Welcome to the Exploits for January, 2000 Section. | |||
Some of these exploits are from Bugtraq | |||
To Change Sort Order, Click On A Category. | |||
File Name | Downloads | File Size | Last Modified |
0001-exploits.tgz | 6923 | 183249 | Feb 1 13:27:24 2000 |
Packet Storm new exploits for Janurary, 2000. | |||
bypass.viruscheck.tx..> | 4212 | 79540 | Jan 31 18:28:01 2000 |
Many virus checking software skips directories entitled \\recycled or similar. This allows viruses and trojans a safe haven on many Windows 95, 98, and NT systems. Exploit code included. Homepage here. By Neil Bortnak courtesy of Bugtraq | |||
krnl110.htm | 2908 | 31232 | Jan 26 13:08:50 2000 |
Stream.c summary - DoS attack due to bug in many unix kernels, including Linux, Solaris, and all of the BSDs. Homepage here. | |||
bnc246 | 2900 | 29403 | Jan 5 05:45:39 2000 |
Remote exploit for bnc 2.4.6 - Linux binary only. By Kaot | |||
mi019en.htm | 2458 | 18933 | Jan 14 04:01:50 2000 |
A practical vulnerability analysis (How The PcWeek crack was done). Homepage here. By Jfs | |||
mi009en.htm | 3206 | 14396 | Jan 14 04:01:50 2000 |
RESTRICTING A RESTRICTED FTP - How to exploit common misconfigurations in wu-ftpd that allows usersi who may not have permission to login to execute arbitrary code on the FTP server. Homepage here. By Flow | |||
qib.tgz | 3337 | 13321 | Jan 12 13:41:33 2000 |
QIB - Remote access through Linux LPD. Binds a shell to port 26092. By Dildog | |||
winamp.win98.txt | 4301 | 13229 | Jan 7 13:16:40 2000 |
A stack based buffer overflow in Winamp 2.10 for Win 98 has been found. The attack is carried out through .pls files which winamp uses for playlists. This is unnerving as it is a feasible plan to trade playlists on irc during a mp3 trading session with someone. Exploit code included. Homepage here. By here. | |||
inetserv.htm | 2665 | 10990 | Jan 26 13:08:50 2000 |
InetServ 3.0 (Windows NT) advisory and remote exploit. Homepage here. | |||
mi020.htm | 4148 | 10236 | Jan 7 13:16:40 2000 |
Phorum 3.07 web discussion software contains several remotely exploitable bugs. Exploit descriptions included. By JFs | |||
procfs4.htm | 2554 | 8985 | Jan 31 18:00:06 2000 |
All flavors of BSD have local root procfs holes. Exploit included. Homepage here. | |||
spank.txt | 11987 | 8448 | Jan 26 19:43:54 2000 |
Explanation of the 'spank' attack - a new breed stream/raped. Stream/Raped mearly flooded the host with ack's (or no flags) and came from random ips with random sequence numbers and/or ack numbers. The difference now is that this not only does the previous stuff, but also directly attacks from and to multicast addresses as well. By Tim Yardley | |||
iis4.webhits.txt | 5290 | 7887 | Jan 27 16:39:52 2000 |
Cerberus Information Security Advisory (CISADV000126) - Internet Information Server 4.0 ships with an ISAPI application webhits.dll that provides hit-highlighting functionality for Index Server. A vulnerability exists in webhits that allows an attacker to break out of the web virtual root file system and gain unathorized access to other files on the same logical disk drive. This vulnerability can also be used to obtain the source of Active Server Pages or any other server side script file which often contain UserIDs and passwords as well as other sensitive information. Vulnerable systems include Microsoft Windows NT 4 running Internet Information Server 4, all service packs. Microsoft FAQ on this issue is here. Homepage here. By David Litchfield | |||
mi021.htm | 2303 | 7417 | Dec 27 09:39:21 1999 |
w3-msql (miniSQL 2.0.4.1 - 2.0.11) Solaris x86 remote exploit. Distribution of miniSQL packet (http://hughes.com.au) comes with a cgi (w3-msql) that can be xploited to run arbitrary code under httpd uid. Homepage here. By Zhodiac | |||
fastrack.remote.txt | 3276 | 7129 | Jan 2 11:07:04 2000 |
A vulnerability in Netscape FastTrack 2.01a will allow any remote user to execute commands as the user running the httpd daemon (probably nobody). I've only tested the version of Netscape FastTrack that comes with SCO UnixWare 7.1, 2.01a. I'm not sure what other platforms, if any, are vulnerable. Unixware exploit included. By Brock Tellier | |||
qpop-exploit-net.c | 3130 | 6566 | Jan 28 11:45:53 2000 |
A modified version of the original qpopper 3.0beta29 exploit by Zhodiac, added network support (no need for netcat) and allowed the user to specify which command to execute. Homepage here. By Missnglnk | |||
smtp2.htm | 2106 | 6483 | Jan 26 13:08:50 2000 |
USSR Labs found following. A memory leak exists in the Super Mail Transfer Package that may cause an NT host to stop functioning and/or need to be rebooted. The memory leak may occur when you connect to the SMTP port, all information you send to the system will be stored in memory, and SMTP support multiples HELO/ MAIL FROM/ RCPT TO / DATA in the same connection. If you did multiple HELO/ MAIL FROM/ RCPT TO / DATA in the same connection the memory may not be deallocated. This condition may cause the computer to stop functioning the moment memory runs out. Homepage here. | |||
gh-plus.c | 2977 | 6451 | Jan 10 13:58:12 2000 |
Remote exploit for PowerScripts PlusMail (all versions to current). Plusmail is an extremely popular cgi-based administration tool that allows you to remotely administer your website with a graphical control panel interface. The password file, however, is set with permissions rw enabled. All platforms are affected. By Ytcracker | |||
mysql.grant.txt | 5069 | 6047 | Jan 12 13:15:33 2000 |
Anyone with access to a running MySQL and GRANT privilege for any database or table in it, can change any MySQL-password he wishes, including the MySQL superusers. This makes all default-configured MySQL very vulnerable. Homepage here. By Viktor Fougstedt courtesy of Bugtraq | |||
midikeys.htm | 1790 | 5759 | Jan 14 04:01:50 2000 |
The IRIX setuid root binary midikeys can be used to read any file on the system using its gui interface. It can also be used to edit anyfile on the system. Homepage here. | |||
bindview.nt-local.tx..> | 4802 | 5485 | Jan 14 15:49:01 2000 |
Due to a flaw in the NtImpersonateClientOfPort Windows NT 4 system call, any local user on a machine is able to impersonate any other user on the machine, including LocalSystem. We have written a demonstration exploit which allows any user to spawn a cmd.exe window as LocalSystem. All Windows NT 4.0 systems up to and including SP6a are vulnerable. Homepage here. | |||
bind15.htm | 2713 | 5445 | Jan 20 18:09:10 2000 |
If you're running BIND 8.2.2, and you have the victim.dom name servers in your cache, and victim.dom changes its server names, then any user who can make recursive queries through your cache can break your victim.dom lookups until the old records time out. The complete attack is one brief burst of legitimate packets. This is, of course, not as disastrous as BIND's next buffer overflow, but it's still an interesting example of how an attacker can use BIND's bogus ``credibility'' mechanism to exacerbate the effects of a seemingly minor bug. Homepage here. | |||
icq11.htm | 4374 | 5421 | Jan 20 18:09:10 2000 |
OS tested was Windows 2000 and ICQ v99b 1.1.1.1. ICQ is a very popular chat client that is affected by a exploitable buffer overflow when it parses an URL sent by another user. What this means is that arbitary assembly code can be run on the remote machine. Homepage here. | |||
plusmail.c | 3311 | 5216 | Jan 11 13:34:34 2000 |
PlusMail CGI remote exploit - This posts the form to the victim, reads the data, binds to a port on the local machine, then you open up a browser and go to http://localhost:4040. Homepage here. By Missnglnk | |||
omnis.txt | 712 | 5090 | Jan 22 22:07:00 2000 |
Vulnerabilities in OMNIS, affecting many applications. Omnis is a Rapid Application Development environment which is portable to Win, Mac, and Linux. One of the features that Omnis provides for attaching to the database is the ability to encrypt fields, and obscure them from prying eyes. In actuality, this encryption is extremely weak, and I accidentally discovered the encryption technique and post a detailed explanation of it here. By Eric Stevens | |||
skey.htm | 2156 | 4959 | Jan 26 19:19:14 2000 |
w00w00 Security Advisory - S/Key & OPIE Database Vulnerability affecting most Unixes (not NetBSD) running skey-2.2. (possibly earlier versions too) allowing offline password cracking. Homepage here. By Harikiri | |||
warftp.txt | 4914 | 4822 | Jan 7 17:26:38 2000 |
All versions of War-ftpd have serious security issues. The current release has some serious problems with the parsing of macros which can be exploited without even logging in. By Sir Dystic courtesy of Bugtraq | |||
iis53.htm | 3314 | 4218 | Jan 26 13:08:50 2000 |
MS IIS 5.0 has problems handling a specific form of URL ending with "ida". The extension ida has been taken from the Bugtraq posting "IIS revealing webdirectories" The problem causes 2 kind of results. The one result is that the server responds with a message like "URL String too long"; "Cannot find the specified path" The other error causes the server to terminate with an Access Violation. When the server "Access violates" it displays as last message. Homepage here. | |||
website.htm | 2906 | 4045 | Jan 26 13:08:50 2000 |
WebSite Pro is also revealing the webdirectory of each Website by a simple command line. This bug is similar to the "IIS revealing webdirectories" bug reported. On WebSitePro the diference ist the way you retrieve the path. Homepage here. | |||
ADMsximap.c | 2985 | 3814 | Jan 26 19:36:07 2000 |
Solaris Solstice Internet Mail IMAP4 Server x86 exploit. By K2 | |||
vwall3.htm | 1960 | 3486 | Jan 21 16:41:49 2000 |
By sending an SMTP message with a malformed attachment, it is possible for malicious code to avoid detection by Trend Micro's InterScan SMTP scanner version 3.0.1 for Solaris. Other versions may be affected as well, but were not tested. Homepage here. | |||
autobuse-angel.txt | 2389 | 3476 | Jan 31 18:36:05 2000 |
Autobuse.pl and angel.pl both use /tmp insecurely. By John Daniele courtesy of Bugtraq | |||
qpop-xploit.c | 2937 | 3472 | Jan 26 19:27:10 2000 |
Remote linux x86 exploit for Qpopper 3.0beta29 and below. (not 2.5.3) Overflows the LIST command and spawns a shell with the UID of the user who logged in (requires valid account), and GID mail. Homepage here. By Zhodiac courtesy of Bugtraq | |||
mo2.htm | 1846 | 3228 | Jan 29 10:28:38 1980 |
Microsoft Office Converter Module Overflow - By using a hexadecimal editor to insert specially-malformed information into a document, a malicious user could cause Word to run code of his or her choice when the document was opened using an affected version of the converter. Homepage here. | |||
perloverflow.tar.gz | 2279 | 2901 | Jan 7 14:28:52 2000 |
Possible overflow in perl/kernel/vm (dont know which). Strace included. Appears to cause root owned processes to die if run by a normal user (under linux-2.2.13). By Anarchy | |||
vcasel.htm | 1905 | 2855 | Jan 21 16:41:49 2000 |
Vcasel (Visual Casel) is apparently intended as some sort of addon to Novell Netware 3.X and above. The program does succeed in limiting the names of the files executed, but there is no path verification. Homepage here. | |||
analogx.www.txt | 4011 | 2840 | Jan 2 11:07:10 2000 |
Local / Remote GET Buffer Overflow Vulnerability in AnalogX SimpleServer:WWW HTTP Server v1.1. Windows 95 is confirmed vulnerable, possibly other platforms. By Underground Security Systems Research | |||
bruterh.sh | 5419 | 2588 | Jan 31 18:40:03 2000 |
Brute-force Linux-PAM password cracker for RedHat. Supply a wordlist, take a coffee. Nothing in system logs. Performance-tuning possible. By Michal Zalewski | |||
tb2.htm | 2803 | 2583 | Jan 26 13:08:50 2000 |
Timbuktu Pro 32 (TB2) from Netopia sends user IDs and passwords in clear text. When TB2 is used to remote control a machine that is not logged in or is locked, any user ID and password that is typed in is sent in clear text. A malicious user on the network can "sniff" the packets and gain the NT User IDs and passwords of any one using TB2 to remotely control a NT machine. Homepage here. | |||
rtf.htm | 2194 | 2568 | Jan 26 13:08:50 2000 |
RTF files consist of text and control information. The control information is specified via directives called control words. The default RTF reader that ships as part of many Windows platforms has an unchecked buffer in the portion of the reader that parses control words. If an RTF file contains a specially-malformed control word, it could cause the application to crash. Homepage here. | |||
raq2.admin.exploit.t..> | 2012 | 2545 | Jan 31 13:26:00 2000 |
Exploit for Cobalt Raq2 Server. Requires Site Administrator access to one of the accounts on the server. By Skirkham courtesy of Bugtraq | |||
qmail-pop3d-vchkpw.c | 2736 | 2504 | Jan 26 16:14:32 2000 |
Remote exploit for the inter7 supported vchkpw/vpopmail package for (replacement for chkeckpasswd). Tested on Sol/x86,linux/x86,Fbsd/x86 against linux-2.2.1 and FreeBSD 3.[34]-RELEASE, running vpopmail-3.4.10a/vpopmail-3.4.11[b-e]. Unofficial patch here. Homepage here. By K2 | |||
supermail.nt.txt | 2878 | 2456 | Jan 13 11:54:39 2000 |
A memory leak exists in the Super Mail Transfer Package for Windows NT that may cause an NT host to stop functioning and/or need to be rebooted. DoS exploit description included. By Underground Security Systems Research | |||
nortel.htm | 2272 | 2423 | Jan 26 13:08:50 2000 |
Nortel's new Contivity seris extranet switches give administrators the ability to enable a small HTTP server and use Nortel's web based administration utility to handle configuration and maitenance. The server runs atop the VxWorks operating system and is located in the directory /system/manage. A CGI application, /system/manage/cgi/cgiproc that is used to display the administration html pages does not properly authenticate users prior to processing requests. An intruder can view any file on the switch without logging in. Homepage here. | |||
ie5.cross-frame.txt | 3966 | 2380 | Jan 7 16:27:37 2000 |
Internet Explorer 5.01 under Windows 95 and 5.5 under WinNT 4.0 (suppose other versions are also vulnerable) allows circumventing "Cross frame security policy" by accessing the DOM of "old" documents using IMG SRC="javascript:..." and a design flaw in IE. This exposes the whole DOM of the target document and opens lots of security risks. This allows reading local files, reading files from any host, window spoofing, getting cookies, etc. Demonstration available here. By Georgi Guninski courtesy of Bugtraq | |||
vpopmail.txt | 2293 | 2378 | Jan 26 19:24:44 2000 |
w00w00 Security Advisory - qmail-pop3d may pass an overly long command argument to it's password authentication service. When vpopmail is used to authenticate user information a remote attacker may compromise the privilege level that vpopmail is running, naturally root. Homepage here. By K2 | |||
pmtu.htm | 2139 | 2242 | Jan 31 18:06:57 2000 |
An HP-UX 10.30/11.00 system can be used as an IP traffic amplifier. Small amounts of inbound traffic can result in larger amounts of outbound traffic, using ICMP MTU discovery packets. Homepage here. | |||
hotmail.java.txt | 6682 | 2234 | Jan 12 13:04:33 2000 |
Georgi Guninski security advisory #5 - Yet another Hotmail security hole. Hotmail allows executing JavaScript code in email messages using vascript, which may compromise user's Hotmail mailbox when viewed with Internet Explorer. Includes exploit code. Homepage here. By Georgi Guninski courtesy of Bugtraq | |||
vmware.htm | 2840 | 2172 | Jan 26 19:21:35 2000 |
w00w00 Security Advisory - Linux VMware 1.1.2 Symlink Vulnerability. VMware stores temporary log files within the /tmp directory. It does not check whether all of these files exist prior to creation, resulting in the potential for a symlink attack. Homepage here. By Harikiri | |||
update.htm | 1945 | 2023 | Jan 20 18:09:10 2000 |
orel Linux comes with a program called "Corel Update" to manage the ".deb" files. This X oriented program is setuid root. The program is "get_it" and it's located in the /usr/X11R6/bin directory. If you can run it, it's easy to get root privileges in your system. Homepage here. | |||
rightfax.txt | 2412 | 2003 | Jan 31 18:52:32 2000 |
RightFax Web Client v5.2 allows anyone to hijack user's faxes. By Et Lownoise courtesy of Bugtraq | |||
iMailv5.txt | 4104 | 1994 | Jan 4 00:49:22 2000 |
On iMail Server 5.0 for Windows NT 4.0 SP 6a, a malicous user can read and send emails as any other user on the system. The issue lies in how iMail handles the creating of new email accounts, and how it stores them. Exploit instructions included. By Simon | |||
javascript.hotmail.t..> | 4363 | 1940 | Jan 7 13:16:40 2000 |
Hotmail allows executing JavaScript code in email messages using "@import url(javascript:...)", which may compromise user's Hotmail mailbox when viewed with Internet Explorer. Includes exploit code. Homepage here. By Georgi Guninski | |||
solinger.c | 1945 | 1805 | Jan 5 12:29:04 2000 |
"solinger" Denial Of Service - bind 8.1.*, 8.2, 8.2.1 - causes a bind8 server to stop responding to requests for up to 120 seconds. Quick proof of concept of the bug pointed out by ISC. Homepage here. By Mixter | |||
nscape58.htm | 2293 | 1713 | Jan 9 18:46:11 2000 |
After executing the testommunicator 4.7 (NT/win2k) vulnerability - After executing the test hyperlink on beavuh.org's page on his client machine, he was able telnet to a remote shell on port 6968 of my client machine. Test your browser at www.beavuh.org. Homepage here. | |||
sms.htm | 2997 | 1713 | Jan 31 17:51:52 2000 |
SMS 2.0 Remote Control (for Windows NT) introduces a security risk that will allow the attacker to run programs in system context, due to the fact that the executable used for the remote control service is copied to the workstation without any special permission settings to prevent a user from replacing the executable. Homepage here. | |||
recover.htm | 2305 | 1693 | Jan 14 04:01:50 2000 |
The 'recover' command in Solstice Backup (Sun's relabeled version of Legato Networker) on a Unix machine authorized to perform restore operations from the backup server can be used to by a normal user to restore any file accessible to the machine in a readable-to-them state (although it cannot be used to overwrite system files). This can be used to get your own copy of /etc/shadow for password cracking purposes. Homepage here. | |||
pm-exploit.c | 358 | 1688 | Jan 7 17:26:38 2000 |
Plusmail remote exploit - plusmail fails to check authenticity before creating new accounts. Homepage: http://www.synnergy.net. By Headflux | |||
asp8.htm | 4007 | 1674 | Jan 31 17:36:19 2000 |
Windows NT webservers using ASP can under some circumstances reveal the path of the server. A variable holds information about the internal structure of the website. Homepage here. | |||
rdisk.htm | 2051 | 1645 | Jan 26 13:08:50 2000 |
There exists a vulnerability in rdisk (Windows NT) which causes the contents of the registry hives to be exposed to Everyone during updating of the repair info. Homepage here. | |||
yahoo2.htm | 3699 | 1628 | Jan 26 13:08:50 2000 |
Jaynus Jaynus found following. He read over the ICQ overflow that had been found so he was curious if this existed in any other clients. Upon testing the below URL, yahoo pager/messenger crashed in the same was as ICQ. Homepage here. | |||
checkpoint-fw1.vuln...> | 4952 | 1543 | Jan 21 17:38:13 2000 |
Outlines two basic vulnerabilities in Checkpoint's Firewall-1. The first is an authentication problem which allows easy brute force attacks; the second allows you to use the first to remotely administer someone else's firewall without their knowledge. | |||
mix.htm | 2594 | 1538 | Jan 31 17:45:23 2000 |
Microimages X server for Windows allows anyone to kill your session and start an xterm on your machine if they know you are using the software. Homepage here. | |||
msadc-trojan.pl | 2178 | 1423 | Jan 10 03:04:16 2000 |
This script will upload a trojan to an RDS vulnerable site running NT and execute the trojan. Homepage here. By Bansh33 | |||
skrypt.sh | 4105 | 1400 | Jan 10 14:11:22 2000 |
Wu-ftpd 2.4 remote root exploit for SuSE. Tested on SuSE 6.0 running Wu-ftpd 2.4.2-beta18. | |||
uw-ppptalk.c | 2223 | 1212 | Jan 21 16:41:49 2000 |
UnixWare 7 exploit for /usr/bin/ppptalk. By K2 | |||
pamslam.sh | 4514 | 1180 | Jan 7 15:42:27 2000 |
pamslam - vulnerability in Redhat Linux 6.1 and PAM pam_start. both 'pam' and 'userhelper' (a setuid binary that comes with the 'usermode-1.15' rpm) follow .. paths. Since pam_start calls down to _pam_add_handler(), we can get it to dlopen any file on disk. 'userhelper' being setuid means we can get root. By Dildog | |||
vi.htm | 2116 | 1127 | Jan 14 04:01:50 2000 |
Vi uses /tmp insecurely on OpenBSD, FreeBSD and Debian. This has been fixed in FreeBSD 2.2-STABLE, 3.4-STABLE and 4.0-CURRENT (04.01.2000). Homepage here. | |||
iiscat.c | 4043 | 959 | Jan 31 16:33:56 2000 |
IIScat exploits the recent Microsoft Index Server vulnerability to read any file on the server. By Fredrick Widlund | |||
subseven.htm | 5930 | 883 | Jan 31 17:55:24 2000 |
There is a buffer overflow in Subseven 2.1a causing it to quit quietly, crash, or overwrite variables. Homepage here. | |||
userrooter.sh | 4206 | 872 | Jan 7 14:54:19 2000 |
RedHat PAM/userhelper(8) exploit. By S | |||
altavista.txt | 9829 | 801 | Jan 12 13:10:11 2000 |
Exploit information for the recent bugs in the Altavista Search Engine to read any file on the system. By RC courtesy of Bugtraq | |||
fw1_script.tags.txt | 2432 | 495 | Jan 31 18:43:24 2000 |
The "Strip Script Tags" feature in Firewall-1 can be circumvented by adding an extra less than sign before the SCRIPT tag. The code will still execute in both Navigator and Explorer. Homepage here. By Arne Vidstrom courtesy of Bugtraq | |||