ID SECURITYVULNS:DOC:159 Type securityvulns Reporter Securityvulns Modified 2000-05-07T00:00:00
Description
-[ Cayman 3220-H DSL Router DOS ]-
[ Intro ]
Simple DOS attack against Cayman 3220-H DSL Router.
This message has been copied to Cayman.
[ Description ]
Large username or password strings sent to the Cayman HTTP admin interface
restart the router.
Router log will show "restart not in response to admin command".
[ Tested Versions ]
Hardware:
Cayman-DSL Model 3220-H, DMT-ADSL (Alcatel) plus 4-port hub
Software:
GatorSurf version 5.3.0 (build R1)
GatorSurf version 5.3.0 (build R2)
GatorSurf version 5.5.0 (build R0) <most recent version>
[ Exploit ]
Open URL for router admin interface in your browser.
Username: ...................(x79 or more)
After router restarts (10 seconds) hit refresh on your browser if you want
to down it again.
If you want to be lame you could code this to keep a router down all day
long.
cassius@hushmail.com
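A detection sketch for the log symptom the advisory names, added here as an example and not part of the original message or any Cayman tooling. Only the message text "restart not in response to admin command" comes from the advisory; the timestamp and host layout of the log lines, the sample log, and the 5-minute / 3-event burst threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Message text quoted in the advisory. The line layout around it (timestamp,
# host name, field order) is an assumption made for this example.
RESTART_MARKER = "restart not in response to admin command"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")

# Constructed sample log, not captured from a real device.
SAMPLE_LOG = """\
2000-05-07 09:00:02 router1 restart in response to admin command
2000-05-07 10:15:40 router1 restart not in response to admin command
2000-05-07 10:16:05 router1 restart not in response to admin command
-- log rotated --
2000-05-07 10:16:31 router1 restart not in response to admin command
2000-05-07 14:30:00 router2 restart not in response to admin command
"""


def unexpected_restarts(log_text):
    """Return sorted (timestamp, host) pairs for restarts no admin requested."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip lines that do not fit the assumed layout
        stamp, host, message = match.groups()
        if RESTART_MARKER in message.lower():
            events.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), host))
    return sorted(events)


def restart_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Map host -> (burst start, count) where >= threshold restarts fit in window."""
    by_host = {}
    for stamp, host in sorted(events):
        by_host.setdefault(host, []).append(stamp)
    bursts = {}
    for host, stamps in by_host.items():
        start = 0
        for end, stamp in enumerate(stamps):
            while stamp - stamps[start] > window:
                start += 1  # slide the window forward
            count = end - start + 1
            if count >= threshold and count > bursts.get(host, (None, 0))[1]:
                bursts[host] = (stamps[start], count)
    return bursts


if __name__ == "__main__":
    events = unexpected_restarts(SAMPLE_LOG)
    for stamp, host in events:
        print(f"unexpected restart: {host} at {stamp}")
    for host, (start, count) in restart_bursts(events).items():
        print(f"ALERT {host}: {count} unexpected restarts starting {start}")
```

A single unexpected restart is worth a look on its own; a burst on one device is the pattern to expect when the restart is being triggered repeatedly.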