VARIoT IoT vulnerabilities database


VAR-200411-0127 CVE-2004-0330 SolarWinds Serv-U File Server buffer error vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Buffer overflow in Serv-U ftp before 5.0.0.4 allows remote authenticated users to execute arbitrary code via a long time zone argument to the MDTM command. A buffer error vulnerability exists in SolarWinds Serv-U File Server. The problem exists due to insufficient bounds checking. Ultimately an attacker may leverage this issue to have arbitrary instructions executed in the context of the SYSTEM user.
VAR-200403-0063 CVE-2004-0192 Symantec Gateway Security Error Page Cross-Site Scripting Vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the Management Service for Symantec Gateway Security 2.0 allows remote attackers to steal cookies and hijack a management session via a /sgmi URL that contains malicious script, which is not quoted in the resulting error page. Unspecified vulnerabilities exist in Symantec Gateway Security 5400. The issue is reported to exist due to improper sanitizing of user-supplied data. Successful exploitation of this vulnerability may allow an attacker to steal cookie-based authentication credentials. If an attacker manages to steal a cookie for a valid session, the attacker may leverage the vulnerability to gain management rights to the affected device. Symantec Gateway Security 5400 series is a firewall device developed by Symantec. Remote attackers can use this vulnerability to obtain sensitive administrator information, such as cookie information. When a client submits a URL request to be processed by the Symantec Gateway Security service object and the requested URL does not exist, such as a request for any object in the /sgmi directory, an error page is returned to the requesting browser. The data is not sufficiently filtered when generating the content of the error page, so malicious scripts can be executed in the context of the SGS device. This could allow an attacker to hijack the device's administrative session.
VAR-200403-0064 CVE-2004-0193 Internet Security Systems' BlackICE and RealSecure contain a heap overflow in the processing of SMB packets CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Heap-based buffer overflow in the ISS Protocol Analysis Module (PAM), as used in certain versions of RealSecure Network 7.0 and Server Sensor 7.0, Proventia A, G, and M Series, RealSecure Desktop 7.0 and 3.6, RealSecure Guard 3.6, RealSecure Sentry 3.6, BlackICE PC Protection 3.6, and BlackICE Server Protection 3.6, allows remote attackers to execute arbitrary code via an SMB packet containing an authentication request with a long username. Internet Security Systems' BlackICE and RealSecure intrusion detection products contain a remotely exploitable vulnerability. Exploitation of this vulnerability could lead to the compromise of the system with privileges of the vulnerable process, typically the "SYSTEM" user. The issue exists in the SMB parsing routines provided by the module and is due to insufficient bounds checking of protocol fields. This issue could potentially be exploited to execute arbitrary code on systems hosting the vulnerable software, potentially resulting in system compromise. RealSecure and BlackICE are host-based intrusion detection/prevention systems offered by ISS that identify and block network attacks and intrusions. Remote attackers can exploit this vulnerability to carry out buffer overflow attacks and execute arbitrary commands on the host with system privileges. The Protocol Analysis Module (PAM) is used to analyze network protocols to perform further analysis and attack detection. One of the supported protocols is the SMB protocol. SMB provides a mechanism for clients to remotely access resources such as files, printers, and named pipes. Because PAM lacks sufficient boundary checks when parsing "Setup AndX" SMB requests, a remote attacker can submit an SMB "Setup AndX" request whose AccountName parameter contains a character string exceeding 300 bytes, which can trigger a heap-based overflow.
However, in some products, heap protection can detect these memory corruptions and restart PAM components to clean up the heap content. SMB parsing is state-based in PAM, and can only be triggered by establishing a real SMB connection with the server in the network through TCP/IP.
VAR-200411-0128 CVE-2004-0331 Dell OpenManage Web Server POST Request Heap Overflow Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Heap-based buffer overflow in Dell OpenManage Web Server 3.4.0 allows remote attackers to cause a denial of service (crash) via a HTTP POST with a long application variable. Unspecified vulnerabilities exist in Dell OpenManage. Dell OpenManage Web Server has been reported prone to a remote heap overflow vulnerability. The issue presents itself due to a lack of sufficient bounds checks performed on POST request data. A remote attacker may exploit this issue to corrupt heap-based memory management structures located adjacent to the affected buffer.
VAR-200412-0377 CVE-2004-2377 Alcatel OmniSwitch 7000 Series Security Scan Denial of Service Attack Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Alcatel OmniSwitch 7000 and 7800 allows remote attackers to cause a denial of service (reboot) via certain network scans, as demonstrated using a Nessus port scan of ports 1 through 1024 with safe-checks disabled. Alcatel OmniSwitch is a high-performance switch. The OmniSwitch 7000 series switch system has problems processing some types of network communications. Remote attackers can use this vulnerability to conduct denial of service attacks on the switch. When using Nessus for security scanning, it was found that OmniSwitch 7000 series switches would restart, causing a denial of service. The problem is in the handling of scans by third-party security software. It has been reported that as a result of such scans, the switch reboots, impacting performance.
VAR-200403-0071 CVE-2004-0169 Apple QuickTime/Darwin Streaming Server DESCRIBE Request Remote Denial of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
QuickTime Streaming Server in MacOS X 10.2.8 and 10.3.2 allows remote attackers to cause a denial of service (crash) via DESCRIBE requests with long User-Agent fields, which causes an Assert error to be triggered in the BufferIsFull function. Apple QuickTime/Darwin Streaming Server fails to properly parse DESCRIBE requests containing overly large User-Agent fields. This could allow an unauthenticated, remote attacker to cause a denial-of-service condition. Unspecified vulnerabilities exist in Apple's Darwin Streaming Server. This issue was originally described in Apple Security Update 2004-02-23 Released To Fix Multiple Vulnerabilities (BID 9731). Apple QuickTime/Darwin are popular streaming servers. There is a problem when Apple QuickTime/Darwin parses the DESCRIBE request.
VAR-200412-0466 CVE-2004-2359 Dell TrueMobile 1300 WLAN System Tray Applet Local Privilege Escalation Vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Dell TrueMobile 1300 WLAN Mini-PCI Card Util TrayApplet 3.10.39.0 does not properly drop SYSTEM privileges when started from the systray applet, which allows local users to gain privileges by accessing the Help functionality. It has been reported that a privilege escalation vulnerability exists in the Dell TrueMobile 1300 Wireless System Tray Applet. The issue is due to the software starting with SYSTEM privileges, to enable access to the wireless hardware, and subsequently failing to drop them. This may allow a local attacker to manipulate the GUI of the vulnerable application to spawn arbitrary processes with the privileges of the affected process. Although only version 3.10.39.0 of the utility has been reported vulnerable, it is likely that other versions are prone as well. Dell TrueMobile 1300 WLAN is a mini-PCI wireless network card system that includes a system tray applet to control the device.
VAR-200402-0092 CAN-2004-0306 CNVD-2004-0508 CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco ONS is a fiber optic network platform developed by Cisco. Cisco ONS has multiple vulnerabilities that can result in unauthorized access to the device, denial of service, or continued authentication by a locked-out account. The Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 can be managed through XTC, TCC+/TCC2, TCCi/TCC2, and TSC control cards, which are typically isolated from the Internet and only connected to the local network environment. The following vulnerabilities exist: - CSCec17308/CSCec19124 (tftp): The TFTP service uses UDP port 69 by default, allowing GET and PUT commands without any authentication. The client can connect to the fiber device and upload and download any user data. - CSCec17406 (port 1080): Cisco ONS 15327, ONS 15454 and ONS 15454 SDH hardware is subject to an ACK denial of service attack on TCP port 1080, which is used for network management to communicate with the control cards. An ACK denial of service attack can result in a control card reset on a fiber optic device. - CSCec66884/CSCec71157 (SU access): By default, only superusers are allowed Telnet access to the VxWorks operating system. Due to this vulnerability, if the superuser account is disabled, locked and suspended, it is still possible to log in to the VxWorks shell using the setup password.
VAR-200402-0093 CAN-2004-0307 CNVD-2004-0509 CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco ONS is a fiber optic network platform developed by Cisco. Cisco ONS has multiple vulnerabilities that can result in unauthorized access to the device, denial of service, or continued authentication by a locked-out account. The Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 can be managed through XTC, TCC+/TCC2, TCCi/TCC2, and TSC control cards, which are typically isolated from the Internet and only connected to the local network environment. The following vulnerabilities exist: - CSCec17308/CSCec19124 (tftp): The TFTP service uses UDP port 69 by default, allowing GET and PUT commands without any authentication. The client can connect to the fiber device and upload and download any user data. - CSCec17406 (port 1080): Cisco ONS 15327, ONS 15454 and ONS 15454 SDH hardware is subject to an ACK denial of service attack on TCP port 1080, which is used for network management to communicate with the control cards. An ACK denial of service attack can result in a control card reset on a fiber optic device. - CSCec66884/CSCec71157 (SU access): By default, only superusers are allowed Telnet access to the VxWorks operating system. Due to this vulnerability, if the superuser account is disabled, locked and suspended, it is still possible to log in to the VxWorks shell using the setup password.
VAR-200411-0076 CVE-2004-0308 Cisco Systems optical networking systems software vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Unknown vulnerability in Cisco ONS 15327 before 4.1(3), ONS 15454 before 4.6(1), ONS 15454 SD before 4.1(3), and Cisco ONS15600 before 1.3(0) allows a superuser whose account is locked out, disabled, or suspended to gain unauthorized access via a Telnet connection to the VxWorks shell. Unspecified vulnerabilities exist in Cisco Systems optical networking systems software. It should be noted that the various ONS platforms are intended to be deployed on networks that are physically separated from the Internet, so exposure to these issues by remote attackers is limited. Cisco ONS is an optical network platform developed by Cisco. Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 can be managed by XTC, TCC+/TCC2, TCCi/TCC2, and TSC control cards. These control cards are generally isolated from the Internet and only connected to the local network environment. There are the following vulnerabilities: - CSCec17308/CSCec19124 (tftp): The TFTP service uses UDP port 69 by default, allowing GET and PUT commands without any authentication, and the client can connect to the fiber optic device and upload and download arbitrary user data. - CSCec17406 (port 1080): Cisco ONS 15327, ONS 15454 and ONS 15454 SDH hardware is subject to an ACK denial of service attack on TCP port 1080, which is used for network management to communicate with the control card. Through an ACK denial of service attack, the control card on the fiber optic equipment can be reset. - CSCec66884/CSCec71157 (SU access): By default, only superusers are allowed to have Telnet access to the VxWorks operating system. Due to this vulnerability, if the superuser account is banned, locked and suspended, it is still possible to log in to the VxWorks shell with the set password.
VAR-200411-0074 CVE-2004-0306 Cisco Systems optical networking systems software vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco ONS 15327 before 4.1(3), ONS 15454 before 4.6(1), ONS 15454 SD before 4.1(3), and Cisco ONS 15600 before 1.3(0) enable TFTP service on UDP port 69 by default, which allows remote attackers to GET or PUT ONS system files on the current active TCC in the /flash0 or /flash1 directories. Unspecified vulnerabilities exist in Cisco Systems optical networking systems software. Cisco ONS is a fiber optic network platform developed by Cisco. There are multiple vulnerabilities in Cisco ONS that can lead to attacks such as unauthorized access to the device, denial of service, or continued authentication by a locked account. These control cards are generally isolated from the Internet and connected only to the local network environment. The following vulnerabilities exist: - CSCec17308 / CSCec19124 (tftp): The TFTP service uses UDP port 69 by default, allowing GET and PUT commands to be performed without any authentication, and the client can connect to the fiber optic device to upload and download arbitrary user data. TCP port 1080 is used for network management and control card communication. An ACK denial of service attack can cause the control card on a fiber optic device to reset. - CSCec66884 / CSCec71157 (SU access): By default, only superusers are allowed Telnet access to the VxWorks operating system. Due to this vulnerability, if the superuser account is blocked, locked and suspended, it is still possible to log in to the VxWorks shell using the set password. It should be noted that the various ONS platforms are intended to be deployed on networks that are physically separated from the Internet, so exposure to these issues by remote attackers is limited.
VAR-200411-0075 CVE-2004-0307 Cisco Systems optical networking systems software vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco ONS 15327 before 4.1(3), ONS 15454 before 4.6(1), and ONS 15454 SD before 4.1(3) allows remote attackers to cause a denial of service (reset) by not sending the ACK portion of the TCP three-way handshake and sending an invalid response instead. Unspecified vulnerabilities exist in Cisco Systems optical networking systems software. Cisco has reported multiple vulnerabilities in the following platforms: Cisco ONS 15327 Edge Optical Transport Platform, Cisco ONS 15454 Optical Transport Platform, Cisco ONS 15454 SDH Multiplexer Platform, and Cisco ONS 15600 Multiservice Switching Platform. These issues could permit unauthorized access to devices, including unauthenticated access to GET/PUT TFTP commands on affected platforms, denial of service attacks via incomplete TCP transactions, and an issue that may allow locked out superuser accounts to still authenticate. It should be noted that the various ONS platforms are intended to be deployed on networks that are physically separated from the Internet, so exposure to these issues by remote attackers is limited. Versions of Cisco ONS 15327 prior to 4.1(3), ONS 15454 prior to 4.6(1), and ONS 15454 SD prior to 4.1(3) are vulnerable.
VAR-200411-0080 CVE-2004-0312 Cisco Systems (Linksys) WAP55AG vulnerability CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
Linksys WAP55AG 1.07 allows remote attackers with access to an SNMP read only community string to gain access to read/write community strings via a query for OID 1.3.6.1.4.1.3955.2.1.13.1.2. Unspecified vulnerabilities exist in Cisco Systems (Linksys) WAP55AG. The Linksys WAP55AG appliance has been reported prone to an insecure default configuration vulnerability. An attacker may disclose sensitive information in this manner. Although unconfirmed, it may also be possible for the attacker to manipulate the appliance configuration through writeable strings. Linksys WAP55AG is a wireless access device. An attacker can obtain the read/write community string information of the SNMP MIB by querying the Linksys WAP55AG SNMP service.
VAR-200411-0057 CVE-2004-0297 IMail Server LDAP daemon buffer overflow CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Buffer overflow in the Lightweight Directory Access Protocol (LDAP) daemon (iLDAP.exe 3.9.15.10) in Ipswitch IMail Server 8.03 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via an LDAP message with a large tag length. Unspecified vulnerabilities exist in Ipswitch, Inc. Ipswitch IMail. The Ipswitch LDAP daemon has been reported prone to a remote buffer overflow vulnerability. The vulnerability exists due to a lack of sufficient boundary checks performed on user-supplied LDAP tags. When attacker-supplied data containing large LDAP tags is processed by the affected service, a stack-based buffer overflow condition will be triggered. A remote attacker may exploit this condition to execute arbitrary instructions in the security context of the affected service. Ipswitch IMail server is a web-based mail solution. The Ipswitch LDAP daemon does not adequately check user-supplied LDAP tags. The LDAP message is composed of the length and content of the tag. The following tags 0x02 0x03 0x0A 0x25 0xBD represent integers 665, 501 (0xA25BD). If the tag length provided by the attacker is too long, the user-supplied data is copied according to that tag length when the program processes it. Because sufficient bounds checks are lacking, a memory address on the stack may be overwritten by the following assembly instruction: .text:00401188 mov byte ptr [ebp+ecx+var_4], dl. Carefully crafted data may cause arbitrary instructions to be executed on the system with the privileges of the LDAP daemon process.
VAR-200411-0029 CVE-2004-0269 Francisco Burzi PHP-Nuke vulnerability CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
SQL injection vulnerability in PHP-Nuke 6.9 and earlier, and possibly 7.x, allows remote attackers to inject arbitrary SQL code and gain sensitive information via (1) the category variable in the Search module or (2) the admin variable in the Web_Links module. Unspecified vulnerabilities exist in Francisco Burzi PHP-Nuke. It has been reported that PHP-Nuke may be prone to a SQL injection vulnerability, due to insufficient sanitization of user-supplied input. The problem is reported to exist in the $category variable contained within the 'index.php' page. PHP-Nuke versions 6.9 and prior have been reported to be prone to this issue; however, other versions may be affected as well. PHP-Nuke is a popular website creation and management tool that can use many database systems as a backend, such as MySQL, PostgreSQL, mSQL, Interbase, Sybase, etc. The 'index.php' script included in PHP-Nuke lacks adequate filtering of the parameters submitted by users. When performing a search, the index.php script does not fully filter the data submitted by the user to the $category variable. Submitting data containing SQL commands as the $category variable parameter can change the original database logic, obtain sensitive database information and modify database content.
VAR-200411-0122 CVE-2004-0265 Francisco Burzi PHP-Nuke vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in modules.php for Php-Nuke 6.x-7.1.0 allows remote attackers to execute arbitrary script as other users via URL-encoded (1) title or (2) fname parameters in the News or Reviews modules. Unspecified vulnerabilities exist in Francisco Burzi PHP-Nuke. It has been reported that the PHP-Nuke module 'News' is prone to a cross-site scripting vulnerability. The issue arises due to the module failing to properly sanitize user-supplied information. This could allow for execution of hostile HTML and script code in the web client of a user who visits a web page that contains the malicious code. This would occur in the security context of the site hosting the software.
VAR-200411-0123 CVE-2004-0266 PHP-Nuke Public Message SQL Injection Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
SQL injection vulnerability in the "public message" capability (public_message) for Php-Nuke 6.x to 7.1.0 allows remote attackers to obtain the administrator password via the c_mid parameter. Unspecified vulnerabilities exist in Francisco Burzi PHP-Nuke. The issue is due to improper sanitization of user-defined parameters supplied to the module. As a result, an attacker could modify the logic and structure of database queries. Other attacks may also be possible, such as gaining access to sensitive information.
VAR-200403-0025 CVE-2004-0039 HTTP Parsing Vulnerabilities in Check Point Firewall-1 CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Multiple format string vulnerabilities in HTTP Application Intelligence (AI) component in Check Point Firewall-1 NG-AI R55 and R54, and Check Point Firewall-1 HTTP Security Server included with NG FP1, FP2, and FP3 allow remote attackers to execute arbitrary code via HTTP requests that cause format string specifiers to be used in an error message, as demonstrated using the scheme of a URI. Several versions of Check Point Firewall-1 contain a vulnerability that allows remote attackers to execute arbitrary code with administrative privileges. Check Point Firewall-1 is a high-performance firewall. An unsuccessful attack will destroy all connected HTTP sessions and stop web communication. HTTP Parsing Vulnerabilities in Check Point Firewall-1. Original release date: February 05, 2004. Last revised: --. Source: US-CERT. A complete revision history can be found at the end of this file. This allows the attacker to take control of the firewall, and in some cases, to also control the server it runs on. I. Description The Application Intelligence (AI) component of Check Point Firewall-1 is an application proxy that scans traffic for application layer attacks once it has passed through the firewall at the network level. Earlier versions of Firewall-1 include the HTTP Security Server, which provides similar functionality. When Firewall-1 generates an error message in response to the invalid request, a portion of the input supplied by the attacker is included in the format string for a call to sprintf(). Researchers at Internet Security Systems have determined that it is possible to exploit this format string vulnerability to execute commands on the firewall. For more information, please see the ISS advisory at: http://xforce.iss.net/xforce/alerts/id/162 The CERT/CC is tracking this issue as VU#790771. This reference number corresponds to CVE candidate CAN-2004-0039. II.
Failed attempts to exploit this vulnerability may cause the firewall to crash. III. It is unclear at this time whether there are other attack vectors that may still allow exploitation of the underlying software defect. Therefore, affected sites may be able to limit their exposure to this vulnerability by disabling HTTP Security Servers or the Application Intelligence component, as appropriate. This vulnerability was discovered and researched by Mark Dowd of ISS X-Force. This document was written by Jeffrey P. Lanza. This document is available from: http://www.us-cert.gov/cas/techalerts/TA04-036A.html Copyright 2004 Carnegie Mellon University. Revision History: Feb 05, 2004: Initial release
VAR-200403-0026 CVE-2004-0040 Check Point ISAKMP vulnerable to buffer overflow via Certificate Request CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Stack-based buffer overflow in Check Point VPN-1 Server 4.1 through 4.1 SP6 and Check Point SecuRemote/SecureClient 4.1 through 4.1 build 4200 allows remote attackers to execute arbitrary code via an ISAKMP packet with a large Certificate Request packet. A buffer overflow vulnerability exists in the Internet Security Association and Key Management Protocol (ISAKMP) implementation used in Check Point VPN-1, SecuRemote, and SecureClient products. An unauthenticated, remote attacker could execute arbitrary code with the privileges of the ISAKMP process, typically root or SYSTEM. Because of this, it is possible for a remote attacker to gain unauthorized access to vulnerable systems. Check Point Firewall-1 is a high-performance firewall. The Check Point VPN-1 server and Check Point VPN client provide VPN access for remote client computers. The IKE component of these products allows non-directional or bi-directional authentication of two remote peers. The Check Point VPN-1 server and Check Point VPN client lack sufficient checks when handling large certificate payloads. Remote attackers can exploit this vulnerability to carry out buffer overflow attacks and possibly control the firewall server with system privileges. Internet Key Exchange (IKE) is used for key negotiation and exchange during encrypted transmission or communication via VPN. The ISAKMP protocol is used for this exchange. Remote unauthenticated users can trigger this vulnerability during the initial phase of IKE negotiation, because the affected VPN implementations lack sufficient bounds checks when processing ISAKMP packets containing very large certificate request payloads. Attackers do not need to interact with the target system to exploit this vulnerability; they only need to send UDP packets with forged source addresses. Successful exploitation of this vulnerability can give direct control of the entire firewall system.
VAR-200411-0101 CVE-2004-0244 Cisco 6000/6500/7600 series systems fail to properly process layer 2 frames CVSS V2: 4.7
CVSS V3: -
Severity: MEDIUM
Cisco 6000, 6500, and 7600 series systems with Multilayer Switch Feature Card 2 (MSFC2) and a FlexWAN or OSM module allow local users to cause a denial of service (hang or reset) by sending a layer 2 frame packet that encapsulates a layer 3 packet, but has inconsistent length values with that packet. A problem has been identified in the handling of specific types of traffic by Cisco 6000, 6500, and 7600 routers with the MSFC2 device. Because of this, an attacker could potentially crash a vulnerable system. A layer 2 frame is used to encapsulate layer 3 packets. Cisco 6000/6500/7600 are high-end routers. Cisco 6000, 6500, and 7600 routers using MSFC2 devices improperly handle some communications, and a remote attacker could exploit this vulnerability to perform a denial-of-service attack on the device. However, this particular packet must be software-switched on the affected system to trigger the problem; hardware-switched packets cannot trigger this vulnerability. Although such frames can only be sent from the local network segment, they may also be triggered remotely under certain conditions. To be exploited remotely, the constructed layer 2 frame needs to pass through all layer 3 devices between the source and the destination without any pruning.