VARIoT IoT vulnerabilities database
| VAR-200210-0192 | CVE-2002-0891 | NetScreen ScreenOS Remote restart vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The web interface (WebUI) of NetScreen ScreenOS before 2.6.1r8, and certain 2.8.x and 3.0.x versions before 3.0.3r1, allows remote attackers to cause a denial of service (crash) via a long user name.
This condition may be the result of an unchecked buffer, which may potentially allow the attacker to execute arbitrary code. This possibility has not been confirmed. NetScreen is a firewall security solution that enables wire-speed packet processing.
| VAR-200211-0046 | CVE-2002-1180 | Microsoft IIS improper script source access permissions allow illegal .COM file upload vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
A typographical error in the script source access permissions for Internet Information Server (IIS) 5.0 does not properly exclude .COM files, which allows attackers with only write permissions to upload malicious .COM files, aka "Script Source Access Vulnerability". ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the content of this vulnerability information includes items other than the one in the title. An attack exploiting this problem can only be carried out when the system administrator has granted all users write and execute permission on one or more virtual directories; an IIS 5.0 server without such permissions is not affected. Please refer to the "Overview" for the impact of this vulnerability. A vulnerability has been reported for Microsoft IIS that may allow a remote attacker to upload a file onto the vulnerable server and possibly execute it. As a result, an attacker may be able to upload malicious files to a vulnerable server and possibly execute them. This vulnerability only affects IIS 5.0.
This vulnerability was originally described in BugTraq ID 6068. It is now being assigned its own BugTraq ID.
| VAR-200211-0048 | CVE-2002-1182 | Microsoft IIS WebDAV request processing denial of service (DoS) vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
IIS 5.0 and 5.1 allow remote attackers to cause a denial of service (crash) via malformed WebDAV requests that cause a large amount of memory to be allocated. When Microsoft IIS receives a malicious WebDAV request, a vulnerability exists in which WebDAV allocates far more memory than is normally needed to process a request. The request cannot be processed and IIS crashes, which may result in a denial of service (DoS).
The denial of service is caused by resource exhaustion. A denial of service vulnerability has been reported for Microsoft IIS 5 and 5.1. Several malformed requests sent to the server will result in the vulnerable system failing to respond to further legitimate requests for service. This vulnerability affects IIS 5.0 and 5.1 only.
This vulnerability was originally described in BugTraq ID 6068. It is now being assigned its own BugTraq ID.
Reports suggest that numerous hosts have been scanned in an attempt to exploit this vulnerability. Although unconfirmed, this may be the result of automated attacks.
| VAR-200211-0047 | CVE-2002-1181 | Microsoft IIS administrative web site cross-site scripting vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in the administrative web pages for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allow remote attackers to execute HTML script as other users through (1) a certain ASP file in the IISHELP virtual directory, or (2) possibly other unknown attack vectors.
This vulnerability was originally described in BugTraq ID 6068. It is now being assigned its own BugTraq ID. Microsoft Internet Information Services (IIS) is prone to multiple vulnerabilities.
The first vulnerability may allow an attacker to obtain elevated privileges. This vulnerability can be exploited by an attacker to load and execute applications on the vulnerable server with SYSTEM level privileges. This vulnerability can be exploited when IIS is configured to run applications out of process.
The second vulnerability may allow a remote attacker to cause a denial of service condition. This vulnerability is related to how IIS allocates memory for WebDAV requests. Any specially crafted WebDAV requests may result in IIS allocating an extremely large amount of memory on the server. Several malformed requests sent to the server will result in the vulnerable system failing to respond to further legitimate requests for service. This vulnerability affects IIS 5.0 and 5.1 only.
The third vulnerability may allow a remote attacker to upload a file onto the vulnerable server and possibly execute it. The vulnerability is a result of an inappropriate listing of the file types that are subject to the script source access permission in IIS 5.0. As a result, an attacker may be able to upload malicious files to a vulnerable server and possibly execute them. This vulnerability only affects IIS 5.0.
The final vulnerability is a cross-site scripting vulnerability. The vulnerability is a result of improper sanitization of user-supplied input by IIS. Several web pages provided by IIS for administrative purposes do not adequately sanitize user-supplied input. Any malicious HTML code that may be included in the URI will be executed.
| VAR-200207-0023 | CVE-2002-0364 | Microsoft Internet Information Server (IIS) contains remote buffer overflow in chunked encoding data transfer mechanism for HTR |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in the chunked encoding transfer mechanism in IIS 4.0 and 5.0 allows attackers to execute arbitrary code via the processing of HTR request sessions, aka "Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise.".
This condition affects IIS 4.0 and IIS 5.0. Exploitation of this vulnerability may result in a denial of service or allow a remote attacker to execute arbitrary instructions on the victim host.
| VAR-200210-0188 | CVE-2002-0886 | Cisco CBOS oversized DHCP packet denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco DSL CPE devices running CBOS 2.4.4 and earlier allow remote attackers to cause a denial of service (hang or memory consumption) via (1) a large packet to the DHCP port, (2) a large packet to the Telnet port, or (3) a flood of large packets to the CPE, which causes the TCP/IP stack to consume large amounts of memory.
When the CBOS TCP/IP stack is forced to process a high number of unusually large packets, it will consume all memory. This will cause the router to freeze and stop forwarding packets. CBOS (Cisco Broadband Operating System) is the operating system for Cisco 600 series routers.
It is possible for a remote user to cause a denial of service of a CPE running CBOS software 2.4.4 and prior.
Sending an unusually large packet to the telnet port will exploit this issue.
The following devices in the Cisco 600 series of routers are affected by this issue:
605, 626, 627, 633, 673, 675, 675e, 676, 677, 677i and 678.
This vulnerability has been assigned Cisco Bug ID CSCdv50135. CBOS does not correctly process the information packets submitted to the DHCP server, which can lead to denial of service attacks by remote attackers. The vulnerability number is CSCdw90020.
| VAR-200210-0183 | CVE-2002-0881 | Cisco VoIP Phone default administrator password vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Cisco IP Phone (VoIP) models 7910, 7940, and 7960 use a default administrative password, which allows attackers with physical access to the phone to modify the configuration settings. The 7900 series VoIP Phones are a Voice-over-IP solution distributed by Cisco Systems. Anyone with physical access to a Cisco 7900 series VoIP phone can use this default key combination to change the configuration, such as the TFTP server address and other operating parameters.
| VAR-200210-0184 | CVE-2002-0882 | Cisco VoIP Phone streaming statistics request denial of service vulnerability |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
The web server for Cisco IP Phone (VoIP) models 7910, 7940, and 7960 allows remote attackers to cause a denial of service (reset) and possibly read sensitive memory via a large integer value in (1) the stream ID of the StreamingStatistics script, or (2) the port ID of the PortInformation script. The 7900 series VoIP Phones are a Voice-over-IP solution distributed by Cisco Systems.
It is possible to deny service to users of this line of phones. By placing a request to the /StreamingStatistics script with a stream ID of arbitrarily high value (i.e. http://www.example.com/StreamingStatistics?<stream> where <stream> is an integer value), the phone will reset itself, making it impossible to place or receive calls for a period of up to thirty seconds. This has reportedly been reproduced by passing stream ID values greater than 32768, and consistently reproduced with a value of 120000. The web interface of the VoIP Phone 7900 series has a flaw in processing abnormal requests, which allows remote attackers to conduct denial of service attacks. The VoIP Phone 7900 series has a built-in web service listening on port 80. This service provides a script page for displaying streaming statistics, which users can access in the form http://www.example.com/StreamingStatistics?<stream>. Because these pages can be accessed without authentication, any attacker can submit a relatively high <stream> value to the service program, which will cause the phone to reset. According to testing, a <stream> value higher than 32768 can trigger the reset, and a <stream> value of 120000 reproduces the vulnerability reliably.
| VAR-200212-0791 | CVE-2002-2316 | Cisco Catalyst Unicast Traffic Broadcast Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco Catalyst 4000 series switches running CatOS 5.5.5, 6.3.5, and 7.1.2 do not always learn MAC addresses from a single initial packet, which causes unicast traffic to be broadcast across the switch and allows remote attackers to obtain sensitive network information by sniffing. Catalyst is a commercial-grade switch distributed by Cisco.
Under normal circumstances, a switch will learn the MAC address of a system connected to a port after one packet. It has been reported that the switch may not learn the MAC address of a connected system until several more packets have been sent to the unknown host. As a result, unicast traffic between two systems across the switch may be broadcast to all systems connected to the switch. Remote attackers can obtain sensitive network information through sniffing.
| VAR-200210-0185 | CVE-2002-0883 | Compaq ProLiant BL e-Class Enclosure Local Unauthorized Administrator Access Vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Vulnerability in Compaq ProLiant BL e-Class Integrated Administrator 1.0 and 1.10, allows authenticated users with Telnet, SSH, or console access to conduct unauthorized activities. The Compaq ProLiant BL e-Class enclosure utilizes the Integrated Administrator to provide system management.
No further technical details are currently available.
| VAR-200212-0790 | CVE-2002-2315 | Cisco IOS ICMP redirect denial of service vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco IOS 11.2.x and 12.0.x do not limit the size of the redirect table, which allows remote attackers to cause a denial of service (memory consumption) via spoofed ICMP redirect packets to the router. IOS is the Internet Operating System, used on Cisco routers. It is distributed and maintained by Cisco.
This vulnerability has been assigned Cisco bug ID CSCdx32056.
The following products are known to be affected:
Cisco 1005 running IOS 11.0(18)
Cisco 1603 running IOS 11.3(11b)
Cisco 1603 running IOS 12.0(3)
Cisco 2503 running IOS 11.0(22a)
Cisco 2503 running IOS 11.1(24a).
Cisco IOS 11.2.x and 12.0.x do not limit the size of the redirection table.
| VAR-200208-0143 | CVE-2002-0777 | Ipswitch IMail Server LDAP remote buffer overflow vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Buffer overflow in the LDAP component of Ipswitch IMail 7.1 and earlier allows remote attackers to execute arbitrary code via a long "bind DN" parameter. Ipswitch IMail is an e-mail server that serves clients their mail via a web interface. It runs on Microsoft Windows operating systems.
IMail normally runs in the SYSTEM context, meaning that successful exploitation will result in a full compromise of the underlying system.
It should be noted that this condition may also be exploited to trigger a denial of service. The Ipswitch IMail service includes multiple components, among them an LDAP service that allows remote clients to read the IMail directory; a flaw in its authentication process allows remote attackers to gain access to the server with the privileges of the SYSTEM account.
| VAR-200210-0132 | CVE-2002-0908 | Cisco IDS Device Manager Arbitrary File Read Access Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in the web server for Cisco IDS Device Manager before 3.1.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the HTTPS request. It is distributed and maintained by Cisco Systems.
The IDS Device Manager may allow a remote user to gain access to sensitive information on the system. Due to improper handling of user-supplied input, it is possible for a user to gain access to arbitrary files on the system using an elementary directory traversal attack. By placing a request to the process with an appended dot-dot-slash (../) sequence pointing to a file, a remote user may read the specified file on the affected system. Since there is no effective security check on the data entered by the user, an attacker can view the content of any file on the target system with the privileges of IDS Device Manager by submitting strings containing multiple "../" sequences for directory traversal. This results in leakage of sensitive system information.
| VAR-200212-0858 | CVE-2002-2341 | SonicWall SOHO3 Content Blocking Script Injection Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in content blocking in SonicWALL SOHO3 6.3.0.0 allows remote attackers to inject arbitrary web script or HTML via a blocked URL. The Sonicwall SOHO3 is an Internet security appliance that provides firewall security solutions.
Reportedly, a vulnerability exists in the product that allows a script injection attack to be launched by a malicious user within the internal LAN.
It is possible to configure SonicWALL to block domains from a list of user-entered domains. SonicWALL will deny local users access to the websites that have been blocked. Attempts to access blocked domains are entered into the SonicWALL log files. An administrator viewing the log files will automatically cause the malicious script code to execute.
If the attacker's script code is injected into the log file, the administrator will not be able to access the log normally. To regain access to the logs, the appliance will need to be rebooted. It should be noted that rebooting the appliance will clear the logs and will effectively eliminate any indication in the logs of which user initiated the attack.
It is possible for a malicious remote user to exploit this issue by crafting a URL of a known blocked domain that includes script code, and enticing a local user into following the link.
| VAR-200208-0065 | CVE-2002-0778 | Cisco Cache Engine default configuration allows any user to use proxy vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The default configuration of the proxy for Cisco Cache Engine and Content Engine allows remote attackers to use HTTPS to make TCP connections to allowed IP addresses while hiding the actual source IP. Cisco Cache Engines offer the ability to proxy HTTP, HTTPS and FTP transactions. Since these services may be placed on one of numerous ports, the default configuration allows a user behind the proxy to connect to another system on any port. Insufficient default access control is set on the device, allowing any user that can connect to the system to proxy a request through to another system. Cisco Cache Engine series products are network-integrated cache solutions developed and maintained by Cisco, which reduce WAN bandwidth usage, maximize network service quality, and improve the scalability of existing networks.
| VAR-200208-0079 | CVE-2002-0792 | Cisco Content Service Switch reboots when HTTPS POST request is sent to web management interface |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The web management interface for Cisco Content Service Switch (CSS) 11000 switches allows remote attackers to cause a denial of service (soft reset) via (1) an HTTPS POST request, or (2) malformed XML data. These switches run WebNS software. The attacker does not need to be authenticated to cause this condition to occur.
The CSS 11000 series switches are known to be affected by this vulnerability. Since this issue occurs before authentication, any remote attacker can perform a denial of service attack without authenticating.
| VAR-200208-0135 | CVE-2002-0769 | Cisco ATA-186 web management interface authentication bypass vulnerability |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
The web-based configuration interface for the Cisco ATA 186 Analog Telephone Adaptor allows remote attackers to bypass authentication via an HTTP POST request with a single byte, which allows the attackers to (1) obtain the password from the login screen, or (2) reconfigure the adaptor by modifying certain request parameters. The Cisco ATA-186 Analog Telephone Adapter is a hardware device designed to interface between analog telephones and Voice over IP (VoIP). It includes support for web based configuration.
Under some circumstances, it may be possible to bypass the authentication required for this web interface. This may be done with a specially formatted change password request. Exploitation allows a remote attacker to reconfigure the vulnerable device.
Reportedly, HTTP requests consisting of a single character will cause the device to disclose sensitive configuration information, including the password to the administrative web interface. By viewing the source of the configuration tool page, it can be seen that no hidden parameters are used to maintain state, so the device relies on the device usage type and the HTTP input alone to decide whether configuration is allowed. For example, if three "ChangeUIPasswd" parameters without any value are supplied, the ATA-186 displays the login screen; similarly, if all three "ChangeUIPasswd" values are supplied but one of them does not match the password stored in the device, the login screen appears again; if all parameters are supplied correctly, the device considers the user authenticated and provides the configuration information. Interestingly, if only two "ChangeUIPasswd" parameters are passed, the device also allows the user to configure it.
| VAR-200205-0137 | CVE-2002-0033 | Sun Solaris cachefsd vulnerable to heap overflow in cfsd_calloc() function via long string of characters |
Related entries in the VARIoT exploits database: VAR-E-200201-0108
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in the cfsd_calloc function of Solaris cachefsd allows remote attackers to execute arbitrary code via a request with a long directory and cache name. Sun's NFS/RPC cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). Cachefsd caches requests for operations on remote file systems mounted via the NFS protocol. The cfsd_calloc function of cachefsd, the NFS/RPC daemon included in Sun Solaris that is necessary to operate the cache file system, does not perform bounds checking properly, so a request containing abnormally long cache names and directory names overflows the buffer. A remotely exploitable buffer overflow condition has been reported in cachefsd. The overflow occurs in the heap and is reportedly exploitable as valid malloc() chunk structures are overwritten. Successful attacks may result in remote attackers gaining root access on the affected system.
| VAR-200206-0065 | CVE-2002-0602 | Snapgear Lite+ firewall excessive HTTP connections denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Snapgear Lite+ firewall 1.5.4 and 1.5.3 allow remote attackers to cause a denial of service (crash) via a large number of connections to (1) the HTTP web management port, or (2) the PPTP port. Snapgear Lite+ is a device with integrated firewall, routing, and VPN support. In firmware version 1.5.4, only the web management module crashes in the above situation, not the entire firewall.
| VAR-200206-0066 | CVE-2002-0603 | Snapgear Lite+ firewall IPSEC implementation denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Snapgear Lite+ firewall 1.5.3 allows remote attackers to cause a denial of service (IPSEC crash) via a zero-length packet to UDP port 500. Snapgear Lite+ is a device with integrated firewall, routing, and VPN support. This may result in a denial of VPN/tunnel service.