VARIoT IoT vulnerabilities database

Denial of service in Gauntlet Firewall via a malformed ICMP packet. The vulnerability occurs because Gauntlet Firewall cannot handle a condition where an ICMP Protocol Problem packet's (ICMP_PARAMPROB) encapsulated IP packet has a random protocol field and certain IP options set. The packet structure looks like this: Begin Packet ------------------------------------------ [NORMAL IP HEADER] [ICMP PARAMPROB HEADER] -- encapsulated ip packet -- [IP HEADER] (important fields in ip header) ip_p = 98 (let's specify a protocol that doesn't exist) ip_hl = 0xf (stuff options) ------------------------------------------ End Packet An attacker would do the following: Construct the [ip-icmp-ip] packet using a raw socket (SOCK_RAW) with the fields set accordingly, destination set to any machine behind the firewall. Send the packet(s). The number of packets that need to be sent depends on the platform (ie Sol on a Sparc vs BSDI). The consequence of this vulnerability being exploited is the target Gauntlet 5.0 firewall being remotely locked up. It should be expected that an attacker would send packets with spoofed source addresses in the ip header making it difficult to trace

Firewall-1 sets a long timeout for connections that begin with ACK or other packets except SYN, allowing an attacker to conduct a denial of service via a large number of connection attempts to unresponsive systems. A denial of service condition exists in some implementations of Firewall-1 by Checkpoint Software. This denial of service attack is possible due to the way Firewall-1 handles TCP connections. Typically to initiate a TCP connection, a SYN packet is sent to the destination host. On systems where Firewall-1 is installed, this packet is first passed through an internal stack maintained by the Firewall before it is passed onto the operating system's native stack. When Firewall-1 filters this packet, it checks it against the rule base. If the session is allowed where it's rulebase is concerned, it is added to the connections table with a timeout of 60 seconds. When the remote host responds with an ACK (Acknowledge) packet, the session is bumped up to a 3600 second timeout. However, if you initiate a connection with an ACK packet, Firewall-1 compares it against the rule base, if allowed it is added to the connections table. However, the timeout is set to 3600 seconds and does not care if a remote system responds. You now have a session with a 1 hour timeout, even though no system responded. If this is done with a large amount of ACK packets, it will result in a full connections table. This results in your Firewall-1 refusing subsequent connections from any source effectively rendering the Firewall-1 useless in a 'failed closed' state

WS_FTP Pro 6.0 uses weak encryption for passwords in its initialization files, which allows remote attackers to easily decrypt the passwords and gain privileges. WS_FTP, both Pro and LE versions,. allows passwords to be saved as part of a saved site configuration. These passwords are encrypted and stored in .ini files. The encryption method is weak and can be broken. WS_FTP is a widely used FTP client software maintained by Ipswitch distribution. Certain versions of WS_FTP have a problem that will leak FTP user passwords

The Remote Data Service (RDS) DataFactory component of Microsoft Data Access Components (MDAC) in IIS 3.x and 4.x exposes unsafe methods, which allows remote attackers to execute arbitrary commands. Affected MDAC 1.5 and 2.0 Is Microsoft IIS alike Micorsoft Windows NT 4.0 Option Pack Included inMicrosoft IIS 3.x and 4.x On the server where is running MDAC If is installed, an arbitrary command may be executed. Both are included in a default installation of the Windows NT 4.0 Option Pack, but can be excluded via a custom installation. RDS includes a component called the DataFactory object, which has a vulnerability that could allow any web user to: --Obtain unauthorized access to unpublished files on the IIS server --Use MDAC to tunnel ODBC requests through to a remote internal or external location, thereby obtaining access to non-public servers or effectively masking the source of an attack on another network. The main risk in this vulnerability is the following: --If the Microsoft JET OLE DB Provider or Microsoft DataShape Provider are installed, a user could use the shell() VBA command on the server with System privileges. (See the Microsoft JET Database Engine VBA Vulnerability for more information). These two vulnerabilities combined can allow an attacker on the Internet to run arbitrary commands with System level privileges on the target host

MacOS uses weak encryption for passwords that are stored in the Users & Groups Data File. apple's macOS Exists in unspecified vulnerabilities.None. The encryption algorithm in MacOS system is simple and the password can be easily decoded. Offset is different on each system and depends on Users & Groups configuration, but it always lie after owner's username. It's not so difficult to find it using a hex editor, even if we don't know owner's username. Here are some examples of encrypted passwords: 00 04 06 18 0D 0A 19 0B = stayaway 0A 1F 10 1B 00 07 75 1E = yellow 1C 1B 16 14 12 62 10 7B = owner 07 02 13 1A 1E 0F 1A 14 = turnpage 27 25 33 27 27 39 24 7E = Trustno1 AA BB CC DD EE FF GG HH = aa bb cc dd ee ff gg hh where: AA BB CC DD EE FF GG HH - encrypted password (hex) aa bb cc dd ee ff gg hh - decrypted password in ASCII codes (hex) aa=AA XOR 73H bb=BB XOR AA XOR 70H cc=CC XOR BB XOR 63H dd=DD XOR CC XOR 67H ee=EE XOR DD XOR 74H ff=FF XOR EE XOR 70H gg=GG XOR FF XOR 72H hh=HH XOR GG XOR 6BH An example: Let's take OO 04 06 18 0D 0A 19 0B 00H XOR 73H = 73H = s 04H XOR 00H = 04H; 04H XOR 70H = 74H = t 06H XOR 04H = 02H; O2H XOR 63H = 61H = a 18H XOR 06H = 1EH; 1EH XOR 67H = 79H = y 0DH XOR 18H = 15H; 15H XOR 74H = 61H = a 0AH XOR 0DH = 07H; 07H XOR 70H = 77H = w 19H XOR 0AH = 13H; 13H XOR 72H = 61H = a 0BH XOR 19H = 12H; 12H XOR 6BH = 79H = y tested on: MacOS 7.5.3, 7.5.5, 8.1, 8.5 copied verbatim from a post to bugtraq by Dawid adix Adamski <adixx@FRIKO4.ONET.PL> on July 10, 1999. There are vulnerabilities in MacOS

IIS 3.x and 4.x does not distinguish between pages requiring encryption and those that do not, which allows remote attackers to cause a denial of service (resource exhaustion) via SSL requests to the HTTPS port for normally unencrypted files, which will cause IIS to perform extra work to send the files over SSL. NT Servers running IIS with SSL security enabled are susceptible to a DoS attack due to the server's inability to differentiate between pages that require SSL and those that don't. Therefore, by replacing the 'http' string in the URL with 'https' the server can be forced to encrypt any content in the web site, including high-bandwidth pages. An attacker could, with carefully planned https requests, drive the processor utilization to 100% resulting in extreme slowdown or even failure of the server

The Sun HotSpot Performance Engine VM allows a remote attacker to cause a denial of service on any server running HotSpot via a URL that includes the [ character. When IIS and Sun's Java HotSpot Performance engine are running simultaneously, the following URL will cause the system to crash: h t t p ://targethost/servlet/[ The following is the error message: # HotSpot Virtual Machine Error, Internal Error # # Error ID: 4649454C44345950450E4350500026 Affected processes are Jrun, ServletExec and IIS

Cisco 675 routers running CBOS allow remote attackers to establish telnet sessions if an exec or superuser password has not been set. Cisco 675 Router is prone to a remote security vulnerability. Attackers can exploit this issue to perform unauthorized actions. This may aid in further attacks. Cisco 675 routers running CBOS are vulnerable

WebTrends software stores account names and passwords in a file which does not have restricted access permissions. Vulnerabilities exist in WebTrends software

When IIS is run with a default language of Chinese, Korean, or Japanese, it allows a remote attacker to view the source code of certain files, a.k.a. "Double Byte Code Page". How this works is as follows: IIS checks the extension of the requested file to see if it needs to do any processing before delivering the information. If the requested extension is not on it's list, it then makes any language-based calculations, and delivers the file. If a single byte is appended to the end of the URL when IIS to set to use one of the double-byte language packs (Chinese, Japanese, or Korean) the language module will strip it as invalid, then look for the file. Since the new URL now points to a valid filename, and IIS has already determined that this transaction requires no processing, the file is simply delivered as is, exposing the source code

Buffer overflow in IIS 4.0 allows remote attackers to cause a denial of service via a malformed request for files with .HTR, .IDC, or .STM extensions. This vulnerability may allow a remote attacker to execute arbitrary code on the target machine. IIS supports a number of file extensions that require futher processing. When a request is made for one of these types of files a specific DLL processes it

Cisco Gigabit Switch routers running IOS allow remote attackers to forward unauthorized packets due to improper handling of the "established" keyword in an access list. Cisco IOS is prone to a remote security vulnerability. Attackers can exploit this issue to perform unauthorized actions. This may aid in further attacks

A vulnerability in certain versions of the Cisco IOS software running in the Cisco 12000 series Gigabit Switch Routers may allow a remote attacker to bypass security restrictions. The issue allows a vulnerable device to forward unauthorized traffic regardless of security restrictions. The issue occurs due to an error in the processing of the 'established' keyword in an access-list statement. Specifically, this issue presents itself when an affected router carries out the following command: access-list 101 permit tcp any any established It is reported that the vulnerable devices ignore the 'established' keyword and forward all TCP traffic to the relevant interface. Cisco Gigabit Switch Routers running Cisco IOS software release 11.2(14)GS2 to 11.2(15)GS3 are vulnerable to this issue.

A possible interaction between Apple MacOS X release 1.0 and Apache HTTP server allows remote attackers to cause a denial of service (crash) via a flood of HTTP GET requests to CGI programs, which generates a large number of processes. A vulnerability in the MacOS X Server may crash it while under heavy load. The vulnerability appears while stress testing a server running the Apache web server and 32 or more process are concurntly doing HTTP GET request to a CGI script in a loop. The system will panic and display a stack trace with ipc_task_init. Although the vulnerability is not related to web servering it can only be reproduced so far using this means

The fwluser script in AIX eNetwork Firewall allows local users to write to arbitrary files via a symlink attack. A vulnerability exists in the fwluser script in the AIX eNetwork firewall

Control Panel "Password Security" option for Apple Powerbooks allows attackers with physical access to the machine to bypass the security by booting it with an emergency startup disk and using a disk editor to modify the on/off toggle or password in the aaaaaaaAPWD file, which is normally inaccessible. apple's macOS Exists in unspecified vulnerabilities.None. Powerbooks come with a 'Password Security' Control Panel. This allows the user to create a password that must be entered prior to the OS mounting the hard drive. This feature can be enabled or disabled by the user. The control panel stores the enabled/disabled state, as well as an encrypted verion of the password, in a file called 'aaaaaaaaAPWD' in the root of the drive. The problem is that this security feature can be bypassed with a boot disk and hard drive utility

Buffer overflow in iParty server 1.2 and earlier allows remote attackers to cause a denial of service (crash) by connecting to default port 6004 and sending repeated extended characters. A buffer overflow condition has been discovered in the Intel iParty server. The server will need to be restarted to regain normal functionality. This issue may be due to a buffer overrun, potentially resulting in arbitrary code execution. This possibility has not been confirmed. iParty is a small voice conference chat program developed by Intel Experimental Technologies Department. The iParty meeting service daemon does not correctly handle the malformed requests submitted by users. Remote attackers can use this vulnerability to carry out denial-of-service attacks on the meeting service system

The codebrws.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. IIS is prone to a remote security vulnerability. Attackers can exploit this issue to perform unauthorized actions. This may aid in further attacks

The showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. Microsoft IIS of showcode.asp Passed source There is a vulnerability that allows arbitrary files to be viewed by specifying a relative path in the parameter.ASP You may get important information about the source code and system. IIS 4.0 installs a number of sample ASP scripts including one called "showcode.asp". This script allows clients to view the source of other sample scripts via a browser. The "showcode.asp" script does not perform sufficent checks and allows files outside the sample directory to be requested. In particular, it does not check for ".." in the path of the requested file. The script takes one parameter, "source", which is the file to view. The script's default location URL is: http://www.sitename.com/msadc/Samples/SELECTOR/showcode.asp Similar vulnerabilities have been noted in ViewCode.asp, CodeBrws.asp and Winmsdp.exe

The code.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. IIS is prone to a remote security vulnerability. Attackers can exploit this issue to perform unauthorized actions. This may aid in further attacks