admin/nvd-json-data-feeds
1
0
Fork 0
mirror of https://github.com/fkie-cad/nvd-json-data-feeds.git synced 2025-05-28 01:02:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
nvd-json-data-feeds/CVE-2017/CVE-2017-93xx/CVE-2017-9392.json
René Helmke 7791f18b51 bootstrap
2023-05-16 16:09:41 +02:00

162 lines
6.7 KiB
JSON
Raw Blame History

{
"id": "CVE-2017-9392",
"sourceIdentifier": "cve@mitre.org",
"published": "2019-06-17T21:15:09.613",
"lastModified": "2019-06-20T13:29:45.970",
"vulnStatus": "Analyzed",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides UPnP services that are available on port 3480 and can also be accessed via port 80 using the url \"/port_3480\". It seems that the UPnP services provide \"request_image\" as one of the service actions for a normal user to retrieve an image from a camera that is controlled by the controller. It seems that the \"res\" (resolution) parameter passed in the query string is not sanitized and is stored on the stack which allows an attacker to overflow the buffer. The function \"LU::Generic_IP_Camera_Manager::REQ_Image\" is activated when the lu_request_image is passed as the \"id\" parameter in the query string. This function then calls \"LU::Generic_IP_Camera_Manager::GetUrlFromArguments\". This function retrieves all the parameters passed in the query string including \"res\" and then uses the value passed in it to fill up buffer using the sprintf function. However, the function in this case lacks a simple length check and as a result an attacker who is able to send more than 184 characters can easily overflow the values stored on the stack including the $RA value and thus execute code on the device."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en los dispositivos VeraEdge versi\u00f3n 1.7.19 y Veralite versi\u00f3n 1.7.481 de Vera . El dispositivo proporciona servicios UPnP que est\u00e1n disponibles en el puerto 3480 y tambi\u00e9n pueden ser accedidos por medio del puerto 80 mediante la url \"/port_3480\". Parece que los servicios UPnP proporcionan \"request_image\" como una de las acciones de servicio para que un usuario normal recupere una imagen de una c\u00e1mara que es controlada por el controlador. Al parecer el par\u00e1metro \"res\" (resoluci\u00f3n) pasado en la cadena de consulta no est\u00e1 saneado y se almacena en la pila, lo que permite a un atacante desbordar el b\u00fafer. La funci\u00f3n \"LU::Generic_IP_Camera_Manager::REQ_Image\" se activa cuando lu_request_image se pasa como el par\u00e1metro \"id\" en la cadena de consulta. Esta funci\u00f3n llama a \"LU::Generic_IP_Camera_Manager::GetUrlFromArguments\". Esta funci\u00f3n recupera todos los par\u00e1metros pasados ??en la cadena de consulta incluyendo \"res\" y despu\u00e9s usa el valor pasado en ella para llenar el b\u00fafer usando la funci\u00f3n sprintf. Sin embargo, la funci\u00f3n en este caso carece de una comprobaci\u00f3n de longitud simple y, como resultado, un atacante que puede enviar m\u00e1s de 184 caracteres puede desbordar f\u00e1cilmente los valores almacenados en la pila, incluyendo el valor de $RA y as\u00ed ejecutar el c\u00f3digo en el dispositivo."
}
],
"metrics": {
"cvssMetricV30": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9
}
],
"cvssMetricV2": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"accessVector": "NETWORK",
"accessComplexity": "LOW",
"authentication": "SINGLE",
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0
},
"baseSeverity": "HIGH",
"exploitabilityScore": 8.0,
"impactScore": 10.0,
"acInsufInfo": false,
"obtainAllPrivilege": false,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false
}
]
},
"weaknesses": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-119"
}
]
}
],
"configurations": [
{
"operator": "AND",
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:getvera:veraedge_firmware:*:*:*:*:*:*:*:*",
"versionEndIncluding": "1.7.19",
"matchCriteriaId": "49C1D79D-A586-4D41-A10C-1815E6E0D765"
}
]
},
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": false,
"criteria": "cpe:2.3:h:getvera:veraedge:-:*:*:*:*:*:*:*",
"matchCriteriaId": "0A3D3CAC-84A4-4F14-8FB6-1E6437F8D2C0"
}
]
}
]
},
{
"operator": "AND",
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:getvera:veralite_firmware:*:*:*:*:*:*:*:*",
"versionEndIncluding": "1.7.481",
"matchCriteriaId": "AC96E7A8-DB6C-47C8-9B33-AE4ED418C70E"
}
]
},
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": false,
"criteria": "cpe:2.3:h:getvera:veralite:-:*:*:*:*:*:*:*",
"matchCriteriaId": "914728A7-7BA3-4612-A6AA-172B24431947"
}
]
}
]
}
],
"references": [
{
"url": "http://packetstormsecurity.com/files/153242/Veralite-Veraedge-Router-XSS-Command-Injection-CSRF-Traversal.html",
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
]
},
{
"url": "https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Vera_sec_issues.pdf",
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
]
},
{
"url": "https://seclists.org/bugtraq/2019/Jun/8",
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
]
}
]
}
Reference in New Issue View Git Blame Copy Permalink