VARIoT IoT vulnerabilities database

Cayman 3220-H DSL Router 1.0 allows remote attacker to cause a denial of service (crash) via a series of SYN or TCP connect requests. Cayman gateways are vulnerable to a denial of service

Scripting.FileSystemObject in asp.dll for Microsoft IIS 4.0 and 5.0 allows local or remote attackers to cause a denial of service (crash) via (1) creating an ASP program that uses Scripting.FileSystemObject to open a file with an MS-DOS device name, or (2) remotely injecting the device name into ASP programs that internally use Scripting.FileSystemObject. Microsoft IIS is prone to denial of service attacks by local users. This issue is exploitable if the local attacker can create an .asp file which makes calls to various devices names. The local attacker must of course possess the privileges required to create such files. The end result of exploiting this vulnerability is that the server will crash and a denial of services will occur. The affected services must be restarted to regain normal functionality

Check Point VPN-1/FireWall-1 4.1 base.def contains a default macro, accept_fw1_rdp, which can allow remote attackers to bypass intended restrictions with forged RDP (internal protocol) headers to UDP port 259 of arbitrary hosts. Check Point VPN-1/FireWall-1 version 4.0 & 4.1 may allow an intruder to pass traffic through the firewall on port 259. It is designed to work on various operating systems, both as a single firewall or as a firewall cluster system. A problem has been discovered with the firewall that allows traversal. It is possible for a remote user to pass packets across the firewall via port 259 by using false RDP headers on UDP packets. This makes it possible for remote users to gain access to restricted information systems

Apple Personal Web Sharing (PWS) 1.1, 1.5, and 1.5.5, when Web Sharing authentication is enabled, allows remote attackers to cause a denial of service via a long password, possibly due to a buffer overflow. Upon attempting to authenticate to the file server with 300 or more characters, the file-sharing system will stop responding. The vulnerability may be attributed to a buffer overflow vulnerability

nidump on MacOS X before 10.3 allows local users to read the encrypted passwords from the password file by specifying passwd as a command line argument. A vulnerability exists in all versions of Apple MacOS X. It has been found to contain a vulnerability which could allow disclosure of passwords and other sensitive system information. nidump is a Mac OS X system data extraction utility which can be used to read the contents of the NetInfo database. This utility's default file permissions leave this utility available to any local user at the command line. However, hosts with a network nidomain may be vulnerable to remote exploitation of this issue. This is possible if remote tags are used for nidump. It should also be noted that both portmap and netinfobind must be listening on the target host for this issue to be exploited. The output of the nidump command can reveal the list of usernames and passwords in clear text. An attacker could then use this list to log in as a user with administrative priveleges

Apple MacOS X 10.0 and 10.1 allow a local user to read and write to a user's desktop folder via insecure default permissions for the Desktop when it is created in some languages. A vulnerability exists in versions of Apple MacOS X. Due to a misconfiguration of file permissions, the destop folder belonging to a given user is by default world-readable/writable. If the folder's permissions are not manually reset, arbitrary users can read from and write to any files in this location. In addition to the potential loss of confidentiality and integrity of this data, if this folder contains security-sensitive information such as usernames, passwords or configuration information, a hostile user may be able to exploit it and further undermine the security of the host. Note that some users have reported MacOS X 10.0.4 systems which do not exhibit this vulnerability. Etaoin Shrdlu <shrdlu@deaddrop.org> notes that this issue may be applicable to accounts created during the Max OS X beta test period: "Sounds like the problem accounts were upgrades from beta versions. If you are running an upgrade from a beta, then you might want to take a second look. Fresh installs seem to be just fine." An attempt has been made to fix this issue in MacOS X 10.1. This includes the admin account if permissions are not changed manually before the upgrade

Microsoft IIS 4.0 and before, when installed on a FAT partition, allows a remote attacker to obtain source code of ASP files via a URL encoded with Unicode. A flaw exists in the handling of .asp requests. Typically when a request is made for an .asp file, IIS will identify that it is a script and run it as such

Buffer overflow in Microsoft Visual Studio RAD Support sub-component of FrontPage Server Extensions allows remote attackers to execute arbitrary commands via a long registration request (URL) to fp30reg.dll. A host running IIS 4.0, could allow the execution of arbitrary commands in the SYSTEM context

SNMP service in Atmel 802.11b VNET-B Access Point 1.3 and earlier, as used in Netgear ME102 and Linksys WAP11, accepts arbitrary community strings with requested MIB modifications, which allows remote attackers to obtain sensitive information such as WEP keys, cause a denial of service, or gain access to the network. Atmel is a chip design and manufacturing firm that provides various RF-based products to corporate consumers. Atmel manufactures firmware for various wireless access systems. It is possible to gain SNMP access to some wireless access points that use the Atmel chipset and firmware. These systems do not use sufficient access control, and allow reading/writing of MIB data with any community password. This makes it possible for a remote user to gain access to sensitive information, and potentially launch an information gathering attack

Reliant Unix 5.44 and earlier allows remote attackers to cause a denial of service via an ICMP port unreachable packet, which causes Reliant to drop all connections to the source address of the packet. Reliant UNIX is prone to a denial-of-service vulnerability

Cisco TFTP server 1.1 allows remote attackers to read arbitrary files via a ..(dot dot) attack in the GET command. The Cisco TFTPD server is a freely available software package distributed and maintained by Cisco Systems. The software package is designed to give Microsoft Windows systems the ability to serve files via the Trivial File Transfer Protocol (TFTP). It is possible to gain access to sensitive files on a system using the affect software. By issuing a dot-dot-slash (../) request to the server, any file on the system may be downloaded. This makes it possible for attackers to gain access to arbitrary files, and potentially sensitive information. CVE(CAN) ID: CAN-2001-0783 Cisco TFTP server is a tftp server developed by Cisco. Its version 1.1 has a directory traversal vulnerability. It is possible to download any file on the target host just by prefixing the filename with some \"../\"

Cisco IP Phones 7902/7905/7912, ATA 186/188, Unity Express, ACNS, and Subscriber Edge Services Manager (SESM) allows remote attackers to cause a denial of service (crash or instability) via a compressed DNS packet with a label length byte with an incorrect offset. Incorrect decoding of malformed DNS packets causes certain DNS implementations to hang or crash. Multiple DNS vendors are susceptible to a remote denial-of-service vulnerability. This issue affects both DNS servers and clients. This issue arises when an affected application handles a specially crafted DNS message. A successful attack would crash the affected client or server. ---------------------------------------------------------------------- Bist Du interessiert an einem neuen Job in IT-Sicherheit? Secunia hat zwei freie Stellen als Junior und Senior Spezialist in IT- Sicherheit: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: Cisco Various Products Compressed DNS Messages Denial of Service SECUNIA ADVISORY ID: SA15472 VERIFY ADVISORY: http://secunia.com/advisories/15472/ CRITICAL: Less critical IMPACT: DoS WHERE: >From remote OPERATING SYSTEM: Cisco ATA 180 Series Analog Telephone Adaptors http://secunia.com/product/2810/ SOFTWARE: Cisco IP Phone 7900 Series http://secunia.com/product/2809/ Cisco ACNS Software Version 5.x http://secunia.com/product/2268/ Cisco ACNS Software Version 4.x http://secunia.com/product/2269/ Cisco Unity Express 2.x http://secunia.com/product/5151/ DESCRIPTION: A vulnerability has been reported in various Cisco products, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the DNS implementation during the decompression of compressed DNS messages and can be exploited via a specially crafted DNS packet containing invalid information in the compressed section. Successful exploitation crashes a vulnerable device or causes it to function abnormally. The vulnerability affects the following products: * Cisco IP Phones 7902/7905/7912 * Cisco ATA (Analog Telephone Adaptor) 186/188 * Cisco Unity Express The following Cisco ACNS (Application and Content Networking System) devices are also affected: * Cisco 500 Series Content Engines * Cisco 7300 Series Content Engines * Cisco Content Routers 4400 series * Cisco Content Distribution Manager 4600 series * Cisco Content Engine Module for Cisco 2600, 2800, 3600, 3700, and 3800 series Integrated Service Routers. SOLUTION: See patch matrix in vendor advisory for information about fixes. http://www.cisco.com/warp/public/707/cisco-sn-20050524-dns.shtml#software PROVIDED AND/OR DISCOVERED BY: NISCC credits Dr. Steve Beaty. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sn-20050524-dns.shtml NISCC: http://www.niscc.gov.uk/niscc/docs/al-20050524-00433.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The DNS implementation of DNRD before 2.10 allows remote attackers to cause a denial of service via a compressed DNS packet with a label length byte with an incorrect offset, which could trigger an infinite loop. Incorrect decoding of malformed DNS packets causes certain DNS implementations to hang or crash. Multiple DNS vendors are susceptible to a remote denial-of-service vulnerability. This issue affects both DNS servers and clients. This issue arises when an affected application handles a specially crafted DNS message. A successful attack would crash the affected client or server. ---------------------------------------------------------------------- Bist Du interessiert an einem neuen Job in IT-Sicherheit? Secunia hat zwei freie Stellen als Junior und Senior Spezialist in IT- Sicherheit: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: Cisco Various Products Compressed DNS Messages Denial of Service SECUNIA ADVISORY ID: SA15472 VERIFY ADVISORY: http://secunia.com/advisories/15472/ CRITICAL: Less critical IMPACT: DoS WHERE: >From remote OPERATING SYSTEM: Cisco ATA 180 Series Analog Telephone Adaptors http://secunia.com/product/2810/ SOFTWARE: Cisco IP Phone 7900 Series http://secunia.com/product/2809/ Cisco ACNS Software Version 5.x http://secunia.com/product/2268/ Cisco ACNS Software Version 4.x http://secunia.com/product/2269/ Cisco Unity Express 2.x http://secunia.com/product/5151/ DESCRIPTION: A vulnerability has been reported in various Cisco products, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the DNS implementation during the decompression of compressed DNS messages and can be exploited via a specially crafted DNS packet containing invalid information in the compressed section. Successful exploitation crashes a vulnerable device or causes it to function abnormally. The vulnerability affects the following products: * Cisco IP Phones 7902/7905/7912 * Cisco ATA (Analog Telephone Adaptor) 186/188 * Cisco Unity Express The following Cisco ACNS (Application and Content Networking System) devices are also affected: * Cisco 500 Series Content Engines * Cisco 7300 Series Content Engines * Cisco Content Routers 4400 series * Cisco Content Distribution Manager 4600 series * Cisco Content Engine Module for Cisco 2600, 2800, 3600, 3700, and 3800 series Integrated Service Routers. SOLUTION: See patch matrix in vendor advisory for information about fixes. http://www.cisco.com/warp/public/707/cisco-sn-20050524-dns.shtml#software PROVIDED AND/OR DISCOVERED BY: NISCC credits Dr. Steve Beaty. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sn-20050524-dns.shtml NISCC: http://www.niscc.gov.uk/niscc/docs/al-20050524-00433.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The DNS implementation of PowerDNS 2.9.16 and earlier allows remote attackers to cause a denial of service via a compressed DNS packet with a label length byte with an incorrect offset, which could trigger an infinite loop. Incorrect decoding of malformed DNS packets causes certain DNS implementations to hang or crash. Multiple DNS vendors are susceptible to a remote denial-of-service vulnerability. This issue affects both DNS servers and clients. This issue arises when an affected application handles a specially crafted DNS message. A successful attack would crash the affected client or server. ---------------------------------------------------------------------- Bist Du interessiert an einem neuen Job in IT-Sicherheit? Secunia hat zwei freie Stellen als Junior und Senior Spezialist in IT- Sicherheit: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: Cisco Various Products Compressed DNS Messages Denial of Service SECUNIA ADVISORY ID: SA15472 VERIFY ADVISORY: http://secunia.com/advisories/15472/ CRITICAL: Less critical IMPACT: DoS WHERE: >From remote OPERATING SYSTEM: Cisco ATA 180 Series Analog Telephone Adaptors http://secunia.com/product/2810/ SOFTWARE: Cisco IP Phone 7900 Series http://secunia.com/product/2809/ Cisco ACNS Software Version 5.x http://secunia.com/product/2268/ Cisco ACNS Software Version 4.x http://secunia.com/product/2269/ Cisco Unity Express 2.x http://secunia.com/product/5151/ DESCRIPTION: A vulnerability has been reported in various Cisco products, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the DNS implementation during the decompression of compressed DNS messages and can be exploited via a specially crafted DNS packet containing invalid information in the compressed section. Successful exploitation crashes a vulnerable device or causes it to function abnormally. The vulnerability affects the following products: * Cisco IP Phones 7902/7905/7912 * Cisco ATA (Analog Telephone Adaptor) 186/188 * Cisco Unity Express The following Cisco ACNS (Application and Content Networking System) devices are also affected: * Cisco 500 Series Content Engines * Cisco 7300 Series Content Engines * Cisco Content Routers 4400 series * Cisco Content Distribution Manager 4600 series * Cisco Content Engine Module for Cisco 2600, 2800, 3600, 3700, and 3800 series Integrated Service Routers. SOLUTION: See patch matrix in vendor advisory for information about fixes. http://www.cisco.com/warp/public/707/cisco-sn-20050524-dns.shtml#software PROVIDED AND/OR DISCOVERED BY: NISCC credits Dr. Steve Beaty. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sn-20050524-dns.shtml NISCC: http://www.niscc.gov.uk/niscc/docs/al-20050524-00433.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The DNS implementation in DeleGate 8.10.2 and earlier allows remote attackers to cause a denial of service via a compressed DNS packet with a label length byte with an incorrect offset, which could trigger an infinite loop. Note that some other DNS packet processing systems have the issues related to this vulnerability. Multiple DNS vendors are susceptible to a remote denial-of-service vulnerability. This issue affects both DNS servers and clients. This issue arises when an affected application handles a specially crafted DNS message. A successful attack would crash the affected client or server. ---------------------------------------------------------------------- Bist Du interessiert an einem neuen Job in IT-Sicherheit? Secunia hat zwei freie Stellen als Junior und Senior Spezialist in IT- Sicherheit: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: Cisco Various Products Compressed DNS Messages Denial of Service SECUNIA ADVISORY ID: SA15472 VERIFY ADVISORY: http://secunia.com/advisories/15472/ CRITICAL: Less critical IMPACT: DoS WHERE: >From remote OPERATING SYSTEM: Cisco ATA 180 Series Analog Telephone Adaptors http://secunia.com/product/2810/ SOFTWARE: Cisco IP Phone 7900 Series http://secunia.com/product/2809/ Cisco ACNS Software Version 5.x http://secunia.com/product/2268/ Cisco ACNS Software Version 4.x http://secunia.com/product/2269/ Cisco Unity Express 2.x http://secunia.com/product/5151/ DESCRIPTION: A vulnerability has been reported in various Cisco products, which can be exploited by malicious people to cause a DoS (Denial of Service). Successful exploitation crashes a vulnerable device or causes it to function abnormally. The vulnerability affects the following products: * Cisco IP Phones 7902/7905/7912 * Cisco ATA (Analog Telephone Adaptor) 186/188 * Cisco Unity Express The following Cisco ACNS (Application and Content Networking System) devices are also affected: * Cisco 500 Series Content Engines * Cisco 7300 Series Content Engines * Cisco Content Routers 4400 series * Cisco Content Distribution Manager 4600 series * Cisco Content Engine Module for Cisco 2600, 2800, 3600, 3700, and 3800 series Integrated Service Routers. SOLUTION: See patch matrix in vendor advisory for information about fixes. http://www.cisco.com/warp/public/707/cisco-sn-20050524-dns.shtml#software PROVIDED AND/OR DISCOVERED BY: NISCC credits Dr. Steve Beaty. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sn-20050524-dns.shtml NISCC: http://www.niscc.gov.uk/niscc/docs/al-20050524-00433.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Buffer overflow in ISAPI extension (idq.dll) in Index Server 2.0 and Indexing Service 2000 in IIS 6.0 beta and earlier allows remote attackers to execute arbitrary commands via a long argument to Internet Data Administration (.ida) and Internet Data Query (.idq) files such as default.ida, as commonly exploited by Code Red. A vulnerability in IIS 4.0 may permit intruders to crash vulnerable IIS servers with URL redirection enabled. A vulnerability exists in the Indexing services used by Microsoft IIS 4.0 and IIS 5.0 running on Windows NT, Windows 2000, and beta versions of Windows XP. Exploitations of this vulnerability allows a remote intruder to run arbitrary code on the victim machine. An unchecked buffer resides in the 'idq.dll' ISAPI extension associated with each service. Note that Index Server and Indexing Service do not need to be running for an attacker to exploit this issue. Since 'idq.dll' is installed by default when IIS is installed, IIS would need to be the only service running. Note also that this vulnerability is currently being exploited by the 'Code Red' worm. In addition, all products that run affected versions of IIS are also vulnerable. **UPDATE**: An aggressive worm that actively exploits this vulnerability is believed to be in the wild

Cisco 6400 Access Concentrator Node Route Processor 2 (NRP2) 12.1DC card does not properly disable access when a password has not been set for vtys, which allows remote attackers to obtain access via telnet. It is distributed by Cisco Systems. This makes it possible for a remote user to gain access to systems behind the NRP2 module, potentially accessing secure systems

Maximum Rumpus FTP Server 2.0.3 dev and before allows an attacker to cause a denial of service (crash) via a mkdir command that specifies a large number of sub-folders. Rumpus FTP Server is an implementation for MacOS which allows file-sharing across TCP/IP connections. Rumpus FTP is prone to a denial of service. An ftp user can engage the attack by making a directory with an unusual number of sub-folders. This forces the software to quit, as it is unable to handle the creation of so many directories at one time. The FTP server must be rebooted to regain normal functionality. It is required that a user be logged in to carry out this attack. It may be possible for remote users to exploit this vulnerability, but authentication is required and anonymous ftp access does not grant users the privileges neccesary to create directories

Cayman 3220-H DSL Router 1.0 ship without a password set, which allows remote attackers to gain unauthorized access. Cayman gateways ship without a default password on the admin and user accounts. As long as the gateway is not addressable via the WAN, this can only be accessed and set by anyone on the LAN side. With admin access, the gateway settings can be configured by an intruder. This could facilitate remote denials of service, as well as potentially allowing further compromises of the network served by the router

ScreamingMedia SITEWare versions 2.5 through 3.1 allows a remote attacker to read world-readable files via a .. (dot dot) attack through (1) the SITEWare Editor's Desktop or (2) the template parameter in SWEditServlet. Microsoft IIS Is URL If the redirect is valid, Code Red Service operation is affected by the worm (DoS) A condition may occur.Microsoft IIS Service disruption (DoS) It may be in a state. Due to the inproper handling of URL redirection in IIS 4.0, it is possible to cause a host to stop responding. This vulnerability is currently being exploited by the 'Code Red' worm. Upon the worm sending a request attempting to infect the target host, IIS 4.0 will inproperly handle the unusal length of the request and fail. A restart of the service is required in order to gain normal functionality. It should be noted that the 'Code Red' worm attempts to exploit a previously discovered vulnerability BID 2880. Due to a flaw in SiteWare Editor's Desk, it is possible for a user to gain read access of known files residing on a SiteWare host. This is accomplished by crafting a URL containing double dot '../' sequences along with the relative path to a known file