VARIoT IoT vulnerabilities database
VAR-200102-0026 | CVE-2001-0054 | SolarWinds Serv-U File Server Path traversal vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in FTP Serv-U before 2.5i allows remote attackers to escape the FTP root and read arbitrary files by appending a string such as "/..%20." to a CD command, a variant of a .. (dot dot) attack. FTP Serv-U is an internet FTP server from CatSoft.
Authenticated users can gain access to the ftproot of the drive where Serv-U FTP has been installed. Users that have read, write, execute and list access in the home directory will have the same permissions to any file which resides on the same partition as the ftproot. Once a user is in the home directory, they can successfully transfer any files using specially crafted GET requests. All hidden files will be revealed even if the 'Hide hidden files' feature is on.
Successful exploitation of this vulnerability could enable a remote user to gain access to system files, password files, etc. This could lead to a complete compromise of the host.
VAR-200106-0098 | CVE-2001-0299 | SGI IRIX df buffer overflow in directory argument |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in Voyager web administration server for Nokia IP440 allows local users to cause a denial of service, and possibly execute arbitrary commands, via a long URL. A vulnerability exists in Nokia's IP440 integrated Firewall-1/IDS.
If a URL is sent to the device's administration interface which contains a large number of characters it can overflow the relevant buffer and create a segmentation fault. As with any buffer overflow, this has the potential to allow arbitrary code execution, but this result has not been reported in this case.
Note that in order for this vulnerability to be exploited, the attacker must have been previously authenticated by the target system.
Regardless, this vulnerability will permit an attacker to carry out a denial of service on the affected host.
VAR-200101-0071 | CVE-2000-1097 | SonicWALL SOHO Service denial vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The web server for the SonicWALL SOHO firewall allows remote attackers to cause a denial of service via a long username in the authentication page. SonicWALL SOHO provides a secure internet connection for a network.
SonicWALL SOHO is subject to a denial of service. This has been verified to last for up to 30 seconds until functionality resumes, although a restart of the service may be required in order to regain normal functionality. In addition, it has been verified that this vulnerability is exploitable by way of various malformed HTTP requests.
This vulnerability may be the result of a buffer overflow; although this has not been verified, it could lead to the execution of arbitrary code on the target host. There is a vulnerability in the web server of the SonicWALL SOHO firewall.
VAR-200101-0009 | CVE-2000-1179 | Netopia ISDN Router 650-ST Login interface connection vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Netopia ISDN Router 650-ST before 4.3.5 allows remote attackers to read system logs without authentication by directly connecting to the login screen and typing certain control characters. A vulnerability exists in the Netopia 650-ST ISDN router, firmware version 3.3.2.
A user connected to the unit's telnet interface can cause the device's system logs to be displayed with a simple keystroke entered at the login screen:
[CTRL]-E - displays the device event log
[CTRL]-F - displays the WAN event log
Access to this information by a malicious remote user can lead to a compromise of sensitive information, including usernames and passwords.
VAR-200011-0032 | CVE-2000-0804 | Check Point VPN-1/FireWall-1 Bypass directory detection vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to bypass the directionality check via fragmented TCP connection requests or reopening closed TCP connection requests, aka "One-way Connection Enforcement Bypass". Firewall-1 is prone to a security bypass vulnerability. There are vulnerabilities in Check Point VPN-1/FireWall-1 4.1 and earlier versions. Also known as "One-way Connection Enforcement Bypass".
VAR-200011-0033 | CVE-2000-0805 | Check Point VPN-1/FireWall-1 Incorrect forwarding of encapsulated FWS Packet vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Check Point VPN-1/FireWall-1 4.1 and earlier improperly retransmits encapsulated FWS packets, even if they do not come from a valid FWZ client, aka "Retransmission of Encapsulated Packets". Firewall-1 is prone to a remote security vulnerability.
VAR-200011-0034 | CVE-2000-0806 | Check Point VPN-1/FireWall-1 Inter-component authentication mechanism service denial vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The inter-module authentication mechanism (fwa1) in Check Point VPN-1/FireWall-1 4.1 and earlier may allow remote attackers to conduct a denial of service, aka "Inter-module Communications Bypass". Firewall-1 is prone to a denial-of-service vulnerability. A remote attacker could exploit this vulnerability to cause a denial of service. Also known as "Inter-module Communications Bypass".
VAR-200011-0035 | CVE-2000-0807 | Check Point VPN-1/FireWall mechanism (fwn1) OPSEC Communication authentication fraudulent connection vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The OPSEC communications authentication mechanism (fwn1) in Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to spoof connections, aka the "OPSEC Authentication Vulnerability". Firewall-1 is prone to a remote security vulnerability.
VAR-200011-0036 | CVE-2000-0808 | Check Point VPN-1/FireWall inter-module S/Key authentication mechanism seed generation mechanism Authentication bypass vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The seed generation mechanism in the inter-module S/Key authentication mechanism in Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to bypass authentication via a brute force attack, aka "One-time (s/key) Password Authentication". Firewall-1 is prone to a security bypass vulnerability.
VAR-200011-0037 | CVE-2000-0809 | Check Point VPN-1/FireWall-1 Buffer overflow vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Buffer overflow in Getkey in the protocol checker in the inter-module communication mechanism in Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to cause a denial of service. Firewall-1 is prone to a denial-of-service vulnerability.
VAR-200011-0039 | CVE-2000-0813 | Check Point VPN-1/FireWall Server redirection vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to redirect FTP connections to other servers ("FTP Bounce") via invalid FTP commands that are processed improperly by FireWall-1, aka "FTP Connection Enforcement Bypass". Firewall-1 is prone to a remote security vulnerability. Vulnerabilities exist in Check Point VPN-1/FireWall-1 4.1 and earlier versions.
VAR-200101-0033 | CVE-2000-1147 | Microsoft IIS 4.0 ISAPI Buffer Overflow Vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Buffer overflow in IIS ISAPI .ASP parsing mechanism allows attackers to execute arbitrary commands via a long string to the "LANGUAGE" argument in a script tag. The ASP ISAPI file parser does not properly execute certain malformed ASP files that contain scripts with the LANGUAGE parameter containing a buffer of over 2200 characters and have the RUNAT value set as 'server'. Depending on the data entered into the buffer, a denial of service attack could be launched or arbitrary code could be executed under the SYSTEM privilege level in the event that a malicious ASP file were locally executed on IIS.
VAR-200012-0155 | CVE-2000-0886 | Microsoft IIS Vulnerability in parsing of executable files |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
IIS 5.0 allows remote attackers to execute arbitrary commands via a malformed request for an executable file whose name is appended with operating system commands, aka the "Web Server File Request Parsing" vulnerability. Thus, a malicious user may perform system commands through cmd.exe under the context of the IUSR_machinename account which could possibly lead to privilege escalation, deletion, addition, and modification of files, or full compromise of the server.
In order to establish successful exploitation, the file requested must be an existing .bat or .cmd file residing in a folder that the user possesses executable permissions to.
Update (November 27, 2000): Georgi Guninski has discovered new variants of this vulnerability that have appeared after applying the patch (Q277873) supplied by Microsoft. Please see 'Exploit' for further details.
Update (December 7, 2000): Billy Nothern has discovered that the commands can also be parsed through ActiveState Perl. Please see his Bugtraq post located under 'Credit' for further information.
**UPDATE**: It is believed that an aggressive worm may be in the wild that actively exploits this vulnerability.
VAR-200012-0093 | CVE-2000-1032 | Check Point Firewall Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The client authentication interface for Check Point Firewall-1 4.0 and earlier generates different error messages for invalid usernames versus invalid passwords, which allows remote attackers to identify valid usernames on the firewall. Checkpoint Firewall-1 is a popular firewall package available from Checkpoint Software Technologies.
Upon connecting to the firewall, the attacker enters a username and password. If the username and password are invalid, the firewall will respond with "<username> not found". If the username is valid and the password is invalid, the firewall will respond with "Access denied by Firewall-1 authentication".
Upon successfully determining a valid username, a remote attacker could then attempt a brute force or password grinding attack to determine the password for the valid username. If successful, an attacker could then gain access to the firewall based on that user's privileges.
VAR-200012-0181 | CVE-2000-0945 | Catalyst web Configuration interface arbitrary authentication command execution vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The web configuration interface for Catalyst 3500 XL switches allows remote attackers to execute arbitrary commands without authentication when the enable password is not set, via a URL containing the /exec/ directory. A vulnerability exists in the webserver configuration interface which will allow an anonymous user to execute commands. An HTTP request which includes /exec and a known filename will reveal the contents of the particular file. In addition to disclosing the contents of files, this vulnerability could allow a user to execute arbitrary code. The Catalyst 3500 XL switch web configuration interface has a vulnerability.
VAR-200012-0191 | CVE-2000-0955 | Cisco Virtual Central Office Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cisco Virtual Central Office 4000 (VCO/4K) uses weak encryption to store usernames and passwords in the SNMP MIB, which allows an attacker who knows the community name to crack the password and gain privileges. A vulnerability exists in the Cisco Virtual Central Office 4000 (VCO/4K) programmable voice switch running software versions 5.13 and earlier.
The usernames and passwords for the device's SNMP administration interface are protected by a simple substitution cipher which can be easily defeated. As a result, if the "encrypted" passwords are retrieved (for example, through the read-only community string), an attacker can obtain a list of valid usernames and passwords, potentially allowing an elevation of privileges and possibly more serious consequences.
VAR-200012-0035 | CVE-2000-0984 | Cisco IOS software vulnerable to DoS via HTTP request containing "?/" |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The HTTP server in Cisco IOS 12.0 through 12.1 allows local users to cause a denial of service (crash and reload) via a URL containing a "?/" string. A vulnerability exists in multiple versions of Cisco's Internetworking Operating System (IOS) software that allows an attacker to force affected switches and routers to crash and reboot. The device will enter an infinite loop when supplied with a URL containing a "?/" and an enable password. Subsequently, the router will crash within two minutes, after the watchdog timer has expired, and will then reload. In certain cases, the device will not reload and a restart would be required in order to regain normal functionality.
This vulnerability is restricted to devices that do not have the enable password set, or where the password is known or can be easily predicted. The vulnerable service is only on by default in the Cisco 1003, 1004 and 1005 routers.
Users can identify vulnerable or invulnerable devices running IOS by logging onto the device and issuing the "show version" command. If IOS is running on a vulnerable device, the command will return "Internetwork Operating System Software" or "IOS (tm)" with a version number.
Vulnerable IOS software may be found on the following Cisco devices:
* Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 1400, 1500, 1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, AS5200, AS5300, AS5800, 6400, 7000, 7200, ubr7200, 7500, and 12000 series.
* Recent versions of the LS1010 ATM switch.
* Catalyst 6000 with IOS.
* Catalyst 2900XL LAN switch with IOS.
* Cisco DistributedDirector.
VAR-200010-0161 | No CVE | Cisco IOS HTTP Router Management Service Malformed Request Denial Of Service Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
The HTTP router management service on Cisco IOS has been reported to be prone to a remote denial of service vulnerability. On Cisco IOS versions 12.0T and up, the "?" character when appended with a "/" character is not properly interpreted by the HTTP router management service and may cause the appliance to crash.
VAR-200012-0021 | CVE-2000-0970 | Microsoft IIS Sessions ID Cookie leak vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
IIS 4.0 and 5.0 .ASP pages send the same Session ID cookie for secure and insecure web sessions, which could allow remote attackers to hijack the secure web session of the user if that user moves to an insecure session, aka the "Session ID Cookie Marking" vulnerability. Under certain circumstances, Microsoft IIS will transmit the plaintext contents of Session ID Cookies that should be marked as secure.
A website may require state information so that it can distinguish one user from another, especially if it undergoes a great deal of traffic load. This is especially prevalent in the case of e-commerce sites, in order to keep track of an individual's shopping order, etc. as they browse from page to page. Session ID Cookies may be used as a method to acquire state information; a cookie maintains the identity of a user as they browse a site. This is not the case if the user visits an ASP page hosted on IIS. Once the user visits a non-secure portion of the website, a malicious third party who had access to the network traffic between the user and the website would be able to read the contents of the cookie, since it would be sent in plaintext.
VAR-200010-0156 | No CVE | Cisco IOS Extended Access List Failure Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
IOS is the firmware used by many Cisco network devices.
In some versions of IOS 12.x (verified on 12.1(4) and reportedly other versions), certain rules in extended access control lists will not be enforced. This may allow attackers to access vulnerable network services thought to be protected by the access control lists. The reason for this behaviour is not yet known.