Welcome to the Exploits for May, 2000 Section. | |||
Some of these exploits are from Bugtraq and Security Bugware | |||
File Name | Downloads | File Size | Last Modified |
jolt2.c | 7303 | 4187 | May 28 00:27:57 2000 |
jolt2.c exploits the recent "IP Fragment Reassembly" Windows remote denial of service vulnerability described in ms00-029. Tested against Win98, WinNT4/SP5,6, Win2K from linux. Allows the user to specify UDP or ICMP and send a spoofed source address. Linux and Windows binaries available here. By Phoenix | |||
hack-hm-1.1.txt | 6146 | 4178 | May 10 18:09:51 2000 |
Hotmail is vulnerable to yet another serious security problem involving JavaScript. Windows, MacOS, and Linux users are affected. Consequences include Hotmail account takeover, redirecting a Hotmail user to any site, or access to the user's computer if combined with other known exploits. By Hawaiian Superman | |||
filemaker.pro5 | 4935 | 3443 | May 17 10:21:55 2000 |
The precise details of how to exploit these holes are minimized to avoid compromising currently Internet-accessible FileMaker Pro 5 databases and mail servers. However, the details can be deduced from the FileMaker Pro 5 documentation and the FileMaker XML Technology Overview white paper available via the FileMaker XML Central Web site. | |||
napstir.c | 4070 | 2140 | May 11 15:39:55 2000 |
Gnapster, and possibly other Napster clients, does not validate the filename in a download request, so any file the client user has read access to can be downloaded by a remote peer. Also includes some denial of service techniques. By S | |||
ISS.txt | 3190 | 2128 | May 2 13:29:33 2000 |
Describes how the ISS Internet Scanner and RealSecure products can both be put to malicious use. Submitted Anonymously. | |||
0005-exploits.tgz | 3071 | 400774 | Jul 13 11:49:11 2000 |
Packet Storm new exploits for May, 2000. | |||
icq.web.front.dos.tx..> | 3041 | 2066 | May 30 20:56:28 2000 |
ICQ Web Front Remote denial of service vulnerability - ICQ 2000a, 99b, and 99a contain a vulnerability in the personal web server. Guestbook.cgi, installed by default, crashes when sent a long name. Homepage here. By Meliksah Ozoral | |||
watcheador.zip | 2946 | 174158 | May 13 23:22:11 2000 |
Watcheador is a Windows application that allows you to view ASP source code using the Index Server bug in IIS 4 and IIS 5. Written in Delphi 4.0. Comments in Spanish. By Leon De Juda | |||
b0f5-Qpopper.txt | 2904 | 5946 | May 24 12:55:59 2000 |
BufferOverflow Security Advisory #5 - Remote shell via Qpopper2.53. qpop_euidl.c exploit included. Requires a qpop account and gives UID mail. Homepage here. By Prizm | |||
RFParalyze.txt | 2723 | 5731 | May 3 14:56:44 2000 |
A NetBIOS session request packet with a NULL source name makes Windows 95/98 misbehave in a number of ways, from lockups, reboots and the "blue screen of death" to total loss of network connectivity. Source code included. Reverse engineered from a binary exploit already in use. By Rain Forest Puppy and Evan Brewer. Homepages at www.el8.org and www.wiretrip.net. | |||
tcpb.c | 2653 | 7029 | May 1 14:03:18 2000 |
A backdoor that communicates over unconnected, spoofed TCP packets. Homepage here. By CyRaX | |||
ftpexp.c | 2559 | 2458 | May 15 13:01:56 2000 |
FTP server (Version 6.2/OpenBSD/Linux-0.10, and possibly 6.3) getwd() overflow. Linux exploit, remote. Submitted Anonymously. | |||
5niffi7.c | 2507 | 11722 | May 27 01:41:51 2000 |
5niffi7.c - Remote root exploit for sniffit (-L mail) 0.3.7.beta on Debian 2.2. Includes a detailed explanation of how the exploit works. By MaXX | |||
Animal.c | 2505 | 2302 | May 27 01:17:28 2000 |
Gauntlet firewall remote proof of concept code, tested against BSDI. By Gramble | |||
bugzilla.txt | 2456 | 8782 | May 11 18:00:26 2000 |
BufferOverflow Advisory: Unchecked system call in Bugzilla 2.8. The script used to submit new bugs, process_bug.cgi, is vulnerable because it does not check the contents of the who field. Includes perl remote exploit code. Homepage here. By {} | |||
netsolbug.txt | 2397 | 2128 | May 9 14:43:18 2000 |
Major security issue with networksolutions.com (easysteps.pl). This is being passed around on IRC. Homepage here. By vade79 | |||
ismyasp.pl | 2228 | 2412 | May 15 13:15:22 2000 |
LoWNOISE - ISMyASP - IIS ASP source code viewer using the ISM.DLL buffer truncation bug. By Efrain 'ET' Torres | |||
sniffit.c | 2225 | 3587 | May 18 02:24:13 2000 |
Sniffit 0.3.7beta Linux/x86 Remote Exploit. Tested on RedHat 5.2, 6.0, 6.2. Homepage here. By FuSyS | |||
Xsh0k.c | 2064 | 4435 | May 25 03:32:41 2000 |
X Window System remote DoS attack - opens a sequence of socket connections to TCP port 6000. The X server slows to a crawl and sometimes stops responding to user input. Homepage here. By Norby | |||
netprex.c | 1890 | 13152 | May 14 17:39:38 2000 |
netprex.c is a SPARC / i386 buffer overflow root exploit for /usr/lib/lp/bin/netpr. Tested on Solaris 2.6 & 2.7. By Cheez Whiz | |||
windows2k.iss | 1827 | 1091 | May 17 11:40:59 2000 |
There is a security problem with shtml.exe that allows anyone to explore the local path of IIS web server. Found by Frankie Zie. | |||
allmanage.pl.txt | 1823 | 1013 | May 13 23:31:31 2000 |
Websites using Allmanage Website Administration Software 2.6 with the upload ability contain an easily exploited vulnerability which gives full add/delete/change access to the user account directories and lets you change the files in the main directory of the CGI script. By Bighawk | |||
cart32scan.pl | 1801 | 1542 | May 2 13:53:33 2000 |
Script used to scan for the Cart32 vulnerability. Anonymously Submitted. | |||
xsol-x.c | 1797 | 2212 | May 19 11:55:37 2000 |
/usr/local/games/xsoldier local root exploit. Tested under Mandrake 7.0. Homepage here. By Larry W. Cashdollar | |||
RFP2K04.txt | 1789 | 5058 | May 17 10:31:12 2000 |
RFP2K04 - Mining BlackICE with RFPickAxe. BlackICE IDS uses a management console called ICECap to collect and monitor alerts sent by the various installed BlackICE agents. The ICECap user console listens on port 8081 and has the default login of 'iceman' with no password. The second problem is that the software, by default, uses the Microsoft Jet 3.5 engine to store alerts. Coupled with the shell VBA problem (CVE: CAN-2000-0325), this means you can push alerts that contain commands to be executed on the ICECap system. Includes RFPickaxe.pl demo exploit. Homepage here. By Rain Forest Puppy | |||
l0phtl0phe-kid.c | 1761 | 4367 | May 18 22:57:00 2000 |
l0phtl0phe-kid.c - Easy antisniff v1.02 exploit. l0pht messed up the fix for their antisniff problem by not regarding the signedness of the char and int values used, resulting in a cool method of bypassing the extra length + strncat checks. This version has been made easy enough for script kiddies to use - to avoid that "doesn't work" lamer claim. Homepage here. By Scut | |||
elm-smash.c | 1746 | 2267 | May 5 12:03:19 2000 |
This exploit spawns an EGID mail shell on the default Slackware 4 install. Homepage here. By scrippie | |||
ADMDNews.zip | 1737 | 3833 | May 18 02:35:36 2000 |
ADMDNews_v2 - WinNT/Win2K x86 exploit for NetWin (www.netwinsite.com) DNews server (v5.0f - v5.3e3) gupcgi.exe/dnewsweb.exe CGIs. This program exploits the buffer overflow condition in gupcgi.exe/dnewsweb.exe CGIs while processing the "cmd" parameter. Tested and confirmed under WinNT 4.0 SP5/SP6 & Win2K Beta 3 RC2 (build 2128). By Joey__ | |||
klogin.c | 1694 | 3570 | May 19 11:18:05 2000 |
BSDI 4.0.1 klogin remote root buffer overflow. The bug is actually in the kerberos library so this affects all kerb services (kerbIV). This code should need minimal (if any) modification to use on other kerberos services. By Duke | |||
hack-hm-1.0.txt | 1687 | 4662 | Apr 10 13:04:00 2000 |
Hotmail is vulnerable to yet another serious security problem involving javascript. Windows, MacOS, and Linux users are affected. Filters may be bypassed by putting line feeds in the middle of the javascript code, the browser will remove the line feeds and execute it. By Hawaiian Superman | |||
ssibug | 1658 | 923 | May 27 00:36:34 2000 |
The thttpd web server comes with a CGI script called /cgi-bin/ssi which allows any file on the system to be read. Exploit URL included. Homepage here. By DiGiT | |||
beos5-dos.txt | 1647 | 2050 | May 19 10:41:22 2000 |
AUX Technologies Security Advisory - BeOS Remote Denial of Service. BeOS 5.0 has a vulnerability in its TCP fragment handling which can lock up the system, requiring a cold reset. The bug can be reproduced using ISIC-0.05. Homepage here. By Visi0n | |||
mailx.c | 1641 | 1453 | Jun 1 11:41:41 2000 |
Mailx local exploit - Tested on Slackware 3.6, 4.0, and 7.0 and Debian 2.0r2, 2.1, 2.2. Gives GID mail shell. By Funkysh | |||
sms.c | 1632 | 2324 | May 31 15:35:49 2000 |
sms.c is a remote SMS 1.8.2 (mail2sms gateway) long subject line remote buffer overflow exploit. Send the mail generated by this program and a shell will be listening on port 2222. Offsets adjusted for redhat. Homepage here. By Venglin | |||
connect.asm | 1627 | 3152 | May 4 16:47:42 2000 |
Passive Connection Shellcode. Source is well documented. Homepage here. By scrippie | |||
l0phtl0phe.c | 1613 | 5516 | May 18 15:29:50 2000 |
l0phtl0phe.c - antisniff exploit (1.02 included). l0pht messed up the fix for their antisniff problem by not regarding the signedness of the char and int values used, resulting in a cool method of bypassing the extra length + strncat checks. Homepage here. By Scut | |||
socket-dos.c | 1610 | 1167 | May 23 11:48:29 2000 |
socket-dos.c is a local ssh-1.2.27 exploit which creates a UNIX domain socket with an arbitrary file name anywhere in the filesystem on some machines. Homepage here. | |||
elm-ex.c | 1604 | 1505 | May 27 17:04:14 2000 |
Elm 2.5 PL3 exploit tested under linux Slackware 3.6, 4.0, 7.0. Homepage here. By Xfer | |||
sniffitexp.c | 1602 | 4384 | May 23 11:25:28 2000 |
Sniffit 0.3.7Beta Remote Exploit - sniffit has to be running with the -L mail flag set for this to work. Tested on RedHat 6.0. Homepage here. By Noir | |||
xaosexp.c | 1590 | 1301 | May 27 00:46:34 2000 |
/usr/bin/xaos local root buffer overflow exploit. Works on suse 6.1, and could be modified for 6.2. Homepage here. By DiGiT | |||
allmanage.pl-admin.t..> | 1546 | 1165 | May 15 13:07:13 2000 |
New vulnerability found in Allmanage. This one gives access to the main admin panel where you can set a lot of options and variables. Websites using Allmanage Website Administration Software 2.6 with the upload ability contain an easily exploited vulnerability which gives full add/delete/change access to the user account directories and lets you change the files in the main directory of the CGI script. By Bighawk | |||
nhc.kp.txt | 1511 | 8737 | May 5 11:57:12 2000 |
It is possible to cause a kernel panic on systems running NetBSD by sending a packet remotely with an unaligned IP Timestamp option. Homepage here. By ipfreely | |||
cart32scan.c | 1509 | 3347 | May 4 14:21:25 2000 |
Originally posted on BugTraq in regards to the Cart32 vulnerability. This code checks whether the host is up, makes an HTTP connection to it, scans for the vulnerable version of Cart32 and prints to stdout whether or not the server is vulnerable. By rossex | |||
fdmountx.c | 1499 | 1039 | May 25 11:44:18 2000 |
/usr/bin/fdmount local linux exploit. Homepage here. By War | |||
gnomelib.sh | 1474 | 2122 | May 18 02:41:35 2000 |
SuSE 6.3 and 6.4 gnomelib local root exploit. All GNOME apps have an exploitable buffer overflow when reading the DISPLAY environment variable. By Bladi and Almudena | |||
DST2K0007.txt | 1456 | 2464 | Jun 2 13:02:20 2000 |
Delphis Consulting Plc Security Team Advisory DST2K0007 - Buffer Overrun in ITHouse Mail Server v1.04 for Microsoft Windows NT v4.0 Workstation (SP6). Sending an email via SMTP to an IT House Mail Server with a recipient name in excess of 2270 bytes causes a buffer overrun that overwrites EIP, allowing an attacker to execute arbitrary code on the server. Homepage: http://www.delphisplc.com/thinking/whitepapers/. By Delphis Consulting Security Team | |||
DST2K0008.txt | 1451 | 2725 | Jun 2 12:49:34 2000 |
Delphis Consulting Plc Security Team Advisory DST2K0008 - Buffer Overrun in Sambar Server 4.3 (Production). By using the default finger script shipped with Sambar Server it is possible to cause a buffer overrun in sambar.dll, overwriting EIP and allowing the execution of arbitrary code. Homepage: http://www.delphisplc.com/thinking/whitepapers/. By Delphis Consulting Security Team | |||
killsentry.c | 1445 | 4670 | May 23 10:42:01 2000 |
killsentry.c shows that automatic firewalling is a bad idea by sending spoofed FIN packets from different hosts in an attempt to confuse Portsentry. Tested on FreeBSD 3.2. By Andrew Alston | |||
spad01.txt | 1440 | 3710 | Jun 1 15:35:12 2000 |
Security Point Advisory #001 - Java Internet Shop allows users to change the prices on items. The Danish Shopexpress, and the English Zilron StoreCreator version 3.0 and below are vulnerable, an estimated 2500 online shops are running this software. Homepage here. By Security Point, Inc | |||
Mail_bof.c | 1424 | 2160 | Jun 1 00:05:35 2000 |
/usr/bin/Mail local linux exploit which gives gid=12 shell. Tested against Slackware 3.6 and 7.0. Homepage here. By Vade79 | |||
mdbms.c | 1385 | 6547 | Jun 1 11:30:41 2000 |
MDBMS V0.96b6 remote root exploit - This code demonstrates a MDBMS v0.96b6 vulnerability which allows any remote user to exec a root shell. Tested on Linux SuSE 6.3. By TDP | |||
filterape.c | 1376 | 2686 | May 25 11:42:02 2000 |
filterape.c exploits a new elm buffer overflow to get EGID mail on Slackware. Homepage here. By Scrippie | |||
nis-spoof.c | 1373 | 8039 | May 11 20:10:07 2000 |
nis-spoof.c spoofs the response from a NIS server to a client. Homepage here. By Trevor Schroeder | |||
kill_sntsd.pl | 1366 | 1301 | Jun 1 11:02:20 2000 |
A remote buffer overflow has been discovered in the Simple Network Time Sync daemon and client version 1.0, tested on Redhat 6.1. Possible remote root compromise; denial of service exploit included. By Ben Taylor | |||
DoS-CProxyv3.3 | 1344 | 2423 | May 17 15:37:27 2000 |
Remote Denial of Service for CProxy v3.3 Service Pack 2. This program exploits an overflow vulnerability in the CProxy 3.3 SP2 HTTP service (port 8080), causing the server to shut down. By tdp@psynet.net. | |||
SSG-arp.c | 1340 | 3253 | May 7 20:02:47 2000 |
SSG-arp.c - AIX 4.1.4.0 local root /usr/sbin/arp exploit. Homepage here. By Cripto | |||
Emurl2.0.windows | 1334 | 1945 | May 17 15:43:53 2000 |
Any user can read any other user's mailbox on the system. They can also steal other users' POP passwords, since Emurl allows you to fetch POP email from more than one source. | |||
elm_again.c | 1311 | 2183 | May 26 22:03:43 2000 |
elm_again.c exploits another buffer overflow in elm v2.5 giving a gid=12 shell if /usr/bin/elm is SGID. Tested on Slackware 3.6 and RedHat on elm2.5PL3. Homepage here. By Vade79 | |||
majordomo.txt | 1307 | 9265 | May 31 21:21:42 2000 |
The mailing list software majordomo has several local vulnerabilities. Local commands can be run with the UID and GID used by majordomo. Exploit details and patch included. Homepage here. By Federico Schwindt | |||
ultraboardv1.6 | 1291 | 819 | May 17 10:47:08 2000 |
By using the good old null byte (\000) it's possible to open "any" file on the web server (with the web server's permissions) running the "UltraBoard" forum software. By rudic. | |||
wemilo.tcl | 1275 | 3998 | May 29 18:10:38 2000 |
Remote Cart32 exploit - Though L0pht released an advisory and patch for the well known Cart32 bug, this is the first exploit released to date. Allows remote command execution. Homepage here. By Futant | |||
7350kscd.tar.gz | 1259 | 8307 | May 15 12:43:59 2000 |
New TESO kscd exploit (kscd is the CD player in the KDE multimedia package). Homepage here. By TESO | |||
ezboard-scx-sa-03.tx..> | 1253 | 2868 | May 26 12:06:35 2000 |
Securax-SA-03 - Ezboard v5.3.9 remote dos attack via wildcards in URL. By Frazzle_Freckle | |||
access.counter-4.0.7..> | 1241 | 1223 | May 26 16:47:12 2000 |
A popular CGI web page access counter, version 4.0.7 by George Burgyan, permits execution of arbitrary commands as a result of unchecked user input. Commands are executed with the permissions of the web server. By Howard M. Kash III | |||
RFP2K05.txt | 1241 | 3870 | May 19 09:13:41 2000 |
NetProwler 3.0, a network based intrusion detection system, has a remote denial of service vulnerability. The software crashes when two fragmented IP packets are sent to an IP address that it is profiling. Netprowler must be profiling ftp in order for the exploit to work. Please note that Netprowler logs all incoming alerts to a Microsoft .mdb file. Please read RFP2K04.txt for more information. Homepage here. By Rain Forest Puppy | |||
joe-fixed.c | 1218 | 1626 | May 22 14:31:57 2000 |
joe v2.8 stack overflow. joe overflows when trying to open() $HOME/.joerc. This is simply proof of concept code, hopefully to get the bug fixed. It will attempt to spawn a rootshell. Homepage Here. By SectorX. | |||
cproxy.c | 1214 | 2410 | May 19 13:17:27 2000 |
Remote Denial of Service for CProxy v3.3 - Service Pack 2 for Windows NT. Homepage here. By TDP | |||
kshux.c | 1188 | 3908 | May 22 14:35:38 2000 |
kshux.c -- krshd remote root exploit. This program exploits a vulnerability in the 'krshd' daemon included with the MIT Kerberos distribution. All versions are apparently vulnerable. This exploit is for Linux/x86 with Kerberos version 1.0. By Jim Paris | |||
shellhit.c | 1185 | 1758 | May 22 10:47:15 2000 |
shellhit.c - TESO Hellkit contains a buffer overflow - exploit is just meant to be funny. To all scriptkiddies: You won't get root from this, go and find something more useful. Homepage here. By scrippie | |||
elm_bof25.c | 1181 | 2043 | May 26 14:17:11 2000 |
Elm v2.5 buffer overflow exploit which provides a gid=12 shell if /usr/bin/elm is SGID. Tested on elm 2.5PL1-3, on Red Hat. Perl script to find offsets included. Homepage here. By Vade79 | |||
fdmnt-smash2.c | 1173 | 3165 | May 17 09:33:38 2000 |
fdmount local root exploit - tested on Slackware 4.0. Must be in the floppy group. Modified from last version to work on Slackware 7. Homepage here. By Scrippie | |||
ascend.c | 1153 | 9820 | May 23 10:30:05 2000 |
Ascend remote denial of service - Upon receiving a packet with non zero length tcp offsets ascend terminal servers will crash. Linux based exploit included. Homepage here. By The Posse. | |||
swstack.txt | 1149 | 1237 | May 31 10:14:35 2000 |
Simple Web Server 0.5.1 stack overflow advisory. Allows eip to be overwritten. Homepage here. By SectorX | |||
cisco.00-05-14.http | 1129 | 29196 | May 17 13:44:07 2000 |
A defect in multiple releases of Cisco IOS software will cause a Cisco router or switch to halt and reload if the IOS HTTP service is enabled and browsing to "http:// | |||
Banner.rotating | 1128 | 2967 | May 17 15:40:57 2000 |
A file called adpassword.txt is world readable because it is assigned the wrong permissions. This allows a malicious attacker to read the contents of the file, crack the DES-encrypted password it contains (using a common-or-garden password cracker), and edit banner entries to add or remove banners. Homepage Here. By zillion. | |||
JANAHTTP.server | 1119 | 1318 | May 17 10:04:31 2000 |
Here is how to exploit the bug for cracking systems running Jana. I tested it with Jana 1.45 on Windows 98 and Windows 2000. 1. Open a browser window 2. Type i.e http://the.server.com/./.././.././.././windows/win.ini. By eAX. | |||
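The Jana request above and the UltraBoard null-byte entry earlier on this page are both failures of the same check: the server decides whether a request is allowed before the path has been reduced to what the filesystem will actually open. The following is an added example, not code from Jana, UltraBoard or any exploit in this archive, of how a web server or CGI should canonicalise a request path: percent-decode it, reject a decoded NUL (a C-level open() would stop at the NUL, so any suffix check done on the full string is meaningless), resolve "." and ".." lexically, and refuse any ".." that would climb above the document root instead of silently clamping it. The document root "/var/www" and the sample requests are constructed for the demo.

```c
/* Added example: lexical request-path canonicalisation that closes the
 * "/./.././../windows/win.ini" traversal and the "%00" truncation trick.
 * It does not touch the filesystem, so symlinks inside the docroot are a
 * separate concern. Docroot and requests below are constructed samples. */
#include <stdio.h>
#include <string.h>

/* Jana runs on Windows, where '\' is a separator too; treat both alike. */
#define IS_SEP(c) ((c) == '/' || (c) == '\\')

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes from in into out. Returns the decoded length, or -1 on
 * a malformed escape, overflow, or a decoded NUL byte. The NUL is rejected
 * here because every C file API stops at it: "x.dat%00.html" would pass a
 * ".html" suffix check and still open "x.dat" (the UltraBoard case). */
static int url_decode(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (size_t i = 0; in[i]; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int h = hexval((unsigned char)in[i + 1]);
            int l = in[i + 1] ? hexval((unsigned char)in[i + 2]) : -1;
            if (h < 0 || l < 0)
                return -1;
            c = h * 16 + l;
            i += 2;
        }
        if (c == 0)
            return -1;
        if (n + 1 >= outsz)
            return -1;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Resolve the URL path 'request' to a filesystem path under docroot.
 * Returns 0 and fills out on success; -1 if the request is malformed,
 * contains a NUL, or would escape docroot via "..". */
int resolve_under_docroot(const char *docroot, const char *request,
                          char *out, size_t outsz)
{
    char dec[1024];
    if (url_decode(request, dec, sizeof dec) < 0)
        return -1;

    /* Stack of accepted segments; ".." pops, "." and "" are no-ops. */
    const char *seg[256];
    size_t seglen[256];
    int depth = 0;
    const char *p = dec;
    while (*p) {
        while (IS_SEP(*p)) p++;
        if (!*p) break;
        const char *start = p;
        while (*p && !IS_SEP(*p)) p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.')
            continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return -1;   /* would climb above docroot: the Jana request */
            depth--;
            continue;
        }
        if (depth == 256)
            return -1;
        seg[depth] = start;
        seglen[depth] = len;
        depth++;
    }

    size_t n = strlen(docroot);
    if (n + 1 > outsz)
        return -1;
    memcpy(out, docroot, n);
    for (int i = 0; i < depth; i++) {
        if (n + 1 + seglen[i] + 1 > outsz)
            return -1;
        out[n++] = '/';
        memcpy(out + n, seg[i], seglen[i]);
        n += seglen[i];
    }
    out[n] = '\0';
    return 0;
}

int main(void)
{
    const char *reqs[] = { "/index.html", "/a/b/../c.txt",
        "/./.././.././.././windows/win.ini", "/images/..%2f..%2fetc/passwd",
        "/forum/data.txt%00.html" };
    char out[256];
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        int rc = resolve_under_docroot("/var/www", reqs[i], out, sizeof out);
        printf("%-40s -> %s\n", reqs[i], rc == 0 ? out : "REJECTED");
    }
    return 0;
}
```

Note that the ".." check is on the decoded, segment-split path, so "%2e%2e%2f" and the mixed "..%2f" forms fall out naturally; a substring check for "../" on the raw URL, which is what many servers of the period did, misses all of them.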
cisco.help | 1107 | 4957 | May 17 10:18:53 2000 |
It seems that, even though a regular (non-"enabled") user should not be able to see the access-lists or other security-related information in the router, one can do just that. The online help system doesn't list the commands as being available, but of the 75 extra "show" options that are available in "enable" mode (on a 12.0(5) 3640), only 13 were actually restricted. By Fernando Montenegro. | |||
cisco760.c | 1080 | 5137 | May 17 15:34:13 2000 |
Cisco 760 Series Connection Overflow. Affected Systems: Routers Cisco 760 Series. Others not tested. By Tiz.Telesup. | |||
RFPickaxe2.pl | 1080 | 2643 | May 31 16:41:05 2000 |
RFPickaxe2.pl is a Windows port of RFP's RFPickaxe.pl demo exploit for the ICECap management console used by the BlackICE IDS. By Hypoclear | |||
elm_bof24.c | 1047 | 1945 | May 26 14:16:00 2000 |
Elm v2.4 buffer overflow exploit which provides a gid=12 shell if /usr/bin/elm is SGID. Tested on Slackware 3.6, elm 2.4PL25. Perl script to find offsets included. Homepage here. By Vade79 | |||
slirp_bof.c | 1038 | 2368 | May 31 16:16:23 2000 |
Slirp v1.0.10(RELEASE) local buffer overflow exploit for Linux which gives you a SGID shell if /usr/local/bin/slirp is mode 2755. Tested against Slackware 3.6. Includes perl script to find the offset. Homepage here. By Vade79 | |||
ksux.c | 1033 | 1291 | May 22 14:31:49 2000 |
ksux.c -- ksu exploit. This program exploits a vulnerability in the 'ksu' utility included with the MIT Kerberos distribution. Versions prior to 1.1.1 are vulnerable. This exploit is for Linux/x86 with Kerberos version 1.0. Exploits for other operating systems and versions of Kerberos should also work. By Jim Paris | |||
calendar.pl.vuln | 982 | 1808 | May 17 15:23:28 2000 |
Remote users can execute arbitrary commands on the web server with the privilege level of the httpd process. Homepage Here. By Suid. | |||
ACROS-2000-04-06-1-P..> | 979 | 17712 | May 17 12:15:49 2000 |
Bypassing Warnings For Invalid SSL Certificates In Netscape Navigator. Homepage Here. | |||
bugzpladv1_eng.txt | 977 | 9741 | May 31 15:05:52 2000 |
BugzPL ADVISORY #1 - Bypassing restricted bash. bash-2 gives us the option to use a shell in restricted mode. Includes a patch to bash to eliminate most of the described attacks. By Arkth | |||
DoS.cayman | 962 | 1089 | May 17 11:37:31 2000 |
Simple DoS attack against the Cayman 3220-H DSL Router. Large username or password strings sent to the Cayman HTTP admin interface restart the router. The router log will show "restart not in response to admin command". By Cassius. | |||
sses-sshauth.txt | 940 | 6110 | May 17 12:22:30 2000 |
A vulnerable secure shell distribution is available from the popular Zedz Consultants FTP site (formerly known as replay.com). The RedHat Linux RPM ssh-1.2.27-8i.src.rpm contains a PAM patch with faulty logic that allows users to essentially pass through the username/password authentication step and gain shell access. Homepage Here. | |||
pam_console.bug | 939 | 2130 | May 17 10:13:37 2000 |
When accepting luser console login, pam_console called by /bin/login tries to be user-friendly, doing several chowns on devices like login tty and corresponding vcs[a] device, as well as other interesting devices: fd*, audio devices (dsp*, mixer*, audio*, midi*, sequencer), cdrom, streamer/zip drive devices, frame buffer devices, kbd*, js*, video*, radio*, winradio*, vtx*, vbi* and so on. Probably it's designed to make console logins more comfortable, but has DEADLY effects on servers with console luser-login ability (and that's quite common). | |||
disable.tcpdump | 937 | 4009 | May 17 10:24:06 2000 |
There is a way to disable tcpdump running on a remote host. By sending a carefully crafted UDP packet on the network which tcpdump monitors, it is possible, under certain circumstances, to make tcpdump fall into an infinite loop. By Hugo Breton. | |||
netopia.advisory.r91..> | 918 | 2340 | May 17 16:34:42 2000 |
The Netopia R9100 permits a user not authorized with the special security password to nevertheless modify the SNMP community strings, including enabling SNMP access that should be disabled. By Stephen Friedl. | |||
CISADV000504.txt | 910 | 3021 | May 17 11:13:45 2000 |
Cerberus Information Security Advisory (CISADV000504) - The Cerberus Security Team has found a remotely exploitable buffer overrun in Netwin's (http://netwinsite.com) DMailWeb (dmailweb/dmailweb.exe v2.5d), CGI program designed to give access to a user's SMTP and POP3 server over the world wide web. By supplying a specially formed QUERY_STRING to the program a buffer is overflowed allowing execution of arbitrary code compromising the web server. Homepage Here. By David Litchfield. | |||
CISADV000503.txt | 903 | 13488 | May 17 11:02:13 2000 |
Cerberus Information Security Advisory (CISADV000503) - The Cerberus Security Team has found a remotely exploitable buffer overrun in Lsoft's (www.lsoft.com) Listserv Web Archive component (wa/wa.exe v1.8d, the most recent version). Homepage Here. By David Litchfield. | |||
fork2.c | 903 | 555 | Apr 17 13:04:00 2000 |
This variation of a forkbomb will still affect Linux machines with per-user process limits in effect. The processes are unkillable as of 2.2.5 and possibly 2.2.14. By Christophe Blaess | |||
CISADV000505.txt | 892 | 3049 | May 17 11:33:03 2000 |
Cerberus Information Security Advisory (CISADV000505) - The Cerberus Security Team has found a remotely exploitable buffer overrun in Netwin's (http://netwinsite.com) DNewsWeb (dnewsweb/dnewsweb.exe v5.3e1), CGI program designed to give access to NNTP services over the world wide web. By supplying a specially formed QUERY_STRING to the program a buffer is overflowed allowing execution of arbitrary code compromising the web server. Homepage Here. By Mark Litchfield. | |||
rm.racecondition | 870 | 945 | May 17 10:50:56 2000 |
If root ever does "rm -rf /tmp/foo" on a directory tree not completely owned by root, a local user who controls part of that tree can race the traversal and have rm delete any file root can. By Morten Welinder. | |||
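The race above comes from rm walking the tree by path name: between the moment it decides that /tmp/foo/bar is a directory it owns the traversal of, and the moment it descends or unlinks inside it, the local user can rename or symlink that component somewhere else, and the deletion follows. The fix, as an added example that is not the advisory's own code, is to traverse with file descriptors rather than paths: fstatat() with AT_SYMLINK_NOFOLLOW, openat() with O_NOFOLLOW and O_DIRECTORY, a dev/inode comparison between the two to detect a swap, and unlinkat() relative to the open parent. The demo tree (a directory containing a symlink to a second directory holding a file) is constructed under $TMPDIR or /tmp and removed again; the `demo_symlink_not_followed` name is the example's own.

```c
/* Added example: a symlink-safe, fd-relative recursive delete, the
 * technique that closes the rm -rf race. Not code from the advisory. */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Remove entry 'name' inside the directory already open on 'dirfd'.
 * Symlinks are unlinked, never followed. A directory is opened with
 * O_NOFOLLOW (fails if the entry became a symlink after the stat) and its
 * dev/inode is compared with the fstatat() result (catches a rename that
 * swapped in a different directory). Every later operation is relative to
 * that fd, so renaming an ancestor no longer redirects the deletion.
 * Returns 0 on success, -1 on any failure. */
static int safe_rm_at(int dirfd, const char *name)
{
    struct stat st, st2;
    if (fstatat(dirfd, name, &st, AT_SYMLINK_NOFOLLOW) < 0)
        return -1;
    if (!S_ISDIR(st.st_mode))
        return unlinkat(dirfd, name, 0);            /* regular file or symlink */

    int fd = openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st2) < 0 || st2.st_dev != st.st_dev || st2.st_ino != st.st_ino) {
        close(fd);                                  /* swapped underneath us */
        return -1;
    }
    DIR *d = fdopendir(fd);
    if (!d) {
        close(fd);
        return -1;
    }
    int rc = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        if (safe_rm_at(fd, e->d_name) < 0)
            rc = -1;
    }
    closedir(d);                                    /* closes fd as well */
    if (rc == 0)
        rc = unlinkat(dirfd, name, AT_REMOVEDIR);
    return rc;
}

/* Equivalent of "rm -rf path" using the safe traversal above. */
int safe_rm_rf(const char *path)
{
    return safe_rm_at(AT_FDCWD, path);
}

/* Constructed scenario: tree/sub/link -> victim, victim/secret exists.
 * Returns 1 if deleting tree leaves victim/secret intact and removes tree. */
int demo_symlink_not_followed(void)
{
    const char *tmp = getenv("TMPDIR");
    if (!tmp) tmp = "/tmp";
    char victim[256], tree[256], p[512];
    snprintf(victim, sizeof victim, "%s/rmdemo_victim_XXXXXX", tmp);
    snprintf(tree, sizeof tree, "%s/rmdemo_tree_XXXXXX", tmp);
    if (!mkdtemp(victim) || !mkdtemp(tree))
        return 0;

    snprintf(p, sizeof p, "%s/secret", victim);
    int fd = open(p, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return 0;
    close(fd);
    snprintf(p, sizeof p, "%s/sub", tree);
    if (mkdir(p, 0700) < 0) return 0;
    snprintf(p, sizeof p, "%s/sub/link", tree);
    if (symlink(victim, p) < 0) return 0;

    int rc = safe_rm_rf(tree);
    struct stat st;
    snprintf(p, sizeof p, "%s/secret", victim);
    int survived  = (stat(p, &st) == 0);
    int tree_gone = (lstat(tree, &st) < 0);
    safe_rm_rf(victim);                             /* clean up the demo */
    return rc == 0 && survived && tree_gone;
}

int main(void)
{
    puts(demo_symlink_not_followed() ? "ok: symlink target untouched, tree removed"
                                     : "FAILED");
    return 0;
}
```

The demo exercises the symlink branch only; the dev/inode comparison is what defends against the concurrent rename in the advisory's scenario and cannot be shown deterministically in a single-threaded program.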
dnsloop.tar.gz | 852 | 4061 | May 24 15:22:00 2000 |
There is a remote denial of service against tcpdump. Tcpdump interprets UDP packets on port 53 as DNS traffic; domain names in DNS packets use a compression scheme in which a pointer jumps to an offset elsewhere in the packet so that a name need not be repeated. A packet whose pointer is set to a particular offset sends any decoder that has no strategy for avoiding infinite loops, tcpdump included, into an infinite loop. By Hugo Breton | |||
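Both tcpdump entries on this page (disable.tcpdump and dnsloop) describe the same bug: a compression pointer that leads back to itself, or into a chain that returns to itself. The following is an added example, not tcpdump's code or anything from the dnsloop archive, of a DNS name decoder with the two guards a decoder needs: a pointer may only point backwards in the message (RFC 1035 calls the target a "prior occurrence"), and the number of pointer hops is bounded, so the decoder terminates on every input. The DNS messages below are constructed samples: one normal message with a legitimate pointer, one with a self-referencing pointer, and one whose pointer and label form a cycle.

```c
/* Added example: DNS name decompression that cannot be looped.
 * Sample messages are constructed here, not captured traffic. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME 255   /* RFC 1035 limit on a wire-format name */
#define DNS_MAX_HOPS 64    /* far above what any real encoder emits */

/* Decode the name at msg[off] in a message of len bytes into out as a
 * dotted string. Returns the number of bytes the name occupies at its
 * first location (so a caller can step past it), or -1 on malformed
 * input, including forward pointers, pointer loops and truncation. */
int dns_name_decode(const uint8_t *msg, size_t len, size_t off,
                    char *out, size_t outsz)
{
    size_t pos = off, consumed = 0, outlen = 0;
    int jumped = 0, hops = 0;
    out[0] = '\0';

    for (;;) {
        if (pos >= len)
            return -1;
        uint8_t c = msg[pos];
        if ((c & 0xC0) == 0xC0) {                   /* compression pointer */
            if (pos + 1 >= len)
                return -1;
            size_t target = ((size_t)(c & 0x3F) << 8) | msg[pos + 1];
            if (!jumped)
                consumed = pos + 2 - off;
            jumped = 1;
            if (target >= pos)                      /* must point backwards */
                return -1;
            if (++hops > DNS_MAX_HOPS)              /* bounds any cycle */
                return -1;
            pos = target;
            continue;
        }
        if (c & 0xC0)                               /* 0x40/0x80: reserved */
            return -1;
        if (c == 0) {                               /* root label ends name */
            if (!jumped)
                consumed = pos + 1 - off;
            break;
        }
        if (pos + 1 + c > len)                      /* label runs past end */
            return -1;
        if (outlen + c + 1 >= outsz || outlen + c + 1 > DNS_MAX_NAME)
            return -1;
        if (outlen > 0)
            out[outlen++] = '.';
        memcpy(out + outlen, msg + pos + 1, c);
        outlen += c;
        out[outlen] = '\0';
        pos += 1 + c;
    }
    return (int)consumed;
}

/* Constructed message: 12-byte header, "www.example.com" at offset 12,
 * then "mail" + pointer to offset 16 ("example.com") at offset 29. */
static const uint8_t sample_msg[] = {
    0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0,
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    4, 'm', 'a', 'i', 'l', 0xC0, 0x10
};
/* Constructed: the name at offset 12 is a pointer to offset 12. */
static const uint8_t self_loop_msg[] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xC0, 0x0C
};
/* Constructed: label "a" at 12, then a pointer back to 12: a cycle that
 * passes the backwards-only rule and is stopped by the hop/length bounds. */
static const uint8_t label_loop_msg[] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 'a', 0xC0, 0x0C
};

int main(void)
{
    char name[256];
    int n = dns_name_decode(sample_msg, sizeof sample_msg, 12, name, sizeof name);
    printf("offset 12: %d bytes, %s\n", n, name);
    n = dns_name_decode(sample_msg, sizeof sample_msg, 29, name, sizeof name);
    printf("offset 29: %d bytes, %s\n", n, name);
    printf("self loop: %d\n", dns_name_decode(self_loop_msg, sizeof self_loop_msg, 12, name, sizeof name));
    printf("label loop: %d\n", dns_name_decode(label_loop_msg, sizeof label_loop_msg, 12, name, sizeof name));
    return 0;
}
```

A decoder that checked only the total output length would still hang on the self-referencing pointer, because that path never emits a byte; the hop bound is what covers it.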
teso-advisory-010.ta..> | 848 | 3358 | May 31 15:12:56 2000 |
TESO Security Advisory #10 - KDE KApplication {} configfile vulnerability. Due to insecure creation of configuration files via KApplication-class, local lusers can create arbitrary files when running setuid root KDE-programs. Tested with SuSE 6.4 standard installation under KDE 1.1.2. Homepage here. By Stealth | |||
nai.00-05-04.trendmi..> | 839 | 3359 | May 17 11:29:25 2000 |
Network Associates, Inc. COVERT Labs Security Advisory - An implementation flaw in the InterScan VirusWall SMTP gateway allows a remote attacker to execute code with the privileges of the daemon. Homepage Here. | |||
lpset.overflow | 834 | 1204 | May 17 11:54:35 2000 |
Here's an overflow exploit that works on a non-exec stack on x86 boxes. It demonstrates how it is possible to thread together several libc calls. By Tim Newsham. | |||
silent.delivery.txt | 829 | 6948 | May 13 17:06:00 2000 |
Silent delivery and installation of an executable on a target Windows computer is possible by combining several bugs. No client input other than opening an email or newsgroup post is necessary, making the possibilities endless. The key component is Georgi Guninski's WordPad overflow; an ActiveX control does the rest. Exploit code included. | |||
CISADV000524b.txt | 806 | 3416 | May 24 17:43:00 2000 |
The Cerberus Security Team has discovered that a flaw in the Carello web shopping cart enables remote attackers to view .asp files on the server. Affected system: Windows NT running IIS. Homepage here. By Robert Horton | |||
elm_last.c | 726 | 2056 | May 31 16:12:00 2000 |
One last elm v2.4 / v2.5 exploit - gives EGID 12. This version works against almost all vulnerable versions of elm. Homepage here. By Vade79 | |||
CISADV000524a.txt | 717 | 3365 | May 26 17:11:00 2000 |
Cerberus Information Security Advisory (CISADV000524a) - The Cerberus Security Team has discovered a serious security flaw with Rockliffe's MailSite Management Agent for Windows (version 4.2.1.0). This server allows remote users to access their POP3 accounts and read their mail over HTTP. The service usually listens on TCP port 90. Unfortunately there exists a buffer overrun vulnerability that allows attackers to execute arbitrary code. As this service runs as system, by default, any code executed will run with system privileges - meaning any server running this agent could be fully compromised. Homepage here. | |||
lpsetexp.c | 697 | 1735 | May 26 00:51:00 2000 |
solaris 2.7 lpset local exploit, i386. Homepage here. By DiGiT | |||
DST2K0003.txt | 677 | 2940 | Jun 2 13:06:35 2000 |
Delphis Consulting Plc Security Team Advisory DST2K0003 - Buffer Overrun in NAI WebShield SMTP v4.5.44 Management Tool for Microsoft Windows NT v4.0 Server (SP6). Any user who can connect to TCP port 9999 can obtain a copy of the configuration. Secondly, if you pass an oversized buffer of 208 bytes or more in one of the configuration parameters, the service crashes, overwriting the stack and EIP with whatever was passed in the parameter. Homepage: http://www.delphisplc.com/thinking/whitepapers/. By Delphis Consulting Security Team | |||
elmex.c | 640 | 1200 | Jun 1 11:43:00 2000 |
Elm 2.4 PL25 local GID mail exploit. Tested under Slackware 3.6, 4.0, Redhat 5.0, and 5.1. By Funkysh | |||
DST2K0009.txt | 605 | 3208 | May 31 13:32:00 2000 |
Delphis Consulting Plc Security Team Advisory DST2K0009 - Userlisting Bug in Ipswitch WS_FTP Server 1.05E allows remote users to confuse the server manager. Homepage: http://www.delphisplc.com/thinking/whitepapers/. By Delphis Security Team | |||
jidex.c | 603 | 1877 | Jun 23 16:52:07 2000 |
Jidentd 1.0 IDENT server remote exploit. Tested under Slackware 3.6 and 4.0, Debian 2.1, Redhat 4.1, 5.0, 5.1 and 5.2. By Funkysh | |||