VARIoT IoT vulnerabilities database


VAR-200505-1230 CVE-2005-1307 Adobe Version Cue Local privilege vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
The (1) stopserver.sh and (2) startserver.sh scripts in Adobe Version Cue on Mac OS X use the current working directory to find and execute the productname.sh script, which allows local users to execute arbitrary code by copying and calling the scripts from a user-controlled directory. A local privilege escalation vulnerability reportedly affects Adobe Version Cue. This issue is due to a failure of the application to validate its environment, allowing an attacker to run arbitrary script code. It should be noted that this issue reportedly only affects Adobe Version Cue on Mac OS X platforms. An attacker may exploit this issue to have arbitrary scripts run with superuser privileges. This will facilitate privilege escalation
VAR-200412-0059 CVE-2004-0622 Apple Mac OS X Getting sensitive information vulnerabilities CVSS V2: 2.1
CVSS V3: -
Severity: LOW
Apple Mac OS X 10.3.4, 10.4, 10.5, and possibly other versions does not properly clear memory for login (aka Loginwindow.app), Keychain, or FileVault passwords, which could allow the root user or an attacker with physical access to obtain sensitive information by reading memory
VAR-200501-0159 CVE-2004-1164 Cisco CNS Network Registrar lock manager Remote denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The lock manager in Cisco CNS Network Registrar 6.0 through 6.1.1.3 allows remote attackers to cause a denial of service (process crash) via a certain "unexpected packet sequence." Cisco CNS Network Registrar is a DNS/DHCP server offered by Cisco. It is available for Microsoft Windows, UNIX, and Linux platforms. These issues affect the Domain Name Service and Dynamic Host Configuration Protocol server components of the CNS Network Registrar. It is reported that an attacker may cause a crash by sending a specially crafted packet sequence to an affected server. These vulnerabilities only affect Cisco CNS Network Registrar for the Microsoft Windows platform. The first issue affects CNS Network Registrar versions 6.0 up to and including 6.1.1.3, and the second issue affects all versions including 6.1.1.3
VAR-200501-0149 CVE-2004-1199 Apple Mac OS X Safari Denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Safari 1.2.4 on Mac OS X 10.3.6 allows remote attackers to cause a denial of service (application crash from memory exhaustion), as demonstrated using JavaScript code that continuously creates nested arrays and then sorts the newly created arrays. Apple Safari Web Browser is prone to a vulnerability that may result in a browser crash. This issue is exposed when the browser performs an infinite JavaScript array sort operation. It is conjectured that this will only result in a denial of service and is not further exploitable to execute arbitrary code, though this has not been confirmed. Mac OS X is an operating system used on Mac machines, based on the BSD system. A denial of service vulnerability exists in Safari 1.2.4 in Mac OS X version 10.3.6
VAR-200412-0351 CVE-2004-2442 F-Secure Anti-Virus ZIP Archive Scanner Bypass Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Multiple interpretation error in various F-Secure Anti-Virus products, including Workstation 5.43 and earlier, Windows Servers 5.50 and earlier, MIMEsweeper 5.50 and earlier, Anti-Virus for Linux Servers and Gateways 4.61 and earlier, and other products, allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on the target system. Anti-virus software may rely on corrupted headers to determine if a zip archive is valid. As a result, anti-virus software may fail to detect malicious content within a zip archive. It is reported that the software does not filter certain ZIP archives. Exploitation of this vulnerability may result in a false sense of security and in the execution of malicious applications. The vulnerability does not prevent compressed files from being opened on the target system.
TITLE: F-Secure Products Zip Archive Virus Detection Bypass Vulnerability
SECUNIA ADVISORY ID: SA13263
VERIFY ADVISORY: http://secunia.com/advisories/13263/
CRITICAL: Moderately critical
IMPACT: Security Bypass
WHERE: From remote
SOFTWARE:
F-Secure Internet Security 2005 http://secunia.com/product/4300/
F-Secure Internet Security 2004 http://secunia.com/product/3499/
F-Secure Internet Gatekeeper 6.x http://secunia.com/product/3339/
F-Secure Anti-Virus for Workstations 5.x http://secunia.com/product/457/
F-Secure Anti-Virus for Samba Servers 4.x http://secunia.com/product/3501/
F-Secure Anti-Virus for MIMEsweeper 5.x http://secunia.com/product/455/
F-Secure Anti-Virus for Microsoft Exchange 6.x http://secunia.com/product/454/
F-Secure Anti-Virus for Linux 4.x http://secunia.com/product/3165/
F-Secure Anti-Virus for Firewalls 6.x http://secunia.com/product/451/
F-Secure Anti-Virus Client Security 5.x http://secunia.com/product/2718/
F-Secure Anti-Virus 5.x http://secunia.com/product/3334/
F-Secure Anti-Virus 2005 http://secunia.com/product/4299/
F-Secure Anti-Virus 2004 http://secunia.com/product/3500/
DESCRIPTION: A vulnerability has been reported in various F-Secure products, which can be exploited by malware to bypass certain scanning functionality. The vulnerability is caused due to an error when parsing ".zip" archives and can be exploited via a specially crafted ".zip" archive, which the scanner incorrectly calculates to be of zero length. Successful exploitation causes malware in a specially crafted ".zip" archive to bypass the scanning functionality.
NOTE: This is not a critical issue on client systems, as the malware is still detected when it is extracted.
PROVIDED AND/OR DISCOVERED BY: Reported by vendor.
ORIGINAL ADVISORY: http://www.f-secure.com/security/fsc-2004-3.shtml
VAR-200412-0994 CVE-2004-1540 ZyXEL Prestige 650 HW Remote management vulnerability

Related entries in the VARIoT exploits database: VAR-E-200411-0103
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
ZyXEL Prestige 623, 650, and 652 HW Routers, and possibly other versions, with HTTP Remote Administration enabled, do not require a password to access rpFWUpload.html, which allows remote attackers to reset the router configuration file. The ZyXEL Prestige router series is reported prone to an access validation vulnerability. A remote attacker may exploit this vulnerability to reset the configuration of the router
VAR-200503-0156 CVE-2004-1021 Apple iCal Calendar Import Alarm Reminder Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
iCal before 1.5.4 on Mac OS X 10.2.3, and other later versions, does not alert the user when handling calendars that use alarms, which allows attackers to execute programs and send e-mail via alarms. It is reported that when importing an Apple iCal calendar, iCal fails to warn an end user if the calendar contains an alarm. This may result in a victim importing a calendar that is believed to be safe when in reality the calendar contains malicious alarm entries
VAR-200412-0303 CVE-2004-2457 3Com OfficeConnect ADSL Wireless 11g Firewall Router Remote Denial Of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Unspecified vulnerability in 3Com OfficeConnect ADSL 11g Router allows remote attackers to cause a denial of service (crash) via a large amount of UDP traffic. This issue is due to a failure of the application to handle anomalous network traffic. An attacker may leverage this issue to cause the affected router to crash, denying service to legitimate users
VAR-200412-1061 CVE-2004-1520 IPSwitch IMail 8.13 Remote DELETE Command buffer overflow vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Stack-based buffer overflow in IPSwitch IMail 8.13 allows remote authenticated users to execute arbitrary code via a long IMAP DELETE command. Ipswitch IMail is reported prone to a remote buffer overflow vulnerability. This issue exists due to insufficient boundary checks performed by the application. Ipswitch IMail 8.13 is reported prone to this vulnerability. It is possible that other versions are affected as well. Ipswitch IMail Server is a powerful email solution. Ipswitch IMail Server handles the DELETE command incorrectly
VAR-200501-0243 CVE-2004-1096 Archive::Zip may not properly parse the file sizes of Zip archives CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Archive::Zip Perl module before 1.14, when used by antivirus programs such as amavisd-new, allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system. Archive::Zip does not properly parse Zip files and may incorrectly interpret malformed zip archives to contain zero length/size files. As a result, anti-virus software using Archive::Zip may fail to detect malicious content within a Zip archive. Archive::Zip is a free Perl module for working with zip compressed files. Archive::Zip versions prior to 1.14 have security bypass vulnerabilities when used in antivirus programs
VAR-200503-0061 CVE-2004-1051 GratiSoft Sudo Restricted Command Execution Bypass Vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
sudo before 1.6.8p2 allows local users to execute arbitrary commands by using "()" style environment variables to create functions that have the same name as any program within the bash script that is called without using the program's full pathname. A restricted command execution bypass vulnerability affects GratiSoft's Sudo application. This issue is due to a design error that causes the application to fail to properly sanitize user-supplied environment variables. An attacker with sudo privileges may leverage this issue to execute commands that are explicitly disallowed. This may facilitate privilege escalation and certainly leads to a false sense of security
VAR-200501-0257 CVE-2004-1111 Cisco IOS fails to properly handle malformed DHCP packets CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco IOS 12.2(18)EW, 12.2(18)EWA, 12.2(14)SZ, 12.2(18)S, 12.2(18)SE, 12.2(18)SV, 12.2(18)SW, and other versions without the "no service dhcp" command, keep undeliverable DHCP packets in the queue instead of dropping them, which allows remote attackers to cause a denial of service (dropped traffic) via multiple undeliverable DHCP packets that exceed the input queue size. A denial-of-service vulnerability exists in Cisco's Internetwork Operating System (IOS). This vulnerability may allow remote attackers to conduct denial-of-service attacks on an affected device. 7600 is prone to a denial-of-service vulnerability. Reportedly, DHCP packets containing certain unspecified content have the capability to block the input queue of interfaces on affected devices. Once an input queue is blocked, further ARP and routing protocol packets will not be processed. This condition can only be corrected by rebooting the affected device. An attacker with the ability to send malicious DHCP packets to an affected device may be able to interrupt the routing services of the affected device, potentially denying further network service to legitimate users. Cisco IOS is the system used by Cisco networking equipment.
Technical Cyber Security Alert TA04-316A
Cisco IOS Input Queue Vulnerability
Original release date: November 11, 2004
Last revised: --
Source: US-CERT
Systems Affected
* Cisco routers, switches, and line cards running vulnerable versions of IOS
The following versions of IOS are known to be affected:
* 12.2(18)EW
* 12.2(18)EWA
* 12.2(18)S
* 12.2(18)SE
* 12.2(18)SV
* 12.2(18)SW
* 12.2(14)SZ
Overview
There is a vulnerability in the way Cisco IOS processes DHCP packets. Exploitation of this vulnerability may lead to a denial of service. The processing of DHCP packets is enabled by default.
I. Description
The Dynamic Host Configuration Protocol (DHCP) provides a means for distributing configuration information to hosts on a TCP/IP network. The Cisco Internetwork Operating System (IOS) contains a vulnerability that allows malformed DHCP packets to cause an affected device to stop processing incoming network traffic. Cisco devices can act as a DHCP server, providing host configuration information to clients, or they can forward DHCP and BootP requests as a relay agent. The affected devices have the DHCP service enabled by default and will accept and process incoming DHCP packets. When the queue becomes full, the device will stop accepting all traffic on that interface, not just DHCP traffic. The DHCP service is enabled by default in IOS. DHCP can only be disabled when the no service dhcp command is specified in the running configuration. Cisco notes the following in their advisory: "Cisco routers are configured to process and accept DHCP packets by default, therefore the command service dhcp does not appear in the running configuration display, and only the command for the disabled feature, no service dhcp, will appear in the running configuration display when the feature is disabled." The vulnerability is present regardless of whether the DHCP server or relay agent configurations are present on an affected product. US-CERT is tracking this issue as VU#630104.
II. Impact
Repeated exploitation of this vulnerability could lead to a sustained denial-of-service condition. In order to regain functionality, the device must be rebooted to clear the input queue on the interface.
III. Solution
Upgrade to fixed versions of IOS
Cisco has published detailed information about upgrading affected Cisco IOS software to correct this vulnerability. System managers are encouraged to upgrade to one of the non-vulnerable releases. For additional information regarding availability of repaired releases, please refer to the "Software Versions and Fixes" section of the Cisco Security Advisory.
Workarounds
Cisco recommends a number of workarounds. For a complete list of workarounds, see the Cisco Security Advisory.
Appendix A. References
* Vulnerability Note VU#630104 - <http://www.kb.cert.org/vuls/id/630104>
* Cisco Security Advisory: "Cisco IOS DHCP Blocked Interface Denial-of-Service" - <http://www.cisco.com/warp/public/707/cisco-sa-20041110-dhcp.shtml>
US-CERT thanks Cisco Systems for notifying us about this problem.
Feedback can be directed to the authors: Jeff Havrilla, Damon Morda, and Jason Rafail
This document is available from: <http://www.us-cert.gov/cas/techalerts/TA04-316A.html>
Copyright 2004 Carnegie Mellon University. Terms of use: <http://www.us-cert.gov/legal.html>
Revision History
Nov 11, 2004: Initial release
Last updated November 11, 2004
VAR-200501-0258 CVE-2004-1112 Cisco CSA Bypass security mechanism vulnerability CVSS V2: 5.1
CVSS V3: -
Severity: MEDIUM
The buffer overflow trigger in Cisco Security Agent (CSA) before 4.0.3 build 728 waits five minutes for a user response before terminating the process, which could allow remote attackers to bypass the buffer overflow protection by sending additional buffer overflow attacks within the five minute timeout period. This aids attackers in exploiting latent vulnerabilities in services protected by the affected package. Versions prior to 4.0.3.728 are reported susceptible to this vulnerability. Versions before CSA 4.0.3 build 728 do not properly handle buffer overflow attacks. If the user makes no choice, the process is terminated by default. If the attacker continues to carry out the overflow attack during the period spent waiting for the user response, it may be possible to bypass the protection
VAR-200501-0255 CVE-2004-1109 Kerio PersonalFirewall FWDRV.SYS Denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The FWDRV.SYS driver in Kerio Personal Firewall 4.1.1 and earlier allows remote attackers to cause a denial of service (CPU consumption and system freeze from infinite loop) via a (1) TCP, (2) UDP, or (3) ICMP packet with a zero length IP Option field. A remote denial of service vulnerability affects the IP options filtering functionality of Kerio's Personal Firewall. This issue is caused by a failure of the application to properly handle malformed network packets. A remote attacker can exploit this issue anonymously with a spoofed packet to cause a computer running the affected application to hang indefinitely, denying service to legitimate users. Kerio Personal Firewall is a personal desktop firewall
VAR-200412-0018 CVE-2004-0789 DNS Vulnerability in protocol implementation CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Multiple implementations of the DNS protocol, including (1) Poslib 1.0.2-1 and earlier as used by Posadis, (2) Axis Network products before firmware 3.13, and (3) Men & Mice Suite 2.2x before 2.2.3 and 3.5.x before 3.5.2, allow remote attackers to cause a denial of service (CPU and network bandwidth consumption) by triggering a communications loop via (a) DNS query packets with localhost as a spoofed source address, or (b) a response packet that triggers a response packet. [See also CERT/CC VU#887766] A vulnerability has been identified in implementations of the DNS protocol. Depending on the implementation, a query-response storm may occur between servers. Also, if a query is sent with localhost and UDP port 53 as its source, the server may continue responding to itself until its resources are exhausted. This can be used to mount a denial-of-service (DoS) attack. Multiple DNS vendors are reported susceptible to a denial of service vulnerability
VAR-200501-0251 CVE-2004-1105 Nortel Networks Contivity VPN Client information leakage vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Nortel Networks Contivity VPN Client displays a different error message depending on whether the username is valid or invalid, which could allow remote attackers to gain sensitive information. It is reported that Nortel Contivity VPN client is susceptible to a username enumeration vulnerability. Attackers may exploit this vulnerability to discern valid usernames. This may aid them in brute force password cracking, or other attacks. Versions prior to 5.01_030 are reported susceptible to this issue. Nortel Networks Contivity VPN Client is the client software for Nortel VPN devices.
Name: User Account Enumeration in Nortel Contivity VPN
Vendor: Nortel Networks
Products Affected: Nortel Networks Contivity VPN Client
Type: Remote User Account Enumeration
Severity: Medium
I. This bug was discovered as part of a penetration test we carried out on the VPN server of a client.
II. Description 1.
III. Impact The different error messages could enable a malicious person to guess valid user names on the Contivity VPN/Firewall, and then launch password-guessing attacks against these accounts.
IV. Solution This issue is resolved in Contivity VPN Client for Windows V5.01_030. Refer to the CERT VU Note at http://www.kb.cert.org/vuls/id/830214 and our full advisory at http://www.nii.co.in/vuln/contivity.html for information about vendor response, applying the patches, and other technical details.
VAR-200412-0514 CVE-2004-2220 F-Secure Anti-Virus For Microsoft Exchange password protected archive scan bypass vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
F-Secure Anti-Virus for Microsoft Exchange 6.30 and 6.31 does not properly detect certain password-protected files in a ZIP file, which allows remote attackers to bypass anti-virus protection. It is reported that a specially crafted archive that is nested within another archive is sufficient to trigger this vulnerability. Such an archive may contain malicious applications and will not be detected and quarantined at the email gateway
VAR-200501-0246 CVE-2004-1099 Cisco ACS Bypass authentication vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Cisco Secure Access Control Server for Windows (ACS Windows) and Cisco Secure Access Control Server Solution Engine (ACS Solution Engine) 3.3.1, when the EAP-TLS protocol is enabled, does not properly handle expired or untrusted certificates, which allows remote attackers to bypass authentication and gain unauthorized access via a "cryptographically correct" certificate with valid fields such as the username. This issue is due to a failure of the software to properly validate user credentials prior to granting access. The problem presents itself when an attacker attempts to authenticate to the affected server. Apparently the application will grant access to any attacker that presents a valid user name and a certificate that is cryptographically correct. An attacker can leverage this issue to gain unauthorized remote access to any devices or networks that rely on the affected software for access control
VAR-200411-0227 No CVE Allied Telesyn TFTP Daemon Multiple Remote Vulnerabilities CVSS V2: -
CVSS V3: -
Severity: -
The Allied Telesyn TFTP service is reported to be prone to multiple vulnerabilities. The following specific issues are reported: 1. Allied Telesyn TFTP Server is reported susceptible to a directory-traversal vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied input data. This vulnerability allows remote attackers to retrieve or overwrite the contents of arbitrary, potentially sensitive files located on the serving appliance with the privileges of the TFTP server process. 2. Allied Telesyn TFTP Server is reported prone to a remote buffer-overflow vulnerability. This vulnerability may be exploited by a remote attacker to crash the affected service. NOTE (November 17, 2010): This vendor may now be known as Allied Telesis.
VAR-200503-0146 CVE-2004-0988 Apple QuickTime Remote arbitrary code execution vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Integer overflow in Apple QuickTime before 6.5.2, when running on Windows systems, allows remote attackers to cause a denial of service (memory consumption) via certain inputs that cause a large memory operation. This issue is due to a failure of the application to properly validate integer signedness prior to using the value to carry out critical operations. An attacker may leverage this issue to cause the affected QuickTime client to crash, denying service to legitimate users. It has been speculated that this issue may also facilitate code execution; any code execution would occur with the privileges of the user that activated the affected software. Apple QuickTime is a media player that provides high-quality sound and images. An unspecified issue in Apple QuickTime for Windows could allow a remote attacker to execute arbitrary code with process privileges from the HTML environment. Currently NSSSoftware has not released detailed vulnerability details