VARIoT IoT vulnerabilities database

The Linksys router is a router for small and medium businesses. Linksys routers have security issues that can be exploited by remote attackers to access Linksys routers to view and change configuration data. During the initialization phase of the client and Linksys router management service program (internal interface TCP port 8080), the program incorrectly processes the XML-related data submitted by the client, which may cause an attacker to use the Lynx browser to connect to the internal management interface, and when \"application/ When there is a mailcap entry in foo.xml\", administrative access authentication can be bypassed without password viewing and changing router configuration data. It is still unclear why the vulnerability occurred. Reportedly, the authentication mechanism can be bypassed by requesting a .XML page. This feature is required for UPnP functionality but is not disabled when UPnP support is disabled. This is due to a flaw in the firmware when parsing requests for .XML pages. It has also been reported that firmware revision 1.43.3 only partially fixes this vulnerability

The Buffalo AirStation Pro Intelligent Access Point is a wireless access device. The Buffalo AP handles malformed HTTP GET requests incorrectly, and remote attackers can exploit this vulnerability for denial of service attacks. Use Nmap to scan the Buffalo AP, or manually connect to the AP 80 port and submit a malformed GET request. For example, a request with a space after the GET can cause the Buffalo AP to restart and stop responding to normal communication. It is possible to trigger this condition by sending certain types of data to port 80 on the device. This condition has been reproduced with a portscanner with version grabbing functionality and via a manual connection using telnet. It is believed that this condition may be caused with a malformed HTTP GET request. Other versions or models may be affected

Buffer overflow in the get_origin function in traceroute-nanog allows attackers to execute arbitrary code via long WHOIS responses. A vulnerability has been discovered in Traceroute-nanog. It has been reported that Traceroute-nanog contains a buffer overflow condition. The overflow occurs in the 'get_origin()' function in the 'traceroute.c' file. Due to insufficient bounds checking performed by the whois parser, it may be possible to cause 'get_origin()' to corrupt memory on the system stack. This vulnerability can be exploited by an attacker to gain root privileges on a target host. Traceroute-nanog is an open source routing tracking information search program, which can perform DNS resolution on each hop, and obtain information such as the administrator's EMAIL address. The \'\'traceroute.c\'\' file in Traceroute-nanog's \'\'get_origin()\'\' function lacks proper bounds buffer checking, a local attacker can exploit this vulnerability for heap-based buffering Area overflow, careful construction of submitted data can obtain root user privileges. \'\'traceroute.c\'\' When the get_origin() function is called in the file, its stack status is as follows: char buf[256] tmp4[100] tmp3[100] tmp2[100] tmp1[100] EBP EIP [bbbbbbbbbbbbbbbbb44444444433333333332222222222111111111BBBBIIII] -> 0xbfffffff There is an 8K buffer named \'\'reply\'\' in the heap, which is used to store the response from the server. Through continuous read(2) calls, 256 The byte data is read into the buf[] array and connected to the \'\'reply[]\'\' buffer, but there is no sufficient boundary check when writing the buffer, and it is parsed by the get_origin() function When a buffer overflow is triggered, carefully constructed and submitted data can execute arbitrary instructions on the system with ROOT privileges

iSMTP 5.0.1 allows remote attackers to cause a denial of service via a long "MAIL FROM" command, possibly triggering a buffer overflow. A buffer overflow vulnerability has been reported for iSMTP Gateway. The vulnerability occurs due to inappropriate bounds checking when processing user-supplied input. An attacker can exploit this vulnerability by sending an overly long command to the vulnerable system. When the system receives this input it will crash. It may be possible that code execution may be possible, however, this has not been confirmed. iSMTP Gateway is a mail gateway software developed by Incognito System, running on the Banyan VINES operating system. Carefully crafted submission data may execute arbitrary commands with the privileges of the iSMTP process, although this has not been proven

Serv-U FTP server 3.0, 3.1 and 4.0.0.4 does not accept new connections while validating user folder access rights, which allows remote attackers to cause a denial of service (no new connections) via a series of MKD commands. A denial of service vulnerability has been reported for Serv-U FTP server. The vulnerability is a result of Serv-U FTP Server processing certain commands. When the Serv-U server receives a MKD command it attempts to verify whether the user that issued the command has sufficient rights. When performing this verification, it will not accept any more connections. An attacker that issues many such commands will prevent the server from accepting connections for an indefinite period of time thus creating the denial of service condition

GlobalSunTech Wireless Access Points (1) WISECOM GL2422AP-0T, and possibly OEM products such as (2) D-Link DWL-900AP+ B1 2.1 and 2.2, (3) ALLOY GL-2422AP-S, (4) EUSSO GL2422-AP, and (5) LINKSYS WAP11-V2.2, allow remote attackers to obtain sensitive information like WEP keys, the administrator password, and the MAC filter via a "getsearch" request to UDP port 27155. An information disclosure vulnerability has been discovered in GlobalSunTech access points. It has been reported that a remote attacker is able to retrieve sensitive information from vulnerable access points, including AP login credentials. Information gained by exploiting this vulnerability may allow an attacker to launch further attacks against the target network. It should be noted that this vulnerability was reported for a WISECOM GL2422AP-0T access point. Devices that use Global Sun Technology access points may be affected by this issue. It has been determined that D-Link DI-614+ and SMC Barricade 7004AWBR access points are not affected by this issue. It has been reported that Linksys WAP11-V2.2 is prone to this issue, but to a lesser extent

The Sun RPC functionality in multiple libc implementations does not provide a time-out mechanism when reading data from TCP connections, which allows remote attackers to cause a denial of service (hang). A denial-of-service vulnerability exists in multiple vendor Sun RPC-based libc implementations. A denial of service condition is reported to occur when data is read from a TCP connection. As a result, remote attackers may cause some services and daemons to hang. There is currently no detailed description of the vulnerability details. < *Link: http://www.kb.cert.org/vuls/id/266817* >

GlobalSunTech develops a variety of OEM wireless access point devices such as Linksys, D-Link, and other products.  A variety of wireless access point devices developed by GlobalSunTech have incorrectly processed some broadcast requests. Remote attackers can use this vulnerability to obtain sensitive information contained in the device, including administrator passwords.  An attacker can send a broadcast packet containing the "gstsearch" string to the UDP port 27155 of the wireless access point device, which can cause the device to return sensitive information including WEB keys, MAC filtering, and administrator passwords. Attackers can use this information to further attack and control the device.

Buffer overflow in the Embedded HTTP server, as used in (1) D-Link DI-804 4.68, Dl-704 V2.56b6, and Dl-704 V2.56b5 and (2) Linksys Etherfast BEFW11S4 Wireless AP + Cable/DSL Router 1.37.2 through 1.42.7 and Linksys WAP11 1.3 and 1.4, allows remote attackers to cause a denial of service (crash) via a long header, as demonstrated using the Host header. HTTP service programs are embedded in wireless access point devices from multiple vendors.  The embedded HTTP service program in the wireless access point devices of multiple manufacturers does not handle the long HTTP requests correctly. Remote attackers can use this vulnerability to conduct denial of service attacks on wireless access devices.  An attacker can send a malformed HTTP request that contains the Host: field with too many strings, which can cause the device to stop responding to normal communications and cause a denial of service. A device restart is required to restore normal functionality.  Although not confirmed, it should be caused by a buffer overflow, and there may be an opportunity to execute arbitrary instructions on the system with the permissions of the WEB process. An attacker can exploit this vulnerability to cause the device to stop functioning. Although not yet confirmed, it has been speculated that this issue is a result of a buffer overflow

Cisco ONS15454 and ONS15327 running ONS before 3.4 uses a "public" SNMP community string that cannot be changed, which allows remote attackers to obtain sensitive information. Cisco ONS15454 and Cisco ONS15327 are fiber optic network platforms developed by CISCO. The CISCO BUG ID of this vulnerability is: CSCdv62307 <* link: http://www.cisco.com/warp/public/707/ons-multiple-vuln-pub.shtml *>

Cisco ONS15454 and ONS15327 running ONS before 3.4 allows attackers to cause a denial of service (reset) via an HTTP request to the TCC, TCC+ or XTC, in which the request contains an invalid CORBA Interoperable Object Reference (IOR). A vulnerability has been discovered in Cisco ONS1545 Optical Transport and Cisco ONS15327 Edge Optical Transport platforms. Exploiting this issue will result in the denial of legitimate network requests to the TCC, TCC+, or XTC control card. The Cisco ONS15454 and Cisco ONS15327 have an issue with illegal CORBA IOR requests. A remote attacker can exploit this vulnerability to reset the device, resulting in a denial of service. The CISCO BUG ID of this vulnerability is: CSCdw15690 <* link: http://www.cisco.com/warp/public/707/ons-multiple-vuln-pub.shtml *>

Cisco ONS15454 and ONS15327 running ONS before 3.4 allows attackers to cause a denial of service (reset to TCC, TCC+, TCCi or XTC) via a malformed HTTP request that does not contain a leading / (slash) character. An attacker must be able to establish an HTTP connection to the control card in order to exploit this vulnerability. Cisco ONS15454 and Cisco ONS15327 are fiber optic network platforms developed by CISCO. The Cisco ONS15454 and Cisco ONS15327 devices do not process malformed HTTP requests correctly. The CISCO BUG ID of this vulnerability is: CSCdx82962 < *Link: http://www.cisco.com/warp/public/707/ons-multiple-vuln-pub.shtml* >

Cisco ONS15454 and ONS15327 running ONS before 3.4 have an account for the VxWorks Operating System in the TCC, TCC+ and XTC that cannot be changed or disabled, which allows remote attackers to gain privileges by connecting to the account via Telnet. Cisco ONS15454 and Cisco ONS15327 are optical fiber network platforms developed by CISCO.  Cisco ONS 15454 and Cisco ONS 15327 devices have default accounts. Remote attackers can use this vulnerability to gain unauthorized access and take complete control of the device.  TCC, TCC + and XTC contain a default username and password. This account can be used to access the VxWorks operating system, and this account cannot be changed or closed. Using this account, an attacker can remotely access through the Telnet service and take complete control of the device.  The vulnerability CISCO BUG ID is: CSCdy70756

The remote management web server for Linksys BEFSR41 EtherFast Cable/DSL Router before firmware 1.42.7 allows remote attackers to cause a denial of service (crash) via an HTTP request to Gozila.cgi without any arguments. Linksys EtherFast Cable / DSL routers is a small four-port router designed to optimize the use of DSL or Cable connections.  BEFSR41 contains a WEB interface that can be used to manage the configuration, which includes the Gozila.cgi script, but if the Gozila.cgi script is requested without submitting any parameters, it can cause BEFSR41 to crash and stop responding to normal requests. Linksys BEFSR41 is vulnerable to a denial of service condition. The denial of service condition will be triggered when the device receives a request for the script file 'Gozila.cgi' without any parameters

SQL injection vulnerability in PHP-Nuke before 6.0 allows remote authenticated users to modify the database and gain privileges via the "bio" argument to modules.php. A SQL injection vulnerability has been reported for PHP-Nuke 5.6. The vulnerability is due to insufficient sanitization of variables used to construct SQL queries in some scripts. It is possible to modify the logic of SQL queries through malformed query strings in requests for the vulnerable script. By injecting SQL code into variables, it may be possible for an attacker to corrupt database information. PHP-Nuke is a website creation and management tool that can use many database software as the backend, such as MySQL, PostgreSQL, mSQL, Interbase, Sybase, etc. An attacker can bypass the reference by inserting \'\'\\'\' in the \"bio\" field, resulting in SQL injection. The following operations can modify the password of any PHP-NUKE user to \"1\"

Cisco ONS15454 and ONS15327 running ONS before 3.4 allows remote attackers to modify the system configuration and delete files by establishing an FTP connection to the TCC, TCC+ or XTC using a username and password that does not exist. It is possible for attackers to authenticate to FTP services on TCC, TCC+ and XTC control cards using a non-existent username/password. Unauthorized FTP access will enable an attacker to upload modified configuration files or delete software images. To exploit this issue, the attacker must be able to access the FTP services on TCC, TCC+ and XTC control cards. Cisco ONS15454 and Cisco ONS15327 are fiber optic network platforms developed by CISCO. There is a flaw in the FTP service implementation of Cisco ONS15454 and Cisco ONS15327 devices. The CISCO BUG ID of this vulnerability is: CSCds52295 < *Link: http://www.cisco.com/warp/public/707/ons-multiple-vuln-pub.shtml* >

Cisco ONS15454 and ONS15327 running ONS before 3.4 stores usernames and passwords in cleartext in the image database for the TCC, TCC+ or XTC, which could allow attackers to gain privileges by obtaining the passwords from the image database or a backup. An attacker with access to the backup of the running image database may trivially retrieve these credentials. Cisco ONS15454 and Cisco ONS15327 are fiber optic network platforms developed by CISCO. Cisco ONS15454 and Cisco ONS15327 devices store user names and passwords in clear text in the backup database. Remote attackers can use this vulnerability to obtain relevant user authentication information, such as administrator passwords, and use these information to access and fully control the Cisco ONS system platform. The CISCO BUG ID of this vulnerability is: CSCdt84146 < *Link: http://www.cisco.com/warp/public/707/ons-multiple-vuln-pub.shtml* >

Unknown vulnerability in the hosting process (dllhost.exe) for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allows remote attackers to gain privileges by executing an out of process application that acquires LocalSystem privileges, aka "Out of Process Privilege Elevation.". Microsoft IIS In IIS When running an application as part of a different process than Web What should be executed with the rights of the application manager System There is a design flaw that can be executed with privileges.System An arbitrary code may be executed with authority. A vulnerability has been reported for Microsoft IIS that may allow an attacker to obtain elevated privileges. This vulnerability can be exploited by an attacker to load and execute applications on the vulnerable server with SYSTEM level privileges. This vulnerability can exploited when IIS is configured to run applications out of process by modifying the memory space of the dllhost.exe process. This vulnerability was originally described in BugTraq ID 6068. It is now being assigned its own BugTraq ID

NetDSL ADSL Modem 800 with Microsoft Network firmware 5.5.11 allows remote attackers to gain access to configuration menus by sniffing undocumented usernames and passwords from network traffic. A weakness has been discovered in NetDSL-800 router firmware. It has been reported that NetDSL-800 firmware, configured by certain Internet Service Providers(ISP), contains undocumented users. It is possible to obtain a target devices undocumented username and password using a network sniffer and the Arescom NetDSL Remote Manager. Access via undocumented accounts may allow attackers to corrupt configuration settings or cause a denial of service. It should be noted that all firmware configurations may not contain undocumented users. Firmware configured by the MSN ISP has been reported vulnreable. It should also be noted that it has not yet been confirmed whether unique username and passwords are generated for each device. Arescom NetDSL-800 is a pluggable, easy-to-use ADSL MODEM. There are undisclosed accounts in the NetDSL-800 firmware provided by some ISPs. There are undisclosed usernames and passwords in the NetDSL-800 firmware preset by MSN ISP, which can make, change settings, or conduct denial of service attacks

SonicWall Content Filtering allows local users to access prohibited web sites via requests to the web site's IP address instead of the domain name. SonicWall Content Filtering software is designed for use with SonicWall Appliances. It has been reported that the SonicWall Content Filtering software does not sufficiently check addresses when requests are made. Because of this, it would be possible for a user behind the system to reach a restricted-access site by requesting the site on the basis of IP addresses. A remote attacker could exploit this vulnerability to bypass content inspection and access otherwise restricted sites