Kevin Finisterre

**Name of the Vulnerable Software and Affected Versions** Unitree robotic products (Go2, G1, H1, and B2 devices) **Description** Multiple Unitree robotic products sharing a common firmware contain a command injection issue. An attacker can inject a malicious string during WiFi configuration via a BLE module, and then trigger a restart of the WiFi service. This allows the attacker to execute commands as root through the `wpa supplicant restart.sh` shell script. The vulnerability affects devices using firmware derived from the MIT Cheetah codebase, including the G1 (humanoid) and Go2 (quadruped) branches. **Recommendations** Unitree Go2 robots: Consider temporarily disabling the bluetooth protocol as a mitigation measure. Unitree G1 robots: Consider temporarily disabling the bluetooth protocol as a mitigation measure. Unitree H1 robots: Consider temporarily disabling the bluetooth protocol as a mitigation measure. Unitree B2 robots: Consider temporarily disabling the bluetooth protocol as a mitigation measure. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** UnitreeRobotics Zhexi/Oray (affected versions not specified) **Description** The issue concerns an undocumented backdoor in the robotic device. This backdoor allows the manufacturer and anyone with the correct API key to gain complete remote control over the device using the CloudSail remote access service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DJI drone devices sold in 2017 through 2022 **Description** The issue concerns DJI drone devices broadcasting unencrypted information about the drone operator's physical location via the AeroScope protocol. **Recommendations** For DJI drone devices sold in 2017 through 2022, consider disabling the AeroScope protocol until a patch or fix is available to prevent the broadcast of unencrypted location information.

**Name of the Vulnerable Software and Affected Versions** Wyse Device Manager (WDM) versions 4.7.x **Description** The issue allows remote attackers to obtain management access without requiring authentication for commands. This can be achieved by sending a crafted query, such as a V52 query, which can trigger actions like powering off the device. **Recommendations** For Wyse Device Manager (WDM) versions 4.7.x, consider restricting access to the `hagent.exe` component to minimize the risk of exploitation until a patch is available. As a temporary workaround, limit the ability to send crafted queries to the affected system.

**Name of the Vulnerable Software and Affected Versions** Wyse Device Manager versions 4.7.x **Description** The issue concerns multiple buffer overflows that allow remote attackers to execute arbitrary code. This can be achieved via the User-Agent HTTP header to hserver.dll or through unspecified input to hagent.exe. **Recommendations** For Wyse Device Manager versions 4.7.x, consider restricting access to hserver.dll and hagent.exe to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using the User-Agent HTTP header in requests to hserver.dll. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DevonIT thin-client management tool (affected versions not specified) **Description** The issue allows remote attackers to obtain administrative control over client machines by discovering a shared secret used for authentication. This is possible because the secret is transmitted in cleartext, making it easier for attackers to sniff the network and discover the secret value. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DevonIT thin-client management tool (affected versions not specified) **Description** A buffer overflow issue in the tm-console-bin component of the DevonIT thin-client management tool may allow remote attackers to execute arbitrary code. The specific vectors used for the attack are not specified. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Wyse ThinOS versions prior to 6.5 **Description** A buffer overflow issue allows remote attackers to cause a denial of service, potentially leading to a crash, and possibly execute arbitrary code via a long string to the LPD service. **Recommendations** For versions prior to 6.5, update to version 6.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the LPD service to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apple Mac OS X versions prior to 10.6.3 **Description** The issue allows local users to gain privileges through vectors related to the use of wheel group membership during access to user account home directories. **Recommendations** For versions prior to 10.6.3, update to version 10.6.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Java SE versions 1.3.x prior to 1.3.1 27 Java SE versions 1.4.x prior to 1.4.2 24 Java SE versions 5.0 prior to Update 22 Java SE versions 6 prior to Update 17 **Description** The issue is a stack-based buffer overflow in the `HsbParser.getSoundBank` function. This allows remote attackers to execute arbitrary code via a long file: URL in an argument. **Recommendations** For Java SE versions 1.3.x prior to 1.3.1 27, update to version 1.3.1 27 or later. For Java SE versions 1.4.x prior to 1.4.2 24, update to version 1.4.2 24 or later. For Java SE versions 5.0 prior to Update 22, update to Update 22 or later. For Java SE versions 6 prior to Update 17, update to Update 17 or later.

**Name of the Vulnerable Software and Affected Versions** CitectSCADA versions 6 and 7 CitectFacilities version 7 **Description** The issue is a stack-based buffer overflow in the ODBC server service, which allows remote attackers to execute arbitrary code. This can be achieved by sending a long string in the second application packet in a TCP session on port 20222. **Recommendations** For CitectSCADA versions 6 and 7, and CitectFacilities version 7, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apple Mac OS X version 10.5.1 **Description** The issue involves an insecure file operation in Spin Tracer, allowing local users to execute arbitrary code via unspecified output files. **Recommendations** For Apple Mac OS X version 10.5.1, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenBase versions 10.0.5 and earlier **Description** The issue allows remote authenticated users to potentially execute arbitrary code or cause a denial of service, resulting in a daemon crash. This is achieved by creating a stored procedure with a long name and then invoking this procedure, which triggers heap corruption. **Recommendations** For OpenBase versions 10.0.5 and earlier, consider restricting the creation of stored procedures with long names as a temporary workaround until a patch is available. Additionally, limit access to procedure invocation to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** OpenBase versions 10.0.5 and earlier **Description** The issue allows remote authenticated users to execute arbitrary commands via shell metacharacters in arguments to certain stored procedures, including (1) AsciiBackup and (2) OEMLicenseInstall, and possibly others. **Recommendations** For OpenBase versions 10.0.5 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** McAfee VirusScan for Mac (Virex) versions prior to 7.7 patch 1 **Description** The issue allows local users to change permissions of arbitrary files via a symlink attack on /Library/Application Support/Virex/VShieldExclude.txt. This can be exploited to execute arbitrary commands, for example, by symlinking to the root crontab file. **Recommendations** For versions prior to 7.7 patch 1, update to version 7.7 patch 1 or later to resolve the issue. As a temporary workaround, consider restricting access to the VShieldExclude.txt file to prevent symlink attacks until a patch is applied.

Name of the Vulnerable Software and Affected Versions: Mac OS X versions 10.4.11 and earlier Description: A buffer overflow issue exists in the Apple Minimal SLP v2 Service Agent (slpd) that allows local users, and possibly remote attackers, to gain privileges and possibly execute arbitrary code via a registration request with an invalid `attr-list` field. Recommendations: For Mac OS X versions 10.4.11 and earlier, update to a version later than 10.4.11 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple iPhoto versions 6.0.5 and prior to 6.0.6 **Description** The issue allows remote user-assisted attackers to execute arbitrary code via a crafted photocast with format string specifiers in the title of an RSS iPhoto feed. **Recommendations** For Apple iPhoto versions 6.0.5 and prior to 6.0.6, update to version 6.0.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple QuickTime version 7.1.3 **Description** A buffer overflow issue exists, allowing remote attackers to execute arbitrary code via a long `rtsp://` URI. The `rtsp://` handler fails to validate a supplied URL string, resulting in a stack overflow. With a specially crafted URL, an attacker can cause arbitrary code execution, leading to a loss of integrity. **Recommendations** For Apple QuickTime version 7.1.3, consider disabling the `rtsp://` handler until a patch is available to prevent potential exploitation. Restrict access to the vulnerable module to minimize the risk of arbitrary code execution. Avoid using long `rtsp://` URIs in the affected QuickTime version until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** NetBSD versions prior to 20061203 NetBSD-current before 20050914 Apple Mac OS X before 2007-004 **Description** The issue is related to a buffer overflow in the glob implementation, which can be exploited by remote authenticated users to execute arbitrary code. This is achieved by providing a long pathname that results from path expansion, affecting the FTP daemon and tnftpd. **Recommendations** For NetBSD versions prior to 20061203, update to a version after 20061203 to resolve the issue. For NetBSD-current before 20050914, update to a version after 20050914 to resolve the issue. For Apple Mac OS X before 2007-004, update to a version after 2007-004 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Kerio WebSTAR (4D WebSTAR Server Suite) versions 5.4.2 and earlier **Description** The issue is related to an untrusted search path vulnerability in WSAdminServer and WSWebServer components. This vulnerability allows local users with webstar privileges to gain root privileges by utilizing a malicious libucache.dylib helper library in the current working directory. **Recommendations** For Kerio WebSTAR (4D WebSTAR Server Suite) versions 5.4.2 and earlier, consider restricting access to the WSAdminServer and WSWebServer components until a fix is available. As a temporary workaround, avoid using the vulnerable components in a manner that could lead to exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.