1) is the most widely implemented. SNMPv1 implementations have problems in decoding and interpreting the SNMP trap messages sent from an agent to a manager and the SNMP request messages sent from a manager to an agent. An attacker who exploits these problems may be able to carry out the following actions. Because the problem lies in the protocol handling, many other programs that implement it may also be affected.
・ If the SNMP service is running on the target host and a buffer overflow attack is feasible, an attacker could execute arbitrary code.
・ If a host running the SNMP service receives a very long trap message, the application may enter a denial-of-service state. The effects described above vary from application to application; for details, refer to each product. Please refer to the "Overview" for the impact of this vulnerability. Windows 95 is prone to a denial-of-service vulnerability. MPE/iX is an Internet-ready operating system for the HP e3000 class servers. It is possible to crash the service by transmitting to it a maliciously constructed SNMPv1 request PDU. It was previously known as UCD-SNMP. SNMP traps typically notify the manager that some event has occurred or otherwise provide information about the status of the agent.
Multiple vulnerabilities have been discovered in a number of SNMP implementations. The vulnerabilities are known to exist in the process of decoding and interpreting SNMP trap messages.
Among the possible consequences are denial of service and allowing attackers to compromise target systems. These depend on the individual vulnerabilities in each affected product.
HP has confirmed that large traps will cause OpenView Network Node Manager to crash. This may be due to an exploitable buffer overflow condition
| VAR-200212-0104 | CVE-2002-2037 | Cisco Media Gateway Controller exposed to Solaris vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Cisco Media Gateway Controller (MGC) in (1) SC2200 7.4 and earlier, (2) VSC3000 9.1 and earlier, (3) PGW 2200 9.1 and earlier, (4) Billing and Management Server (BAMS) and (5) Voice Services Provisioning Tool (VSPT) runs on default installations of Solaris 2.6 with unnecessary services and without the latest security patches, which allows attackers to exploit known vulnerabilities. The Cisco Media Gateway Controller (MGC) product is based on Sun's Solaris operating system version 2.6.
A number of unpatched Solaris vulnerabilities are present in the default Solaris installation and may be exploited to compromise the device.
Cisco has made patches available for MGC systems that correct the Solaris vulnerabilities
| VAR-200205-0021 | CVE-2002-0206 | Input-validation vulnerability in PHP-Nuke allows arbitrary command execution via request for remote web site |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
index.php in Francisco Burzi PHP-Nuke 5.3.1 and earlier, and possibly other versions before 5.5, allows remote attackers to execute arbitrary PHP code by specifying a URL to the malicious code in the file parameter. PHP-Nuke has an input-validation vulnerability that can lead to execution of arbitrary PHP code hosted on another web server. PHPNuke is a website creation/maintenance tool.
The 'index.php' script has a feature which allows users to include files. Due to insufficient input validation, it is possible to include files located on a remote server. Arbitrary code in the attacker's included file may be executed.
As one consequence of this issue, a remote attacker can cause commands to be executed on the shell of the host running vulnerable versions of PHPNuke. Commands will be executed with the privileges of the webserver process and may result in the attacker gaining local access.
It is not known whether this vulnerability affects PostNuke, though the possibility exists. The resulting unauthorized local shell has the privileges of the web server process