
# Protocol-Vulnerability

This project aims to keep an archive of the most severe vulnerabilities found in widespread protocols.

## Table of contents

- AFP (Apple Filing Protocol)
- BGP (Border Gateway Protocol)
- BLE (Bluetooth Low Energy)
- Bluetooth
- CDP (Cisco Discovery Protocol)
- DNS
- EtherNet/IP
- IPP (Internet Printing Protocol)
- LTE
- LoRaWAN
- PPP (Point-to-Point Protocol)
- SLP (Service Location Protocol)
- SMB (Server Message Block)
- SNMP (Simple Network Management Protocol)
- TCP/IP
- TDP (TP-Link tdpServer)
- Thunderbolt
- UPnP (Universal Plug and Play)
- WLAN
- Related Resources
- Contributors

## AFP (Apple Filing Protocol)

| ID/Alias | Description | References |
| --- | --- | --- |
| CVE-2018-1160 | Netatalk before 3.1.12 is vulnerable to an out-of-bounds write in dsi_opensess.c, caused by a missing bounds check on attacker-controlled data (the length byte of a DSIOpenSession option). A remote, unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution. | Exploiting an 18 Year Old Bug; Netatalk CVE-2018-1160 out-of-bounds write vulnerability analysis |
| CVE-2021-31439 | The flaw exists within the processing of DSI structures in Netatalk. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. | Synology DiskStation Manager Netatalk dsi_doff Heap-based Buffer Overflow Remote Code Execution Vulnerability |
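The CVE-2018-1160 bug is a textbook length-trusting TLV parser, so here is a parser for the DSIOpenSession option list in the vulnerable and the hardened shape. This is an added example written for this page, not Netatalk code: the option type values, the 4-byte size of the attention-quantum field and the (type, length, value) layout follow the Tenable write-up cited above, and the sample payloads are constructed, not captured. The unpatched C loop did a `memcpy` of `length` bytes into the 4-byte `attn_quantum` field of the DSI struct, which the Python version cannot reproduce; it records how many bytes would have spilled past the field instead.

```python
import struct

# Option types for DSIOpenSession (values assumed for this example; the
# fixed-size attention quantum is the field the original bug overflowed).
DSIOPT_ATTNQUANT = 0x01   # attention quantum, a 4-byte value
DSIOPT_SERVQUANT = 0x00   # server quantum, ignored by the server
ATTN_QUANTUM_SIZE = 4     # sizeof(dsi->attn_quantum) in the C struct


class DSIError(ValueError):
    """Raised by the hardened parser on a malformed option list."""


def parse_open_session_options(payload: bytes, hardened: bool = True) -> dict:
    """Walk the (type, length, value) options of a DSIOpenSession payload.

    hardened=False follows the pre-3.1.12 logic: the per-option length byte
    is trusted and ATTNQUANT copies `length` bytes into a 4-byte field.
    hardened=True applies the checks a fixed parser needs: every option must
    fit inside the payload, and ATTNQUANT must be exactly 4 bytes long.
    """
    result = {"attn_quantum": None, "spilled_bytes": 0, "options": []}
    i, n = 0, len(payload)
    while i < n:
        opt_type = payload[i]
        i += 1
        if i >= n:
            if hardened:
                raise DSIError("option type without a length byte")
            break
        opt_len = payload[i]
        i += 1
        value = payload[i:i + opt_len]
        if hardened and len(value) != opt_len:
            raise DSIError(f"option 0x{opt_type:02x}: length {opt_len} runs past the payload")
        if opt_type == DSIOPT_ATTNQUANT:
            if hardened and opt_len != ATTN_QUANTUM_SIZE:
                raise DSIError(f"ATTNQUANT length {opt_len}, expected {ATTN_QUANTUM_SIZE}")
            # In C, bytes beyond the 4-byte field overwrite whatever follows
            # attn_quantum in the DSI struct; we only count them here.
            result["spilled_bytes"] = max(0, opt_len - ATTN_QUANTUM_SIZE)
            result["attn_quantum"] = struct.unpack(">I", value[:4].ljust(4, b"\0"))[0]
        result["options"].append((opt_type, bytes(value)))
        i += opt_len
    return result


def is_safe_open_session(payload: bytes) -> bool:
    """True if the hardened parser accepts the payload."""
    try:
        parse_open_session_options(payload, hardened=True)
        return True
    except DSIError:
        return False


# Constructed sample payloads (not captured traffic).
BENIGN_OPEN_SESSION = (
    bytes([DSIOPT_ATTNQUANT, 4]) + struct.pack(">I", 0x400)
    + bytes([DSIOPT_SERVQUANT, 4]) + struct.pack(">I", 0x10000)
)
# The attack shape: an ATTNQUANT option claiming 255 bytes of value.
OVERFLOW_OPEN_SESSION = bytes([DSIOPT_ATTNQUANT, 0xFF]) + b"A" * 0xFF

if __name__ == "__main__":
    print(parse_open_session_options(BENIGN_OPEN_SESSION))
    print("unpatched view:", parse_open_session_options(OVERFLOW_OPEN_SESSION, hardened=False)["spilled_bytes"], "bytes spilled")
    print("hardened accepts attack payload:", is_safe_open_session(OVERFLOW_OPEN_SESSION))
```

The two checks in the hardened path are independent: the first stops a length byte from reading past the buffer, the second stops a valid-but-oversized option from being copied into a fixed-size field, which is the write primitive the exploit used.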

## BGP (Border Gateway Protocol)

| ID/Alias | Description | References |
| --- | --- | --- |
| BGP Hijacking | A BGP hijack occurs when a malicious node deceives another node by announcing routes (prefixes) it does not legitimately hold. Without route-origin validation or similar protection, this misinformation propagates from node to node until a large number of nodes know about, and attempt to use, these incorrect, nonexistent, or malicious routes. From the victim's point of view it behaves like spoofing of its public address space, and it is hard to detect without external route monitoring. | BGP Hijacking blog post by Cloudflare |

## BLE (Bluetooth Low Energy)

| ID/Alias | Description | References |
| --- | --- | --- |
| CVE-2020-9770 (BLESA) | BLESA takes advantage of the fact that re-authentication when reconnecting to a previously paired device is optional under the BLE standard, so an attacker can eavesdrop on and spoof data. Because BLE advertising packets are sent in plaintext, an attacker can mimic the server by replaying the same packets and cloning its MAC address; the attacker can then transmit spoofed advertising packets whenever the client starts a new session with the previously paired server. | News Article; Research Paper; CVE-2020-9770 |
| CVE-2020-15802 (BLURtooth) | BLURtooth (the BLUR attacks) exploits the lack of cross-transport key validation, allowing an attacker to bypass Bluetooth Classic and Bluetooth Low Energy security mechanisms. This affects the Cross-Transport Key Derivation (CTKD) component in Bluetooth 4.0 to Bluetooth 5.0. | CVE-2020-15802; BLURtooth Website |

## Bluetooth

| ID/Alias | Description | References |
| --- | --- | --- |
| BlueBorne (multiple CVEs) | RCE on Android: CVE-2017-0781 and CVE-2017-0782. MitM on Windows: CVE-2017-8628. RCE on iOS: CVE-2017-14315. BlueBorne contains even more vulnerabilities, but only the highest-severity ones are listed here. | BlueBorne Blog; BlueBorne PoC Code |
| CVE-2020-15802 (BLURtooth) | BLURtooth (the BLUR attacks) exploits the lack of cross-transport key validation, allowing an attacker to bypass Bluetooth Classic and Bluetooth Low Energy security mechanisms. This affects the Cross-Transport Key Derivation (CTKD) component in Bluetooth 4.0 to Bluetooth 5.0. | CVE-2020-15802; BLURtooth Website |
| CVE-2020-0022 (BlueFrag) | In reassemble_and_dispatch of packet_fragmenter.cc, there is a possible out-of-bounds write due to an incorrect bounds calculation. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation. | CVE-2020-0022 an Android 8.0-9.0 Bluetooth Zero-Click RCE – BlueFrag |
| CVE-2020-10135 (BIAS) | Legacy pairing and Secure Connections pairing authentication in Bluetooth BR/EDR Core Specification v5.2 and earlier may allow an unauthenticated user to complete authentication without pairing credentials via adjacent access. An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or slave to pair with a previously paired remote device and successfully complete the authentication procedure without knowing the link key. | BIAS |
| CVE-2019-9506 (KNOB) | The Bluetooth specification includes an encryption key negotiation protocol that allows negotiating encryption keys with 1 byte of entropy without protecting the integrity of the negotiation process. A remote attacker can manipulate the entropy negotiation to make any standard-compliant Bluetooth device negotiate encryption keys with 1 byte of entropy, then brute force the low-entropy keys in real time. | KNOB Attack |
| BleedingTooth | Potential security vulnerabilities in BlueZ may allow escalation of privilege or information disclosure. BlueZ is releasing Linux kernel fixes to address these potential vulnerabilities. | CVE-2020-12351; CVE-2020-12352; CVE-2020-24490 |

## CDP (Cisco Discovery Protocol)

| ID/Alias | Description | References |
| --- | --- | --- |
| CDPwn | Armis Labs discovered five zero-day vulnerabilities affecting a wide array of Cisco products, including Cisco routers, switches, IP phones and IP cameras. Four of the vulnerabilities enable Remote Code Execution (RCE); the fifth is a Denial of Service (DoS) vulnerability that can halt the operation of entire networks. | Armis-CDPwn-WP |

## DNS

| ID/Alias | Description | References |
| --- | --- | --- |
| CVE-2020-1350 (SIGRed) | A wormable, critical vulnerability (CVSS base score of 10.0) in the Windows DNS server that affects Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response. As the service runs with elevated privileges (SYSTEM), successful exploitation grants the attacker Domain Administrator rights, effectively compromising the entire corporate infrastructure. | SIGRed – Resolving Your Way into Domain Admin: Exploiting a 17 Year-old Bug in Windows DNS Servers; CVE-2020-1350 (SIGRed) - Windows DNS DoS Exploit |
| DNSpooq | Cache poisoning and RCE in the popular DNS forwarder dnsmasq. | DNSpooq_Technical-Whitepaper |
| NAME:WRECK | Breaking and fixing DNS implementations. | White Paper; blackhat-asia-21-Slides |

## EtherNet/IP

| ID/Alias | Description | References |
| --- | --- | --- |
| OpENer ENIP/CIP Stack Vulnerabilities | The OpENer EtherNet/IP stack implements the familiar ENIP and CIP protocols that run inside numerous commercial products across the industrial domain. Its popularity among the major SCADA vendors that use it puts a premium on finding security vulnerabilities before threat actors can exploit them. | Claroty Discloses OpENer ENIP/CIP Stack Vulnerabilities |

## IPP (Internet Printing Protocol)

| ID/Alias | Description | References |
| --- | --- | --- |
| CVE-2019-8675 | Stephan Zeisberg discovered that the CUPS SNMP backend incorrectly handled encoded ASN.1 inputs. A remote attacker could possibly use this issue to cause CUPS to crash by providing specially crafted network traffic. | |

## LTE

| ID/Alias | Description | References |
| --- | --- | --- |
| ReVoLTE | ReVoLTE exploits an LTE implementation flaw to recover the contents of an encrypted VoLTE call, enabling an adversary to eavesdrop on VoLTE phone calls. ReVoLTE makes use of predictable keystream reuse, which was discovered by Raza and Lu. The keystream reuse allows an adversary to decrypt a recorded call with minimal resources. | ReVoLTE Website; Mobile Sentinel: A ReVoLTE detector |

## LoRaWAN

| ID/Alias | Description | References |
| --- | --- | --- |
| LoRaDawn | LoRaDawn is a series of vulnerabilities in LoRaWAN discovered by Tencent Blade Team that can cause remote denial of service of a LoRaWAN node and, under certain conditions, code execution on a LoRaWAN gateway. As a well-known LoRaWAN protocol stack, LoRaMac-node is widely used in nodes and modules from LoRaWAN vendors. CVE-2020-11068 (LoRaMac-node), CVE-2020-4060 (LoRa Basics Station). | LoRaDawn - Multiple LoRaWAN Security Vulnerabilities |

## PPP (Point-to-Point Protocol)

| ID/Alias | Description | References |
| --- | --- | --- |
| CVE-2020-8597 | A buffer overflow vulnerability in pppd due to a logic flaw in the packet processor of the Extensible Authentication Protocol (EAP). An unauthenticated, remote attacker who sends a specially crafted EAP packet to a vulnerable PPP client or server could cause a denial-of-service condition or gain arbitrary code execution. | Exploiting CVE-2020-8597 |

## SLP (Service Location Protocol)

| ID/Alias | Description | References |
| --- | --- | --- |
| CVE-2019-5544 | The vulnerability is due to a heap overwrite issue in OpenSLP as used in ESXi and Horizon DaaS appliances. Malicious users with network access to port 427 on an ESXi host or a Horizon DaaS platform may overwrite the heap of the OpenSLP service, eventually causing remote code execution. | openslp 1.2.1, 2.0.0 heap overflow vulnerability |

## SMB (Server Message Block)

| ID/Alias | Description | References |
| --- | --- | --- |
| MS17-010 (EternalBlue) | EternalBlue (patched by Microsoft via MS17-010) is a security flaw in how a Windows SMB 1.0 (SMBv1) server handles certain requests. If successfully exploited, it allows attackers to execute arbitrary code on the target system. | MS17-010 |
| CVE-2020-0796 (SMBGhost) | A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'. The root cause is an integer overflow in the handling of the SMB2 compression transform header. | CVE-2020-0796 Remote Code Execution POC; SMBGhost_RCE_PoC |
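To make the SMBGhost root cause concrete, here is a parser for the SMB2 compression transform header with the unpatched allocation arithmetic beside a hardened check. This is an added example written for this page, not Microsoft or PoC code: the 16-byte header layout is the MS-SMB2 COMPRESSION_TRANSFORM_HEADER (ProtocolId, OriginalCompressedSegmentSize, CompressionAlgorithm, Flags, Offset), the segment-size cap is an assumed value, and the sample packets are constructed. The unpatched server sized its buffer from the 32-bit sum of OriginalCompressedSegmentSize and Offset, which wraps to a small number when the attacker sets OriginalCompressedSegmentSize near 2^32.

```python
import struct

# MS-SMB2 COMPRESSION_TRANSFORM_HEADER (unchained form), little-endian.
SMB2_COMPRESSION_TRANSFORM_ID = b"\xfcSMB"
HEADER_FMT = "<4sIHHI"   # ProtocolId, OriginalCompressedSegmentSize, CompressionAlgorithm, Flags, Offset
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 16
U32_MAX = 0xFFFFFFFF
# Largest decompressed segment a server should accept; an assumed value
# for this example, not a Windows constant.
MAX_DECOMPRESSED_SEGMENT = 8 * 1024 * 1024


def parse_compression_header(packet: bytes) -> dict:
    """Split off the transform header and report how much payload follows it."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the compression transform header")
    proto, orig_size, algo, flags, offset = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if proto != SMB2_COMPRESSION_TRANSFORM_ID:
        raise ValueError("not an SMB2 compression transform header")
    return {"original_size": orig_size, "algorithm": algo, "flags": flags,
            "offset": offset, "payload_len": len(packet) - HEADER_LEN}


def unpatched_allocation_size(hdr: dict) -> int:
    """Buffer size the unpatched path would compute: a 32-bit sum that
    silently wraps, so a huge OriginalCompressedSegmentSize plus a small
    Offset yields a tiny buffer for a large decompression."""
    return (hdr["original_size"] + hdr["offset"]) & U32_MAX


def check_compression_header(hdr: dict):
    """Hardened validation: compute the sum without wrap-around and reject
    anything that cannot fit. Returns (ok, reason)."""
    total = hdr["original_size"] + hdr["offset"]   # Python ints never wrap
    if total > U32_MAX:
        return False, "OriginalCompressedSegmentSize + Offset overflows 32 bits"
    if hdr["offset"] > hdr["payload_len"]:
        return False, "Offset points past the end of the received data"
    if total > MAX_DECOMPRESSED_SEGMENT:
        return False, "decompressed segment larger than the configured maximum"
    return True, "ok"


def build_header(orig_size: int, offset: int, algorithm: int = 1, flags: int = 0) -> bytes:
    """Pack a transform header; algorithm 1 is LZNT1 in MS-SMB2."""
    return struct.pack(HEADER_FMT, SMB2_COMPRESSION_TRANSFORM_ID, orig_size, algorithm, flags, offset)


# Constructed samples: a plausible benign header and the wrap-around shape.
BENIGN_PACKET = build_header(0x1000, 0x20) + b"\x00" * 0x20 + b"\x11" * 8
WRAPAROUND_PACKET = build_header(0xFFFFFFFF, 0x20) + b"\x00" * 0x20 + b"\x11" * 8

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_PACKET), ("wraparound", WRAPAROUND_PACKET)):
        hdr = parse_compression_header(pkt)
        print(name, "unpatched alloc:", hex(unpatched_allocation_size(hdr)),
              "hardened:", check_compression_header(hdr))
```

The first check alone closes the overflow; the other two are the checks a decompression path needs anyway (Offset inside the data actually received, and an upper bound so a single message cannot demand gigabytes).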

## SNMP (Simple Network Management Protocol)

| ID/Alias | Description | References |
| --- | --- | --- |
| CVE-2017-6736 | The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 12.0 through 12.4 and 15.0 through 15.6 and IOS XE 2.2 through 3.17 contains multiple vulnerabilities that could allow an authenticated, remote attacker to execute code on an affected system or cause it to reload. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6; only traffic directed to the affected system can be used. The vulnerabilities are due to a buffer overflow condition in the SNMP subsystem of the affected software. | CVE-2017-6736 Cisco IOS remote code execution vulnerability analysis |

## TCP/IP

| ID/Alias | Description | References |
| --- | --- | --- |
| Urgent11 | The Urgent11 security flaws reside in the TCP/IP (IPnet) networking stack, a component of the VxWorks RTOS that manages the device's ability to connect to the Internet or to other devices on a local network. | [Urgent11 Technical White Paper](https://info.armis.com/rs/645-PDC-047/images/Urgent11%20Technical%20White%20Paper.pdf) |
| CVE-2020-11896 (Ripple20) | CVE-2020-11896 is a critical vulnerability in the Treck TCP/IP stack. It allows remote code execution by any attacker who can send UDP packets to an open port on the target device. A prerequisite is that the device supports IP fragmentation with IP tunneling; in some cases where this prerequisite is not met, a DoS vulnerability remains. | JSOF_Ripple20_Technical_Whitepaper_June20 |
| CVE-2020-16898 (Bad Neighbor) | A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets that use Option Type 25 (Recursive DNS Server Option) with an even length field value. | CVE-2020-16898: "Bad Neighbor" |
| Amnesia:33 | AMNESIA:33 is the first study published under Project Memoria. It presents the results of a security analysis of seven open source TCP/IP stacks and reports a bundle of 33 new vulnerabilities found in four of the seven analyzed stacks, which are used by major IoT, OT and IT device vendors. | Amnesia:33 |
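The Bad Neighbor trigger is a malformed option that a network sensor can spot without any Windows internals, so here is a Router Advertisement option walker with a detection rule for it. This is an added example written for this page, not code from the advisory or the analyses it references: the ICMPv6 RA and RDNSS layouts follow RFC 4861 and RFC 8106, and the sample packets are constructed (checksums are left at zero). The rule rests on arithmetic the page's description implies: an RDNSS option is an 8-byte header plus n 16-byte addresses, so a valid length field (in units of 8 octets) is always 1 + 2n, odd and at least 3; an even length cannot describe whole addresses.

```python
import struct
import ipaddress

ICMPV6_ROUTER_ADVERTISEMENT = 134
RA_HEADER_LEN = 16   # type, code, checksum, hop limit, flags, router lifetime, reachable, retrans
OPT_RDNSS = 25       # RFC 8106 Recursive DNS Server option


def parse_ra_options(icmpv6: bytes):
    """Yield (type, length_field, raw_option) for every option in an RA.
    The length field counts 8-octet units and includes the type/length bytes."""
    if len(icmpv6) < RA_HEADER_LEN or icmpv6[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    i = RA_HEADER_LEN
    while i + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[i], icmpv6[i + 1]
        if opt_len == 0:
            raise ValueError("zero-length option (forbidden by RFC 4861)")
        end = i + opt_len * 8
        yield opt_type, opt_len, icmpv6[i:end]
        i = end


def rdnss_addresses(raw: bytes):
    """Addresses carried by a well-formed RDNSS option (8-byte header, then 16-byte addresses)."""
    n = (raw[1] - 1) // 2
    return [str(ipaddress.IPv6Address(raw[8 + 16 * k: 24 + 16 * k])) for k in range(n)]


def rdnss_findings(icmpv6: bytes) -> list:
    """Detection rule for the CVE-2020-16898 packet shape: any RDNSS option
    whose length field is even or below 3 is reported."""
    findings = []
    for opt_type, opt_len, raw in parse_ra_options(icmpv6):
        if opt_type != OPT_RDNSS:
            continue
        if opt_len < 3 or opt_len % 2 == 0:
            findings.append(f"RDNSS option with invalid length field {opt_len} "
                            f"({len(raw)} bytes on the wire)")
    return findings


def build_ra(options: bytes) -> bytes:
    # type 134, code 0, checksum 0 (not computed), hop limit 64, flags 0,
    # router lifetime 1800 s, reachable time 0, retrans timer 0
    return struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0) + options


def build_rdnss(length_field: int, lifetime: int, addrs) -> bytes:
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    return struct.pack("!BBHI", OPT_RDNSS, length_field, 0, lifetime) + body


# Constructed samples. The valid RA carries one DNS server (length 3).
# The bad one claims length 4 (32 bytes) but holds one address, so the
# last 8 bytes are attacker-chosen filler that a length-driven walker
# and an address-count-driven walker disagree about.
GOOD_RA = build_ra(build_rdnss(3, 3600, ["2001:db8::53"]))
BAD_RA = build_ra(build_rdnss(4, 3600, ["2001:db8::53"]) + b"\x41" * 8)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_RA), ("bad", BAD_RA)):
        print(name, rdnss_findings(pkt))
```

The rule is strict by construction: a length below 3 carries no address at all, and an even length leaves 8 bytes that are neither header nor address. Legitimate routers never emit either, so alerting on them costs no false positives.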

## TDP (TP-Link tdpServer)

| ID/Alias | Description | References |
| --- | --- | --- |
| TDP protocol (CVE-2021-27246) | The vulnerability resides in the sync-server daemon running on the TP-Link Archer A7 (AC1750) router, and can be exploited remotely by an attacker on the LAN side of the router without authentication. The sync-server does not respond to network requests itself, but parses data that the tdpServer daemon writes into shared memory. By sending carefully chosen data to tdpServer with appropriate timing, arbitrary code execution in sync-server is achieved and the attacker gains total control of the router with the highest level of privileges. | Pwn2Own Tokyo 2020: Defeating the TP-Link AC1750 (Synacktiv) |

## Thunderbolt

| ID/Alias | Description | References |
| --- | --- | --- |
| Thunderspy | Thunderspy targets devices with a Thunderbolt port. If your computer has such a port, an attacker who gets brief physical access to it can read and copy all your data, even if your drive is encrypted and your computer is locked or set to sleep. | thunderspy |

## UPnP (Universal Plug and Play)

| ID/Alias | Description | References |
| --- | --- | --- |
| CVE-2017-17215 | Huawei HG532 with some customized versions has a remote code execution vulnerability. An authenticated attacker could send malicious packets to port 37215 to launch attacks. Successful exploitation could lead to the remote execution of arbitrary code. | Huawei HG532 series router remote command execution vulnerability analysis |
| CVE-2020-12695 (CallStranger) | The CallStranger vulnerability, found in billions of UPnP devices, can be used to exfiltrate data (even past proper DLP/border security controls), to scan your network, or even to make your network participate in a DDoS attack. It is caused by the Callback header value of the UPnP SUBSCRIBE function being attacker-controlled, which yields an SSRF-like vulnerability affecting millions of Internet-facing and billions of LAN devices. | CallStranger |
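Since CallStranger is entirely about one header, here is a SUBSCRIBE parser with the check a device should apply to the Callback URL, as an added example written for this page, not code from the CallStranger project or any UPnP stack. The request layout follows the UPnP Device Architecture 1.1 eventing section (SUBSCRIBE with CALLBACK, NT and TIMEOUT headers). The acceptance rule is an assumption chosen for this example, stricter than the specification: every Callback URL must be plain http, carry an explicit port, and point back at the IP address that sent the SUBSCRIBE. The sample requests are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

CALLBACK_URL_RE = re.compile(r"<([^>]+)>")   # CALLBACK: <url1><url2>...


def parse_subscribe(raw: str) -> dict:
    """Parse the request line and headers of an HTTP-style UPnP request."""
    lines = raw.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def callback_urls(headers: dict) -> list:
    return CALLBACK_URL_RE.findall(headers.get("callback", ""))


def check_subscribe(req: dict, client_ip: str):
    """Return (accept, reason). Rejects the CallStranger shape, where the
    Callback names a host other than the subscriber (an internal service
    for scanning/exfiltration, or an Internet victim for DDoS)."""
    if req["method"] != "SUBSCRIBE":
        return False, "not a SUBSCRIBE request"
    if req["headers"].get("nt", "").lower() != "upnp:event":
        return False, "missing NT: upnp:event"
    urls = callback_urls(req["headers"])
    if not urls:
        return False, "no CALLBACK URL"
    subscriber = ipaddress.ip_address(client_ip)
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme != "http":
            return False, f"callback scheme {parts.scheme!r} not allowed"
        try:
            host = ipaddress.ip_address(parts.hostname)
            port = parts.port
        except ValueError:
            return False, f"callback host/port in {url!r} is not a valid IP literal and port"
        if host != subscriber:
            return False, f"callback host {host} differs from subscriber {subscriber}"
        if port is None:
            return False, "callback URL has no explicit port"
    return True, "ok"


# Constructed requests (not captured traffic).
GOOD_SUBSCRIBE = (
    "SUBSCRIBE /upnp/event/basicevent1 HTTP/1.1\r\n"
    "HOST: 192.168.1.1:49152\r\n"
    "CALLBACK: <http://192.168.1.50:5000/notify>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n"
    "\r\n"
)
# CallStranger shape: the subscriber points the device at a third host.
CALLSTRANGER_SUBSCRIBE = (
    "SUBSCRIBE /upnp/event/basicevent1 HTTP/1.1\r\n"
    "HOST: 192.168.1.1:49152\r\n"
    "CALLBACK: <http://198.51.100.10:80/collect?d=secret><http://10.0.0.7:22/>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(check_subscribe(parse_subscribe(GOOD_SUBSCRIBE), "192.168.1.50"))
    print(check_subscribe(parse_subscribe(CALLSTRANGER_SUBSCRIBE), "192.168.1.50"))
```

Requiring an IP literal rather than a hostname matters: a DNS name in the Callback would let the attacker choose the target at resolution time, after the check.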

## WLAN

| ID/Alias | Description | References |
| --- | --- | --- |
| CVE-2019-10539 (QualPwn) | Possible buffer overflow due to a missing length check when parsing the extended capabilities IE header length. | QualPwn - Exploiting Qualcomm WLAN and Modem Over The Air |
| CVE-2019-11151 | Memory corruption issues in Intel Wi-Fi drivers before version 21.40 may allow a privileged user to potentially enable escalation of privilege, denial of service, and information disclosure via local access. | Analyzing a Trio of Remote Code Execution Bugs in Intel Wireless Adapters |
| CVE-2019-15126 (Kr00k) | A vulnerability in Broadcom and Cypress Wi-Fi chips that allows unauthorized decryption of some WPA2-encrypted traffic. | Wi-Fi WPA2 "Kr00k" information-leak vulnerability analysis and reproduction |

## Related Resources

- Network-Communication-Protocols.pdf

## Contributors