VARIoT IoT vulnerabilities database


VAR-200306-0098 CVE-2003-0224 Microsoft IIS SSI page request buffer overflow vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Buffer overflow in ssinc.dll for Microsoft Internet Information Services (IIS) 5.0 allows local users to execute arbitrary code via a web page with a Server Side Include (SSI) directive with a long filename, aka "Server Side Include Web Pages Buffer Overrun". Microsoft IIS ssinc.dll has been reported prone to a buffer overflow vulnerability. The issue is due to insufficient bounds checking performed on requests for server side includes. This vulnerability was initially described in BID 7728 and is now being assigned its own BID
VAR-200305-0084 No CVE D-Link DI-704P Syslog.HTM Remote Denial of Service Attack Vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The D-Link DI-704P is a 4-port broadband router. The syslog.htm page of the DI-704P web interface does not correctly handle overly long input submitted by the user, and a remote attacker can exploit this to perform a denial of service attack against the router. The attacker submits a request for syslog.htm containing a very long string to the web interface, for example the following URL on the internal interface:
http://192.168.0.1/syslog.htm?D=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
The above URL causes the router to issue a DNS query for the following name:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@xxxx.xx.comcast.net
This hostname does not exist, so the lookup eventually returns "no such name". Since the DNS reply packet is much larger than the request packet, an attacker who submits many similar requests can drive the router into a denial of service. The issue presents itself in a D-Link web interface page. It has been reported that when excessive data is passed in a URI parameter in a request for the vulnerable page, the device behaves in an unstable manner. Subsequent malicious requests may result in a complete denial of service condition requiring a device reboot, or in corruption of device logs. Although unconfirmed, it should be noted that other D-Link devices that use related firmware might also be affected
VAR-200307-0036 CVE-2003-0393 Privatefirewall FIN/XMas Scanning communication processing vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Privacyware Privatefirewall 3.0 does not block certain incoming packets when in "Filter Internet Traffic" or "Deny Internet Traffic" modes, which allows remote attackers to identify running services via FIN scans or Xmas scans. It has been reported that Privatefirewall does not properly handle TCP traffic with certain flag settings. This may allow an attacker to circumvent firewall filtering. Privatefirewall is a firewall package that integrates a personal firewall and an intrusion detection system. It does not properly handle packets carrying certain unusual TCP flag combinations. Remote attackers can exploit this to bypass the filtering restrictions and reach protected resources: the filtering rules of Privatefirewall do not detect FIN and Xmas scans, so an attacker can use a scanning tool such as Nmap to scan protected hosts and learn which services are running behind the firewall
VAR-200306-0102 CVE-2003-0240 Various Axis products allow unauthorized remote privileged access CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The web-based administration capability for various Axis Network Camera products allows remote attackers to bypass access restrictions and modify configuration via an HTTP request to admin/admin.shtml containing a leading // (double slash). A vulnerability in various Axis Communications products may allow unauthorized remote privileged access. By requesting a specially formatted URL, it may be possible for remote users to access the administrative configuration interface without being prompted for authentication. Axis network video products transmit and capture live images directly over an IP network, allowing users to view and manage the camera system with a web browser. Once an Axis network video system is set up, a web-based management tool is provided for users to configure and manage the camera system; it is reached at the following URL:
http://camera-ip/admin/admin.shtml
This page normally requires a user name and password, but because the access restriction is incorrectly designed, an attacker can reach the management interface without a password by requesting the following URL instead:
http://camera-ip//admin/admin.shtml
From there the attacker can reset the root password, modify the configuration file through the telnet service, and execute arbitrary commands on the system with root privileges through non-interactive access
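The bug class behind the Axis entry above is an access rule evaluated against the raw request path while the file layer serves a normalised one. The following added example (not the camera's own server code; the policy table and function names are assumptions) shows the flawed check beside a check that canonicalises the path first, so "//admin/admin.shtml", "/view/../admin/admin.shtml" and percent-encoded spellings all land on the same rule:

```python
"""Path canonicalisation before the access check, illustrating the bug class
in the Axis entry above (a leading // defeating an authentication rule keyed
on "/admin/"). Added example, not the camera's own server code; the policy
table and function names are assumptions."""
import posixpath
from urllib.parse import unquote

# Constructed policy: everything under /admin/ requires authentication.
PROTECTED_PREFIXES = ("/admin/",)


def is_protected_naive(raw_path: str) -> bool:
    """The flawed pattern: apply the rule to the raw request path.
    "//admin/admin.shtml" does not start with "/admin/", so no credentials
    are demanded, yet the file layer still serves the admin page."""
    return any(raw_path.startswith(p) for p in PROTECTED_PREFIXES)


def canonical_path(raw_path: str) -> str:
    """Reduce a request path to a single canonical form: drop query and
    fragment, percent-decode once, force exactly one leading slash, collapse
    repeated slashes and resolve '.' and '..' segments."""
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    path = unquote(path)
    # posixpath.normpath preserves exactly two leading slashes (POSIX gives
    # them an implementation-defined meaning), so strip them first.
    path = "/" + path.lstrip("/")
    return posixpath.normpath(path)


def is_protected(raw_path: str) -> bool:
    """The correct pattern: decide on the canonical path, never on the raw one."""
    canon = canonical_path(raw_path)
    return any(canon == p.rstrip("/") or canon.startswith(p)
               for p in PROTECTED_PREFIXES)


def authorize(raw_path: str, authenticated: bool) -> str:
    """HTTP status the hardened check produces for a request."""
    if is_protected(raw_path) and not authenticated:
        return "401 Unauthorized"
    return "200 OK"


if __name__ == "__main__":
    for p in ("/admin/admin.shtml", "//admin/admin.shtml", "/view/../admin/admin.shtml"):
        print(f"{p:32} naive={is_protected_naive(p)!s:5} canonical={is_protected(p)}")
```

The decode happens exactly once; if the file layer decodes more than once, the canonicaliser has to match it, otherwise double-encoded variants reopen the same gap.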
VAR-200312-0193 CVE-2003-1091 Apple QuickTime/Darwin Streaming Server integer overflow in MP3Broadcaster utility CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Integer overflow in MP3Broadcaster for Apple QuickTime/Darwin Streaming Server 4.1.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via malformed ID3 tags in MP3 files. Apple's QuickTime and Darwin Streaming Server (DSS) package includes a utility called MP3Broadcaster. This utility contains an integer overflow which may be exploited to cause a denial of service. MP3Broadcaster has been reported prone to a vulnerability when processing malicious ID3 tags, likely due to insufficient sanity checks on signed integer values contained within MP3 file ID3 tags. MP3Broadcaster is the MP3 broadcasting program included with Darwin Streaming Server. It does not correctly process ID3 tags; a remote attacker can construct a malicious MP3 file that triggers an integer overflow leading to a buffer overflow, crashing (segfaulting) the service
VAR-200305-0089 No CVE Cisco IOS Service Assurance Agent Malformed Packet Denial Of Service Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
It has been reported that Cisco IOS is vulnerable to an issue in handling Service Assurance Agent (previously called Response Time Reporter, or RTR) packets. Because of this, a remote user may be able to cause the router to become unstable and crash.
VAR-200305-0083 No CVE Cisco IOS Crypto Engine Accelerator Access Control List Bypass Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Internetwork Operating System (IOS) is the operating system used on Cisco routers. When a Cisco router has the crypto engine accelerator enabled, an access control list on the external interface can let through types of traffic it is meant to block, which a remote attacker can exploit to bypass the access control list and reach the protected network. The issue is reported for a router with the following configuration:
  crypto engine accelerator
  PPPoE dialer
  ip route-cache
together with an inbound access control list on the external interface that permits only ISAKMP and IPsec traffic, for example:
  ip access-list extended Block-Inbound-Unwanted-Traffic
   permit udp 100.100.100.0 0.0.0.255 host 102.168.1.2 eq isakmp
   permit esp 100.100.100.0 0.0.0.255 host 102.168.1.2
   deny ip any any log
With this configuration the IPsec traffic is evaluated twice against the inbound access control list, with the result that unauthorized traffic reaches the protected network; for example, the ACL allows an attacker to inject forged packets into the internal network. The problem does not occur with static crypto maps, where non-encrypted traffic is discarded when it is evaluated by the ACL. With dynamic crypto maps, an attacker who wants to push a forged packet past the access list must control the neighbouring router attached to the interface carrying the ACL in order to complete the attack
VAR-200505-1007 CVE-2005-1027 PHP-Nuke Your_Account Cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in PHP-Nuke 6.x through 7.6 allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter in the Your_Account module, (2) avatarcategory parameter in the Your_Account module, or (3) lid parameter in the Downloads module. It is reported that the PHP-Nuke 'Your_Account' module is affected by a cross-site scripting vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied URI input. This issue could permit a remote attacker to create a malicious URI link that includes hostile HTML and script code. If this link were to be followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the affected web site and may allow for theft of cookie-based authentication credentials. This vulnerability is reported to affect PHP-Nuke version 7.6 and previous versions
VAR-200312-0469 CVE-2003-1468 PHP-Nuke Web_Links Module path leak vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The Web_Links module in PHP-Nuke 6.0 through 6.5 final allows remote attackers to obtain the full web server path via an invalid cid parameter that is non-numeric or null, which leaks the pathname in an error message. The Web_Links module for PHP-Nuke has been reported prone to a vulnerability which, when exploited, may disclose sensitive path information to a remote attacker. An attacker may use the information gathered in this manner to mount further attacks against the host. It should be noted that although PHP-Nuke version 6.x has been reported vulnerable, other versions might also be affected. The vulnerability is in the Web_Links module of PHP-Nuke versions 6.0 to 6.5 final
VAR-200312-0158 CVE-2003-1210 PHP-Nuke Multiple Downloads Component SQL Injection vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Multiple SQL injection vulnerabilities in the Downloads module for PHP-Nuke 5.x through 6.5 allow remote attackers to execute arbitrary SQL commands via the (1) lid parameter to the getit function or the (2) min parameter to the search function. Exploitation could allow for injection of malicious SQL syntax, resulting in modification of SQL query logic or other attacks
VAR-200306-0002 CVE-2003-0270 Apple AirPort administrator password encryption vulnerability CVSS V2: 7.6
CVSS V3: -
Severity: HIGH
The administration capability for Apple AirPort 802.11 wireless access point devices uses weak encryption (XOR with a fixed key) for protecting authentication credentials, which could allow remote attackers to obtain administrative access via sniffing when the capability is available via Ethernet or non-WEP connections. The Apple AirPort device is a wireless access point that provides 802.11 services to network clients. It can be managed over TCP port 5009 through its management protocol. The password encryption used in the management authentication of Apple AirPort devices is too simple, and a remote attacker who can sniff the network can recover the password from it. AirPort devices accept an authentication password of at most 32 characters; the password is padded to a fixed 32 bytes, XORed with a predefined key, and sent over the network in that form. @stake tested this with a single-character password: by observing the exchanged packets they read 31 bytes of the XOR key directly off the wire (the bytes covering the padding), and the remaining key byte follows from XORing the first byte of the ciphertext with the first byte of the known plaintext password. If the AirPort is reachable over its Ethernet interface or over an insecure wireless connection (without WEP), an anonymous attacker can sniff the network to gain administrator access to the device. The problem lies in the administrative password being encoded with a simple fixed XOR key; an attacker capable of intercepting the authentication traffic can trivially reverse the cipher and obtain administrative access to the device
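The key-recovery step described in the AirPort entry above, worked through as an added example (not Apple's or @stake's code). It models the 32-byte padded XOR with a made-up stand-in key, since the real key is not on this page, and shows why a fixed key is not encryption: one login with a password the attacker knows recovers the key, and every other sniffed login then decodes with it.

```python
"""Known-plaintext recovery of a fixed XOR key, modelling the AirPort
administrative-password protection described above. Added example, not
Apple's or @stake's code. The 32-byte key below is a made-up stand-in for the
device's fixed key; the real key is not on this page."""

PASSWORD_FIELD_LEN = 32  # per the advisory: the password is sent padded to 32 bytes

# Constructed stand-in for the device's fixed XOR key.
DEMO_FIXED_KEY = bytes(range(0xA0, 0xA0 + PASSWORD_FIELD_LEN))


def encode_password(password: bytes, key: bytes = DEMO_FIXED_KEY) -> bytes:
    """What the device does on the wire: null-pad the password to 32 bytes and
    XOR it byte-for-byte with the fixed key."""
    if len(password) > PASSWORD_FIELD_LEN:
        raise ValueError("password longer than 32 bytes")
    padded = password.ljust(PASSWORD_FIELD_LEN, b"\x00")
    return bytes(p ^ k for p, k in zip(padded, key))


def recover_key(ciphertext: bytes, known_password: bytes) -> bytes:
    """Attacker step 1. One captured login for a password the attacker knows
    (the key is fixed, so a login the attacker makes with a chosen password
    serves as known plaintext) yields the whole key, because XOR undoes itself:
        key[i] = ciphertext[i] ^ padded_plaintext[i]
    With a one-character password, bytes 1..31 of the plaintext are the null
    padding, so those 31 key bytes are read straight off the wire; byte 0
    comes from XORing the first ciphertext byte with the known character."""
    padded = known_password.ljust(PASSWORD_FIELD_LEN, b"\x00")
    return bytes(c ^ p for c, p in zip(ciphertext, padded))


def decode_password(ciphertext: bytes, key: bytes) -> bytes:
    """Attacker step 2: strip the 'encryption' from any other sniffed login."""
    return bytes(c ^ k for c, k in zip(ciphertext, key)).rstrip(b"\x00")


def sniff_and_recover(victim_ciphertext: bytes, probe_ciphertext: bytes,
                      probe_password: bytes) -> bytes:
    """End to end: derive the key from the attacker's own login capture, then
    decode the victim administrator's captured login."""
    return decode_password(victim_ciphertext,
                           recover_key(probe_ciphertext, probe_password))


if __name__ == "__main__":
    probe = encode_password(b"a")              # attacker's own known login (constructed)
    victim = encode_password(b"s3cret-adm1n")  # sniffed administrator login (constructed)
    print(sniff_and_recover(victim, probe, b"a"))
```

The same recovery works against any scheme that XORs a fixed key into fixed-width padded fields; the padding alone leaks most of the key even without a chosen password.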
VAR-200306-0007 CVE-2003-0279 PHP-Nuke Web_Links Module remote SQL injection vulnerability CVSS V2: 2.6
CVSS V3: -
Severity: LOW
Multiple SQL injection vulnerabilities in the Web_Links module for PHP-Nuke 5.x through 6.5 allow remote attackers to steal sensitive information via numeric fields, as demonstrated using (1) the viewlink function and cid parameter, or (2) index.php. PHP-Nuke is reportedly prone to multiple SQL injection vulnerabilities in the Web_Links module. Exploitation could allow for injection of malicious SQL syntax, resulting in modification of SQL query logic or other attacks. It has been reported that multiple input validation bugs exist in the Web_Links module used by PHP-Nuke. Because of this, a remote user may be able to access the database and potentially gain access to sensitive information. Successful exploitation could result in compromise of the web forums or more severe consequences. PHP-Nuke is a popular website creation and management tool that can use many database engines as its backend, such as MySQL, PostgreSQL, mSQL, Interbase and Sybase. If the database engine allows the UNION syntax, any information inside the database can be extracted through the Web_Links module, including passwords and personal data; if UNION cannot be used, the attacker cannot reach SQL tables other than the ones managed by Web_Links, so only click-through and voting information can be obtained
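The numeric-field injection the Downloads and Web_Links entries above describe, including the UNION step that reaches tables the module never queries, as an added example run against an in-memory SQLite database. This is not PHP-Nuke's code; the tables, rows, hash value and function names are constructed stand-ins.

```python
"""UNION-based SQL injection through a numeric parameter, the pattern the
Downloads and Web_Links entries above describe, run against an in-memory
SQLite database. Added example, not PHP-Nuke's code; the tables, rows and
function names are constructed stand-ins."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed schema: a links table the module is meant to read and a
    users table it should never expose."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE links (lid INTEGER, cid INTEGER, title TEXT, hits INTEGER);
        CREATE TABLE users (uid INTEGER, name TEXT, pwd_hash TEXT);
        INSERT INTO links VALUES (1, 1, 'Home page', 10), (2, 1, 'Docs', 3);
        INSERT INTO users VALUES (1, 'admin', 'constructed-hash-value');
    """)
    return con


def viewlink_vulnerable(con: sqlite3.Connection, cid: str) -> list:
    """The flawed pattern: the numeric cid is pasted into the query text, so
    the attacker controls SQL syntax rather than just a number."""
    sql = f"SELECT title, hits FROM links WHERE cid={cid}"
    return con.execute(sql).fetchall()


def viewlink_fixed(con: sqlite3.Connection, cid: str) -> list:
    """Fixed: enforce the numeric type, then bind the value as a parameter."""
    if not cid.isdigit():
        raise ValueError("cid must be a non-negative integer")
    return con.execute("SELECT title, hits FROM links WHERE cid=?",
                       (int(cid),)).fetchall()


# Attacker-supplied cid: a value matching no row, then a UNION selecting the
# same number of columns (two) from a table the module never queries.
UNION_PAYLOAD = "-1 UNION SELECT name, pwd_hash FROM users"


def run_demo() -> dict:
    """What each variant returns for the injected cid and for a normal one."""
    con = build_db()
    leaked = viewlink_vulnerable(con, UNION_PAYLOAD)
    try:
        viewlink_fixed(con, UNION_PAYLOAD)
        fixed_rejected = False
    except ValueError:
        fixed_rejected = True
    return {"leaked": leaked, "fixed_rejected": fixed_rejected,
            "normal": viewlink_fixed(con, "1")}


if __name__ == "__main__":
    print(run_demo())
```

Without UNION support the same payload would fail at the parser, which is the distinction the entry draws between full database access and leaking only the module's own hit and vote counters.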
VAR-200306-0053 CVE-2003-0370 KDE Konqueror SSL certificate validation vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Konqueror Embedded and KDE 2.2.2 and earlier does not validate the Common Name (CN) field for X.509 Certificates, which could allow remote attackers to spoof certificates via a man-in-the-middle attack. Konqueror, the file manager and web browser included with KDE, has an incomplete SSL implementation: it checks the certificate against the server's IP address rather than its host name, so a forged SSL certificate can be accepted without the user noticing, and the user may be connected to an untrusted malicious web site. The browser fails to detect cases where the CN doesn't match the hostname of the server. This could lead to a variety of attacks, including the possibility of allowing a malicious server to masquerade as a trusted server. The non-embedded Konqueror distribution is reportedly not affected by this issue
VAR-200312-0465 CVE-2003-1464 Siemens Mobile Phones %IMG_NAME Remote Denial of Service Attack Vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Buffer overflow in Siemens 45 series mobile phones allows remote attackers to cause a denial of service (disconnect and unavailable inbox) via a Short Message Service (SMS) message with a long image name. There are vulnerabilities in Siemens 45 series phones. This is reportedly due to a boundary condition error that occurs when an overly large image name is included in an SMS message
VAR-200305-0033 CVE-2003-0216 Cisco Catalyst switches allow access to "enable mode" without password CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Unknown vulnerability in Cisco Catalyst 7.5(1) allows local users to bypass authentication and gain access to the enable mode without a password. Cisco Catalyst version 7.5(1) has an unknown vulnerability
VAR-200312-0483 CVE-2003-1482 Microsoft MN-500 Clear text password disclosure vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
The backup configuration file for Microsoft MN-500 wireless base station stores administrative passwords in plaintext, which allows local users to gain access. A weakness has been reported for the MN-500 device that may result in the disclosure of administrative credentials to an attacker who obtains the backup file. Microsoft MN-500 is a wireless access device that supports 802.11b wireless networks. According to the report, the problem is that the backup configuration file stores the administrator password in clear text; an attacker who reads the backup file obtains the authentication information and can take control of the entire device
VAR-200305-0082 No CVE Cisco Optical Transport Platform illegal telnet request remote denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Cisco ONS 15454, ONS 15327, ONS 15454 SDH, and ONS 15600 platforms are managed by TCC+, XTC, TCCi, and TSC control cards; these are typically deployed in customer internal environments that are connected to the external Internet. The telnet service on the Cisco optical transport platforms handles malformed requests incorrectly. A remote attacker can exploit this to perform a denial of service attack against the device, which can interrupt the network: submitting a malformed telnet request causes the TCC+, XTC, TCCi, or TSC control card to reset, and repeating the request keeps the device from communicating normally. This vulnerability was reproduced with the Nessus scanner; Cisco bug ID: CSCdz83519
VAR-200305-0063 CVE-2003-0190 OpenSSH PAM authentication timing attack vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack. When the portable edition of OpenSSH is built with PAM support enabled, a failed authentication returns "Permission denied, please try again." after a delay that differs depending on whether the username exists or not, so an attacker may be able to guess whether a given username exists. The portable version of OpenSSH is reported prone to an information-disclosure vulnerability. The portable version is distributed for operating systems other than its native OpenBSD platform. This issue is related to BID 7467. Reportedly, the previous fix for BID 7467 didn't completely fix the issue. This current issue may involve differing code paths in PAM, resulting in a new vulnerability, but this has not been confirmed. Exploiting this vulnerability allows remote attackers to test for the presence of valid usernames. Knowledge of usernames may aid them in further attacks
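The timing leak in the OpenSSH/PAM entry above, reduced to its essentials as an added example; this is not OpenSSH or PAM code, and the user table, salt and hash cost are constructed. The vulnerable login returns early for unknown users, so a missing name fails far faster than a real name with a wrong password; the fixed login always performs the password work, comparing unknown users against a dummy hash, so the two failures cost the same and the attacker's measurement no longer separates them.

```python
"""Username enumeration from an authentication timing difference, of the kind
the OpenSSH/PAM entry above describes. Added example; this is not OpenSSH or
PAM code. The user table, salt and hash parameters are constructed."""
import hashlib
import hmac
import time

ITERATIONS = 20_000            # enough work to make the gap measurable
SALT = b"constructed-salt"     # constructed; a real system uses a per-user salt


def _hash(password: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, SALT, ITERATIONS)


USERS = {"alice": _hash(b"correct horse")}   # constructed account database
DUMMY_HASH = _hash(b"dummy")   # compared against for unknown users in the fixed path


def login_vulnerable(user: str, password: bytes) -> bool:
    """Fails immediately for unknown users, so "Permission denied" comes back
    much faster for a missing name than for a real name with a wrong password."""
    stored = USERS.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(_hash(password), stored)


def login_fixed(user: str, password: bytes) -> bool:
    """Always does the password work. Unknown users are checked against a
    dummy hash and the result is forced to False, so both failures cost the same."""
    stored = USERS.get(user)
    match = hmac.compare_digest(_hash(password),
                                stored if stored is not None else DUMMY_HASH)
    return match and stored is not None


def time_login(login, user: str, password: bytes, rounds: int = 5) -> float:
    """Median seconds per attempt: the attacker's measurement over the network."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        login(user, password)
        samples.append(time.perf_counter() - t0)
    samples.sort()
    return samples[len(samples) // 2]


def classify_users(login, candidates, ratio: float = 0.25) -> dict:
    """Label each candidate by failed-login time: names answered far faster
    than the slowest candidate (below ratio * slowest) are taken as missing."""
    times = {u: time_login(login, u, b"wrong-password") for u in candidates}
    slowest = max(times.values())
    return {u: ("missing" if t < slowest * ratio else "exists")
            for u, t in times.items()}


if __name__ == "__main__":
    names = ["alice", "bob", "mallory"]
    print("vulnerable:", classify_users(login_vulnerable, names))  # only alice exists
    print("fixed:     ", classify_users(login_fixed, names))       # indistinguishable
```

Over a real network the attacker averages more samples to beat jitter, but the fix is the same: equal work on every code path, and a constant-time comparison so the digest check does not reopen the leak.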
VAR-200305-0035 CVE-2003-0219 Kerio Personal Firewall Replay Attack Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Kerio Personal Firewall (KPF) 2.1.4 and earlier allows remote attackers to execute administrator commands by sniffing packets from a valid session and replaying them against the remote administration server
VAR-200305-0036 CVE-2003-0220 Kerio Personal Firewall vulnerable to buffer overflow CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in the administrator authentication process for Kerio Personal Firewall (KPF) 2.1.4 and earlier allows remote attackers to execute arbitrary code via a handshake packet. An exploit for this vulnerability is publicly available. A buffer-overflow vulnerability has been discovered in Kerio Personal Firewall. The problem occurs during the administration authentication process. An attacker could exploit this vulnerability by forging a malicious packet containing an excessive data size. The application then reads this data into a static memory buffer without first performing sufficient bounds checking. Note that this vulnerability affects Kerio Personal Firewall 2.1.4 and earlier. When the administrator connects to the firewall, a handshake is performed to establish an encrypted session. The fourth packet of the handshake (the first packet being sent by the administrator) carries 4 bytes of data, normally the fixed value 0x40 (64), which gives the size of the following packet containing the administrator key. When the firewall side uses recv() to read that following packet, it does not check the declared size against the bounds of its buffer