VARIoT IoT vulnerabilities database


VAR-200301-0017 CVE-2002-1386 Traceroute-Nanog Hostname Buffer Overflow Vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Buffer overflow in traceroute-nanog (aka traceroute-ng) may allow local users to execute arbitrary code via a long hostname argument. Traceroute is a tool that is used to track packets in a TCP/IP network to determine the path of network connections. This vulnerability affects the Traceroute-Nanog program, written for Unix and Linux operating systems. It has been reported that a buffer overflow exists in Traceroute-Nanog. Due to insufficient bounds checking in the Traceroute-Nanog program, a user may execute the program with a hostname of arbitrary length, and cause the overwriting of stack memory within the process. This could result in the execution of attacker-supplied instructions
VAR-200301-0018 CVE-2002-1387 Traceroute-Nanog Spray Buffer Overflow Vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
The spray mode in traceroute-nanog (aka traceroute-ng) may allow local users to overwrite arbitrary memory locations via an array index overflow using the nprobes (number of probes) argument. Traceroute is a tool that is used to track packets in a TCP/IP network to determine the path of network connections. This vulnerability affects the Traceroute-Nanog program, written for Unix and Linux operating systems. It has been reported that a buffer overflow exists in Traceroute-Nanog. Due to insufficient bounds checking in the Traceroute-Nanog program, a user may execute the program with an excessively large number of spray packets and cause the overwriting of stack memory within the process. This could result in the execution of attacker-supplied instructions. The spray mode in traceroute-nanog (also known as traceroute-ng) is the affected component.
VAR-200212-0088 CVE-2002-2139 Cisco PIX Firewall of ISAKMP SA Session hijack vulnerability due to improper handling CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
Cisco PIX Firewall 6.0.3 and earlier, and 6.1.x to 6.1.3, do not delete the duplicate ISAKMP SAs for a user's VPN session, which allows local users to hijack a session via a man-in-the-middle attack. This vulnerability information is a summary of multiple vulnerabilities released at the same time; note that the vulnerability information other than the title covers all of them. By exploiting this issue, a remote attacker can obtain the IP address of a legitimate user and bypass PIX Firewall authentication. For this attack to succeed, the attacker must hold the pre-shared key (group pre-shared key) or group password required for authentication. Please refer to the "Overview" for the impact of this vulnerability. PIX is the firewall system/firmware combination distributed and maintained by Cisco Systems. A vulnerability has been discovered in the handling of VPN sessions by PIX firewalls. When processing initial contact notify messages, PIX does not remove duplicate peer-to-peer ISAKMP SAs. When a user establishes a VPN session and completes peer user authentication, the PIX creates an ISAKMP SA associated with the user and his IP address. If an attacker can prevent a logged-in user from connecting, and use the same IP address as that user to connect to the PIX, the attacker can successfully establish a VPN session through the PIX and gain unauthorized access to the internal network. Cisco assigned this vulnerability Bug ID CSCdv83490.
VAR-200212-0089 CVE-2002-2140 Cisco PIX Firewall In HTTP Authentication buffer overflow vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Buffer overflow in Cisco PIX Firewall 5.2.x to 5.2.8, 6.0.x to 6.0.3, 6.1.x to 6.1.3, and 6.2.x to 6.2.1 allows remote attackers to cause a denial of service via HTTP traffic authentication using (1) TACACS+ or (2) RADIUS. Cisco has reported a vulnerability in its PIX Firewall devices. A buffer overrun condition exists in the HTTP RADIUS/TACACS+ proxy component. The condition occurs when the PIX device processes a specially malformed request. Further technical details are not known at this time. Exploitation of this vulnerability may lead to code execution on target devices. It may also be possible to cause a denial of service, resulting in a network outage until the device is reset. The Cisco PIX firewall provides enterprise-level security services, including a stateful inspection firewall, IPSEC, VPN, intrusion detection and other functions. The HTTP RADIUS/TACACS+ proxy component of the Cisco PIX firewall does not correctly process malformed user requests. Remote attackers can exploit this vulnerability to carry out buffer overflow attacks and cause the device to restart. Users who initiate a connection via FTP, TELNET, or HTTP are prompted to enter their username and password. If the username and password are verified by the specified TACACS+ or RADIUS authentication server, the PIX firewall's "cut-through proxy" function allows further communication to take place between the authentication server and the connecting side. Cisco assigned this vulnerability Bug ID CSCdx35823.
VAR-200211-0060 CVE-2002-1312 Multiple Linksys Device Password Field Buffer Overflow Vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Buffer overflow in the Web management interface in Linksys BEFW11S4 wireless access point router 2 and BEFSR11, BEFSR41, and BEFSRU31 EtherFast Cable/DSL routers with firmware before 1.43.3 with remote management enabled allows remote attackers to cause a denial of service (router crash) via a long password. Linksys has developed a variety of broadband router devices, including the BEFW11S4 and BEFSRU31, all of which include web management interfaces. The router's web management interface incorrectly handles long passwords. Remote attackers can use this vulnerability to perform buffer overflow attacks and crash the device. An attacker can submit a request whose password field contains a long string to the router's web management interface. When the device attempts to process this malformed input, it can crash, and a restart is needed to resume normal function. The remote management interface is not enabled by default. Multiple Linksys devices lack proper handling of very long GET requests. Because the device does not adequately allocate memory buffers, an attacker can exploit this vulnerability by sending a very long GET request to a vulnerable Linksys device. Rebooting the device is necessary to restore functionality. This may allow an attacker to change configuration information on the vulnerable device.
VAR-200212-0002 CVE-2002-1272 Alcatel Operating System (AOS) does not require a password for accessing the telnet server CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Alcatel OmniSwitch 7700/7800 switches running AOS 5.1.1 contain a back door telnet server that was intended for development but not removed before distribution, which allows remote attackers to gain administrative privileges. This gives anyone access to the OmniSwitch's Vx-Works operating system without requiring a password. Alcatel OmniSwitch 7700/7800 switches running Alcatel Operating System (AOS) version 5.1.1 leave a telnet server port (6778/TCP) that was used during development available for continued use. Through this telnet service, the OmniSwitch's Vx-Works operating system can be accessed without a password. A third party could remotely gain control of the vulnerable device, with consequences such as unauthorized access, unauthorized monitoring, information leakage, and denial-of-service (DoS) attacks. The OmniSwitch 7700/7800 LAN switch runs the Alcatel Operating System (AOS). This service is used to access the Wind River Vx-Works operating system during the development phase, but it was not removed before the product was released. Attackers can use this service to control the entire system. AOS is distributed and maintained by Alcatel. It has been discovered that an unintended back door is built into some releases of AOS.
VAR-200303-0039 CVE-2002-1547 NetScreen Secure Command Shell (SCS) denial-of-service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Netscreen running ScreenOS 4.0.0r6 and earlier allows remote attackers to cause a denial of service via a malformed SSH packet to the Secure Command Shell (SCS) management interface, as demonstrated via certain CRC32 exploits, a different vulnerability than CVE-2001-0144. The Secure Command Shell service on NetScreen firewall products contains a remotely exploitable denial-of-service vulnerability. The vulnerability exists in Netscreen running ScreenOS 4.0.0r6 and earlier
VAR-200211-0078 No CVE Linksys Router is not authorized to manage access vulnerabilities CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The Linksys router is a router for small and medium businesses. Linksys routers have security issues that can be exploited by remote attackers to access Linksys routers to view and change configuration data. During the initialization phase of the client and Linksys router management service program (internal interface TCP port 8080), the program incorrectly processes the XML-related data submitted by the client. This may allow an attacker using the Lynx browser to connect to the internal management interface and, when a mailcap entry exists for "application/foo.xml", bypass administrative access authentication and view and change router configuration data without a password. It is still unclear why the vulnerability occurs. Reportedly, the authentication mechanism can be bypassed by requesting a .XML page. This feature is required for UPnP functionality but is not disabled when UPnP support is disabled. This is due to a flaw in the firmware when parsing requests for .XML pages. It has also been reported that firmware revision 1.43.3 only partially fixes this vulnerability.
VAR-200211-0076 No CVE Buffalo AirStation Pro Intelligent Access Device Port 80 Denial of Service Attack Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Buffalo AirStation Pro Intelligent Access Point is a wireless access device. The Buffalo AP handles malformed HTTP GET requests incorrectly, and remote attackers can exploit this vulnerability for denial of service attacks. Scanning the Buffalo AP with Nmap, or manually connecting to port 80 on the AP and submitting a malformed GET request (for example, a request with a space after the GET), can cause the Buffalo AP to restart and stop responding to normal communication. It is possible to trigger this condition by sending certain types of data to port 80 on the device. This condition has been reproduced with a port scanner with version grabbing functionality and via a manual connection using telnet. It is believed that this condition may be caused by a malformed HTTP GET request. Other versions or models may be affected.
VAR-200212-0651 CVE-2002-1364 Traceroute-nanog Local Buffer Overflow Vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Buffer overflow in the get_origin function in traceroute-nanog allows attackers to execute arbitrary code via long WHOIS responses. A vulnerability has been discovered in Traceroute-nanog. It has been reported that Traceroute-nanog contains a buffer overflow condition. The overflow occurs in the 'get_origin()' function in the 'traceroute.c' file. Due to insufficient bounds checking performed by the whois parser, it may be possible to cause 'get_origin()' to corrupt memory on the system stack. This vulnerability can be exploited by an attacker to gain root privileges on a target host. Traceroute-nanog is an open source route tracing program which can perform DNS resolution on each hop and obtain information such as the administrator's e-mail address. The 'get_origin()' function in Traceroute-nanog's 'traceroute.c' file lacks proper buffer bounds checking; a local attacker can exploit this vulnerability for a heap-based buffer overflow, and carefully constructed data can obtain root user privileges. When the get_origin() function in 'traceroute.c' is called, its stack layout is as follows:

    char buf[256] tmp4[100] tmp3[100] tmp2[100] tmp1[100] EBP EIP
    [bbbbbbbbbbbbbbbbb44444444433333333332222222222111111111BBBBIIII] -> 0xbfffffff

There is an 8K buffer named 'reply' in the heap, which is used to store the response from the server. Through repeated read(2) calls, data is read 256 bytes at a time into the buf[] array and appended to the 'reply[]' buffer, but there is no sufficient boundary check when writing the buffer. When it is parsed by the get_origin() function a buffer overflow is triggered, and carefully constructed data can execute arbitrary instructions on the system with root privileges.
VAR-200212-0158 CVE-2002-1985 Incognito Systems ISMTP Gateway Remote buffer overflow vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
iSMTP 5.0.1 allows remote attackers to cause a denial of service via a long "MAIL FROM" command, possibly triggering a buffer overflow. A buffer overflow vulnerability has been reported for iSMTP Gateway. The vulnerability occurs due to inappropriate bounds checking when processing user-supplied input. An attacker can exploit this vulnerability by sending an overly long command to the vulnerable system. When the system receives this input it will crash. Code execution may be possible, however this has not been confirmed. iSMTP Gateway is mail gateway software developed by Incognito Systems, running on the Banyan VINES operating system. Carefully crafted data may execute arbitrary commands with the privileges of the iSMTP process, although this has not been proven.
VAR-200212-0717 CVE-2002-2393 SolarWinds Serv-U File Server Input validation error vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Serv-U FTP server 3.0, 3.1 and 4.0.0.4 does not accept new connections while validating user folder access rights, which allows remote attackers to cause a denial of service (no new connections) via a series of MKD commands. A denial of service vulnerability has been reported for Serv-U FTP server. The vulnerability is a result of Serv-U FTP Server processing certain commands. When the Serv-U server receives a MKD command it attempts to verify whether the user that issued the command has sufficient rights. When performing this verification, it will not accept any more connections. An attacker that issues many such commands will prevent the server from accepting connections for an indefinite period of time thus creating the denial of service condition
VAR-200212-0086 CVE-2002-2137 GlobalSunTech Access Point Information Disclosure Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
GlobalSunTech Wireless Access Points (1) WISECOM GL2422AP-0T, and possibly OEM products such as (2) D-Link DWL-900AP+ B1 2.1 and 2.2, (3) ALLOY GL-2422AP-S, (4) EUSSO GL2422-AP, and (5) LINKSYS WAP11-V2.2, allow remote attackers to obtain sensitive information like WEP keys, the administrator password, and the MAC filter via a "getsearch" request to UDP port 27155. An information disclosure vulnerability has been discovered in GlobalSunTech access points. It has been reported that a remote attacker is able to retrieve sensitive information from vulnerable access points, including AP login credentials. Information gained by exploiting this vulnerability may allow an attacker to launch further attacks against the target network. It should be noted that this vulnerability was reported for a WISECOM GL2422AP-0T access point. Devices that use Global Sun Technology access points may be affected by this issue. It has been determined that D-Link DI-614+ and SMC Barricade 7004AWBR access points are not affected by this issue. It has been reported that Linksys WAP11-V2.2 is prone to this issue, but to a lesser extent
VAR-200211-0055 CVE-2002-1265 Multiple Sun RPC-based libc implementations fails to provide time-out mechanism when reading data from TCP connections CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Sun RPC functionality in multiple libc implementations does not provide a time-out mechanism when reading data from TCP connections, which allows remote attackers to cause a denial of service (hang). A denial-of-service vulnerability exists in multiple vendors' Sun RPC-based libc implementations. A denial of service condition is reported to occur when data is read from a TCP connection. As a result, remote attackers may cause some services and daemons to hang. No detailed description of the vulnerability is currently available. Link: http://www.kb.cert.org/vuls/id/266817
VAR-200211-0077 No CVE Multi-vendor wireless access point remote information disclosure vulnerability CVSS V2: -
CVSS V3: -
Severity: -
GlobalSunTech develops a variety of OEM wireless access point devices sold under the Linksys, D-Link, and other brands. A variety of wireless access point devices developed by GlobalSunTech incorrectly process some broadcast requests. Remote attackers can use this vulnerability to obtain sensitive information contained in the device, including administrator passwords. An attacker can send a broadcast packet containing the "gstsearch" string to UDP port 27155 of the wireless access point device, which causes the device to return sensitive information including WEP keys, MAC filtering settings, and administrator passwords. Attackers can use this information to further attack and control the device.
VAR-200212-0296 CVE-2002-1865 Remote Denial of Service Attack Vulnerability in HTTP Servers Embedded in Wireless Access Points from Multiple Vendors CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Buffer overflow in the Embedded HTTP server, as used in (1) D-Link DI-804 4.68, Dl-704 V2.56b6, and Dl-704 V2.56b5 and (2) Linksys Etherfast BEFW11S4 Wireless AP + Cable/DSL Router 1.37.2 through 1.42.7 and Linksys WAP11 1.3 and 1.4, allows remote attackers to cause a denial of service (crash) via a long header, as demonstrated using the Host header. HTTP service programs are embedded in wireless access point devices from multiple vendors. The embedded HTTP service program in the wireless access point devices of multiple manufacturers does not handle long HTTP requests correctly. Remote attackers can use this vulnerability to conduct denial of service attacks on wireless access devices. An attacker can send a malformed HTTP request with an overly long Host: field, which can cause the device to stop responding to normal communications and cause a denial of service. A device restart is required to restore normal functionality. Although not confirmed, the cause is likely a buffer overflow, and there may be an opportunity to execute arbitrary instructions on the system with the permissions of the web process. An attacker can exploit this vulnerability to cause the device to stop functioning. Although not yet confirmed, it has been speculated that this issue is the result of a buffer overflow.
VAR-200303-0050 CVE-2002-1555 Cisco ONS15454/ONS15327 Optical fiber transmission platform SNMP Community string vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco ONS15454 and ONS15327 running ONS before 3.4 use a "public" SNMP community string that cannot be changed, which allows remote attackers to obtain sensitive information. Cisco ONS15454 and Cisco ONS15327 are fiber optic network platforms developed by Cisco. The Cisco Bug ID of this vulnerability is CSCdv62307. Link: http://www.cisco.com/warp/public/707/ons-multiple-vuln-pub.shtml
VAR-200303-0051 CVE-2002-1556 Cisco ONS15454/ONS15327 Optical fiber transmission platform CORBA IOR Remote Denial of Service Attack Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco ONS15454 and ONS15327 running ONS before 3.4 allow attackers to cause a denial of service (reset) via an HTTP request to the TCC, TCC+ or XTC, in which the request contains an invalid CORBA Interoperable Object Reference (IOR). A vulnerability has been discovered in Cisco ONS15454 Optical Transport and Cisco ONS15327 Edge Optical Transport platforms. Exploiting this issue will result in the denial of legitimate network requests to the TCC, TCC+, or XTC control card. The Cisco ONS15454 and Cisco ONS15327 have an issue with illegal CORBA IOR requests. A remote attacker can exploit this vulnerability to reset the device, resulting in a denial of service. The Cisco Bug ID of this vulnerability is CSCdw15690. Link: http://www.cisco.com/warp/public/707/ons-multiple-vuln-pub.shtml
VAR-200303-0052 CVE-2002-1557 Cisco ONS15454/ONS15327 Optical fiber transmission platform HTTP Request Remote Denial of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco ONS15454 and ONS15327 running ONS before 3.4 allow attackers to cause a denial of service (reset to TCC, TCC+, TCCi or XTC) via a malformed HTTP request that does not contain a leading / (slash) character. An attacker must be able to establish an HTTP connection to the control card in order to exploit this vulnerability. Cisco ONS15454 and Cisco ONS15327 are fiber optic network platforms developed by Cisco. The Cisco ONS15454 and Cisco ONS15327 devices do not process malformed HTTP requests correctly. The Cisco Bug ID of this vulnerability is CSCdx82962. Link: http://www.cisco.com/warp/public/707/ons-multiple-vuln-pub.shtml
VAR-200303-0053 CVE-2002-1558 Cisco ONS15454 / ONS15327 Fibre Transport Platform Default Account Vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Cisco ONS15454 and ONS15327 running ONS before 3.4 have an account for the VxWorks Operating System in the TCC, TCC+ and XTC that cannot be changed or disabled, which allows remote attackers to gain privileges by connecting to the account via Telnet. Cisco ONS15454 and Cisco ONS15327 are optical fiber network platforms developed by Cisco. Cisco ONS 15454 and Cisco ONS 15327 devices have default accounts. Remote attackers can use this vulnerability to gain unauthorized access and take complete control of the device. The TCC, TCC+ and XTC contain a default username and password. This account can be used to access the VxWorks operating system, and it cannot be changed or disabled. Using this account, an attacker can remotely access the device through the Telnet service and take complete control of it. The Cisco Bug ID of this vulnerability is CSCdy70756.