VARIoT IoT vulnerabilities database
| VAR-200212-0445 | CVE-2002-1774 | Symantec Norton AntiVirus NULL character handling e-mail protection bypass vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
NOTE: this issue has been disputed by the vendor. Symantec Norton AntiVirus 2002 allows remote attackers to send viruses that bypass the e-mail scanning via a NULL character in the MIME header before the virus. NOTE: the vendor has disputed this issue, acknowledging that the initial scan is bypassed, but the AutoProtect feature would detect the virus before it is executed. Upon receiving an e-mail message crafted in this way, the Norton AntiVirus 2002 e-mail scanner fails to detect the virus.
As a result, e-mail messages with malicious content (i.e. viruses, trojans, etc.) pass the e-mail scan undetected and could run on the recipient's system if no other protection layer, such as AutoProtect, catches them first
| VAR-200212-0446 | CVE-2002-1775 | Symantec Norton AntiVirus non-RFC-compliant MIME header e-mail protection bypass vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
NOTE: this issue has been disputed by the vendor. Symantec Norton AntiVirus (NAV) 2002 allows remote attackers to bypass the initial virus scan and cause NAV to prematurely stop scanning by using a non-RFC compliant MIME header. NOTE: the vendor has disputed this issue, acknowledging that the initial scan is bypassed, but the AutoProtect feature would detect the virus before it is executed. An issue has been discovered in the incoming e-mail scanning protection feature of Symantec Norton AntiVirus 2002: a MIME header that does not conform to the RFCs makes the scanner stop scanning the message early. As a result, infected e-mails can pass the e-mail scan undetected
| VAR-200212-0447 | CVE-2002-1776 | Symantec Norton AntiVirus excluded file type e-mail protection bypass vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
NOTE: this issue has been disputed by the vendor. Symantec Norton AntiVirus 2002 allows remote attackers to bypass virus protection via a Word Macro virus with a .nch or .dbx extension, which is automatically recognized and executed as a Microsoft Office document. NOTE: the vendor has disputed this issue, acknowledging that the initial scan is bypassed, but the Office plug-in would detect the virus before it is executed. An issue has been discovered in the incoming e-mail scanning protection feature of Symantec Norton AntiVirus 2002.
Files renamed with either a .dbx or .nch file extension are excluded from the e-mail protection feature of Norton AntiVirus and so pass the e-mail scan unexamined. Because the receiving application identifies the file by its content rather than by its extension, this may allow the file to be opened and executed, depending on its original file format
| VAR-200212-0448 | CVE-2002-1777 | Symantec Norton AntiVirus inconsistent MIME header handling e-mail protection bypass vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
NOTE: this issue has been disputed by the vendor. Symantec Norton AntiVirus (NAV) 2002 allows remote attackers to bypass e-mail scanning via a filename in the Content-Type field with an excluded extension such as .nch or .dbx, but a malicious extension in the Content-Disposition field, which is used by Outlook to obtain the file name. NOTE: the vendor has disputed this issue, acknowledging that the initial scan is bypassed, but Norton AntiVirus or the Office plug-in would detect the virus before it is executed. An issue has been discovered in the incoming e-mail scanning protection feature of Symantec Norton AntiVirus 2002.
Using conflicting MIME headers, it is possible to give the attachment an excluded file type in the name parameter of the Content-Type field while keeping the original file name in the filename parameter of the Content-Disposition field. The scanner and the mail client read different parameters, so the file is skipped by the scanner but still opened by the appropriate application.
For example:
Content-Type: application/msword; name="filename.nch"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="filename.doc"
Norton AntiVirus classifies the attachment as a .nch file from the Content-Type name and skips it, whereas Microsoft Outlook takes the .doc name from Content-Disposition and hands the file to Microsoft Office. If the .doc attachment is a Word macro virus, it executes on the user's system
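The header conflict above, and the NULL-byte trick of CVE-2002-1774, can both be caught by classifying the attachment the way the mail client will rather than the way a lenient scanner does. The block below is an added example, not part of the VARIoT record and not Symantec's code: it parses constructed sample messages with Python's standard email library and reports a NUL byte anywhere in the message, an extension disagreement between the Content-Type name and the Content-Disposition filename, and any name whose extension is on an assumed exclusion list of .nch and .dbx (the product's real list is not on this page).

```python
import email
import os
from email.utils import collapse_rfc2231_value

# Assumption: the scanner skips attachments with these extensions (the advisory names
# .nch and .dbx; the product's full exclusion list is not on this page).
EXCLUDED_EXTENSIONS = {".nch", ".dbx"}


def _param(part, name, header):
    """Read one MIME parameter, flattening an RFC 2231 (charset, lang, value) tuple."""
    value = part.get_param(name, header=header)
    return None if value is None else collapse_rfc2231_value(value)


def _ext(name):
    return os.path.splitext(name)[1].lower() if name else ""


def effective_filename(part):
    """The name a mail client such as Outlook acts on: Content-Disposition's filename=
    takes precedence, Content-Type's name= is only a fallback."""
    return _param(part, "filename", "content-disposition") or _param(part, "name", "content-type")


def attachment_names(raw):
    """Effective file names of all non-multipart parts that carry a name."""
    msg = email.message_from_bytes(raw)
    return [effective_filename(p) for p in msg.walk()
            if p.get_content_maintype() != "multipart" and effective_filename(p)]


def audit_message(raw):
    """Findings as (code, detail) pairs for one raw message.
    nul-in-message      a NUL byte, which no 7-bit MIME message should carry
    name-mismatch       Content-Type name= and Content-Disposition filename= disagree on the
                        extension, so scanner and client may classify the part differently
    excluded-extension  a name the scanner would skip; scan it by content instead"""
    findings = []
    if b"\x00" in raw:
        findings.append(("nul-in-message", "NUL byte present; a scanner that stops at NUL misses what follows"))
    msg = email.message_from_bytes(raw)   # default compat32 policy: lenient, like a 2002-era parser
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        ct_name = _param(part, "name", "content-type")
        cd_name = _param(part, "filename", "content-disposition")
        if ct_name and cd_name and _ext(ct_name) != _ext(cd_name):
            findings.append(("name-mismatch",
                             "Content-Type name=%r vs Content-Disposition filename=%r" % (ct_name, cd_name)))
        for candidate in dict.fromkeys(n for n in (ct_name, cd_name) if n):
            if _ext(candidate) in EXCLUDED_EXTENSIONS:
                findings.append(("excluded-extension", candidate))
    return findings


# Constructed sample messages. The attachment body is base64 of a placeholder string, not malware.
_PREAMBLE = (
    b"From: sender@example.test\r\n"
    b"To: recipient@example.test\r\n"
    b"Subject: report\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=\"sep\"\r\n"
    b"\r\n"
    b"--sep\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"See attached.\r\n"
    b"--sep\r\n"
)
CONFLICTING = _PREAMBLE + (
    b"Content-Type: application/msword; name=\"filename.nch\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-Disposition: attachment; filename=\"filename.doc\"\r\n"
    b"\r\n"
    b"Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=\r\n"
    b"--sep--\r\n"
)
CLEAN = _PREAMBLE + (
    b"Content-Type: text/plain; name=\"report.txt\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-Disposition: attachment; filename=\"report.txt\"\r\n"
    b"\r\n"
    b"Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=\r\n"
    b"--sep--\r\n"
)
# Same clean message with a NUL byte inside a part header, before the attachment body.
WITH_NUL = CLEAN.replace(b"Content-Disposition: attachment;", b"Content-Disposition:\x00 attachment;")
```

Running audit_message(CONFLICTING) yields both a name-mismatch and an excluded-extension finding, while attachment_names(CONFLICTING) returns ['filename.doc'], the name the client acts on; the scanner's decision should be made on that name and on the part's content, never on the parameter the client ignores.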
| VAR-200203-0011 | CVE-2002-0083 | OpenSSH contains an off-by-one overflow of an array in the channel handling code |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Off-by-one error in the channel code of OpenSSH 2.0 through 3.0.2 allows local users or remote malicious servers to gain privileges. OpenSSH is a suite implementing the SSH protocol; it includes client and server software and supports ssh and sftp. It was initially developed for BSD but is also widely used on Linux, Solaris and other UNIX-like operating systems. SSH encrypts all network communication between client and server and so defends against attacks at many network layers. To implement X11, TCP port and agent forwarding, OpenSSH multiplexes multiple "channels" over a single TCP connection; channels segregate the different kinds of traffic between client and server.
A vulnerability has been announced in some versions of OpenSSH. A malicious client may exploit this vulnerability by connecting to a vulnerable server, and a malicious server may exploit it against a vulnerable client that connects to it. On the server side, valid credentials are believed to be required, since the exploitable condition reportedly occurs after successful authentication. An examination of the code suggests this, but it has not been confirmed by the maintainer.
Until that is confirmed, administrators should assume that this can be exploited without authentication and should patch vulnerable versions immediately. The off-by-one error lets the channel code address one entry past the end of its channel table, so the program may use memory outside the intended range. A user with a legitimate login account can exploit this after logging in to make sshd execute arbitrary commands with root privileges, and thereby obtain root on the host
| VAR-200208-0012 | CVE-2002-0419 | Microsoft Internet Information Services Information disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Information leaks in IIS 4 through 5.1 allow remote attackers to obtain potentially sensitive information or more easily conduct brute force attacks via responses from the server in which (2) in certain configurations, the server IP address is provided as the realm for Basic authentication, which could reveal real IP addresses that were obscured by NAT, or (3) when NTLM authentication is used, the NetBIOS name of the server and its Windows NT domain are revealed in response to an Authorization request. NOTE: this entry originally contained a vector (1) in which the server reveals whether it supports Basic or NTLM authentication through 401 Access Denied error messages. CVE has REJECTED this vector; it is not a vulnerability because the information is already available through legitimate use, since authentication cannot proceed without specifying a scheme that is supported by both the client and the server. Microsoft IIS supports Basic and NTLM authentication.
When an authentication request for either scheme is submitted with an invalid username and password, an error response is returned that carries the information described above. This happens even if anonymous access to the requested resource is allowed. An attacker may use this information to launch further, better-targeted attacks against the server, or to launch a brute-force password attack against a known username and domain
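Both leaks in this entry can be checked from the 401 responses alone. The block below is an added example, not IIS code and not part of the VARIoT record: it flags a Basic realm that is an IP literal, and it decodes the NTLM Type 2 (CHALLENGE_MESSAGE) that the server returns once a client has sent a Type 1 token in its Authorization header, pulling out the target name and the AV_PAIR entries (NetBIOS computer and domain names, DNS names) that any client receives before authenticating. The sample responses, the server names and the Type 2 blob are all constructed here.

```python
import base64
import ipaddress
import re
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_TARGET_TYPE_DOMAIN = 0x00010000
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000
AV_NAMES = {1: "NetBIOS computer name", 2: "NetBIOS domain name",
            3: "DNS computer name", 4: "DNS domain name", 5: "DNS tree name"}


def _u16(s):
    return s.encode("utf-16-le")


def build_type2(target_name, av_pairs, challenge=bytes.fromhex("0123456789abcdef")):
    """Constructed NTLM CHALLENGE_MESSAGE (Type 2), the shape a server sends back in
    WWW-Authenticate after the client has offered a Type 1 in its Authorization header."""
    target = _u16(target_name)
    info = b"".join(struct.pack("<HH", av_id, len(_u16(v))) + _u16(v) for av_id, v in av_pairs)
    info += struct.pack("<HH", 0, 0)                      # MsvAvEOL terminator
    flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_TARGET_TYPE_DOMAIN | NTLMSSP_NEGOTIATE_TARGET_INFO
    target_off = 48                                       # fixed part without the optional Version field
    info_off = target_off + len(target)
    return (b"NTLMSSP\x00" + struct.pack("<I", 2)
            + struct.pack("<HHI", len(target), len(target), target_off)
            + struct.pack("<I", flags) + challenge + bytes(8)
            + struct.pack("<HHI", len(info), len(info), info_off)
            + target + info)


def parse_type2(blob):
    """Target name and AV_PAIR strings that a Type 2 message hands to an unauthenticated client."""
    if blob[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", blob, 8)[0] != 2:
        raise ValueError("not an NTLM Type 2 message")
    tn_len, _, tn_off = struct.unpack_from("<HHI", blob, 12)
    flags = struct.unpack_from("<I", blob, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", blob, 40)
    codec = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    info = {"target name": blob[tn_off:tn_off + tn_len].decode(codec)}
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:
            break
        value = blob[pos:pos + av_len]
        pos += av_len
        if av_id in AV_NAMES:
            info[AV_NAMES[av_id]] = value.decode("utf-16-le")   # AV_PAIR strings are always Unicode
    return info


def audit_401(headers):
    """headers: list of (name, value) pairs from a 401 response. Returns what the server gave away."""
    findings = []
    for name, value in headers:
        if name.lower() != "www-authenticate":
            continue
        scheme, _, rest = value.strip().partition(" ")
        if scheme.lower() == "basic":
            m = re.search(r'realm="([^"]*)"', rest)
            if m:
                try:
                    ipaddress.ip_address(m.group(1))
                    findings.append(("basic realm is an IP address", m.group(1)))
                except ValueError:
                    pass                                  # ordinary textual realm
        elif scheme.lower() == "ntlm" and rest:           # a bare "NTLM" carries no Type 2 yet
            for key, val in parse_type2(base64.b64decode(rest)).items():
                findings.append(("ntlm type 2 reveals " + key, val))
    return findings


# Constructed responses from a NAT'd IIS host. First 401: schemes offered, realm set to the
# server's own address. Second 401: the Type 2 challenge after the client sent a Type 1.
SAMPLE_TYPE2 = build_type2("CORP", [(1, "WEBSRV01"), (2, "CORP"),
                                    (3, "websrv01.corp.example"), (4, "corp.example")])
INITIAL_401 = [("Server", "Microsoft-IIS/5.0"),
               ("WWW-Authenticate", 'Basic realm="10.0.0.5"'),
               ("WWW-Authenticate", "NTLM")]
CHALLENGE_401 = [("Server", "Microsoft-IIS/5.0"),
                 ("WWW-Authenticate", "NTLM " + base64.b64encode(SAMPLE_TYPE2).decode("ascii"))]
```

audit_401(INITIAL_401) reports the private address used as the Basic realm; audit_401(CHALLENGE_401) lists the NetBIOS and DNS names carried in the challenge. A hardened deployment sets an explicit realm string and keeps NTLM off interfaces reachable from untrusted networks, since the Type 2 contents cannot be suppressed by configuration once the scheme is offered.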
| VAR-200206-0050 | CVE-2002-0350 | HP ProCurve Switch Denial of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
HP Procurve Switch 4000M running firmware C.08.22 and C.09.09 allows remote attackers to cause a denial of service via a port scan of the management IP address, which disables the telnet service. A problem in the switch's handling of port scans makes it possible to deny telnet service to legitimate users of the device.
When the switch is port-scanned by a tool such as nmap, which can generate a high number of TCP connect() requests in a short period of time, the switch stops accepting new telnet connections.
Reportedly, this issue does not affect ICMP or SNMP management of the device, and existing telnet sessions are not disconnected. Rebooting the switch may be required to regain normal functionality.
HP ProCurve 4000M switches with firmware version C.09.09 or C.08.22 are reported to be susceptible to this issue. HP ProCurve is a line of switch products produced by HP
| VAR-200206-0049 | CVE-2002-0349 | Tiny Personal Firewall locked workstation bypass vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Tiny Personal Firewall (TPF) 2.0.15, under certain configurations, will pop up an alert to the system even when the screen is locked, which could allow an attacker with physical access to the machine to hide activities or bypass access restrictions. Reportedly, this is possible even if the local system is locked.
Allegedly, a remote user scanning the network can cause an alert dialog to appear in the foreground of a locked workstation on which the firewall is installed. The dialog requires the user to either permit or deny the connection. If the workstation is unattended, a local attacker could select permit and enter information into the firewall program without the knowledge of the legitimate user.
Potentially, this issue could allow unauthorized users to modify the Tiny Personal Firewall settings. Suppose Windows 2000 is installed with Tiny Personal Firewall (2.0.15a) and then locked with Ctrl+Alt+Del. A network scan of this machine causes a dialog box to pop up on the main console, waiting for the user to select "Allow/Forbid". Even though the machine is locked, the dialog box still appears. Anyone with physical access to the machine can make a choice in this dialog, potentially modifying firewall rules
| VAR-200206-0039 | CVE-2002-0339 | Cisco IOS discloses fragments of previous packets when Express Forwarding is enabled |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco IOS 11.1CC through 12.2 with Cisco Express Forwarding (CEF) enabled includes portions of previous packets in the padding of a MAC level packet when the MAC packet's length is less than the IP level packet length. That is, when the IP packet is shorter than the minimum MAC-level frame, the frame has to be padded out, and the pad bytes are not cleared. A vulnerability exists in multiple versions of Cisco's Internetworking Operating System (IOS) software that allows an attacker to collect fragments of previously processed packets. IOS is the Internet Operating System used on Cisco routers; it is distributed and maintained by Cisco.
Under some circumstances, Cisco IOS may leak information from previously routed packets that are still in memory: the data used to pad a short frame is taken from other packets previously routed that are still in the router's memory. It should be noted that this problem occurs only when Cisco Express Forwarding is enabled. Attackers cannot choose which data is leaked, which reduces the chance of obtaining sensitive information, but anyone able to capture many padded frames from the router can collect fragments of other traffic
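The leak is visible to anyone on the segment who compares the IP Total Length with the frame length: whatever sits after the IP packet is padding, and padding that is not all zeros came from somewhere. The block below is an added example, not Cisco's code and not part of the VARIoT record; it parses Ethernet II/IPv4 frames, extracts the trailing pad bytes and collects non-zero padding across a capture. The frames it works on are constructed in the block (an 8-byte ICMP echo reply in a 28-byte IP packet, leaving 18 pad bytes); the leaked fragment in the sample is invented, and captures are assumed to exclude the 4-byte FCS.

```python
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
MIN_ETH_PAYLOAD = 46          # 64-byte minimum frame less 14-byte header and 4-byte FCS


def ipv4_total_length(frame):
    """Total Length of the IPv4 packet carried by an Ethernet II frame, or None if not IPv4."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4 or frame[ETH_HDR_LEN] >> 4 != 4:
        return None
    return struct.unpack_from("!H", frame, ETH_HDR_LEN + 2)[0]


def trailing_padding(frame):
    """Bytes after the end of the IP packet, i.e. the MAC-level padding a short packet needs.
    Assumes the capture does not include the FCS; strip 4 bytes first if yours does."""
    total_len = ipv4_total_length(frame)
    if total_len is None or total_len > len(frame) - ETH_HDR_LEN:
        return b""
    return frame[ETH_HDR_LEN + total_len:]


def padding_verdict(padding):
    if not padding:
        return "no padding"
    if not any(padding):
        return "zero padding (normal)"
    return "non-zero padding: stale memory, possible leak"


def printable(data):
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


def harvest(frames):
    """(index, padding) for every frame in a capture whose padding is not all zeros."""
    return [(i, trailing_padding(f)) for i, f in enumerate(frames) if any(trailing_padding(f))]


def build_frame(padding):
    """Constructed frame: an 8-byte ICMP echo reply inside a 28-byte IPv4 packet, followed by
    the given pad bytes. Checksums are left zero because nothing here validates them."""
    eth = bytes.fromhex("00a0c5000001") + bytes.fromhex("00a0c5000002") + struct.pack("!H", ETHERTYPE_IPV4)
    icmp = struct.pack("!BBHHH", 0, 0, 0, 1, 1)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip + icmp + padding


# Constructed samples: one frame padded with a fragment of an earlier packet, one padded properly.
LEAKY_FRAME = build_frame(b"GET /secret HTTP/1")
CLEAN_FRAME = build_frame(bytes(MIN_ETH_PAYLOAD - 28))
```

harvest([CLEAN_FRAME, LEAKY_FRAME]) returns only the second frame's padding, and printable() turns it into the readable fragment. Run the same two functions over frames read from a pcap to check whether a router on the segment is leaking; a fixed platform returns zero padding on every short packet.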
| VAR-200205-0068 | CVE-2002-0302 | Symantec Enterprise Firewall Notify Daemon SNMP Data Loss Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Notify daemon for Symantec Enterprise Firewall (SEF) 6.5.x drops large alerts when SNMP is used as the transport, which could prevent some alerts from being sent in the event of an attack. The Symantec Enterprise Firewall (SEF) is a high-performance firewall solution, available for both Windows and Solaris systems. SEF includes a notification mechanism for important log messages, implemented by the Notify Daemon, which can send notifications to a specified server as SNMP traps.
The SNMP reporting mechanism may, under some circumstances, fail to forward messages. This occurs when the message exceeds 1024 characters: although the error is logged locally, no notification is sent. Exploitation of this vulnerability may result in lost alerts, possibly allowing an attack against the firewall or internal systems to go undetected.
Other versions of Symantec Enterprise Firewall may share this vulnerability
| VAR-200205-0075 | CVE-2002-0309 | Symantec Enterprise Firewall SMTP Proxy Information disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
SMTP proxy in Symantec Enterprise Firewall (SEF) 6.5.x includes the firewall's physical interface name and address in an SMTP protocol exchange when NAT translation is made to an address other than the firewall, which could allow remote attackers to determine certain firewall configuration information. The Symantec Enterprise Firewall (SEF) is a high-performance firewall solution, available for both Windows and Solaris systems. Its SMTP proxy rewrites the SMTP headers of mail passing through the firewall, which is meant to conceal internal network infrastructure information from external recipients. When NAT translates the mail to an address other than the firewall's own, however, the name and address of the firewall's physical interface are still included in the rewritten SMTP header.
The information disclosed in the SMTP header may reveal details about the firewall's configuration.
This issue was tested on SEF 6.5.x. Other versions may be affected by this vulnerability
| VAR-200212-0204 | CVE-2002-2116 | Netgear SOHO Router UDP Port Scan Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Netgear RM-356 and RT-338 series SOHO routers allow remote attackers to cause a denial of service (crash) via a UDP port scan, as demonstrated using nmap. RM-356 is a hardware router developed by Netgear, suitable for home or small office networks.
UDP scanning will crash RM-356 and RT-338. A cold boot is required to return to normal.
# nmap -sU 210.9.238.103 -T5
The RM-356 then printed the following crash dump on its console:
Menu 24.2.1 - System Maintenance - Information
Name: *******_netgear
Routing: IP
RAS F/W Version: V2.21(I.03) | 3/30/2000
MODEM 1 F/W Version: V2.210-V90_2M_DLS
Country Code: 244
LAN
Ethernet Address: 00:a0:c5:e3:**:**
IP Address: 192.168.0.1
IP Mask: 255.255.255.0
DHCP: Server
CRASHDUMP ::
54f7a0: 00 54 f7 a8 00 21 e9 38 00 54 f8 10 00 21 e9 38  .T...!.8.T...!.8
54f7b0: 00 00 00 07 00 41 37 bc 00 2b 09 ca 00 00 00 00  .....A7..+......
54f7c0: 00 55 24 4c 00 2b 09 b2 00 00 00 00 00 55 24 4c  .U$L.+.......U$L
54f7d0: 00 00 00 05 00 00 00 00 00 21 16 24 00 57 26 04  .........!.$.W&.
54f7e0: 00 58 5e e8 00 21 16 24 00 00 26 04 00 21 16 24  .X^..!.$..&..!.$
54f7f0: 00 41 20 00 00 54 f8 10 00 21 ea 34 00 41 20 00  .A ..T...!.4.A .
54f800: 00 00 00 07 ff ff ff ff 00 54 f8 10 00 21 e6 6e  .........T...!.n
54f810: 00 54 f8 2c 00 21 e6 6e 00 41 37 bc ff ff ff ff  .T.,.!.n.A7.....
54f820: ff ff 20 04 00 5e 2e 60 00 40 f7 20 00 54 f8 68  .. ..^.`.@. .T.h
54f830: 00 21 b0 00 00 00 00 01 00 2b 09 ca ff ff ff ff  .!.......+......
54f840: 00 00 00 07 00 2b 09 b2 00 5e 2e 60 00 00 00 00  .....+...^.`....
54f850: ff ff ff ff 00 00 00 00 00 00 00 00 00 54 f9 9c  .............T..
54f860: 00 5e 2e 60 00 00 00 00 00 54 f8 a8 00 21 a8 1a  .^.`.....T...!..
54f870: 00 00 00 07 ff ff ff ff 00 5e 2e 60 00 00 00 00  .........^.`....
54f880: 00 00 00 08 00 00 00 00 00 00 00 21 00 00 00 24  ...........!...$
54f890: 00 00 00 00 00 54 f9 9c 00 5f ec d0 00 55 24 4c  .....T..._...U$L
54f8a0: 00 55 24 4c 00 5e 2e 60 00 54 f8 fc 00 23 b8 42  .U$L.^.`.T...#.B
Boot Module Version: 4.40. Built at Wed Feb 23 14:00:29 2000
TCP connect() scans, by contrast, complete normally.
It is worth noting that even if SNMP on 161/UDP is not open, the above scan still causes a crash, so the problem is probably in the filtering code. Most SOHO Netgear devices have a simple filtering mechanism. The RM-356 is maintained and distributed by Netgear.
Under some circumstances, a port scan of the router could cause a denial of service. It has been reported that UDP port-scanning an RM-356 causes the router to become unstable. This is usually accompanied by a crash, requiring a power cycle of the router to resume normal operation. It is also reported that this problem seems to affect port 161/UDP (SNMP) specifically. This problem has been reported to also affect the RT-338 models, and may affect others
| VAR-200202-0014 | CVE-2002-1603 | GoAhead Web Server discloses source code of ASP files via crafted URL |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
GoAhead Web Server 2.1.7 and earlier allows remote attackers to obtain the source code of ASP files via a URL terminated with a /, \, %2f (encoded /), %20 (encoded space), or %00 (encoded null) character, which returns the ASP source code unparsed. This issue is also referenced in VU#124059. GoAhead WebServer contains vulnerabilities that may allow an attacker to view source files containing sensitive information or bypass authentication. The information disclosure vulnerability was previously published as VU#975041. A vulnerability in GoAhead webserver may result in the disclosure of the source code of ASP script files. The vulnerability occurs because the application fails to sanitize HTTP requests.
An attacker can append certain characters to the end of an HTTP request for a specific ASP file. As a result, GoAhead WebServer discloses the contents of the requested ASP script file to the attacker. GoAhead WebServer is a small embedded web server from the American company Embedthis, designed to be embedded in a variety of devices and applications. Attackers can use the disclosed source to mount further attacks on the system
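The root cause of this class of bug is that the "is this an ASP file?" decision is made on the raw request string while the file is opened with a lenient, platform-normalised name, so "default.asp/" fails the extension test but still opens default.asp. The block below is an added example, not GoAhead's code and not part of the VARIoT record: it models that vulnerable dispatch against a constructed in-memory document root, puts a hardened dispatcher beside it that canonicalises first and decides on the name it actually matched, and probes both with the five terminators this entry lists. The ASP "source" is a placeholder string and the lenient open is an assumption about the platform behaviour, not a description of any specific filesystem.

```python
from urllib.parse import unquote

# Constructed document root; the ASP page's source is a stand-in string, not a real script.
ASP_SOURCE = '<% Response.Write("constructed sample page") %>'
FILES = {"default.asp": ASP_SOURCE, "readme.txt": "plain text file"}


def run_asp(source):
    """Stand-in for the ASP engine: the only thing a client should ever get for a .asp request."""
    return "rendered output of %d-byte script" % len(source)


def os_open_lenient(decoded_path):
    """Models the platform file open the server sat on (assumption): a C string ends at the
    first NUL, and trailing separators and spaces are tolerated, so 'default.asp/' still
    opens default.asp."""
    name = decoded_path.split("\x00", 1)[0].replace("\\", "/").strip("/ ")
    return FILES.get(name)


def serve_vulnerable(raw_path):
    """Decides 'ASP or static?' on the raw request path but opens the file leniently."""
    content = os_open_lenient(unquote(raw_path))
    if content is None:
        return 404, ""
    if raw_path.lower().endswith(".asp"):
        return 200, run_asp(content)
    return 200, content              # static handler sends the script source verbatim


def serve_hardened(raw_path):
    """Canonicalise first, reject what cannot be a file name, and dispatch on the name that
    was actually matched, so every spelling of default.asp reaches the same handler."""
    decoded = unquote(raw_path)
    if "\x00" in decoded:
        return 400, ""
    name = decoded.replace("\\", "/").lstrip("/")
    if name not in FILES:            # 'default.asp/' and 'default.asp ' are not files
        return 404, ""
    if name.lower().endswith(".asp"):
        return 200, run_asp(FILES[name])
    return 200, FILES[name]


# The five terminators from the advisory: /, \, %2f, %20 and %00 appended to the script name.
PROBES = ["/default.asp/", "/default.asp\\", "/default.asp%2f", "/default.asp%20", "/default.asp%00"]


def disclosed_by(server, probes=PROBES):
    """Probe spellings for which the server returns the raw script text instead of running it."""
    return [p for p in probes if server(p) == (200, ASP_SOURCE)]
```

disclosed_by(serve_vulnerable) returns all five probes and disclosed_by(serve_hardened) returns none, while both serve the plain "/default.asp" through the engine. The same probe list, sent with any HTTP client against a real host, is the quick check for whether a GoAhead build is affected: any 200 whose body contains "<%" is a disclosure.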
| VAR-200212-0418 | CVE-2002-1718 | Microsoft IIS FrontPage Server Extensions file source information disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Microsoft Internet Information Server (IIS) 5.1 may allow remote attackers to view the contents of a FrontPage Server Extensions (FPSE) file, as claimed using an HTTP request for colegal.htm that contains .. (dot dot) sequences.
Allegedly, submitting a request that uses '../' character sequences followed by the path to a known FPSE file will cause the host to reveal the source of the requested file.
Microsoft has not confirmed the existence of these vulnerabilities.
* Conflicting details exist. This issue may be the result of a configuration error, although this has not been confirmed
| VAR-200212-0417 | CVE-2002-1717 | Microsoft IIS System information disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Microsoft Internet Information Server (IIS) 5.1 allows remote attackers to view path information via a GET request to (1) /_vti_pvt/access.cnf, (2) /_vti_pvt/botinfs.cnf, (3) /_vti_pvt/bots.cnf, or (4) /_vti_pvt/linkinfo.cnf. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Note that the information below may also cover issues other than the one in the title. ------------ Microsoft IIS 5.1, which ships with Windows XP by default, exposes detailed system information. A default installation of IIS 5.1 creates the _vti_pvt folder, which is required when FrontPage Server Extensions are used; it holds various useful information, such as records of page updates. By sending GET requests for the .cnf files in the _vti_pvt folder, a remote attacker learns the structure and ownership of the web site, the absolute path to each file, and similar details, which is useful to an attacker conducting reconnaissance against the host. Files that disclose system information on a GET request: access.cnf, botinfs.cnf, bots.cnf, linkinfo.cnf. In addition, a GET request for /iishelp/common/colegal.htm of the form below could allow a remote attacker to access other files: GET /iishelp/common/colegal.htm:../../../../../_vti_bin/_vti_adm/admin.dll. According to a further report, this issue requires that the _vti_pvt folder is configured to allow read access.
Allegedly, submitting a request for one of the vulnerable files by way of '/_vti_pvt/' will cause the host to reveal system path information. The reported problematic files are 'access.cnf', 'botinfs.cnf', 'bots.cnf' and 'linkinfo.cnf'.
Microsoft has not confirmed the existence of these vulnerabilities.
* Conflicting details exist. This issue may be the result of a configuration error, although this has not been confirmed
| VAR-200205-0047 | CVE-2002-0250 | HP AdvanceStack hub web management authentication bypass vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Web configuration utility in HP AdvanceStack hubs J3200A through J3210A with firmware version A.03.07 and earlier, allows unauthorized users to bypass authentication via a direct HTTP request to the web_access.html file, which allows the user to change the switch's configuration and modify the administrator password. HP AdvanceStack 10Base-T Switching Hubs combine 10Base-T functionality with the performance of switching.
It has been reported that authentication for HP J3210A 10Base-T Switching Hubs may be bypassed by an unprivileged user who accesses one of the administrative web pages directly.
The attacker may allegedly change the superuser password of the device via this interface and gain access to the administrative facilities of the device. Additionally, authentication credentials are disclosed to the attacker.
*Reportedly, the password is stored in plain text and can be revealed by viewing the source of the web page
| VAR-200205-0049 | CVE-2002-0252 | Apple QuickTime Content-Type Remote Buffer Overflow Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in Apple QuickTime Player 5.01 and 5.02 allows remote web servers to execute arbitrary code via a response containing a long Content-Type MIME header. Apple QuickTime is a freely available media player that runs on a number of platforms, including Mac OS and Windows 9x/ME/NT/2000/XP.
Apple QuickTime for Windows does not perform sufficient bounds checking on the "Content-Type" header. The issue may be exploited if a server answers an HTTP request for a media file with a maliciously crafted "Content-Type" header: a header of 500 or more characters is sufficient to trigger the condition and overwrite stack variables.
This may allow a malicious server to execute arbitrary attacker-supplied code on the host of a client that requests a media file, resulting in a remote compromise, possibly with elevated privileges depending on the environment.
Exploitation requires that the user make a request to the malicious server; a hostile host that is serving streaming media content to the client is equally in a position to exploit it.
It should be noted that the QuickTime player sends information about its version and operating environment in the "User-Agent" header of the HTTP request, which may help a malicious server tailor its response and exploit this issue successfully.
This vulnerability was reported for Japanese versions of Apple QuickTime Player running on Japanese versions of Microsoft Windows. It is not known whether other versions and environments are affected
| VAR-200205-0038 | CVE-2002-0241 | Cisco Secure ACS NDS expired or disabled user authentication vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
NDSAuth.DLL in Cisco Secure Authentication Control Server (ACS) 3.0.1 does not check the Expired or Disabled state of users in the Novell Directory Services (NDS), which could allow those users to authenticate to the server. Cisco Secure ACS is a highly scalable, high-performance access control server that runs on Windows NT/2000 and Unix variants. It operates as a centralized RADIUS or TACACS+ server and controls the authentication of users accessing resources through the network. An expired or disabled NDS user who authenticates with the correct credentials is still granted access to the service, whereas the expected behaviour is that access is denied.
It should be noted that only Cisco Secure ACS 3.0.1 for Windows NT is prone to this issue. The vulnerability lies in the NDSAuth.DLL module, which implements ACS authentication against an external NDS server. Cisco advisory: http://www.cisco.com/warp/public/707/ciscosecure-acs-nds-authentication-vuln-pub.shtml
| VAR-200205-0034 | CVE-2002-0237 | ISS BlackICE and RealSecure Remote denial of service vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in ISS BlackICE Defender 2.9 and earlier, BlackICE Agent 3.0 and 3.1, and RealSecure Server Sensor 6.0.1 and 6.5 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a flood of large ICMP ping packets. Internet Security Systems' BlackICE Defender, BlackICE Agent and RealSecure Server Sensor are network intrusion detection products that run in Microsoft Windows environments.
A buffer overflow condition has been reported in these products which can be triggered by a remote user. Exploitation is achievable via a ping flood attack.
Sending a series of large ICMP Echo Request (ping) packets to a target host triggers the overflow.
It may be possible to execute arbitrary code with kernel-level privileges. Only Windows 2000 and XP hosts are affected by this vulnerability
| VAR-200205-0035 | CVE-2002-0238 | Netgear RT314/RT311 Gateway Router cross-site scripting vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cross-site scripting vulnerability in web administration interface for NetGear RT314 and RT311 Gateway Routers allows remote attackers to execute arbitrary script on another client via a URL that contains the script. The Netgear RT314/RT311 Gateway Router models allow Cable/DSL users to share a connection. These products provide a web-based administrative interface.
The affected products run a ZyXel-RomPager web server to provide easy web-based configuration.
The web interface of the router is prone to cross-site scripting attacks. This may be exploited by an attacker who knows the internal IP address of the router: arbitrary script code included in a malicious link is executed in the browser of the victim who follows it, in the context of the router's web interface.
It is possible that an attacker may use this to gain unauthorized administrative access to the router, if the attacker can steal cookie-based authentication credentials from a user who has access to the administrative interface.
It should be noted that there is a distinct possibility that any other router products running the ZyXel-RomPager web server (versions 3.02 or earlier) may also be prone to this issue.
This issue reportedly does not affect the Netgear RP114 Cable/DSL Web Safe Router. Netgear's RT314 is a four-port router suitable for home or small office networks. Its embedded web server has a cross-site scripting vulnerability of the kind described in CERT advisory CA-2000-02 two years earlier