VARIoT IoT vulnerabilities database
| VAR-200007-0068 | CVE-2000-0630 | Microsoft Internet Information Server (IIS) discloses contents of files via crafted request containing "+.htr" |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
IIS 4.0 and 5.0 allows remote attackers to obtain fragments of source code by appending a +.htr to the URL, a variant of the "File Fragment Reading via .HTR" vulnerability. A vulnerability exists in Microsoft Internet Information Server (IIS) that could disclose sensitive information contained in CGI-type files. Typically a CGI/script file on a web server should only be executable and not readable to remote users. Sensitive information contained in CGI-type files might include user credentials for access to a back-end database. This is a variation of the vulnerability previously discussed in VU#35085 and Microsoft Security Bulletin MS00-031. Requesting a known filename with the extension replaced with .htr, preceded by approximately 230 "%20" (the escaped character that represents a space), from Microsoft IIS 4.0/5.0 will cause the server to retrieve the file and its contents. This is because the .htr file extension is mapped to the ISM.DLL ISAPI application, so .htr file requests are passed to ISM.DLL. ISM.DLL removes the extraneous "%20", replaces .htr with the proper filename extension and reveals the source of the file. This vulnerability is similar to a more recently discovered variant, BugTraq ID 1488.
This action can only be performed if a .htr request has not been previously made or if ISM.DLL is loaded into memory for the first time. If an .htr request has already been made, a restart of the web server is necessary in order to perform another. Microsoft IIS 4.0 and 5.0 can be made to disclose fragments of source code which should otherwise be inaccessible. This is done by appending "+.htr" to a request for a known .asp (or .asa, .ini, etc) file. Appending this string causes the request to be handled by ISM.DLL, which then strips the +.htr string and may disclose part or all of the source of the .asp file specified in the request. There has been a report that source will be displayed up to the first '<%' encountered - '<%' and '%>' are server-side script delimiters. Pages which use the <script runat=server></script> delimiters instead will display the entire source, or up to any '<%' in the page
| VAR-200005-0053 | CVE-2000-0408 | Microsoft IIS denial of service (DoS) vulnerability in handling of malformed file extensions |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
IIS 4.05 and 5.0 allow remote attackers to cause a denial of service via a long, complex URL that appears to contain a large number of file extensions, aka the "Malformed Extension Data in URL" vulnerability. Restarting the application or waiting until the URL is processed will be required in order to regain normal functionality
| VAR-200005-0109 | CVE-2000-0457 | Microsoft Internet Information Server (IIS) discloses contents of files via crafted request containing "+.htr" |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
ISM.DLL in IIS 4.0 and 5.0 allows remote attackers to read file contents by requesting the file and appending a large number of encoded spaces (%20) and terminated with a .htr extension, aka the ".HTR File Fragment Reading" or "File Fragment Reading via .HTR" vulnerability. A vulnerability exists in Microsoft Internet Information Server (IIS) that could disclose sensitive information contained in CGI-type files. Typically a CGI/script file on a web server should only be executable and not readable to remote users. Sensitive information contained in CGI-type files might include user credentials for access to a back-end database. This is a variation of the vulnerability previously discussed in VU#35085 and Microsoft Security Bulletin MS00-031. Microsoft IIS contains a flaw in which (1) a password change request that omits a required delimiter, or (2) a known file extension replaced with a specific character string, causes an endless search that significantly reduces processing capacity, and may leave the Microsoft IIS service in a denial-of-service (DoS) state. Requesting a known filename with the extension replaced with .htr, preceded by approximately 230 "%20" (the escaped character that represents a space), from Microsoft IIS 4.0/5.0 will cause the server to retrieve the file and its contents. This is because the .htr file extension is mapped to the ISM.DLL ISAPI application, so .htr file requests are passed to ISM.DLL. ISM.DLL removes the extraneous "%20", replaces .htr with the proper filename extension and reveals the source of the file. This vulnerability is similar to a more recently discovered variant, BugTraq ID 1488.
This action can only be performed if a .htr request has not been previously made or if ISM.DLL is loaded into memory for the first time. If an .htr request has already been made, a restart of the web server is necessary in order to perform another. Microsoft IIS 4.0 and 5.0 can be made to disclose fragments of source code which should otherwise be inaccessible. This is done by appending "+.htr" to a request for a known .asp (or .asa, .ini, etc) file. Appending this string causes the request to be handled by ISM.DLL, which then strips the +.htr string and may disclose part or all of the source of the .asp file specified in the request. There has been a report that source will be displayed up to the first '<%' encountered - '<%' and '%>' are server-side script delimiters. Pages which use the <script runat=server></script> delimiters instead will display the entire source, or up to any '<%' in the page
| VAR-200005-0005 | CVE-2000-0304 | Microsoft IIS 4.0/5.0 Malformed .HTR Request Denial of Service Vulnerability (MS00-031) |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Microsoft IIS 4.0 and 5.0 with the IISADMPWD virtual directory installed allows a remote attacker to cause a denial of service via a malformed request to the inetinfo.exe program, aka the "Undelimited .HTR Request" vulnerability. The virtual directory within IIS 4.0 and 5.0 contains .htr files which permits users to change passwords remotely. If a user initiates a password change request containing malformed data, the server CPU becomes fully utilized until the administrator performs a reboot to regain normal functionality.
The patch available for this issue creates a similar vulnerability which is exploited by appending %3F+.htr to a request
| VAR-200005-0012 | CVE-2000-0384 | NetStructure 7110 Undocumented password vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
NetStructure 7110 and 7180 have undocumented accounts (servnow, root, and wizard) whose passwords are easily guessable from the NetStructure's MAC address, which could allow remote attackers to gain root access. NetStructure (formerly known as Ipivot Commerce Accelerator) is a multi-site traffic director. This internet equipment is designed for businesses with multiple Web site locations, routing traffic to the best available site from a single URL. Certain revisions of this package have an undocumented supervisor password.
This password, which grants access to the 'wizard' mode of the device, is derived from the MAC address of the primary NIC. This MAC address is displayed in the login banner.
This password can be utilized from the admin console locally (via a serial interface) or remotely if the machine has been deployed with a modem for remote access. With this password an intruder gains shell access to the underlying UNIX system and may sniff traffic, among other things. These passwords are derived from the Ethernet address of the public interface, which under default installs is available via an SNMP daemon configured with a default password. It should be noted that configuration over telnet is preferred in the user documentation. NetStructure 7110 and 7180 have undisclosed accounts (servnow, root, and wizard). Remote attackers can use this vulnerability to obtain root user privileges
| VAR-200005-0057 | CVE-2000-0413 | Microsoft Frontpage Server extension shtml.exe/shtml.dll Absolute path leak vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The shtml.exe program in the FrontPage extensions package of IIS 4.0 and 5.0 allows remote attackers to determine the physical path of HTML, HTM, ASP, and SHTML files by requesting a file that does not exist, which generates an error message that reveals the path. Passing a path to a non-existent file to the shtml.exe or shtml.dll (depending on platform) program will display an error message stating that the file cannot be found accompanied by the full local path to the web root. For example, performing a request for http://target/_vti_bin/shtml.dll/non_existant_file.html will produce an error message stating "Cannot open "C:\localpath\non_existant_file.html": no such file or folder"
| VAR-200005-0033 | CVE-2000-0345 | Cisco Router Online Help Vulnerability |
Related entries in the VARIoT exploits database: VAR-E-200005-0121
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
The on-line help system options in Cisco routers allow non-privileged users without "enabled" access to obtain sensitive information via the show command. This information includes access lists, among other things. The help system itself does not list these items as being available via the 'show' commands, yet it nonetheless executes them.
The message which detailed this vulnerability to the Bugtraq mailing list is attached in the 'Credit' section of this vulnerability entry. It is suggested that you read it if this vulnerability affects your infrastructure
| VAR-200005-0034 | CVE-2000-0346 | AppleShare IP 6.x Invalid Range Request Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
AppleShare IP 6.1 and later allows a remote attacker to read potentially sensitive information via an invalid range request to the web server. The additional data will appear appended to the file requested and may contain sensitive information
| VAR-200004-0061 | CVE-2000-0380 | Cisco IOS software vulnerable to DoS via HTTP request containing "%%" |
Related entries in the VARIoT exploits database: VAR-E-200004-0041
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
The IOS HTTP service in Cisco routers and switches running IOS 11.1 through 12.1 allows remote attackers to cause a denial of service by requesting a URL that contains a %% string. There is a denial-of-service vulnerability in several Cisco switch and router products which allows an attacker to force affected devices to crash and reboot. If the router is configured to run a web server for configuration and other information, a user can cause the router to crash. Cisco IOS is an operating system that runs widely on various Cisco network devices. Remote attackers may use this vulnerability to carry out denial of service attacks on the device. Some routers will automatically restart, while others must be manually powered off and on to restore the router to normal operation
| VAR-200412-0165 | CVE-2004-1468 | Cisco Catalyst Enable Password Bypass Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The web mail functionality in Usermin 1.x and Webmin 1.x allows remote attackers to execute arbitrary commands via shell metacharacters in an e-mail message. The Usermin module that sends and receives e-mail via the web interface has a flaw in that it does not properly remove links to other Usermin modules contained in received HTML e-mail. An arbitrary command may be executed with the privileges of the user who received and viewed the e-mail. Webmin / Usermin are reportedly affected by a command execution vulnerability when rendering HTML email messages.
This issue is reported to affect Usermin versions 1.080 and prior. Under certain versions of the Cisco Catalyst a user who already has access to the device can elevate their current access to 'enable' mode without a password. Once 'enable' mode is obtained the user can access the configuration mode and commit unauthorized configuration changes on a Catalyst switch.
This can be done either from the console itself or via a remote Telnet session
| VAR-200004-0028 | CVE-2000-0268 | Cisco IOS TELNET Environment Variable Handling Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco IOS 11.x and 12.x allows remote attackers to cause a denial of service by sending the ENVIRON option to the Telnet daemon before it is ready to accept it, which causes the system to reboot. Certain versions of Cisco's IOS software have a vulnerability in the Telnet Environment handling code. This attack can be launched repeatedly, thereby effecting a Denial of Service attack. Cisco Internet Operating System (IOS) is an operating system used on Cisco routers. Link: http://www.cisco.com/warp/public/707/iostelnetopt-pub.shtml
| VAR-200004-0027 | CVE-2000-0267 | Cisco Catalyst Enable Password Bypass Vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Cisco Catalyst 5.4.x allows a user to gain access to the "enable" mode without a password.
This can be done either from the console itself or via a remote Telnet session
| VAR-200004-0018 | CVE-2000-0258 | Microsoft IIS 4.0/5.0 Escape character vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
IIS 4.0 and 5.0 allows remote attackers to cause a denial of service by sending many URLs with a large number of escaped characters, aka the "Myriad Escaped Characters" Vulnerability. Requesting a malformed URL containing numerous escaped characters will cause Microsoft IIS performance to dramatically decrease until the URL has been processed
| VAR-200004-0055 | CVE-2000-0301 | Ipswitch IMAIL server Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Ipswitch IMAIL server 6.02 and earlier allows remote attackers to cause a denial of service via the AUTH CRAM-MD5 command. Due to the implementation of IMail's authentication scheme, the server could be remotely forced to stop responding to login requests. If the client fails to terminate the connection, IMail will not be able to authenticate any other users due to the fact that it can only authorize one user at a time.
Once the client times out the connection, IMail will regain normal functionality. Otherwise the service will have to be restarted
| VAR-200004-0053 | CVE-2000-0299 | WebObjects Remote Overflow Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Buffer overflow in WebObjects.exe in the WebObjects Developer 4.5 package allows remote attackers to cause a denial of service via an HTTP request with long headers such as Accept. Apple's WebObjects contains unspecified vulnerabilities. A denial-of-service vulnerability exists in Apple's WebObjects 4.5 Developer, a popular platform for developing web-based applications. The vulnerable configuration is Windows NT 4.0 SP5, when run in conjunction with the CGI adapter and IIS 4.0.
An HTTP request sent with a long header (i.e., over 4.1K) will crash webobjects.exe. This may also permit the attacker to remotely execute code with the privilege of IIS, but this has not been verified.
This vulnerability is reportedly present only in installations running under a development license. Those licensed for deployment are not affected
| VAR-200003-0023 | CVE-2000-0246 | Microsoft IIS UNC Mapping virtual host vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
IIS 4.0 and 5.0 does not properly perform ISAPI extension processing if a virtual directory is mapped to a UNC share, which allows remote attackers to read the source code of ASP and other files, aka the "Virtualized UNC Share" vulnerability. Files located on the local drive where IIS is installed are not affected by this vulnerability
| VAR-200003-0057 | CVE-2000-0613 | Cisco Secure PIX Firewall Forged TCP RST Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco Secure PIX Firewall does not properly identify forged TCP Reset (RST) packets, which allows remote attackers to force the firewall to close legitimate connections. The attacker would have to possess detailed knowledge of the connection table in the firewall (which is used to track outgoing connections and disallow any connections from the external network that were not initiated by an internal machine) or be able to otherwise determine the required IP address and port information to exploit this
| VAR-200003-0003 | CVE-2000-0226 | Chunked encoding post can consume excessive memory on IIS 4.0 webserver |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
IIS 4.0 allows attackers to cause a denial of service by requesting a large buffer in a POST or PUT command which consumes memory, aka the "Chunked Transfer Encoding Buffer Overflow Vulnerability". Microsoft IIS 4.0, circa March 2000, contained a vulnerability that allowed an intruder to consume unlimited memory on a vulnerable server. Due to unchecked buffer code that handles chunked encoding transfers, remote users are able to consume CPU cycles in Microsoft IIS until the program is rendered completely unstable and eventually crashes. This can cause the server to hang indefinitely until the remote user cancels the session or until the IIS service is stopped and restarted
| VAR-200003-0015 | CVE-2000-0238 | Norton AntiVirus Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Buffer overflow in the web server for Norton AntiVirus for Internet Email Gateways allows remote attackers to cause a denial of service via a long URL. Due to unchecked buffer code, the program will crash causing a Dr. Watson error when a URL consisting of a large number of characters is requested
| VAR-200003-0048 | CVE-2000-0181 | Check Point Firewall-1 Internal address leak vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Firewall-1 3.0 and 4.0 leaks packets with private IP address information, which could allow remote attackers to determine the real IP address of the host that is making the connection. A vulnerability exists in which Checkpoint Firewall-1 will expose internal addresses to machines outside the network. Under seemingly normal load conditions, according to the poster of this vulnerability, 40% CPU utilization with 200+ active connections, Firewall-1 will attempt to establish connections utilizing the internal address. As this address is either non-routable, or internal, a retransmission will occur; this packet will have the correct address rewritten, but will use the same source port. This may be particularly useful to attackers conducting client side attacks.
These problems have been seen on both NT and Solaris versions of FW-1, although the poster indicated that not enough data was available to directly state the Solaris version was vulnerable in the same ways, or to the same degrees