

Welcome to the Exploits for August, 2000 Section.

Some of these exploits are from Bugtraq and Security Bugware

Sorted By: Last Modified.

File Name Downloads File Size Last Modified
irix.telnetd.txt168221301Sep 13 2000 12:11:15
A serious vulnerability has been found in IRIX telnetd which can give remote root access to any IRIX 6.2-6.5.8[m,f] system. The vulnerability occurs when one of the environment variables contains a format string which is passed on to the syslog() function. Proof of concept exploit included (updated version - compiler and little endian fixes). Fix available here. Homepage: http://lsd-pl.net. By LSD
A090800-12405930Sep 11 2000 10:17:57
@stake Advisory A090800-1 - Application: Mobius DocumentDirect for the Internet 1.2, Platform: Windows NT 4.0, Severity: There are several buffer overflow conditions that could result in execution of arbitrary code or a denial of service. Homepage: http://www.atstake.com/research/advisories/2000/.
horde.txt2423312Sep 11 2000 10:09:56
The $from-bug is in the horde library file 'horde.lib' (on Debian systems installed in /usr/share/horde/lib/horde.lib) in line 1108, belonging to the function "mailfrom". In this file there is a call to "popen" with an unchecked "from:"-line as argument. Bug found and exploited by Jens "atomi" Steube. Fixed and documented by Christian "thepoet" Winter
websitepro.txt3063528Sep 11 2000 09:58:50
WebSite Pro is a Web Server for Win95/98/NT platforms. The vulnerability (or bad server administration) allows any user to create arbitrary files with arbitrary text on the victim machine from an Internet web browser. With a default installation, any user can create or upload files to a victim machine running a vulnerable version of WebSite Pro. The problem is bad access protection on the main directories of the machine. By Crono
0008-exploits.tgz35901090974Sep 8 2000 15:50:47
Packet Storm new exploits for August, 2000.
dmplay.c2352352Sep 7 2000 15:40:01
/usr/sbin/dmplay local exploit for Irix 6.2 and 6.3. Homepage: http://lsd-pl.net.
trans.pl3301154Sep 7 2000 15:34:23
Win2k IIS remote exploit - Retrieves files using the Translate: f bug. By Roelof Temmingh
outlookmailxploit.zi..>461190823Sep 7 2000 15:32:37
Microsoft Outlook remote exploit coded in delphi. Includes source code. By Fbyte
inpview.c2231265Sep 7 2000 15:30:59
/usr/lib/InPerson/inpview local exploit for irix 6.5 and 6.5.8. Homepage: http://lsd-pl.net.
eject3.c2191692Sep 7 2000 15:30:10
/usr/sbin/eject local exploit for Irix 6.2. Homepage: http://lsd-pl.net.
libxt2.c2142471Sep 7 2000 15:29:14
libxt.so HOME environment variable local buffer overflow exploit for Irix 6.2 and 6.3. Homepage: http://lsd-pl.net.
pset2.c2152295Sep 7 2000 15:28:02
/sbin/pset local exploit for Irix 6.2 and 6.3. Homepage: http://lsd-pl.net.
gr_osview.c2181758Sep 7 2000 15:27:15
/usr/sbin/gr_osview local exploit for Irix 6.2 and 6.3. Homepage: http://lsd-pl.net.
irix-libc.c2193111Sep 7 2000 15:26:12
libc.so NLSPATH local exploit for Irix 6.2. Homepage: http://lsd-pl.net.
libgl.c2162287Sep 7 2000 15:25:04
libgl.so HOME environment variable local exploit for irix 6.2. Homepage: http://lsd-pl.net.
login2.c2211594Sep 7 2000 15:24:02
/usr/lib/iaf/scheme (login) local exploit for Irix 5.3. Homepage: http://lsd-pl.net.
libxaw.c2172109Sep 7 2000 15:23:14
libxaw.so inputmethod local exploit for irix 6.2. Homepage: http://lsd-pl.net.
mail.c2242616Sep 7 2000 15:22:04
/usr/bin/mail local exploit for Irix 6.2 and 6.3. Homepage: http://lsd-pl.net.
irix-xlock.c2201744Sep 7 2000 15:21:02
Irix 6.3/6.2 /usr/bin/X11/xlock local buffer overflow exploit. Homepage: http://lsd-pl.net.
named2.c29210303Sep 7 2000 15:19:49
Irix 6.2/5.3 named iquery remote root buffer overflow exploit. Spawns a bindshell. Homepage: http://lsd-pl.net.
autofsd.c2542254Sep 7 2000 15:17:52
Autofsd remote buffer overflow exploit for Irix 6.4 and 6.5. Homepage: http://lsd-pl.net.
arrayd.c2844658Sep 7 2000 15:17:00
Irix 6.5/6.4/6.3/6.2 arrayd remote buffer overflow exploit as described in CA-99-09-arrayd.txt. Homepage: http://lsd-pl.net.
objectserver2.c2316357Sep 7 2000 14:04:56
SGI objectserver "export" exploit - Remotely adds new entry to the export list on the IRIX system. See our SGI objectserver "account" exploit for more information. Only directories that aren't supersets of already exported ones can be added to the export list. Homepage: http://lsd-pl.net.
irix_rpc_ttdbserverd..>2927902Sep 7 2000 14:00:57
rpc.ttdbserverd remote root exploit for irix 5.2 5.3 6.2 6.3 6.4 6.5 6.5.2. Homepage: http://lsd-pl.net.
lp.c2222321Sep 7 2000 13:59:48
/usr/bin/lp local root exploit for solaris 2.7 x86. Homepage: http://lsd-pl.net.
libc2-x86.c2234779Sep 7 2000 13:58:44
libc.so LC_MESSAGES local exploit for solaris 2.7 x86. Homepage: http://lsd-pl.net.
netpr-x86.c2132480Sep 7 2000 13:57:54
/usr/lib/lp/bin/netpr local root exploit for solaris 2.7 x86. Homepage: http://lsd-pl.net.
libnsl-x86.c2173125Sep 7 2000 13:56:58
libnsl.so gethostbyname() for solaris 2.5 2.5.1 x86. Homepage: http://lsd-pl.net.
fdformat-x86.c2222222Sep 7 2000 13:54:56
/bin/fdformat for solaris 2.5 2.5.1 x86. Homepage: http://lsd-pl.net.
kcms_configure-x86.c2172217Sep 7 2000 13:54:13
/usr/openwin/bin/kcms_configure for solaris 2.5.1 2.7 x86. Homepage: http://lsd-pl.net.
lpstat-x86.c2212114Sep 7 2000 13:52:37
/usr/bin/lpstat local root exploit for solaris 2.7 x86. Homepage: http://lsd-pl.net.
tip.c2292961Sep 7 2000 13:50:32
/usr/bin/tip local root exploit for solaris 2.6 2.7 x86. Homepage: http://lsd-pl.net.
xlock-x86.c2232152Sep 7 2000 13:49:34
/usr/openwin/bin/xlock local root exploit for solaris 2.5 2.5.1 x86. Homepage: http://lsd-pl.net.
ufsdump-x86.c2153114Sep 7 2000 13:47:58
/usr/lib/fs/ufs/ufsdump local root exploit for solaris 2.6 2.7 x86. Homepage: http://lsd-pl.net.
pgxconfig.sh2201093Sep 7 2000 13:45:13
TechSource Raptor GFX configurator (pgxconfig) local root exploit. By Suid
libc-x86.c2193608Sep 7 2000 13:39:17
libc.so getopt() local root exploit for solaris 2.5 2.5.1 x86. Homepage: http://lsd-pl.net.
eject-x86.c2282120Sep 7 2000 13:37:23
/usr/bin/eject local root exploit for solaris 2.5 2.5.1 x86. Homepage: http://lsd-pl.net.
dtprintinfo.c2343389Sep 7 2000 13:36:20
/usr/dt/bin/dtprintinfo local root exploit for solaris 2.6 2.7 x86. Homepage: http://lsd-pl.net.
xsun-x86.c2202138Sep 7 2000 13:33:09
/usr/openwin/bin/xsun local root exploit for solaris 2.6 2.7 x86. Homepage: http://lsd-pl.net.
gtkicq.c2562547Sep 7 2000 13:30:51
gtkicq-0.62 local exploit. Overflows the HOME environment variable. By Sebastien Roy
nlps_server.c2323669Sep 7 2000 13:29:13
listen/nlps_server remote buffer overflow exploit for solaris 2.4 2.5 2.5.1 x86. Homepage: http://lsd-pl.net.
dtaction2.c2322196Sep 7 2000 13:27:51
/usr/dt/bin/dtaction local root exploit for solaris 2.6 x86. Homepage: http://lsd-pl.net.
dtaction.c2322154Sep 7 2000 13:26:51
/usr/dt/bin/dtaction local root exploit for solaris 2.5.1 x86. Homepage: http://lsd-pl.net.
libnsl.c2231619Sep 7 2000 13:25:26
libnsl.so gethostbyname() local root exploit for solaris 2.5 2.5.1 sparc. Homepage: http://lsd-pl.net.
rpc_cmsd.c37512135Sep 7 2000 13:24:36
rpc.cmsd remote root exploit for solaris 2.5 2.5.1 2.6 2.7 sparc. Homepage: http://lsd-pl.net.
rpc_ttdbserverd.c3378792Sep 7 2000 13:23:37
rpc.ttdbserverd remote root exploit for solaris 2.3 2.4 2.5 2.5.1 2.6 sparc. Homepage: http://lsd-pl.net.
libc2.c2434268Sep 7 2000 13:22:43
libc.so LC_MESSAGES local root exploit for solaris 2.6 2.7 sparc. Homepage: http://lsd-pl.net.
eject.c2381650Sep 7 2000 13:21:45
/bin/eject local root exploit for solaris 2.5 2.5.1 sparc. Homepage: http://lsd-pl.net.
fdformat.c2291782Sep 7 2000 13:20:54
/bin/fdformat local root exploit for solaris 2.5 2.5.1 sparc. Homepage: http://lsd-pl.net.
ffbconfig.c2231801Sep 7 2000 13:19:33
/usr/sbin/ffbconfig local root exploit for solaris 2.5 2.5.1 sparc. Homepage: http://lsd-pl.net.
kcms_configure.c2122237Sep 7 2000 13:18:46
/usr/openwin/bin/kcms_configure local root exploit for solaris 2.7 sparc. Homepage: http://lsd-pl.net.
netpr.c2102080Sep 7 2000 13:16:29
/usr/lib/lp/bin/netpr local root exploit for solaris 2.7 sparc. Homepage: http://lsd-pl.net.
lpstat.c2211732Sep 7 2000 13:15:46
/usr/bin/lpstat local root exploit for solaris 2.7 sparc. Homepage: http://lsd-pl.net.
lpset.c2291747Sep 7 2000 13:14:06
/usr/bin/lpset local root exploit for solaris 2.6 2.7 sparc. Homepage: http://lsd-pl.net.
rdist.c1992124Sep 7 2000 13:11:52
/bin/rdist local root exploit for solaris 2.4 2.5 2.5.1 sparc. Homepage: http://lsd-pl.net.
ufs-restore.c2082081Sep 7 2000 13:10:28
/usr/lib/fs/ufs/ufsrestore local root exploit for solaris 2.5 2.5.1 2.6 sparc. Homepage: http://lsd-pl.net.
xsun.c2441683Sep 7 2000 13:09:30
/usr/openwin/bin/xsun local root exploit for solaris 2.6 2.7 sparc. Homepage: http://lsd-pl.net.
libc.c2131897Sep 7 2000 13:07:37
libc.so getopt() local root exploit for Solaris 2.4 2.5 2.5.1 sparc. Homepage: http://lsd-pl.net.
libxt.c2062244Sep 7 2000 13:06:34
libxt.so local root exploit for Solaris 2.4 2.5 2.5.1 sparc. Homepage: http://lsd-pl.net.
passwd.c2271642Sep 7 2000 13:05:25
/bin/passwd local root exploit for Solaris 2.5 / 2.5.1. Homepage: http://lsd-pl.net.
dtprint-info.c2512341Sep 7 2000 13:02:45
/usr/dt/bin/dtprintinfo local root exploit for Solaris 2.6 / 2.7. Homepage: http://lsd-pl.net.
msw2ktelnetdos.sh2541763Sep 7 2000 12:59:27
Windows 2000 telnet server denial of service exploit. By Wildcoyote
awcrash.c3372830Sep 7 2000 12:57:15
awcrash.c exploits a buffer overflow vulnerability in Windows 95 and 98 which will result in a crash if a filename with an extension longer than 232 characters is accessed. Although arbitrary code could be executed in this manner, it would have to be composed of valid filename character values only. By Wildcoyote
CIMcheck2.pl4102264Sep 1 2000 10:08:07
CIMcheck2.pl is an updated version of the CIMcheck.pl exploit checker for the Compaq Insight Manager root dot dot bug. Updates include: fixed errors and better input features. The remote webserver must be running NT with port 2301 open. The exploit opens up the full vulnerable url and attempts to get the sam._ backup password file from the remote repair directory. You can specify which file you want to download; the default is the /winnt/repair/ directory and the sam._ backup password file. Homepage: http://TheGovernment.com/cyrax. By Neon.
cmctl_exp453587Aug 31 2000 19:01:46
This script is an exploit that is an addendum to ID 170 in the Bugtraq database. ID 170 lists several Oracle setuid executables but does not offer any exploit information. This code exploits the cmctl command by violating its trust in the integrity of the ORACLE_HOME and ORA_HOME environment variables. When the command "cmctl start cmadmin" is executed, it looks under the ORACLE_HOME\bin directory and attempts to execute cmadmin. The ORACLE_HOME variable can be modified to create a change in the path of execution. By Kevin Wenchel
dievqs.pl405744Aug 31 2000 18:50:41
DoS exploit vulnerability test script. Affected: vqServer 1.4.49. There is a DoS possible in vqServer 1.4.49 if the remote host gets a GET command with approx 65000 chars in it. Homepage: http://www.ro0t.nu/csl. By sinfony
clientagent662.txt3742968Aug 31 2000 16:01:58
Client Agent 6.62 for Unix vulnerability, tested on Debian 2.2.14. Client Agent has a hole allowing arbitrary code to be executed as root without the administrator's knowledge. However, some conditions are necessary to exploit this vulnerability. Client Agent is used with ARCserveIT, the backup software, and must be installed on all the workstations. A global configuration file agent.cfg keeps track of every sub-agent installed on your system. This file is in /usr/CYEagent and receives the information from the sub-agent when the script /opt/uagent/uagensetup is run. Homepage: http://www.nightbird.free.fr. By zorgon
vpn-root.txt4772506Aug 31 2000 15:55:18
RapidStream has hard-coded the 'rsadmin' account into the sshd binary in the appliance OS. The account has been given a 'null' password in which password assignment and authentication was expected to be handled by the RapidStream software itself. The vendor failed to realize that arbitrary commands could be appended to the ssh string when connecting to the SSH server on the remote vpn. This in effect could lead to many things, including the ability to spawn a remote root shell on the vpn. By Loki
AccountManSploit.zip7661412Aug 30 2000 17:36:50
Product: Account Manager, Versions: ALL including LITE and PRO haven't been able to test ENTERPRISE, OS: Unix and Winnt, Vendor: Notified, http://www.cgiscriptcenter.com/, The Problem: The Script allows any remote user access to the Administration Control Panel through overwriting the Admin Password with one of their own making. By n30
HWA-warpcrash.c3982802Aug 30 2000 16:56:28
HWA-warpcrash - Systems Affected: OS/2 Warp 4.5 FTP server V4.0/4.2, OS/2 Warp 4.5 FTP server V4.3, Probably other versions of the software as well. Problem: The FTP server that comes with OS/2 Warp 4.5 TCP/IP can be brought down by a malicious connection attempt. Homepage: http://www.hwa-security.net. By eth0
CIMcheck.pl4942352Aug 30 2000 15:24:11
CIMcheck.exe is an exploit for the Compaq Insight Manager root dot dot bug. The remote webserver must be running NT with port 2301 open. The exploit opens up the full vulnerable url and attempts to get the sam._ backup password file from the remote repair directory. You can specify which file you want to download; the default is the /winnt/repair/ directory and the sam._ backup password file. Perl2exe binary available here. Homepage: http://TheGovernment.com/cyrax. By Neon
CIMcheck.exe336553689Aug 30 2000 15:07:22
CIMcheck.exe is an exploit for the Compaq Insight Manager root dot dot bug. The remote webserver must be running NT with port 2301 open. The exploit opens up the full vulnerable url and attempts to get the sam._ backup password file from the remote repair directory. You can specify which file you want to download; the default is the /winnt/repair/ directory and the sam._ backup password file. Perl2exe binary. Homepage: http://TheGovernment.com/cyrax. By Neon
webmail.txt11427708Aug 30 2000 14:45:09
-Web Application Security Survey- Results show that Microsoft Hotmail, Excite, Altavista, E-Bay, Lycos, Netscape WebMail, E-Trade, Infoseek/Go.com and their users are all currently vulnerable to web based attack. The following report is the result of a two hour security survey of high profile webmail and auction services offered free over the internet. This survey is in no way extensive or thorough. It serves only as "proof of concept" that these types of services are vulnerable to attack on a wide scale. All the following vulnerabilities are currently active as of Aug. 25, 2000. The following webmail vulnerabilities all stem from the same problem. The attacker has the ability to pass unfiltered malicious HTML/JavaScript into the target users web environment. By D-Krypt.
fpage-DoS.pl6164865Aug 30 2000 14:24:30
Fpage-DoS.pl - Info based DoS attack against FrontPage. To exploit this vulnerability the server must have the extension "/_vti_bin/shtml.exe" installed. This is a demonstration script to remotely overflow various server buffers, resulting in a denial of service, for TESTING purposes only. Runs on *nix & Windows with perl. Homepage: www.raza-mexicana.org. By alt3kx
FtpdXploit2000.tar46420480Aug 30 2000 01:41:33
This is an exploit for a vulnerability in versions 2.4.4, 2.5.0 and 2.6.0 of Wu-ftpd. Written in Portuguese. Homepage: http://www.geocities.com/cultbh.
Critical_Path_CSS2867803Aug 29 2000 17:41:07
A simple flaw in the web mail service offered by Critical Path (www.cp.net) allows an attacker to gain full access to any webmail account. The attack falls under the umbrella of cross-site scripting, which was addressed in detail by CERT in their advisory CA-2000-02, entitled "Malicious HTML Tags Embedded in Client Web Requests." The bug is aggravated by a defective session token scheme. By Jeffrey W. Baker
WDK_v1.0.vuln.txt2411517Aug 28 2000 20:34:19
The Javaserver Webserver Development Kit (WDK) v1.0 contains a .. vulnerability allowing remote attackers to read any file on the system with the permissions of the webserver. The server typically resides on TCP port 8080 and instructions for identifying this server are given. By Kevin Finisterre
vqserver.dos.txt2252228Aug 28 2000 20:25:00
vqServer version 1.4.49 is vulnerable to a denial of service attack by sending a malformed URL request. Tested on Windows version. The latest edition of vqServer (1.9.47) is unaffected. Homepage: http://dhcorp.cjb.net. By nemesystm
VIGILANTE-20000076191871Aug 28 2000 02:16:01
Vigilante Advisory #7 - A malicious user can crash an Intel Express 550F, or a host behind it, by sending a packet with a malformed header. To restart the box you need to remove it from its power source, as the reset button loses functionality as well. Affected systems: Intel Express Switch 550F - Firmware version 2.63 - Firmware version 2.64. Homepage: http://www.vigilante.com. By Vigilante
bubonic.c21356625Aug 28 2000 02:06:39
Bubonic.c is a denial of service tool that sends random TCP packets with random settings. Tested against Windows 2000 and RedHat Zoot. Homepage: http://www.antioffline.com. By Sil
daemonic.c10788144Aug 28 2000 01:55:49
Daemonic.c is a theoretical router based denial of service attack that exploits a weakness within the Border Gateway Protocol (BGP). If a malicious user sends spoofed malformed packets to a neighboring router, the peer will ignore it and possibly kill the session entirely. Written on an Ultra 5 running Linux Zoot, this has been compiled on Linux, OpenBSD and Solaris without problems. Homepage: http://www.antioffline.com. By Sil
subscribeme.txt02010Aug 24 2000 13:29:08
Sorry, a description is unavailable.
spad02.txt08894Aug 24 2000 10:57:43
Sorry, a description is unavailable.
php-nuke.txt5241799Aug 24 2000 10:09:49
A short advisory on how to manipulate a bug in the PHP-nuke Web Portal System to allow you to gain administrative access. By Starman_Jones
labs51.txt7764816Aug 24 2000 09:53:33
USSR Labs Advisory #51 - There is a remote denial of service caused by a buffer overflow memory problem in the rpc module of the Pragma TelnetServer 2000 for Windows NT/2000. The included shell code causes the system to crash. Homepage: http://www.ussrback.com.
darxite.tar.gz6714738Aug 22 2000 17:03:59
Darxite, a daemon that retrieves files via FTP or HTTP, has several vulnerabilities throughout the code that allow a local/remote user to crash the servers, as well as a passwd authentication remote overflow, allowing remote shell access as the uid of the darxite daemon. Exploit and advisory included. Tested against Linux x86 systems. Homepage: http://www.synnergy.net. By dethy
xslrnpull.c8982272Aug 22 2000 16:39:37
Slrnpull.c exploits a local buffer overflow vulnerability in slrnpull version 0.9.6.2, which is setgid news. Tested against RedHat 6.2. Homepage: http://www.fakehalo.org. By Vade79
PHP-Nuke.c16062800Aug 21 2000 15:29:53
A vulnerability in the way PHP-Nuke, a news site administrative tool, authenticates administrative accounts allows a remote attacker to gain administrative access to the application. An attacker could edit users, articles, topics and banners, assign authors, etc. By Fabian Clone
htgrep.c8492386Aug 21 2000 14:04:12
Htgrep has a vulnerability which allows a remote user to read arbitrary files on the system with the privilege of the user running the program. By n30
srcgrab.pl.txt17227692Aug 17 2000 10:28:32
Srcgrab.pl exploits the Translate:f bug as described in ms00-058. The vulnerability, present in IIS 4.0 and Windows 2000 Frontpage server extensions, allows a remote user to retrieve the source of .asa and .asp pages. By Smiler
crackncftp.c11275056Aug 16 2000 18:45:04
The ncftp client uses an easily decrypted scheme to save passwords to remote FTP sites in a bookmark file. Crackncftp.c recovers the plaintext from the encrypted string. Homepage: http://zorgon.freeshell.org. By Zorgon
ie5-msn.exec.txt18108941Aug 15 2000 17:12:00
Georgi Guninski security advisory #18 - Two serious vulnerabilities have been found in Microsoft products - Internet Explorer 5.5/5.x may execute arbitrary programs when visiting a web page, reading HTML based mail with Outlook, or simply browsing folders as web pages. In addition, the default installation of Windows 2000 allows Local Administrator compromise via opening local folders as web pages. In both cases a malicious person may take full control over the user's computer / server. Includes proof of concept HTML code. Demonstration available here. Homepage: http://www.nat.bg/~joro. By Georgi Guninski
rapidstream.vpn.txt7592409Aug 15 2000 16:41:19
RapidStream VPN nodes have the 'rsadmin' account hard-coded into the sshd binary in the appliance OS. The account has been given a 'null' password, as password assignment and authentication were expected to be handled by the RapidStream software itself. The vendor failed to realize that arbitrary commands could be appended to the ssh string when connecting to the SSH server on the remote vpn. This in effect could lead to many things, including the ability to spawn a remote root shell on the vpn. By Loki courtesy of Bugtraq.
linsql.c152539781Aug 15 2000 16:32:36
Linsql is a simple command-line client for MS SQL server which can execute arbitrary SQL queries and OS commands on MS-SQL hosts that use a blank 'sa' password, a common default configuration. By Herbless courtesy of Bugtraq.
VIGILANTE-2000006.tx..>6581763Aug 15 2000 15:48:42
Vigilante Security Advisory - The OS/2 Warp 4.5 FTP Server contains denial of service vulnerabilities which allow anyone who can connect to port 21 to crash the service. Fix available here. Homepage: http://www.vigilante.com. By Vigilante
VIGILANTE-2000005.tx..>6272090Aug 15 2000 15:44:08
Vigilante Security Advisory - Watchguard Firebox Authentication dos vulnerability. Sending a malformed URL to tcp port 4100 causes Watchguard to shut down and require a reboot to restart. Fix available here. Homepage: http://www.vigilante.com. By Vigilante
lyris.3-4.txt769721Aug 14 2000 22:22:23
Versions 3 and 4 of the Lyris List Manager allow any mailing list subscriber to gain access to the administrative interface of that list by changing a form before submitting it. Fix available here. By Adam Hupp courtesy of Bugtraq.
form-totaller.txt11951879Aug 14 2000 13:29:59
Form-Totaller version 1.0 (form-totaller.cgi) trusts user input for filenames, allowing a remote user to read any file on the webserver. By Signal 9
everythingform.txt15991850Aug 14 2000 13:25:42
The Everything Form (everythingform.cgi) contains remote vulnerabilities which allow any file on the system to be read. By Signal 9
wais.pl.advisory.txt92613976Aug 14 2000 10:36:58
The wais.pl CGI written by Tony Sanders provides means to access the waisq WAIS client via the webserver. Waisq contains buffer overflows allowing remote code execution which can be exploited via wais.pl. In addition, files owned by nobody on the webserver can be overwritten with arbitrary content. Includes exploit for Linux/x86. Homepage: http://www.synnergy.net. By Scrippie
wcGoph.c8007419Aug 13 2000 17:04:33
Gopher+ v2.3.1p0 remote exploit - Spawns a remote shell on tcp port 36864 under the UID that the gopher+ daemon runs as. Tested against Linux Slackware 3.6 / 7.0. By WC
ssexploit502x.pl130915331Aug 12 2000 17:29:18
Statistics Server 5.02x for Windows contains a buffer overflow caused by a long GET request. Includes perl exploit which spawns a winshell with system privileges on port 8008 on Statistics Server 5.02x/Win2k. Homepage: http://www.deepzone.org. By Nemo
statdx.c123019060Aug 12 2000 16:00:27
Redhat Linux rpc.statd remote buffer overflow exploit. Tested against Redhat 6.0, 6.1, and 6.2. By Ron1n
xgopher.c10737768Aug 12 2000 15:57:45
Gopher+ daemon v2.3 remote root buffer overflow exploit - Tested against Slackware Linux 3.6 and 7.0. Adds a line to /etc/passwd. Homepage: http://www.fakehalo.org. By Vade79
hpux.ftpd.txt3551080Aug 10 2000 15:59:15
HPUX's ftpd contains a remotely exploitable format string vulnerability in the PASS command. Homepage: http://www.freebsd.lublin.pl. By Venglin
totalbill.c3242742Aug 10 2000 15:40:07
Totalbill is a complete billing and provisioning system for ISPs which contains remote root vulnerabilities. By Brian Masney
word-access.txt11322984Aug 9 2000 16:23:51
Georgi Guninski security advisory #17 - MS Word and MS Access 2000 (with or without Service Release 1a) allow executing arbitrary programs if a Word document is opened. This may also be exploited by visiting a web page with IE or opening/previewing an HTML email message with Outlook. In order for this to work, the user must be able to access a mdb file, which resides either on a UNC share or a local drive. This allows taking full control over the user's computer. Demonstration exploit available here or here. Homepage: http://www.nat.bg/~joro. By Georgi Guninski
robpoll-cgi-problem...>7572266Aug 9 2000 14:31:28
Robpoll.cgi is a free cgi based admin program for Unix and NT which has remote vulnerabilities allowing remote users to execute any command on the remote system with the privileges of the web server. In addition, anyone can read any file on the remote system with the webserver UID. Homepage: http://www.hertmx.org. By Alt3kx
suidperlhack.pl17155797Aug 9 2000 01:18:25
suidperlhack.pl is a Suidperl v5.00503 and below local root exploit which has been ported to perl to increase portability. Tested against BSD. Homepage: http://www.cs.uni-potsdam.de/homepages/students/linuxer. By Sebastian Krahmer
bohttpd.vulnerabilit..>7981344Aug 8 2000 20:18:35
A vulnerability has been found in Dan Brumleve's Brown Orifice HTTPD (BOHTTPD) which is a web server and file sharing tool that runs as a Java Applet in Netscape Navigator. By specifying "\.." in HTTP requests to the server, an attacker can navigate the server's file system and view/download any files. Homepage: http://www.etl.go.jp/~takagi. By Hiromitsu Takagi
xperl.sh24825756Aug 8 2000 17:19:43
Suidperl v5.00503 and below local root exploit which exploits an undocumented /bin/mail feature when perl wants to notify root on inode race conditions. Tested on Redhat 6.x/7.0. Homepage: http://lcamtuf.na.export.pl. By Michal Zalewski
BOHTTPD-0.1.tar.gz61517766Aug 8 2000 16:50:55
New bugs have been found in Netscape's implementation of Java which allow a remote site to read any file on the client machine and to set up a Java server which anyone can connect to. Brown Orifice HTTPD starts a Java server which allows others to read files on your machine. Demonstration available here. Homepage: http://www.brumleve.com/BrownOrifice/BOHTTPD.cgi. By Dan Brumleve
xitdos.c8885547Aug 8 2000 16:05:50
Xitami Webserver v2.4d3 and below are vulnerable to a remote dos attack. Sending malformed data to port 81 will cause the server to stop responding. Tested against Xitami on Win95/98/NT4.0. By Mozy
tin_bof.c11805033Aug 4 2000 18:41:05
Tin v1.4.3 local linux/x86 buffer overflow exploit which spawns a gid=news shell if /usr/bin/tin is setgid. Homepage: http://www.fakehalo.org. By Vade79
servu25e.txt23301600Aug 3 2000 17:30:36
FTP Serv-U 2.5e for Windows will stack fault if sent a string containing a large number of null bytes. The system Serv-U is running on may become sluggish/unstable and eventually bluescreen. A valid user/pass combination is not required to take advantage of this vulnerability. Perl proof of exploit code included. Homepage: http://bluepanda.box.sk. By Blue Panda
012.txt12514572Aug 2 2000 12:44:15
Pgxconfig is a Raptor graphics card configuration tool for Solaris which has multiple local vulnerabilities. The environment is not sanitized and root privileges are not dropped, allowing commands to be run as root. Local root exploit included. Homepage: http://www.suid.kg. By Suid courtesy of Bugtraq
rpc.statd.x86.c21716169Aug 2 2000 12:07:47
Linux/x86 rpc.statd remote root exploit. By Doing courtesy of Bugtraq
ntop.advisory.txt9251897Aug 2 2000 11:59:43
Ntop -w allows remote users who have permission to view traffic stats to view any file on the system as root. Homepage: http://www.hackerslab.org. By Dubhe courtesy of Bugtraq
FS-073100-10-BEA.txt6935037Aug 2 2000 11:44:19
Foundstone Security Advisory FS-073100-10-BEA - It is possible to compile and execute any arbitrary file within the web document root directory of the WebLogic server as if it were a JSP/JHTML file, even if the file type is not .jsp or .jhtml. If applications residing on the WebLogic server write to files within the web document root directory, it is possible to insert executable code in the form of JSP or JHTML tags and have the code compiled and executed using WebLogic's handlers. This can potentially cause an attacker to gain administrative control of the underlying operating systems. Homepage: http://www.foundstone.com/advisories.htm. By Shreeraj Shah