about usforumsassessmentdefensepapersmagazinesmiscellaneouslinkscareers

Welcome to the Exploits for January, 2000 Section.
Some of these exploits are from Bugtraq

To Change Sort Order, Click On A Category.
Sorted By: Last Modified.

File Name Downloads File Size Last Modified
0001-exploits.tgz6923183249Feb 1 2000 13:27:24
Packet Storm new exploits for Janurary, 2000.
rightfax.txt24122003Jan 31 2000 18:52:32
RightFax Web Client v5.2 allows anyone to hijack user's faxes. By Et Lownoise courtesy of Bugtraq
fw1_script.tags.txt2432495Jan 31 2000 18:43:24
The "Strip Script Tags" feature in Firewall-1 can be circumvented by adding an extra less than sign before the SCRIPT tag. The code will still execute in both Navigator and Explorer. Homepage here. By Arne Vidstrom courtesy of Bugtraq
bruterh.sh54192588Jan 31 2000 18:40:03
Brute-force Linux-PAM password cracker for RedHat. Supply a wordlist, take a coffee. Nothing in system logs. Performance-tuning possible. By Michal Zalewski
autobuse-angel.txt23893476Jan 31 2000 18:36:05 and both use /tmp insecurely. By John Daniele courtesy of Bugtraq
bypass.viruscheck.tx..>421279540Jan 31 2000 18:28:01
Many virus checking software skips directories entitled \\recycled or similar. This allows viruses and trojans a safe haven on many Windows 95, 98, and NT systems. Exploit code included. Homepage here. By Neil Bortnak courtesy of Bugtraq
pmtu.htm21392242Jan 31 2000 18:06:57
An HP-UX 10.30/11.00 system can be used as an IP traffic amplifier. Small amounts of inbound traffic can result in larger amounts of outbound traffic, using ICMP MTU discovery packets. Homepage here.
procfs4.htm25548985Jan 31 2000 18:00:06
All flavors of BSD have local root procfs holes. Exploit included. Homepage here.
subseven.htm5930883Jan 31 2000 17:55:24
There is a buffer overflow in Subseven 2.1a causing it to quit quietly, crash, or overwrite variables. Homepage here.
sms.htm29971713Jan 31 2000 17:51:52
SMS 2.0 Remote Control (for Windows NT) introduces a security risk that will allow the attacker to run programs in system context, due to the fact that the executable used for the remote control service is copied to the workstation without any special permission settings to prevent a user from replacing the executable. Homepage here.
mix.htm25941538Jan 31 2000 17:45:23
Microimages X server for Windows allows anyone to kill your session and start an xterm on your machine if they know you are using the software. Homepage here.
asp8.htm40071674Jan 31 2000 17:36:19
Windows NT webservers using ASP can under some circumstances reveal the path of the server. A variable holds information about the internal structure of the website. Homepage here.
iiscat.c4043959Jan 31 2000 16:33:56
IIScat exploits the recent Microsoft Index Server vulnerability to read any file on the server. By Fredrick Widlund
raq2.admin.exploit.t..>20122545Jan 31 2000 13:26:00
Exploit for Cobalt Raq2 Server. Requires Site Administrator access to one of the accounts on the server. By Skirkham courtesy of Bugtraq
qpop-exploit-net.c31306566Jan 28 2000 11:45:53
A modified version of the original qpopper 3.0beta29 exploit by Zhodiac, added network support (no need for netcat) and allowed the user to specify which command to execute. Homepage here. By Missnglnk
iis4.webhits.txt52907887Jan 27 2000 16:39:52
Cerberus Information Security Advisory (CISADV000126) - Internet Information Server 4.0 ships with an ISAPI application webhits.dll that provides hit-highlighting functionality for Index Server. A vulnerability exists in webhits that allows an attacker to break out of the web virtual root file system and gain unathorized access to other files on the same logical disk drive. This vulnerability can also be used to obtain the source of Active Server Pages or any other server side script file which often contain UserIDs and passwords as well as other sensitive information. Vulnerable systems include Microsoft Windows NT 4 running Internet Information Server 4, all service packs. Microsoft FAQ on this issue is here. Homepage here. By David Litchfield
spank.txt119878448Jan 26 2000 19:43:54
Explanation of the 'spank' attack - a new breed stream/raped. Stream/Raped mearly flooded the host with ack's (or no flags) and came from random ips with random sequence numbers and/or ack numbers. The difference now is that this not only does the previous stuff, but also directly attacks from and to multicast addresses as well. By Tim Yardley
ADMsximap.c29853814Jan 26 2000 19:36:07
Solaris Solstice Internet Mail IMAP4 Server x86 exploit. By K2
qpop-xploit.c29373472Jan 26 2000 19:27:10
Remote linux x86 exploit for Qpopper 3.0beta29 and below. (not 2.5.3) Overflows the LIST command and spawns a shell with the UID of the user who logged in (requires valid account), and GID mail. Homepage here. By Zhodiac courtesy of Bugtraq
vpopmail.txt22932378Jan 26 2000 19:24:44
w00w00 Security Advisory - qmail-pop3d may pass an overly long command argument to it's password authentication service. When vpopmail is used to authenticate user information a remote attacker may compromise the privilege level that vpopmail is running, naturally root. Homepage here. By K2
vmware.htm28402172Jan 26 2000 19:21:35
w00w00 Security Advisory - Linux VMware 1.1.2 Symlink Vulnerability. VMware stores temporary log files within the /tmp directory. It does not check whether all of these files exist prior to creation, resulting in the potential for a symlink attack. Homepage here. By Harikiri
skey.htm21564959Jan 26 2000 19:19:14
w00w00 Security Advisory - S/Key & OPIE Database Vulnerability affecting most Unixes (not NetBSD) running skey-2.2. (possibly earlier versions too) allowing offline password cracking. Homepage here. By Harikiri
qmail-pop3d-vchkpw.c27362504Jan 26 2000 16:14:32
Remote exploit for the inter7 supported vchkpw/vpopmail package for (replacement for chkeckpasswd). Tested on Sol/x86,linux/x86,Fbsd/x86 against linux-2.2.1 and FreeBSD 3.[34]-RELEASE, running vpopmail-3.4.10a/vpopmail-3.4.11[b-e]. Unofficial patch here. Homepage here. By K2
yahoo2.htm36991628Jan 26 2000 13:08:50
Jaynus Jaynus found following. He read over the ICQ overflow that had been found so he was curious if this existed in any other clients. Upon testing the below URL, yahoo pager/messenger crashed in the same was as ICQ. Homepage here.
website.htm29064045Jan 26 2000 13:08:50
WebSite Pro is also revealing the webdirectory of each Website by a simple command line. This bug is similar to the "IIS revealing webdirectories" bug reported. On WebSitePro the diference ist the way you retrieve the path. Homepage here.
tb2.htm28032583Jan 26 2000 13:08:50
Timbuktu Pro 32 (TB2) from Netopia sends user IDs and passwords in clear text. When TB2 is used to remote control a machine that is not logged in or is locked, any user ID and password that is typed in is sent in clear text. A malicious user on the network can "sniff" the packets and gain the NT User IDs and passwords of any one using TB2 to remotely control a NT machine. Homepage here.
smtp2.htm21066483Jan 26 2000 13:08:50
USSR Labs found following. A memory leak exists in the Super Mail Transfer Package that may cause an NT host to stop functioning and/or need to be rebooted. The memory leak may occur when you connect to the SMTP port, all information you send to the system will be stored in memory, and SMTP support multiples HELO/ MAIL FROM/ RCPT TO / DATA in the same connection. If you did multiple HELO/ MAIL FROM/ RCPT TO / DATA in the same connection the memory may not be deallocated. This condition may cause the computer to stop functioning the moment memory runs out. Homepage here.
rtf.htm21942568Jan 26 2000 13:08:50
RTF files consist of text and control information. The control information is specified via directives called control words. The default RTF reader that ships as part of many Windows platforms has an unchecked buffer in the portion of the reader that parses control words. If an RTF file contains a specially-malformed control word, it could cause the application to crash. Homepage here.
rdisk.htm20511645Jan 26 2000 13:08:50
There exists a vulnerability in rdisk (Windows NT) which causes the contents of the registry hives to be exposed to Everyone during updating of the repair info. Homepage here.
nortel.htm22722423Jan 26 2000 13:08:50
Nortel's new Contivity seris extranet switches give administrators the ability to enable a small HTTP server and use Nortel's web based administration utility to handle configuration and maitenance. The server runs atop the VxWorks operating system and is located in the directory /system/manage. A CGI application, /system/manage/cgi/cgiproc that is used to display the administration html pages does not properly authenticate users prior to processing requests. An intruder can view any file on the switch without logging in. Homepage here.
krnl110.htm290831232Jan 26 2000 13:08:50
Stream.c summary - DoS attack due to bug in many unix kernels, including Linux, Solaris, and all of the BSDs. Homepage here.
inetserv.htm266510990Jan 26 2000 13:08:50
InetServ 3.0 (Windows NT) advisory and remote exploit. Homepage here.
iis53.htm33144218Jan 26 2000 13:08:50
MS IIS 5.0 has problems handling a specific form of URL ending with "ida". The extension ida has been taken from the Bugtraq posting "IIS revealing webdirectories" The problem causes 2 kind of results. The one result is that the server responds with a message like "URL String too long"; "Cannot find the specified path" The other error causes the server to terminate with an Access Violation. When the server "Access violates" it displays as last message. Homepage here.
omnis.txt7125090Jan 22 2000 22:07:00
Vulnerabilities in OMNIS, affecting many applications. Omnis is a Rapid Application Development environment which is portable to Win, Mac, and Linux. One of the features that Omnis provides for attaching to the database is the ability to encrypt fields, and obscure them from prying eyes. In actuality, this encryption is extremely weak, and I accidentally discovered the encryption technique and post a detailed explanation of it here. By Eric Stevens
checkpoint-fw1.vuln...>49521543Jan 21 2000 17:38:13
Outlines two basic vulnerabilities in Checkpoint's Firewall-1. The first is an authentication problem which allows easy brute force attacks; the second allows you to use the first to remotely administer someone else's firewall without their knowledge.
vwall3.htm19603486Jan 21 2000 16:41:49
By sending an SMTP message with a malformed attachment, it is possible for malicious code to avoid detection by Trend Micro's InterScan SMTP scanner version 3.0.1 for Solaris. Other versions may be affected as well, but were not tested. Homepage here.
vcasel.htm19052855Jan 21 2000 16:41:49
Vcasel (Visual Casel) is apparently intended as some sort of addon to Novell Netware 3.X and above. The program does succeed in limiting the names of the files executed, but there is no path verification. Homepage here.
uw-ppptalk.c22231212Jan 21 2000 16:41:49
UnixWare 7 exploit for /usr/bin/ppptalk. By K2
update.htm19452023Jan 20 2000 18:09:10
orel Linux comes with a program called "Corel Update" to manage the ".deb" files. This X oriented program is setuid root. The program is "get_it" and it's located in the /usr/X11R6/bin directory. If you can run it, it's easy to get root privileges in your system. Homepage here.
icq11.htm43745421Jan 20 2000 18:09:10
OS tested was Windows 2000 and ICQ v99b ICQ is a very popular chat client that is affected by a exploitable buffer overflow when it parses an URL sent by another user. What this means is that arbitary assembly code can be run on the remote machine. Homepage here.
bind15.htm27135445Jan 20 2000 18:09:10
If you're running BIND 8.2.2, and you have the victim.dom name servers in your cache, and victim.dom changes its server names, then any user who can make recursive queries through your cache can break your victim.dom lookups until the old records time out. The complete attack is one brief burst of legitimate packets. This is, of course, not as disastrous as BIND's next buffer overflow, but it's still an interesting example of how an attacker can use BIND's bogus ``credibility'' mechanism to exacerbate the effects of a seemingly minor bug. Homepage here.
bindview.nt-local.tx..>48025485Jan 14 2000 15:49:01
Due to a flaw in the NtImpersonateClientOfPort Windows NT 4 system call, any local user on a machine is able to impersonate any other user on the machine, including LocalSystem. We have written a demonstration exploit which allows any user to spawn a cmd.exe window as LocalSystem. All Windows NT 4.0 systems up to and including SP6a are vulnerable. Homepage here.
vi.htm21161127Jan 14 2000 04:01:50
Vi uses /tmp insecurely on OpenBSD, FreeBSD and Debian. This has been fixed in FreeBSD 2.2-STABLE, 3.4-STABLE and 4.0-CURRENT (04.01.2000). Homepage here.
recover.htm23051693Jan 14 2000 04:01:50
The 'recover' command in Solstice Backup (Sun's relabeled version of Legato Networker) on a Unix machine authorized to perform restore operations from the backup server can be used to by a normal user to restore any file accessible to the machine in a readable-to-them state (although it cannot be used to overwrite system files). This can be used to get your own copy of /etc/shadow for password cracking purposes. Homepage here.
midikeys.htm17905759Jan 14 2000 04:01:50
The IRIX setuid root binary midikeys can be used to read any file on the system using its gui interface. It can also be used to edit anyfile on the system. Homepage here.
mi019en.htm245818933Jan 14 2000 04:01:50
A practical vulnerability analysis (How The PcWeek crack was done). Homepage here. By Jfs
mi009en.htm320614396Jan 14 2000 04:01:50
RESTRICTING A RESTRICTED FTP - How to exploit common misconfigurations in wu-ftpd that allows usersi who may not have permission to login to execute arbitrary code on the FTP server. Homepage here. By Flow
supermail.nt.txt28782456Jan 13 2000 11:54:39
A memory leak exists in the Super Mail Transfer Package for Windows NT that may cause an NT host to stop functioning and/or need to be rebooted. DoS exploit description included. By Underground Security Systems Research
qib.tgz333713321Jan 12 2000 13:41:33
QIB - Remote access through Linux LPD. Binds a shell to port 26092. By Dildog
mysql.grant.txt50696047Jan 12 2000 13:15:33
Anyone with access to a running MySQL and GRANT privilege for any database or table in it, can change any MySQL-password he wishes, including the MySQL superusers. This makes all default-configured MySQL very vulnerable. Homepage here. By Viktor Fougstedt courtesy of Bugtraq
altavista.txt9829801Jan 12 2000 13:10:11
Exploit information for the recent bugs in the Altavista Search Engine to read any file on the system. By RC courtesy of Bugtraq 12 2000 13:04:33
Georgi Guninski security advisory #5 - Yet another Hotmail security hole. Hotmail allows executing JavaScript code in email messages using vascript, which may compromise user's Hotmail mailbox when viewed with Internet Explorer. Includes exploit code. Homepage here. By Georgi Guninski courtesy of Bugtraq
plusmail.c33115216Jan 11 2000 13:34:34
PlusMail CGI remote exploit - This posts the form to the victim, reads the data, binds to a port on the local machine, then you open up a browser and go to http://localhost:4040. Homepage here. By Missnglnk
skrypt.sh41051400Jan 10 2000 14:11:22
Wu-ftpd 2.4 remote root exploit for SuSE. Tested on SuSE 6.0 running Wu-ftpd 2.4.2-beta18.
gh-plus.c29776451Jan 10 2000 13:58:12
Remote exploit for PowerScripts PlusMail (all versions to current). Plusmail is an extremely popular cgi-based administration tool that allows you to remotely administer your website with a graphical control panel interface. The password file, however, is set with permissions rw enabled. All platforms are affected. By Ytcracker
msadc-trojan.pl21781423Jan 10 2000 03:04:16
This script will upload a trojan to an RDS vulnerable site running NT and execute the trojan. Homepage here. By Bansh33
nscape58.htm22931713Jan 9 2000 18:46:11
After executing the testommunicator 4.7 (NT/win2k) vulnerability - After executing the test hyperlink on's page on his client machine, he was able telnet to a remote shell on port 6968 of my client machine. Test your browser at Homepage here.
warftp.txt49144822Jan 7 2000 17:26:38
All versions of War-ftpd have serious security issues. The current release has some serious problems with the parsing of macros which can be exploited without even logging in. By Sir Dystic courtesy of Bugtraq
pm-exploit.c3581688Jan 7 2000 17:26:38
Plusmail remote exploit - plusmail fails to check authenticity before creating new accounts. Homepage: By Headflux
ie5.cross-frame.txt39662380Jan 7 2000 16:27:37
Internet Explorer 5.01 under Windows 95 and 5.5 under WinNT 4.0 (suppose other versions are also vulnerable) allows circumventing "Cross frame security policy" by accessing the DOM of "old" documents using IMG SRC="javascript:..." and a design flaw in IE. This exposes the whole DOM of the target document and opens lots of security risks. This allows reading local files, reading files from any host, window spoofing, getting cookies, etc. Demonstration available here. By Georgi Guninski courtesy of Bugtraq
pamslam.sh45141180Jan 7 2000 15:42:27
pamslam - vulnerability in Redhat Linux 6.1 and PAM pam_start. both 'pam' and 'userhelper' (a setuid binary that comes with the 'usermode-1.15' rpm) follow .. paths. Since pam_start calls down to _pam_add_handler(), we can get it to dlopen any file on disk. 'userhelper' being setuid means we can get root. By Dildog
userrooter.sh4206872Jan 7 2000 14:54:19
RedHat PAM/userhelper(8) exploit. By S
perloverflow.tar.gz22792901Jan 7 2000 14:28:52
Possible overflow in perl/kernel/vm (dont know which). Strace included. Appears to cause root owned processes to die if run by a normal user (under linux-2.2.13). By Anarchy
winamp.win98.txt430113229Jan 7 2000 13:16:40
A stack based buffer overflow in Winamp 2.10 for Win 98 has been found. The attack is carried out through .pls files which winamp uses for playlists. This is unnerving as it is a feasible plan to trade playlists on irc during a mp3 trading session with someone. Exploit code included. Homepage here. By here.
mi020.htm414810236Jan 7 2000 13:16:40
Phorum 3.07 web discussion software contains several remotely exploitable bugs. Exploit descriptions included. By JFs>43631940Jan 7 2000 13:16:40
Hotmail allows executing JavaScript code in email messages using "@import url(javascript:...)", which may compromise user's Hotmail mailbox when viewed with Internet Explorer. Includes exploit code. Homepage here. By Georgi Guninski
solinger.c19451805Jan 5 2000 12:29:04
"solinger" Denial Of Service - bind 8.1.*, 8.2, 8.2.1 - causes a bind8 server to stop responding to requests for up to 120 seconds. Quick proof of concept of the bug pointed out by ISC. Homepage here. By Mixter
bnc246290029403Jan 5 2000 05:45:39
Remote exploit for bnc 2.4.6 - Linux binary only. By Kaot
iMailv5.txt41041994Jan 4 2000 00:49:22
On iMail Server 5.0 for Windows NT 4.0 SP 6a, a malicous user can read and send emails as any other user on the system. The issue lies in how iMail handles the creating of new email accounts, and how it stores them. Exploit instructions included. By Simon
analogx.www.txt40112840Jan 2 2000 11:07:10
Local / Remote GET Buffer Overflow Vulnerability in AnalogX SimpleServer:WWW HTTP Server v1.1. Windows 95 is confirmed vulnerable, possibly other platforms. By Underground Security Systems Research
fastrack.remote.txt32767129Jan 2 2000 11:07:04
A vulnerability in Netscape FastTrack 2.01a will allow any remote user to execute commands as the user running the httpd daemon (probably nobody). I've only tested the version of Netscape FastTrack that comes with SCO UnixWare 7.1, 2.01a. I'm not sure what other platforms, if any, are vulnerable. Unixware exploit included. By Brock Tellier
mi021.htm23037417Dec 27 1999 09:39:21
w3-msql (miniSQL - 2.0.11) Solaris x86 remote exploit. Distribution of miniSQL packet ( comes with a cgi (w3-msql) that can be xploited to run arbitrary code under httpd uid. Homepage here. By Zhodiac
mo2.htm18463228Jan 29 1980 10:28:38
Microsoft Office Converter Module Overflow - By using a hexadecimal editor to insert specially-malformed information into a document, a malicious user could cause Word to run code of his or her choice when the document was opened using an affected version of the converter. Homepage here.