VARIoT IoT vulnerabilities database
VAR-199804-0007 | CVE-1999-1015 | AppleShare IP Mail Server Buffer Overflow Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Buffer overflow in Apple AppleShare Mail Server 5.0.3 on MacOS 8.1 and earlier allows a remote attacker to cause a denial of service (crash) via a long HELO command. An unspecified vulnerability exists in Apple's AppleShare Mail Server. If you connect to the SMTP port and issue a HELO command with a large string (500 bytes or more) for a hostname, the server, and possibly the whole machine, will crash.
VAR-199804-0010 | CVE-1999-0098 | apple's AppleShare Vulnerabilities in products from multiple vendors such as |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Buffer overflow in SMTP HELO command in Sendmail allows a remote attacker to hide activities. Unspecified vulnerabilities exist in products from multiple vendors, such as Apple's AppleShare.
The issue presents itself due to insufficient bounds checking performed when handling malicious SMTP HELO command arguments of excessive length. A remote attacker may exploit this condition to trigger a denial-of-service in the affected daemon.
Sendmail 8.8.8 is affected; earlier versions may also be vulnerable
VAR-199803-0007 | CVE-1999-0060 | Ascend MAX Security hole |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Attackers can cause a denial of service in Ascend MAX and Pipeline routers with a malformed packet to the discard port, which is used by the Java Configurator tool. A variety of Lucent router product lines named "Ascend" using the TAOS operating system support configuration tools to communicate through UDP port 9
VAR-199902-0037 | CVE-1999-0407 | Microsoft IIS of IISADMPWD Vulnerability in obtaining user account information in virtual directories |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
By default, IIS 4.0 has a virtual directory /IISADMPWD which contains files that can be used as proxies for brute force password attacks, or to identify valid users on the system. Microsoft IIS is a popular web server package for Windows NT based platforms. Version 4.0 of IIS installs a remotely accessible directory, /IISADMPWD, mapped to c:\winnt\system32\inetsrv\iisadmpwd, which contains a number of vulnerable .HTR files. These were designed to let system administrators provide HTTP-based password change services to network users. The affected files, achg.htr, aexp*.htr, and anot*.htr, can be used in this manner. A Microsoft bulletin on the feature recommends using /IISADMPWD/aexp.htr for this purpose. Requesting one of the listed .htr files returns a form that requests the account name, current password, and changed password.
This can be used to determine whether or not the requested account exists on the host, as well as to conduct brute force attacks. If the account does not exist, the message "invalid domain" is returned; if it does, but the password change was unsuccessful, the attacker is notified. This can be used against the server and against other machines connected to the local network (and possibly even other machines on the internet), by preceding the account name with an IP address and a backslash (e.g., XXX.XXX.XXX.XXX\ACCOUNT). The server contacts the networked machine through the NetBIOS session port and attempts to change the password.
VAR-199801-0019 | CVE-1999-0293 | Cisco Systems Cisco IOS Vulnerability in |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
AAA authentication on Cisco systems allows attackers to execute commands without authorization. An unspecified vulnerability exists in Cisco Systems Cisco IOS.
Attackers can exploit this issue to perform unauthorized actions. This may aid in further attacks. There is a loophole in the Cisco system's AAA authentication
VAR-199712-0021 | No CVE | Cisco Catalyst Supervisor Remote Reload |
CVSS V2: - CVSS V3: - Severity: - |
This description was taken from the Cisco advisory.
A remote attacker who knows how to exploit this vulnerability, and who can make a connection to TCP port 7161 on an affected switch, can cause the supervisor module of that switch to reload. While the supervisor is reloading, the switch will not forward traffic, and the attack will therefore deny service to the equipment attached to the switch. The switch will recover automatically, but repeated attacks can extend the denial of service indefinitely.
VAR-199903-0037 | CVE-1999-0430 | Cisco Catalyst Switch Remote Denial of Service Attack Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco Catalyst LAN switches running Catalyst 5000 supervisor software allows remote attackers to perform a denial of service by forcing the supervisor module to reload. Cisco Catalyst is a widely used switch product developed by Cisco.
A remote attacker may connect to TCP port 7161 of the affected switch, causing the management module to reload. While it reloads, the switch does not forward packets. Although the switch recovers automatically and resumes forwarding afterwards, the attacker can keep repeating the attack to sustain the denial of service.
VAR-199712-0012 | CVE-1999-0230 | Cisco Systems Cisco IOS Vulnerability in |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Buffer overflow in Cisco 7xx routers through the telnet service. An unspecified vulnerability exists in Cisco Systems Cisco IOS.
VAR-200505-0723 | CVE-2005-1649 |
Microsoft Windows service disruption (DoS) vulnerability due to illegal IPv6 packets
Related entries in the VARIoT exploits database: VAR-E-199711-0003, VAR-E-199711-0001, VAR-E-200503-0001, VAR-E-200404-0002, VAR-E-199711-0002, VAR-E-199711-0005, VAR-E-199711-0004 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The IPv6 support in Windows XP SP2, 2003 Server SP1, and Longhorn, with Windows Firewall turned off, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination and source address and port, a variant of CVE-2005-0688 and a reoccurrence of the "Land" vulnerability (CVE-1999-0016).
When a packet of this type is handled, an infinite loop is initiated and the affected system halts.
A remote attacker may exploit this issue to deny service for legitimate users
VAR-200503-0010 | CVE-2005-0688 |
Microsoft Windows vulnerable to DoS via LAND attack
Related entries in the VARIoT exploits database: VAR-E-199711-0003, VAR-E-199711-0001, VAR-E-200503-0001, VAR-E-200404-0002, VAR-E-199711-0002, VAR-E-199711-0005, VAR-E-199711-0004 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Windows Server 2003 and XP SP2, with Windows Firewall turned off, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination and source address and port, aka a reoccurrence of the "Land" vulnerability (CVE-1999-0016). Microsoft Windows does not adequately validate IP options, allowing an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service. An attacker could take complete control of a vulnerable system. When a packet of this sort is received, an infinite loop is initiated and the affected system halts. This is known to affect Windows 95, Windows NT 4.0 up to SP3, Windows Server 2003, Windows XP SP2, Cisco IOS devices & Catalyst switches, and HP-UX up to 11.00.
It is noted that on Windows Server 2003 and XP SP2, the TCP and IP checksums must be correct to trigger the issue.
Update: It is reported that Microsoft platforms are also prone to this vulnerability. The vendor reports that network routers may not route malformed TCP/IP packets used to exploit this issue. As a result, an attacker may have to discover a suitable route to a target computer, or reside on the target network segment itself before exploitation is possible.
TITLE:
Microsoft Exchange SMTP Service Extended Verb Request Buffer Overflow
SECUNIA ADVISORY ID:
SA14920
VERIFY ADVISORY:
http://secunia.com/advisories/14920/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
From remote
SOFTWARE:
Microsoft Exchange Server 2000
http://secunia.com/product/41/
Microsoft Exchange Server 2003
http://secunia.com/product/1828/
DESCRIPTION:
ISS X-Force has reported a vulnerability in Microsoft Exchange
Server, which can be exploited by malicious people to compromise a
vulnerable system.
The vulnerability is caused due to a boundary error in the SMTP
service within the handling of a certain extended verb request. This
can be exploited to cause a heap-based buffer overflow by connecting
to the SMTP service and issuing a specially crafted command.
Successful exploitation allows execution of arbitrary code with the
privileges of the SMTP service (by default "Local System"). Instead, this requires permissions
usually only granted to other Exchange servers in a domain.
SOLUTION:
Apply patches.
Microsoft Exchange 2000 Server (requires SP3):
http://www.microsoft.com/downloads/details.aspx?FamilyId=2A2AF17E-2E4A-4479-8AC9-B5544EA0BD66
Microsoft Exchange Server 2003:
http://www.microsoft.com/downloads/details.aspx?FamilyId=97F409EB-C8D0-4C94-A67B-5945E26C9267
Microsoft Exchange Server 2003 (requires SP1):
http://www.microsoft.com/downloads/details.aspx?FamilyId=35BCE74A-E84A-4035-BF18-196368F032CC
The following versions are not affected:
* Microsoft Exchange Server 5.5 SP4
* Microsoft Exchange Server 5.0 SP2
PROVIDED AND/OR DISCOVERED BY:
Mark Dowd and Ben Layer, ISS X-Force.
ORIGINAL ADVISORY:
MS05-021 (KB894549):
http://www.microsoft.com/technet/security/Bulletin/MS05-021.mspx
ISS X-Force:
http://xforce.iss.net/xforce/alerts/id/193
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
VAR-199712-0007 | CVE-1999-0016 |
Microsoft Internet Explorer DHTML objects contain a race condition
Related entries in the VARIoT exploits database: VAR-E-199711-0003, VAR-E-199711-0001, VAR-E-199711-0002, VAR-E-199711-0005, VAR-E-199711-0004 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Land IP denial of service. MSN Messenger clients before version 7.0 will allow remote attackers to take control of a computer if malicious GIF files are processed. Microsoft Windows does not adequately validate IP options, allowing an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service. An attacker could take complete control of a vulnerable system. A number of TCP/IP stacks are vulnerable to a "loopback" condition initiated by sending a TCP SYN packet with the source address and port spoofed to equal the destination address and port. When a packet of this sort is received, an infinite loop is initiated and the affected system halts. This is known to affect Windows 95, Windows NT 4.0 up to SP3, Windows Server 2003, Windows XP SP2, Cisco IOS devices & Catalyst switches, and HP-UX up to 11.00.
It is noted that on Windows Server 2003 and XP SP2, the TCP and IP checksums must be correct to trigger the issue.
Update: It is reported that Microsoft platforms are also prone to this vulnerability. The vendor reports that network routers may not route malformed TCP/IP packets used to exploit this issue. As a result, an attacker may have to discover a suitable route to a target computer, or reside on the target network segment itself before exploitation is possible. The TCP/IP network protocol stack is the most widely used network protocol for Internet networking implemented by most operating systems. There are loopholes in the TCP/IP protocol stack implementation of early BSD-derived systems (except Linux) and Windows systems, and remote attackers can use this loophole to carry out denial-of-service attacks on the server. Due to problems in the implementation of TCP/IP, the target system may have problems processing such malformed packets. Many old versions of UNIX-like operating systems will crash, and NT's CPU resource usage will be close to 100% (for about five minutes).
The vulnerability is caused due to improper handling of IP packets
with the same destination and source IP and the SYN flag set. This
causes a system to consume all available CPU resources for a certain
period of time.
This kind of attack was first reported in 1997 and became known as
LAND attacks.
SOLUTION:
Filter traffic with the same IP address as source and destination
address at the perimeter.
The vulnerability is caused due to a boundary error in the SMTP
service within the handling of a certain extended verb request. This
can be exploited to cause a heap-based buffer overflow by connecting
to the SMTP service and issuing a specially crafted command. Instead, this requires permissions
usually only granted to other Exchange servers in a domain.
Microsoft Exchange 2000 Server (requires SP3):
http://www.microsoft.com/downloads/details.aspx?FamilyId=2A2AF17E-2E4A-4479-8AC9-B5544EA0BD66
Microsoft Exchange Server 2003:
http://www.microsoft.com/downloads/details.aspx?FamilyId=97F409EB-C8D0-4C94-A67B-5945E26C9267
Microsoft Exchange Server 2003 (requires SP1):
http://www.microsoft.com/downloads/details.aspx?FamilyId=35BCE74A-E84A-4035-BF18-196368F032CC
The following versions are not affected:
* Microsoft Exchange Server 5.5 SP4
* Microsoft Exchange Server 5.0 SP2
PROVIDED AND/OR DISCOVERED BY:
Mark Dowd and Ben Layer, ISS X-Force.
ORIGINAL ADVISORY:
MS05-021 (KB894549):
http://www.microsoft.com/technet/security/Bulletin/MS05-021.mspx
ISS X-Force:
http://xforce.iss.net/xforce/alerts/id/193
National Cyber Alert System
Technical Cyber Security Alert TA05-102A
Multiple Vulnerabilities in Microsoft Windows Components
Original release date: April 12, 2005
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows Systems
For a complete list of affected versions of the Windows operating
systems and components, refer to the Microsoft Security Bulletins.
Overview
Microsoft has released a Security Bulletin Summary for April, 2005.
This summary includes several bulletins that address
vulnerabilities in various Windows applications and
components. Details of the vulnerabilities and their impacts
are provided below.
I. Description
The list below provides a mapping between Microsoft's Security
Bulletins and the related US-CERT Vulnerability Notes. More
information related to the vulnerabilities is available in these
documents.
III. Solution
Apply a patch
Microsoft has provided the patches for these vulnerabilities in the
Security Bulletins and on Windows Update.
Appendix A. References
* Microsoft's Security Bulletin Summary for April, 2005 -
<http://www.microsoft.com/technet/security/bulletin/ms05-apr.mspx>
* US-CERT Vulnerability Note VU#774338 -
<http://www.kb.cert.org/vuls/id/774338>
* US-CERT Vulnerability Note VU#756122 -
<http://www.kb.cert.org/vuls/id/756122>
* US-CERT Vulnerability Note VU#222050 -
<http://www.kb.cert.org/vuls/id/222050>
* US-CERT Vulnerability Note VU#275193 -
<http://www.kb.cert.org/vuls/id/275193>
* US-CERT Vulnerability Note VU#633446 -
<http://www.kb.cert.org/vuls/id/633446>
* US-CERT Vulnerability Note VU#233754 -
<http://www.kb.cert.org/vuls/id/233754>
_________________________________________________________________
Feedback can be directed to the authors: Will Dormann, Jeff Gennari,
Chad Dougherty, Ken MacInnis, Jason Rafail, Art Manion, and Jeff
Havrilla.
_________________________________________________________________
This document is available from:
<http://www.us-cert.gov/cas/techalerts/TA05-102A.html>
_________________________________________________________________
Copyright 2005 Carnegie Mellon University.
Terms of use: <http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
April 12, 2005: Initial release
VAR-199710-0008 | CVE-1999-0160 | Cisco Systems Cisco IOS Vulnerability in |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Some classic Cisco IOS devices have a vulnerability in the PPP CHAP authentication to establish unauthorized PPP connections. An unspecified vulnerability exists in Cisco Systems Cisco IOS.
VAR-199710-0036 | No CVE | Cisco IOS CHAP Authentication Vulnerabilities |
CVSS V2: - CVSS V3: - Severity: - |
Cisco IOS software is reported prone to an authentication bypass vulnerability. This vulnerability presents itself in PPP CHAP authentication used by IOS. A remote attacker may bypass authentication to gain unauthorized access to a vulnerable device. Cisco non-switch products with product numbers greater than or equal to 1000, AGS/AGS+/CGS/MGS, and CS-500 products are vulnerable to this issue.
Another vulnerability related to the issue described above affects Cisco IOS/700 software. This issue can allow a remote attacker to establish an unauthorized PPP connection to a device that is running the vulnerable application. This attack requires the device to be using CHAP authentication and the attacker needs to modify code for a vulnerable PPP/CHAP implementation.
VAR-199708-0008 | CVE-1999-0524 | Linux kernel Information disclosure vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
ICMP information such as (1) netmask and (2) timestamp is allowed from arbitrary hosts. McAfee Data Loss Prevention (DLP) is a set of data loss prevention solutions from McAfee. The solution protects intellectual property and ensures compliance by protecting the environment in which sensitive data resides (on-premise, in the cloud, or on the endpoint).
Cross-site scripting vulnerabilities and cross-site request forgery vulnerabilities exist in McAfee DLP. When the user browses the affected website, his browser will execute any script code provided by the attacker, which may allow the attacker to steal cookie-based authentication, perform unauthorized operations, or leak or modify sensitive information; other forms of attack may exist. Other attacks may also be possible.
VAR-199705-0013 | CVE-1999-1141 | Ascom Timeplex Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Ascom Timeplex router allows remote attackers to obtain sensitive information or conduct unauthorized activities by entering debug mode through a sequence of CTRL-D characters. Timeplex Routers is prone to an information disclosure vulnerability.
Attackers can exploit this issue to obtain sensitive information
VAR-199701-0039 | CVE-1999-0253 | Microsoft Internet Information Services Security hole |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
IIS 3.0 with the iis-fix hotfix installed allows remote intruders to read source code for ASP programs by using a %2e instead of a . (dot) in the URL. Microsoft Internet Information Server (IIS) is a popular web server, providing support for a variety of scripting languages, including ASP (active server pages). This is accomplished by appending a period (.) to the end of a URL requesting a specific script, and applies to any file types in the "script-map list", including .asp, .ht., .id, .PL, and others. Consequences of exploitation vary depending on the site design, but commonly include details of directory structure on the web server, database passwords, and various other pieces of information that could then be used to mount further attacks. A Microsoft hotfix for this issue was released, but has been found vulnerable to a variation whereby the period is replaced by %2e, the hexadecimal encoding for the same character. (BugTraq ID 1814). Microsoft IIS will return the source code of various server side script files (such as ASP files) if the filename in the URL request contains a "%2e", the hex value for ".". For example, the following URL will display the source of the ASP file:
http://target/file%2easp
Source code disclosure could possibly yield sensitive information such as usernames and passwords
VAR-199606-0003 | CVE-1999-0138 | suidperl and sperl Security hole |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
The suidperl and sperl programs do not give up root privileges when changing UIDs back to the original users, allowing root access. HP-UX is prone to a local privilege-escalation vulnerability.
Local attackers may exploit this issue to gain root privileges
VAR-199603-0003 | CVE-1999-0067 | phf Remote Command Execution Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
phf CGI program allows remote command execution through shell metacharacters. This document describes a vulnerability in a CGI script known as phf which was widely exploited in 1996 and 1997. A vulnerability exists in the sample cgi-bin program, phf, which is included with NCSA httpd, and Apache 1.0.3, an NCSA derivative. By supplying certain characters that have special meaning to the shell, arbitrary commands can be executed by remote users under whatever user the httpd is run as.
The phf program, and possibly other programs, call the escape_shell_cmd() function. This subroutine is intended to strip dangerous characters out prior to passing these strings along to shell based library calls, such as popen() or system(). By failing to capture certain characters, however, it becomes possible to execute commands from these calls.
Versions below each of the vulnerable webservers are assumed to be vulnerable to exploitation via the phf example code
VAR-200803-0166 | CVE-2008-1243 | Linksys WRT300N Router cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability on the Linksys WRT300N router with firmware 2.00.20, when Mozilla Firefox or Apple Safari is used, allows remote attackers to inject arbitrary web script or HTML via the dyndns_domain parameter to the default URI.
A web server can use a remote site's FormMail script without authorization, using remote system resources or exploiting other vulnerabilities in the script. For example, this issue can be used to exploit BID 2079, "Matt Wright FormMail Remote Command Execution Vulnerability". FormMail is a widely-used web-based e-mail gateway, which allows form-based input to be emailed to a specified user.
User supplied data (from the "recipient" hidden field) is passed to a Perl OPEN function without proper input verification, allowing the use of the command separation shell metacharacter (;) to execute arbitrary commands on the remote host. Consequences could range from destruction of data and web site defacement to elevation of privileges through locally exploitable vulnerabilities. Wrt300n is prone to a cross-site scripting vulnerability
VAR-201401-0093 | CVE-2013-3090 | Belkin N300 Wi-Fi N Router Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in Belkin N300 router allow remote attackers to inject arbitrary web script or HTML via the Guest Access PSK field to wireless_guest2_print.stm or other unspecified vectors. The Belkin N300 Wi-Fi N Router is a wireless router device. A cross-site scripting vulnerability exists in the Belkin N300 Wi-Fi N Router that allows remote attackers to build malicious URIs, entice users to open them, and then obtain sensitive information or hijack user sessions.
A web server can use a remote site's FormMail script without authorization, using remote system resources or exploiting other vulnerabilities in the script. For example, this issue can be used to exploit BID 2079, "Matt Wright FormMail Remote Command Execution Vulnerability". FormMail is a widely-used web-based e-mail gateway, which allows form-based input to be emailed to a specified user.
User supplied data (from the "recipient" hidden field) is passed to a Perl OPEN function without proper input verification, allowing the use of the command separation shell metacharacter (;) to execute arbitrary commands on the remote host. Consequences could range from destruction of data and web site defacement to elevation of privileges through locally exploitable vulnerabilities. The Belkin N300 router is prone to an unspecified cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks