Digital Defense's Vulnerability Research Team (VRT) posts advisories to raise awareness of newly discovered vulnerabilities, or of other informational items, that help further secure computing networks from compromise by unauthorized parties. Advisories are posted by the VRT on an as-needed basis.
DDI provides the links below as a service and does not take responsibility for the content or availability of the sites, nor does it endorse any services or products listed below.
Should you have any questions regarding any advisory, or vulnerability specifically, please feel free to contact Client Support at 888.273.1412 or support@ddifrontline.com.
Title: DDIVRT-2012-45 SolarWinds Network Performance Monitor Blind SQL Injection
Severity: High
Date Discovered: April 26, 2012
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: r@b13$
Vulnerability Description: The SolarWinds Orion Network Performance Monitor 9.1 and prior contains a blind SQL injection flaw on the 'Login.asp' page. An attacker can leverage this flaw to execute arbitrary SQL commands and extract sensitive information from the backend database using standard blind SQL injection exploitation techniques.
This vulnerability applies to installations that have been upgraded from version 9.1 or prior. Fresh installations and migrations starting with version 9.5 do not contain this vulnerability.
Solution Description: SolarWinds has addressed the issue in version 9.5 and all subsequent releases. Please contact SolarWinds support for assistance in addressing the issue.
Tested Systems / Software (with versions):
SolarWinds Orion Network Performance Monitor 9.1
Vendor Contact: SolarWinds
Website: http://www.solarwinds.com/
Title: DDIVRT-2012-41 ACTi Web Configurator cgi-bin Directory Traversal
Severity: High
Date Discovered: March 8, 2012
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: shmoov and r@b13$
Vulnerability Description: The ACTi Web Configurator 3.0 for ACTi IP Surveillance Cameras contains a directory traversal vulnerability within the cgi-bin directory. An unauthenticated remote attacker can use this vulnerability to retrieve arbitrary files that are located outside the root of the web server.
Solution Description: Production of the cameras employing this version of the ACTi Web Configurator has been discontinued. However, a firmware upgrade which addresses the issue is available for download from the ACTi support team. Please contact the ACTi support team to retrieve the firmware upgrade and instructions on how to apply the changes.
Tested Systems / Software (with versions):
ACTi Web Configurator 3.0 - camera version unknown
Vendor Contact: ACTi Corporation | http://www.acti.com/corporate/Brief.asp
Website: http://www.acti.com/home/index.asp
Title: DDIVRT-2012-40 PacketVideo TwonkyServer and TwonkyMedia Directory Traversal
Severity: High
Date Discovered: March 12, 2012
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: r@b13$
Vulnerability Description: Multiple PacketVideo products contain a directory traversal vulnerability within the web server that is running on port 9000. These products are vulnerable to the attack regardless of having configured the "Secured Server Settings" which are available on the Advanced configuration page. Susceptible products include the Twonky 7.0 Special and the TwonkyManager 3.0.
An unauthenticated remote attacker can use this vulnerability to retrieve arbitrary files that are located outside the root of the web server.
Solution Description: PacketVideo has addressed the issue. Contact the vendor for the software update.
Tested Systems / Software (with versions):
Twonky 7.0 Special on Windows Vista
TwonkyManager 3.0 on Windows Vista
Vendor Contact: PacketVideo Corporation | http://www.pv.com/
Website: http://twonky.com/
Title: DDIVRT-2011-39 SolarWinds Storage Manager Server SQL Injection Authentication Bypass
Severity: High
Date Discovered: December 7, 2011
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: r@b13$
Vulnerability Description: The 'LoginServlet' page on port 9000 of the SolarWinds Storage Manager Server is vulnerable to a SQL injection within the 'loginName' field. An attacker can leverage this flaw to bypass authentication to the Storage Manager application or to execute arbitrary SQL commands and extract sensitive information from the backend database using standard SQL exploitation techniques. Additionally, an attacker may be able to leverage this flaw to compromise the database server host operating system.
Solution Description: SolarWinds has not yet provided a patch to address the issue. Digital Defense, Inc. recommends restricting access to the affected port until an update has been produced by the vendor.
Tested Systems / Software (with versions):
32-bit SolarWinds Storage Manager Server version 5.1.2 on Windows 2003
Vendor Contact: SolarWinds
Website: http://www.solarwinds.com/
Title: DDIVRT-2011-38 KnowledgeTree login.php Blind SQL Injection
Severity: High
Date Discovered: November 18, 2011
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: sxkeebler and r@b13$
Vulnerability Description: The KnowledgeTree login.php login page contains a blind SQL injection vulnerability within the username field. An attacker can leverage this flaw to execute arbitrary SQL commands and extract sensitive information from the backend database using standard blind SQL exploitation techniques. Additionally, an attacker may be able to leverage this flaw to compromise the database server host OS.
Solution Description: KnowledgeTree has released a patch which addresses the issue. The new source is available at: http://wiki.knowledgetree.org/Security_advisory:_KnowledgeTree_login.php_Blind_SQL_Injection
Tested Systems / Software (with versions):
KnowledgeTree Version 3.7.0.2 (community edition)
Vendor Contact: KnowledgeTree, Inc.
Website: http://www.knowledgetree.com/
Title: DDIVRT-2011-37 HP JetDirect Device Page Directory Traversal
Severity: High
Date Discovered: October 12, 2011
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: sxkeebler and r@b13$
Vulnerability Description: The HP-ChaiSOE/1.0 embedded web server on certain HP JetDirect printers allows a potential attacker to gain read-only access to directories and files outside of the web root; this issue is distinct from CVE-2008-4419. An attacker can leverage this flaw to read arbitrary system configuration files, cached documents, etc. Information obtained from an affected host may facilitate further attacks against the host. Exploitation of this flaw is trivial using common web server directory traversal techniques.
Solution Description: At this time, the vendor has not yet released a patch for this vulnerability. As a workaround, Digital Defense, Inc. recommends restricting access to the HP JetDirect web administration interface to authorized hosts only.
Tested Systems / Software (with versions):
HP LaserJet 4650
Current Firmware: 20070419 07.006.0
HP LaserJet P3015
Current Firmware: 20100518 07.050.8 (Outdated)
HP LaserJet 2430
Current Firmware: 20090624 08.113.0_I35128
Vendor Contact: HP
Website: http://www.hp.com/
Title: DDIVRT-2011-36 Cybele Software, Inc. ThinVNC Product Suite Arbitrary File Retrieval
Severity: High
Date Discovered: September 6th, 2011
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: r@b13$
Vulnerability Description: Multiple Cybele Software, Inc. products, including ThinVNC, ThinRDP, and ThinVNC Access Point 2.0, contain arbitrary file retrieval and directory traversal vulnerabilities. An unauthenticated remote attacker can submit requests for files that are located outside the root of the web server that is distributed with these Cybele Software, Inc. products.
Solution Description: Cybele Software, Inc. has released a patch for the vulnerability which is available for download from the http://www.thinvnc.com/ website.
Tested Systems / Software (with versions):
ThinVNC 2.0.0.1
ThinRDP 1.0.0.33
ThinVNC Access Point 2.0.0.1
Vendor Contact: Cybele Software, Inc.
Website: http://www.thinvnc.com/
Title: DDIVRT-2011-35 Cisco Unified Contact Center Express Directory Traversal [CVE-2011-3315]
Severity: High
Date Discovered: August 9, 2011
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: r@b13$
Vulnerability Description: The default deployment of Cisco Unified Contact Center Express (UCCX) system is configured with multiple listening services. The web service that is listening on TCP port 9080, or on TCP port 8080 in versions prior to 8.0(x), serves a directory which is configured in a way that allows for a remote unauthenticated attacker to retrieve arbitrary files from the UCCX root filesystem through a directory traversal attack. It is possible for an attacker to use this vector to gain console access to the vulnerable node as the 'ccxcluster' user, and subsequently escalate privileges.
Solution Description: Cisco has released a patch for this vulnerability. Information regarding the software update which addresses this issue is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-uccx
Tested Systems / Software (with versions):
Cisco Unified Contact Center Express (UCCX) versions: 8.5(x), 8.0(x), 7.0(x), 6.0(x)
Cisco Unified IP Interactive Voice Response (Unified IP-IVR) versions: 8.5(x), 8.0(x), 7.0(x), 6.0(x)
Vendor Contact: Cisco
Website: http://www.cisco.com/
Title: DDIVRT-2011-34 Metropolis Technologies OfficeWatch Directory Traversal
Severity: High
Date Discovered: August 15, 2011
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Chris Graham and r@b13$
Vulnerability Description: Metropolis Technologies OfficeWatch enables a web server on TCP port 80 that is susceptible to a directory traversal. An attacker may send a ../ (dot-dot-slash) sequence to traverse out of the web root and access arbitrary files on the host.
Solution Description: Until a patch is released by the vendor, it is recommended to restrict access to the web server to authorized hosts only. Access controls can be configured through Windows firewall.
Tested Systems / Software (with versions): Metropolis Technologies OfficeWatch for Windows 2000/XP/2003/Vista Version 2011.06.20
Vendor Contact: Metropolis Technologies
Email: support2011@metropolis.com
Title: DDIVRT-2011-33 IBM WebSphere Application Server 'help' Servlet Plug-in Bundle Directory Traversal [CVE-2011-1359]
Severity: High
Date Discovered: July 28, 2011
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Javier Castro, sxkeebler and r@b13$
Vulnerability Description: The default installation of the IBM WebSphere Application Server is deployed with a 'help' servlet which is designed to serve supporting documentation for the WebSphere system. When the 'help' servlet processes a URL that contains a reference to a Java plug-in Bundle that is registered with the Eclipse Platform Runtime Environment of the WebSphere Application Server, the 'help' servlet fails to ensure that the submitted URL refers to a file that is both located within the web root of the servlet and is of a type that is allowed to be served.
An unauthenticated remote attacker can use this weakness in the 'help' servlet to retrieve arbitrary system files from the host that is running the 'help' servlet. This can be accomplished by submitting a URL which refers to a registered Java plug-in Bundle followed by a relative path to the desired file.
Solution Description: IBM has released a patch for this issue. The patch is available through APAR PM45322.
http://www-01.ibm.com/support/docview.wss?uid=swg21509257
Tested Systems / Software (with versions):
WebSphere Application Server Version 8.0
WebSphere Application Server Version 7.0
WebSphere Application Server Version 6.1
Vendor Contact: IBM
Website: http://www-01.ibm.com/software/webservers/appserv/was/library/
Title: DDIVRT-2011-32 Axway SecureTransport '/icons/' Directory Traversal
Severity: High
Date Discovered: July 15, 2011
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: sxkeebler and r@b13$
Vulnerability Description: The Axway SecureTransport device contains a directory traversal in the '/icons/' directory. An unauthenticated remote attacker can use this vulnerability to obtain arbitrary files from the root file system of the vulnerable host.
Solution Description: Axway Global Support has addressed this vulnerability in package: SecureTransport Server 4.8.2 Patch 12.
Patch download: Axway Customers can download the patch using their support account at https://support.axway.com
File Packages: STEE-4_8_2-Patch12-Windows-x86-Build420.jar
MD5 checksum: 0401efe41ee05f2ee25d3adddca113ba
Size: 928753 bytes
See the Patch Readme file which is available on the vendor website for additional information.
Tested Systems / Software (with versions):
DDI tested: Axway SecureTransport 4.8.1
Axway tested: Axway tested all supported platforms for SecureTransport 4.8.x, 4.9.x, 5.0, and 5.1 and determined that the vulnerability only exists on the Windows platform for SecureTransport 4.8.x
Vendor Contact: Axway
Email: support@axway.com
Phone: +1-866-AXWAY-US or
- Go to https://support.axway.com
- Click the "Contact Axway Support" link to display our list of regional support contact phone numbers.
Title: DDIVRT-2010-30 Alcatel-Lucent OmniVista 4760 NMS 'lang' Directory Traversal Vulnerability (CVE-2011-0345)
Severity: High
Date Discovered: October 29th, 2010
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: r@b13$
Vulnerability Description: The Alcatel-Lucent OmniVista 4760 NMS is vulnerable to a directory traversal. This flaw allows remote unauthenticated attackers to retrieve arbitrary files from a vulnerable system.
Solution Description: Alcatel-Lucent has provided a patch for this vulnerability. The patch is available on the vendor's website. If you are unable to patch the system, mitigate this vulnerability by disabling the service, or restricting access to a local interface or a trusted network via a firewall or other means.
Tested Systems / Software (with versions):
OmniVista 4760 NMS version 5.0.07.05
OmniVista 4760 NMS version 5.1.06.03
Vendor Contact: Alcatel-Lucent - http://www.alcatel-lucent.com/
Title: DDIVRT-2009-28 Sun Solaris 10 rpc.cmsd Buffer Overflow and Denial of Service (CVE-2010-3509)
Severity: High
Date Discovered: November 3, 2009
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Alex Kaszczuk, Alan Chin, Jose R. Hernandez and r@b13$
Vulnerability Description: The rpc.cmsd service contains an integer overflow, which can allow a malicious unauthenticated user to cause a denial of service, or remotely execute arbitrary code with root privileges.
Solution Description: Sun has addressed this vulnerability in Sun bugID 6214701. The patch is available for download through the Oracle October Critical Patch Update (CPU) released on 12 October, 2010.
Tested Systems / Software (with versions): Sun Solaris 10 (10/09 Download)
Vendor Contact: Sun Microsystems - http://www.sun.com/
Title: DDIVRT-2010-29 ALPHA Ethernet Adapter II Web-Manager 3.40.2 Authentication Bypass
Severity: High
Date Discovered: April 30, 2010
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Edward Bullard, James Robertson and r@b13$
Vulnerability Description: This version of Web-Manager contains a vulnerability which an intruder can leverage to gain read and write access to configuration settings through the device's web administration interface, leading to a full host compromise.
Solution Description: No patch is available at this time.
Tested Systems / Software (with versions):
Ubuntu Linux 9.10: Mozilla Firefox 3.5.9
Windows XP Professional Service Pack 3: Windows Internet Explorer 7.0.5730.13, Mozilla Firefox 3.6.3
Vendor Contact: Adaptive Micro Systems Inc. - http://www.adaptivedisplays.com/Default.asp
Title: DDIVRT-2009-27 Files2Links F2L-3000 SQL Injection Vulnerability
Severity: Medium
Date Discovered: November 19, 2009
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Rob Kraus, Chris Graham and r@b13$
Vulnerability Description: The login page of the F2L-3000 version 4.0.0 is vulnerable to SQL Injection. Exploitation of the vulnerability may allow attackers to bypass authentication and access sensitive information stored on the device.
Solution Description: A patch is not available at this time. Possible workarounds include disabling the vulnerable service, or limiting access to a set of trusted IP addresses.
Tested Systems / Software (with versions): F2L-3000 version 4.0.0 is the only platform that has been manually tested. Earlier versions and other, similar models may also be vulnerable as the platform is sold in various configurations.
Vendor Contact: Files2Links - http://www.files2links.com/
Title: DDIVRT-2009-26 LogRover SQL Injection Authentication Bypass
Severity: Medium
Date Discovered: May 12th, 2009
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Geoff Humes and r@b13$
Vulnerability Description: The login screen of the LogRover web interface is vulnerable to a SQL Injection which can allow remote attackers to login to the system via an authentication bypass.
Solution Description: Limit access to the login page to internal networks and trusted users only.
Tested Systems / Software (with versions): LogRover version 2.3 for Windows XP
Vendor Contact: LogRover - http://www.logrover.com/
Title: DDIVRT-2009-25 IPsession SQL Injection Vulnerability
Severity: Medium
Date Discovered: March 31st, 2009
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: David Marshall and r@b13$
Vulnerability Description: IPsession runs a web interface on port 8090 that requires valid login credentials. This interface uses user supplied input to form a database query and is vulnerable to SQL injection. This may be used to bypass authentication.
Solution Description: Limit access to the login page to internal networks and trusted users only.
Tested Systems / Software (with versions): Unknown version on Windows 2003
Vendor Contact: IPcelerate - www.ipcelerate.com/ipsession.html
Title: DDIVRT-2009-24 Precidia Ether232 Memory Corruption
Severity: Medium
Date Discovered: March 10th, 2009
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Steven James and princeofnigeria and r@b13$
Vulnerability Description: Certain Precidia Ether232 devices contain memory overwrite and authentication flaws. By making malformed GET requests to the built-in web server on certain Precidia Ether232 devices, it is possible to arbitrarily overwrite memory on the device and cause unknown impact.
Solution Description: At this point in time, Precidia Technologies has not provided a firmware upgrade addressing the memory corruption flaw. As a workaround, Precidia Technologies suggests that users disable the web server on the device through the serial or telnet configuration interface.
Tested Systems / Software (with versions): Precidia Ether3201-232 with firmware 3.00.250, Precidia Ether232 Duo with firmware 5.00.02. Other versions are believed to be vulnerable.
Vendor Contact: Precidia Technologies - solutions@precidia.com, support@precidia.com
Title: DDIVRT-2009-23 Apache ActiveMQ Numerous Cross Site Scripting Issues
Severity: Low
Date Discovered: February 23rd, 2009
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: David Marshall and r@b13$
Vulnerability Description: ActiveMQ 5.2.0's /admin interface gathers input from the user in numerous forms which are not properly sanitized. Attackers may insert script tags to have them execute when a user browses the affected areas of the page.
Solution Description: User-supplied inputs should not be rendered as executable script code when presented back to the user.
Tested Systems / Software (with versions): Windows XP SP3, ActiveMQ 5.2.0 Release Windows Binary
Vendor Contact: The Apache Software Foundation http://activemq.apache.org/
Title: DDIVRT-2009-22 SMART Board Whiteboard Directory Traversal Vulnerability
Severity: High
Date Discovered: January 19, 2009
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: David Marshall and r@b13$
Vulnerability Description: A directory traversal condition exists in SMART Web Server whereby arbitrary files may be retrieved from this host's file system. Attackers may leverage this issue to gain access to sensitive information stored on this host.
Solution Description: No patch is available at this time.
Tested Systems / Software (with versions): Windows XP, SMART Board Whiteboard
Vendor Contact: SMART Technologies ULC http://www.smarttech.com/us
Title: DDIVRT-2009-21 vBook Login Application Cross-site Scripting Vulnerability
Severity: Low
Date Discovered: January 19, 2009
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: David Marshall and r@b13$
Vulnerability Description: Alterations of the title and message parameters in vBook allow attackers to specify arbitrary web or scripting content. This allows scripting tags to be executed by the browser to perform XSS attacks. Such an attack would require convincing a user to click on a specially crafted link.
Solution Description: No patch is available at this time.
Tested Systems / Software (with versions): Windows Server 2003, IIS vBooks v 4.2.17
Vendor Contact: Retrieve Technologies, Inc. http://www.retrieve.com/index.html
Title: DDIVRT-2009-20 NetMRI Login Application Cross-site Scripting Vulnerability
Severity: Medium
Date Discovered: January 19, 2009
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: David Marshall and r@b13$
Vulnerability Description: NetMRI contains a cross-site scripting (XSS) issue whereby portions of the GET request are echoed back in an error page. This allows scripting tags to be executed by the browser to perform XSS attacks. Such an attack would require convincing a user to click on a specially crafted link.
Solution Description: On February 18, 2009, Netcordia released a patch named "CrossScriptPatch.gpg" to address this vulnerability in all currently supported versions of NetMRI through v3.0.1. Customers can acquire the patch through the normal mechanisms or contact Netcordia Technical Support for assistance. Additionally, the necessary changes will be incorporated in future versions beginning with NetMRI v3.0.2.
Tested Systems / Software (with versions): Red Hat Linux, NetMRI
Vendor Contact: Netcordia http://www.netcordia.com/products/netmri-event-analysis.asp
Title: DDIVRT-2009-19 HP JetDirect Web Administration Directory Traversal
Severity: High
Date Discovered: October 23, 2008
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Shmoov and r@b13$
Vulnerability Description: The HP-ChaiSOE/1.0 embedded web server on certain HP JetDirect printers allows a potential attacker to gain read-only access to directories and files outside of the web root. An attacker can leverage this flaw to read arbitrary system configuration files, cached documents, etc. Information obtained from an affected host may facilitate further attacks against the host. Exploitation of this flaw is trivial using common web server directory traversal techniques.
Solution Description: The vendor has released an update. See http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01623905 for more details. Digital Defense, Inc. recommends restricting access to the HP JetDirect web administration interface to authorized hosts only.
Tested Systems / Software (with versions): Embedded web server HP-ChaiSOE/1.0 on:
HP JetDirect 2420
HP JetDirect 4250
Vendor Contact: HP http://www.hp.com/
Title: DDIVRT-2008-18 Orb Directory Denial of Service
Severity: High
Date Discovered: October 21, 2008
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Steven James and r@b13$
Vulnerability Description: Orb Networks' Orb media server is vulnerable to a denial of service condition. Sending malformed http requests may crash the service denying service to legitimate users.
Solution Description: Use firewall rules to restrict access to authorized users of the Orb server.
Tested Systems / Software (with versions):
Orb version 2.01.0022 on Windows XP Pro SP2
Orb version 2.01.0017 on Windows XP Pro SP2
Nullsoft Winamp Remote Server Beta (featuring Orb version 2.01.0013) on Windows XP Pro SP2
Vendor Contact: Orb Networks, www.orb.com
Title: DDIVRT-2008-17 Orb Directory Traversal
Severity: High
Date Discovered: October 21, 2008
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Steven James and r@b13$
Vulnerability Description: Orb Networks' Orb media server is vulnerable to directory traversal attacks. Users can leverage specially crafted GET requests to read arbitrary files.
Solution Description: Use firewall rules to restrict access to authorized users of the Orb server. This issue is fixed in version 2.01.0022 available at http://www.orb.com/download/us/setup_2.01.0022.exe.
Tested Systems / Software (with versions):
Orb version 2.01.0017 on Windows XP Pro SP2
Nullsoft Winamp Remote Server Beta (featuring Orb version 2.01.0013) on Windows XP Pro SP2
Vendor Contact: Orb Networks, www.orb.com
Title: DDIVRT-2008-15 iPhone Configuration Web Utility 1.0 for Windows Directory Traversal
Severity: High
Date Discovered: October 2, 2008
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Corey LeBleu and r@b13$
Vulnerability Description: The iPhone Configuration Web Utility allows centralized management of iPhone configuration settings. The iPhone Configuration Web Utility 1.0 for Windows web interface is vulnerable to a common web directory traversal attack. Successful exploitation will result in arbitrary read-only file access outside of the iPhone Configuration Web Utility 1.0 web root.
Solution Description: Filter network traffic so that only trusted users can access the web interface.
Tested Systems / Software (with versions): Windows XP Professional iPhone Configuration Web Utility 1.0 for Windows
Vendor Contact: Apple Inc., www.apple.com
Title: DDIVRT-2008-14 3Com Wireless 8760 Dual Radio 11a/b/g PoE Access Point Malformed HTTP POST DoS
Severity: Medium
Date Discovered: May 20, 2008
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Brandon Shilling and r@b13$
Vulnerability Description: The 3Com Wireless 8760 Dual Radio 11a/b/g PoE Access Point is an enterprise-grade wireless access point. The web management interface is vulnerable to a DoS condition due to improper validation of malformed HTTP POST requests. Successful exploitation will result in a complete DoS of the device.
Solution Description: 3Com has not addressed this issue at this time. Digital Defense, Inc. does not currently know of any workarounds for this flaw.
Tested Systems / Software (with versions): Tested against 3Com Wireless 8760 Dual Radio 11a/b/g PoE Access Point, firmware unknown.
Vendor Contact: 3Com, www.3com.com
Title: DDIVRT-2008-13 AVTECH PageR Enterprise Directory Traversal
Severity: Medium
Date Discovered: July 1, 2008
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Corey LeBleu and r@b13$
Vulnerability Description: PageR Enterprise is a centralized device / server event monitoring system. The PageR Enterprise server web interface is vulnerable to a common web directory traversal attack. Successful exploitation will result in arbitrary read-only file access outside of the PageR Enterprise web root.
Solution Description: AVTECH has addressed this flaw in PageR version 5.0.7, which was available for public use on August 13, 2008.
Tested Systems / Software (with versions): Tested against PageR Enterprise/4.3.7 running on a Microsoft Windows 2000 system. Other versions of PageR Enterprise may be vulnerable.
Vendor Contact: AVTECH, www.avtech.com, Info@AVTECH.com
Title: DDIVRT-2008-12 ServerView SnmpGetMibValues.exe Buffer Overflow
Severity: High
Date Discovered: May 1, 2008
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Steven James, Mike James and r@b13$
Vulnerability Description: ServerView is a server management suite. Several buffer overflow conditions exist in remotely-accessible portions of the suite. Authenticated users (by default, all users) can cause a stack overflow by sending a specially-crafted URL to the ServerView web interface.
Solution Description: Require authentication for remote users of the web interface to limit the pool of potential malicious users.
Tested Systems / Software (with versions): ServerView 04.60.07 was tested on Windows XP. Other versions are assumed to be vulnerable.
As of yet, a patch has not been issued by the vendor.
Vendor Contact: Fujitsu Siemens, www.fujitsu-siemens.com/
Title: DDIVRT-2008-11 BadBlue uninst.exe Denial of Service
Severity: Medium
Date discovered: March 5, 2008
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Steven James and r@b13$
Vulnerability Description: BadBlue is a web server used for peer-to-peer file sharing. By default, several executable files are stored in the web root: badblue.exe, uninst.exe, and dyndns.exe. Executable files stored in the web root of BadBlue can be launched remotely by any user. This can be leveraged to create a DoS condition by repeatedly invoking the uninst.exe executable. Due to the fact that BadBlue has not released a patch for the previously documented directory traversal vulnerability (CVE-2007-6378), an attacker may utilize these two flaws in conjunction to place a malicious executable in the web root and compromise a vulnerable server.
Solution Description: Restrict access to the executables already in the web root (badblue.exe, uninst.exe, and dyndns.exe) and take steps to ensure that users cannot write files to the web root.
Tested Systems / Software (with versions): BadBlue Personal Edition version 2.72 has been tested on Windows XP and Windows Server 2003. Other versions and systems are assumed to be vulnerable.
Vendor Contact: BadBlue, www.badblue.com
Title: DDIVRT-2008-10 PacketTrap PT360 Tool Suite TFTP Arbitrary File Access
Severity: High
Date discovered: January 29, 2008
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: princeofnigeria and r@b13$
Vulnerability Description: The default installation of the PacketTrap PT360 Tool Suite Version 1.1.33.1.0 TFTP server component is susceptible to directory traversal attack. A remote or local attacker can exploit this flaw to retrieve arbitrary files outside of the TFTP server root directory. This vulnerability also allows a remote attacker to overwrite and modify system files which could facilitate a full system compromise.
Solution Description: PacketTrap Networks, Inc. released a patch (#3302) for this flaw on February 29, 2008.
Tested Systems / Software (with versions): Windows XP Professional Service Pack 2, PacketTrap PT360 Tool Suite Version 1.1.33.1.0.
Other versions may be vulnerable to this flaw.
Vendor Contact: PacketTrap Networks, Inc., www.packettrap.com, sales@packettrap.com, support@packettrap.com, info@packettrap.com
Title: DDIVRT-2008-9 PacketTrap PT360 Tool Suite TFTP Denial of Service
Severity: Medium
Date discovered: January 29, 2008
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: princeofnigeria and r@b13$
Vulnerability Description: The default installation of the PacketTrap PT360 Tool Suite Version 1.1.33.1.0 TFTP server component is susceptible to a denial of service condition. A remote or local attacker can exploit this flaw by sending a specially crafted packet to the TFTP server. Successful exploitation of this flaw will cause the TFTP server process to crash. The TFTP server will need to be restarted to resume normal TFTP server operations.
Solution Description: PacketTrap Networks, Inc. released a patch (#3302) for this flaw on February 29, 2008.
Tested Systems / Software (with versions): Windows XP Professional Service Pack 2, PacketTrap PT360 Tool Suite Version 1.1.33.1.0.
Other versions may be vulnerable to this flaw.
Vendor Contact: PacketTrap Networks, Inc., www.packettrap.com, sales@packettrap.com, support@packettrap.com, info@packettrap.com
Title: DDIVRT-2007-7 Job File Scheduler Authentication Bypass
Severity: High
Date Discovered: November 14th, 2007
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Michael Sunderland
Vulnerability Description: The Job File Scheduler web application is vulnerable to an authentication bypass through SQL injection. Successful exploitation of this vulnerability allows administrative level access to the web application with the ability to make modifications to the configuration of the application and all scheduled jobs. Due to the sensitivity of the data handled through this application, the extent of the compromise could result in the disclosure of personal information such as names, addresses, financial account numbers, SSN, etc.
Solution Description: Digital Defense, Inc. initially notified Trust Data Solutions, LLC on November 28, 2007 and received confirmation from the notification on the same day. Trust Data Solutions, LLC informed DDI that this flaw had previously been identified internally. Special thanks to Trust Data Solutions, LLC for their willingness to work with the DDI VRT staff.
Due to the fact that Trust Data Solutions, LLC does not offer automated patching, it is necessary to contact Trust Data Solutions, LLC specifically concerning the SQL injection flaw in order to obtain the fix.
Tested Systems / Software (with versions): Red Hat Linux / Apache v2.0.52 / Job File Scheduler v2.0
Other versions may be vulnerable to this flaw.
Vendor Contact: Trust Data Solutions, LLC, http://www.trustdatasolutions.com/, Email: support@trustdatasolutions.com
Title: DDIVRT-2007-6 Sentinel Protection Server Directory Traversal
Severity: High
Date discovered: October 10, 2007
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Corey LeBleu
Vulnerability Description: A classic directory traversal condition exists within the Sentinel Protection Server. By sending an HTTP GET request for a file path preceded by an escaped traversal sequence, an attacker can leverage an arbitrary file access condition on the affected system.
Solution Description: Digital Defense, Inc. initially notified SafeNet on October 12, 2007 and received confirmation from the notification on October 30, 2007.
SafeNet informed DDI that it would be releasing a patch for this flaw on November 16, 2007. At this time, DDI does not have a resolution number for the SafeNet patch for this flaw.
Tested Systems / Software (with versions): Sentinel Protection Server 7.1
Other versions may be vulnerable to this flaw.
Vendor Contact: SafeNet, www.safenet-inc.com
Title: DDIVRT-2007-5 NetSupport Manager Client Buffer Overflow
Severity: Medium
Date discovered: September 4, 2007
Discovered by: Digital Defense, Inc. Vulnerability Research Team
Credit: sxkeebler and r@b13$
Vulnerability Description: The NetSupport Manager client that listens on TCP port 5405 does not properly validate input supplied during the initial connection sequence. Specifically, during the configuration exchange part of the initial connection setup, the client does not appear to validate the supplied data, which can result in a DoS of the NetSupport Manager client or of the host in general. Remote code exploitation is also thought to be possible. Within Technical Document ID TD545, NetSupport acknowledges that this flaw is present in unspecified versions of NetSupport School Student.
Solution Description: Digital Defense, Inc. notified NetSupport on September 9, 2007 of this flaw but did not receive any response or acknowledgement from the vendor. However, NetSupport has released a patch for this flaw as described by NetSupport Technical Document ID TD545.
Tested Systems / Software (with versions): NetSupport Manager 10.20 running on Windows XP SP2 and Windows 2K3 SP2.
NetSupport acknowledges in Technical Document ID TD545 that the following versions of the NetSupport Manager are vulnerable to this flaw: NSM 10.00, NSS 9.00, NSM 10.20
Vendor Contact: NetSupport, http://www.netsupport-inc.com/
Title: DDIVRT-2007-4 NetSupport Manager Authentication Bypass
Severity: High
Date discovered: September 4, 2007
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: sxkeebler and r@b13$
Vulnerability Description: The NetSupport Manager client that listens on TCP port 5405 does not properly handle authentication sessions. It is possible to pose as the NetSupport Manager, associate to a client, and then issue commands without performing the authentication sequence. Both the basic and advanced authentication schemes can be bypassed in the same manner. When properly exploited, this flaw will result in a complete compromise of the target system.
Solution Description: Digital Defense, Inc. notified NetSupport on September 9, 2007 of this flaw but did not receive any response or acknowledgement from the vendor. However, NetSupport has released a patch for this flaw as described by NetSupport Technical Document ID TD543.
Tested Systems / Software (with versions): NetSupport Manager 10.20 running on Windows XP SP2 and Windows 2K3 SP2.
NetSupport acknowledges in Technical Document ID TD543 that the following versions of the NetSupport Manager are vulnerable to this flaw: NSM 5.00, NSM 5.01, NSM 5.02, NSM 5.02f1, NSM 5.03, NSM 5.05, NSM 5.30, NSM 5.31, NSM 6.00, NSM 6.10, NSM 6.11, NSM 7.01, NSM 7.10, NSM 8.00, NSM 8.10, NSM 9.00, NSM 8.50, NSM 8.60, NSM 9.10, NSM 9.50, NSM 9.60, NSM 10.00, NSM 10.20
Vendor Contact: NetSupport, http://www.netsupport-inc.com/
Title: TFTPdWin 0.4.2 Server Directory Traversal Vulnerability
Severity: High
Date Discovered: March 15, 2007
Discovered by: Digital Defense, Inc. Vulnerability Research Team
Vulnerability Description: TFTPdWin version 0.4.2 contains a vulnerability that allows a potential intruder to gain read and write access to directories and files outside of the TFTP root. Successful exploitation of this vulnerability may also allow a remote, unauthenticated attacker to overwrite and modify system files, which could facilitate the execution of arbitrary code and ultimately lead to a full system compromise.
Solution Description: No patch is available at this time.
Tested Systems / Software (with versions): Windows XP Professional Service Pack 2, TFTPdWin version 0.4.2. Other versions may be vulnerable.
Vendor Contact: ProSysInfo, www.prosysinfo.webpark.pl
Title: eFileCabinet Authentication Bypass
Severity: Medium
Date Discovered: December 20, 2006
Discovered By: Digital Defense, Inc. Vulnerability Research Team
Vulnerability Description: The eFileCabinet software suite houses digital images of files. Though the eFileCabinet HTTP interface is password protected, it is possible to bypass said access controls to gain partial access to the eFileCabinet software. In order to bypass security, an attacker must supply a non-existent filecabinetnumber, such as 0. An attacker can utilize this access to partially navigate the eFileCabinet HTTP interface. Successful exploitation of this flaw could allow an attacker to create eFileCabinet drawers or potentially to obtain access to sensitive information.
Solution Description: The vendor has been notified of this flaw but has not provided a patch. For more information concerning the eFileCabinet Authentication Bypass flaw, please contact eFileCabinet.
Vendor Verified Systems / Software (with versions): Confirmed on eFileCabinet Version 3.3. Other versions may be vulnerable.
Vendor Contact: eFileCabinet, www.efilecabinet.com