Welcome to the Exploits for September, 2000 Section.
Some of these exploits are from Bugtraq and Security Bugware.
| File Name | Downloads | File Size | Last Modified |
0009-exploits.tgz | 0 | 167744 | Nov 2 2000 01:21:32 |
Packet Storm new exploits for September, 2000. | |||
csm.proxy.bypass.txt | 116 | 738 | Oct 5 2000 18:21:05 |
The CSM proxy server's siteblocker feature can be bypassed by setting up your web browser to use an external proxy. By Hermann Tischendorf | |||
DST2K0035.txt | 257 | 4910 | Oct 4 2000 18:04:03 |
Delphis Consulting Plc Security Team Advisory DST2K0035 - CyberOffice Shopping Cart v2 under Windows NT allows remote users to gain access to the main database by default. Homepage: http://www.delphisplc.com/thinking/whitepapers. | |||
ezbounce.c | 871 | 6526 | Sep 29 2000 15:27:58 |
Ezbounce (version 0.85.2 and probably others) remote overflow exploit for RedHat 6.0. By SectorX | |||
netscape.overflow.tx..> | 1768 | 1478 | Sep 28 2000 15:51:39 |
Netscape Navigator is vulnerable to a trivial remote buffer overflow attack when viewing prepared HTML. By Michal Zalewski | |||
siemens.ipphone.txt | 582 | 2414 | Sep 28 2000 15:50:02 |
The Siemens HiNet LP 5100 IP-phone is vulnerable to a buffer overflow when the GET request method is used with a large request size. Vulnerability can lead to a partial or complete crash of phone services. By Michal Zalewski | |||
DST2K0042.txt | 417 | 4607 | Sep 28 2000 15:44:34 |
Delphis Consulting Plc Security Team Advisory DST2K0042 - The following vulnerability in Web+ Application Server under Linux has been discovered. Severity: High. If the default example scripts are installed it is possible to execute/read any file which the Web+ user (default is 'nobody') has access to, using the Web+Ping example. Homepage: http://www.delphisplc.com/thinking/whitepapers/. By Delphis Security Team | |||
DST2K0037.txt | 343 | 3730 | Sep 28 2000 15:41:15 |
Delphis Consulting Plc Security Team Advisory DST2K0037 - It is possible to bypass the quotas imposed by QuotaAdvisor by utilizing data streams alternative to the default. Homepage: http://www.delphisplc.com/thinking/whitepapers/. By Delphis Security Team | |||
DST2K0032.txt | 268 | 4304 | Sep 28 2000 15:28:05 |
DST2K0032: Multiple Issues with Talentsoft WebPlus Application Server. Delphis Consulting Internet Security Team (DCIST) discovered low to medium severity vulnerabilities in Webplus under Windows NT. Homepage: http://www.delphisplc.com/thinking/whitepapers/. By DCIST | |||
innd.c | 782 | 7984 | Sep 28 2000 15:23:02 |
INND/NNRP remote root overflow. Overflow occurs in the From: field. Affects INND/NNRP versions prior to 1.6.X. Author Unknown. | |||
linstatex.c | 1252 | 6344 | Sep 28 2000 15:17:44 |
Remote root overflow for linux rpc.statd SM_UNMON_ALL vulnerability. Author Unknown. | |||
rudp.c | 799 | 7767 | Sep 28 2000 15:16:44 |
GDM Remote Exploit based on the original bug found by Chris Evans. Vulnerable version : gdm-2.0beta2-23 ( gnome and single version ). Not Vulnerable : 1.0.0.35. Vulnerable Platforms : RedHat 6.0-6.2. By Crashkiller | |||
fi.sh | 382 | 1120 | Sep 28 2000 15:13:56 |
FlagShip (from Red Hat Application CD) is a Database Development System for xBase based applications on nearly all Unix brands. Problem: /usr/bin/FSserial is world-writeable! We can replace it with a trojan and trick root into executing it. OS affected: Red Hat 6.0. By Narrow | |||
axur.c | 941 | 18878 | Sep 28 2000 15:12:17 |
Q-POP 2.53 Remote Overflow. By Gustavo Scotti | |||
xloadx.c | 357 | 2021 | Sep 28 2000 15:10:36 |
Sco 5.0.4 local overflow using xload. Homepage: http://members.tripod.com/~ochodedos. By doble | |||
wu30.c | 633 | 8185 | Sep 28 2000 15:08:53 |
Remote root exploit for wu-ftpd on SCO unix. Based on: ADMwuftpd.c from duke. By The Dark Raver | |||
wu-lnx.c | 1797 | 7138 | Sep 28 2000 15:06:26 |
Linux wu-ftpd - 2.6.0(1) (tested on RH6.2 wu from rpm). By vsz_ | |||
tsql.c | 455 | 1640 | Sep 28 2000 15:05:17 |
Msql local overflow. Author Unknown. | |||
xsunsploit.c | 440 | 1589 | Sep 28 2000 15:04:20 |
Solaris 7 Xsun(suid) local overflow - Solaris 2.7/(2.6?) x86 sploit no sparc code. By DiGiT | |||
sco-httpx.c | 417 | 1653 | Sep 28 2000 15:02:51 |
Scounix httpd Remote Exploit. | |||
qpop3b.c | 648 | 8240 | Sep 28 2000 15:01:33 |
QPOP 3.0beta AUTH remote root stack overflow (linux x86 version) | |||
cxterm.c | 403 | 1699 | Sep 28 2000 15:00:38 |
Local exploit for cxterm 5.1-p1. Tested on: RedHat 5.2/6.0, Slackware 3.6. By warning3@hotmail.com | |||
12250.c | 599 | 1405 | Sep 28 2000 14:59:02 |
IMAPrev1 12.2xx exploit (lsub bug). Slackware 4.0 remote overflow. By del0rean | |||
winshellcode.h | 670 | 23790 | Sep 28 2000 14:57:20 |
WinShellCode. win32 portbinding shellcode. Homepage: http://www.cnns.net. By sunx | |||
A092600-1 | 567 | 14389 | Sep 28 2000 14:37:22 |
Atstake Security Advisory - PalmOS Password Retrieval and Decoding. Severity: Moderate. PalmOS offers a built-in Security application which is used for the legitimate user to protect and hide records from unauthorized users by means of a password. Passwords can easily be obtained and decoded allowing an attacker to access all private records on a Palm device. Homepage: http://www.atstake.com/research/advisories/2000/. By Kingpin | |||
unixware.scohelp.txt | 377 | 6643 | Sep 28 2000 14:31:04 |
CORE SDI Security Advisory - SCO Unixware 7 default installation includes scohelp, an http server that listens on port 457/tcp and allows access to manual pages and other documentation files. The search CGI script provided for that purpose has a vulnerability that could allow any remote attacker to execute arbitrary code on the vulnerable machine with privileges of user "nobody". Homepage: http://www.core-sdi.com. By Ivan Arce | |||
brwgate-dos.c | 420 | 1688 | Sep 27 2000 14:48:46 |
Denial of service for NetcPlus BrowseGate 2.80 for Windows NT and 2000 when you send more than 8000 characters in a GET / http-request, causing the system to crash. Homepage: http://securax.org/incubus. By incubus | |||
pine421.txt | 399 | 3868 | Sep 27 2000 14:44:05 |
Proof of Concept. There exists a vulnerability in Pine 4.21 involving the portion of code in charge of periodically checking email when a pine client is open. By Arkane | |||
alabanza.txt | 385 | 2474 | Sep 27 2000 14:13:13 |
This hole is for the control panel of all Alabanza based resellers/hosts. There could be more bugs. This is serious enough since you can delete all resold domains for a particular webhosting company. You can also change the default MX and CNAME records of all associated domains. By Weihan Leow | |||
klogd.exploit.txt | 569 | 3259 | Sep 27 2000 14:01:49 |
Klogd Local Exploit. Envcheck is a Linux/x86 kernel module which strips dangerous environment variables before executing a new program, and which can be used to log these probably threatening events. However, a recent format string handling bug in klogd allows an attacker to overflow its buffer and execute arbitrary code. Homepage: http://www.iki.fi/ee/. By Esa Etelavuori | |||
cisco.tar.gz | 521 | 7373 | Sep 23 2000 12:49:02 |
Denial of service exploit for CiscoSecure ACS for Windows NT Server prior to release 2.4(3), as described in cisco.00-09-21.ciscosecure. Sends an oversized URL to TCP port 2002, causing the CSAdmin module to crash. Homepage: http://www.8op.com/rsh. By Doom and Netsym | |||
tco.txt | 1471 | 4393 | Sep 21 2000 17:05:59 |
Synnergy Laboratories Advisory SLA-2000-14 - The BSD/Linux telnet client has a stack overflow which is not usually a security problem, except in the case of a restricted shell environment which allows users to set environment variables and run telnet. Perl proof of concept exploit included. Homepage: http://www.synnergy.net. By Dethy | |||
webtv.tar.gz | 690 | 654 | Sep 21 2000 16:59:40 |
Exploit for the recently published Denial of Service Vulnerability in WebTV for Windows discussed on Bugtraq ID 1671 published on 9/12/2000. By Doom and Netsym | |||
multihtml.c | 1345 | 4884 | Sep 19 2000 17:17:00 |
Multihtml.c is a remote exploit for /cgi-bin/multihtml.pl, versions prior to 2.2, which spawns a remote shell. Homepage: http://www.r00tabega.org. By Bansh33, Zillion | |||
VIGILANTE-2000013.tx..> | 639 | 1335 | Sep 19 2000 16:07:14 |
Vigilante Advisory #13 - WinCOM LPD V1.00.90 for Windows NT contains a denial of service vulnerability. A steady stream of LPD options sent to TCP port 515 will eventually consume all the memory on that host. Homepage: http://www.vigilante.com. By Vigilante | |||
napster.path-disclos..> | 2064 | 2168 | Sep 19 2000 15:27:25 |
Napster sends the full path of all the MP3s it sends to the remote user. By Wade Lewis | |||
hhp-kermit_smash.c | 241 | 1786 | Sep 19 2000 15:13:47 |
C-Kermit local exploit. Versions 7.0.197 and below are vulnerable. Tested on Slackware 7, where it is not suid. It is suid on Olivetti X/OS R2.3, 3.x. Homepage: http://www.hhp-programming.net. By Loophole | |||
klogd-linux.txt | 2192 | 3718 | Sep 18 2000 18:41:44 |
Kernel logging daemon klogd in the sysklogd package for Linux contains a "format bug" making it vulnerable to local root compromise (successfully tested on Linux/x86). There's also a possibility for remote vulnerability under certain (rather improbable) circumstances and a more probable semi-remote exploitability with knfsd. Homepage: http://www.secmod.com. By Jouko Pynnen | |||
VIGILANTE-2000012.tx..> | 678 | 2206 | Sep 18 2000 16:59:56 |
Vigilante Advisory #12 - Mdaemon 3.1.1 for Windows NT includes Webconfig and Worldclient which listen to TCP port 3000 and 3001. They both are vulnerable to a heap overflow vulnerability which could be used to execute arbitrary code. Fix available here. Homepage: http://www.vigilante.com. By Vigilante | |||
win_2000.telnet.tgz | 1830 | 14812 | Sep 15 2000 15:27:02 |
The Windows 2000 Telnet client can be launched via email or browser and automatically passes NTLM authentication credentials to a telnet server. Proof of concept exploit includes a modified telnet server which causes the w2k telnet client to auto authenticate and prehash-ntlm.c which can be used to launch a dictionary attack against a retrieved hash. By Monti | |||
MultiHTML.txt | 1409 | 1392 | Sep 15 2000 15:21:31 |
MultiHTML (/cgi-bin/multihtml.pl) is a CGI script which has a vulnerability allowing remote users to read any file on the webserver. By Niels Heinen | |||
sambar-http.txt | 1352 | 2138 | Sep 14 2000 17:37:10 |
Sambar Server 4.4 Beta 3 and below for WinNT, Win95 OSR2, (possibly Linux affected) contains a vulnerability which allows remote users to browse the filesystem of the webserver. Fix available here. Homepage: http://www.synnergy.net. By Dethy | |||
VIGILANTE-2000011.tx..> | 575 | 2082 | Sep 13 2000 13:27:12 |
Vigilante Advisory #11 - The Lotus Domino ESMTP Service in Lotus Domino Release 5.0.2a contains a buffer overflow in the processing of SMTP commands, causing the service to crash. Tested on OS/2 Warp 4.5; it is assumed that other platforms are vulnerable as well. Homepage: http://www.vigilante.com. By Vigilante | |||
VIGILANTE-2000010.tx..> | 559 | 2336 | Sep 13 2000 12:48:08 |
Vigilante Advisory #10 - Intel Express Switch series 500 crashes when a malformed ICMP packet is sent to the Intel Express Switch or a host behind it. The switch loses all routing functionality but continues to function as a switch, except for the fact that learning also crashes, so new connections are not "picked up". Fix available here. Homepage: http://www.vigilante.com. By Vigilante | |||
VIGILANTE-2000009.tx..> | 631 | 2184 | Sep 13 2000 12:37:11 |
Vigilante Advisory #9 - Internet Information Server (IIS) 4.0 for Windows NT 4.0 is vulnerable to a denial of service attack as described in ms00-063 in which a certain series of requests can cause INETINFO.EXE to gradually consume all system resources (99-100% CPU and all memory). When the pagefile can't expand any further, INETINFO.EXE is killed by the operating system. Homepage: http://www.vigilante.com. By Vigilante | |||
explbsd395.c | 350 | 4506 | Sep 12 2000 21:41:48 |
Screen 3.9.5 BSD local root exploit. Tested against OpenBSD. By Ihaquer | |||
locale.c | 690 | 3488 | Sep 12 2000 21:39:31 |
locale.c is a local root exploit for the glibc / locale format string bug. Tested against RedHat 6.2 with kernel 2.2.16. Homepage: http://www.nsfocus.com. By Warning3 | |||
screen-expl.c | 403 | 2125 | Sep 12 2000 21:35:32 |
Screen 3.7.6 (and others) local root exploit. By Ihaquer | |||
yabb.txt | 771 | 2240 | Sep 12 2000 21:31:58 |
Yabb 9.1.2000 and prior for Windows and Unix is a web based BBS system which has a vulnerability in YaBB.pl which allows remote attackers to view any file on the system. Homepage: http://www.synnergy.net. By Kostas Petrakis | |||
rovikingxploit.c | 896 | 10846 | Sep 12 2000 21:28:58 |
Robotex Viking Server 1.0.6 Build 355 and prior for Windows 95 and NT remote buffer overflow exploit. Binds a shell to a port. By Wildcoyote | |||
mobiusdocdix.c | 686 | 9954 | Sep 12 2000 21:26:10 |
Mobius DocumentDirect for the Internet 1.2 remote exploit. Binds a shell to a port. By Wildcoyote | |||
winweb.c | 365 | 1575 | Sep 12 2000 21:20:00 |
winweb.c exploits the con/con bug to crash the Windows 98 webserver. By Castrol | |||
bland.c | 344 | 8862 | Sep 12 2000 21:16:08 |
bland.c exploits a bug in Gauntlet 5.0 which causes the firewall to hang when an invalid ICMP packet is sent to a machine which is forwarded through the firewall. Homepage: http://www.msg.net/firewalls/tis. By Mike Frantzen | |||
fp-ext-dos.sh | 556 | 1026 | Sep 12 2000 21:11:41 |
Frontpage Server Extension shtml.exe denial of service attack. Based on an advisory by www.xato.net. Vulnerable systems include Microsoft Windows 95, 98, NT 4.0 and NT 2000. Homepage: http://grazer.gz.ee. By Grazer | |||
zgv-exploit.c | 413 | 1601 | Sep 12 2000 20:43:37 |
Zgv 3.0 local exploit for Linux. Homepage: http://b0f.freebsd.lublin.pl. By Slash | |||
rumple.tgz | 244 | 3072 | Sep 12 2000 20:40:43 |
rumple.tgz exploits the recent ld.so unsetenv vulnerability in Caldera Openlinux. By Nimrood | |||
eject.locale.c | 429 | 4929 | Sep 12 2000 20:12:50 |
Solaris 2.x locale exploit - exploits /usr/bin/msgfmt and /usr/bin/eject locale format bug for local root access. Homepage: http://www.nsfocus.com. By Warning3 | |||
horde-imp.txt | 809 | 3075 | Sep 12 2000 17:21:12 |
The IMP-2.2.0 webmail interface contains a bug in the library file "horde.lib" which allows commands to be executed under the UID which the webserver runs as. Exploit information included. Patch available here. By Christian Winter | |||
i-was-bored.c | 309 | 4478 | Sep 12 2000 11:30:50 |
Darxite Daemon v0.4 password authentication buffer overflow exploit. Spawns a remote shell. Homepage: http://www.synnergy.net. By Scrippie | |||
typsoft-ftpd.txt | 601 | 2318 | Sep 12 2000 11:27:39 |
TYPSoft FTP Server 0.78 for Windows 9X and WinNT is vulnerable to a denial of service attack. Sending a long USER or PASS command causes the server to hang and consume system resources. Perl exploit included. Homepage: http://www.synnergy.net. By Dethy | |||
anyportal-0.1.txt | 1160 | 1731 | Sep 11 2000 12:54:48 |
Anyportal v0.1 allows remote users to read any file on the webserver by submitting modified forms. Homepage: http://www.nightbird.free.fr. By Zorgon | |||
phpPhotoAlbum.txt | 785 | 1649 | Sep 11 2000 12:46:49 |
phpPhotoAlbum v0.99 and below for Windows and Unix allows remote users to read any file on the system with the privileges of the httpd. Fix available here. Homepage: http://www.synnergy.net. By Pestilence | |||
SRADV00001.txt | 293 | 4805 | Sep 11 2000 11:54:13 |
Secure Reality Pty Ltd. Security Advisory #1 - PHP's handling of uploads permits a remote attacker to manipulate PHP applications into opening arbitrary files on the server with the permission level of the user running the server. Almost any PHP program which provides upload capability is vulnerable. Homepage: http://www.securereality.com.au. By Secure Reality Advisories | |||
expl395.c | 2421 | 6615 | Sep 8 2000 16:06:01 |
Screen 3.9.5 and below local root exploit for Linux. Tested against SuSE 6.1. By Ihaquer | |||
glibc-language.c | 2296 | 4337 | Sep 8 2000 16:02:45 |
GLIBC 2.1 language local root exploit. Includes bypassing Solar Designer Stack Patch. Tested against Debian 2.1/2.2, exploits Glibc and /usr/bin/msgfmt. By Z33d | |||
Gopher2.3.1p0.c | 288 | 8477 | Sep 8 2000 15:53:51 |
Gopher2.3.1p0 and below has many overflowable functions in the daemon. Most of them overflow with hardcoded data that gets passed along - making it not possible to change any pointers. The "halidate" function contains an exploitable buffer overflow - exploit code for linux included. Note: This is not related to the other vulnerability, authenticate.c, which has since been patched in 2.3.1p0. 2.3.1p0 is vulnerable to this. Homepage: http://www.fakehalo.org. By Vade79 | |||
killbnc.c | 1572 | 2735 | Sep 8 2000 09:41:25 |
BNC 2.6.4 remote denial of service exploit. Denies service to all users who are connected to IRC through BNC by exhausting the resources of the BNC server. Homepage: http://www.fakehalo.org. By Vade79 | |||
adv_telnet1.txt | 2918 | 2455 | Sep 7 2000 12:54:11 |
Hyperterminal, the default telnet program on Windows 98, contains a buffer overflow vulnerability. It is possible to exploit via IE using a long telnet: URL. Homepage: http://www.meliksah.net. By Meliksah Ozoral | |||
auction.weaver.pl | 789 | 2369 | Sep 6 2000 16:10:39 |
Auction Weaver 1.02 Lite remote proof of concept exploit. Spawns an xterm by exploiting an insecure open() call. Homepage: http://teleh0r.cjb.net. By Telehor | |||
icq.greeting-card.tx..> | 2175 | 383 | Sep 6 2000 16:04:20 |
The ICQ Greeting Card service allows HTML commands to be sent to the target user. Any malicious HTML such as file:///c:/con/con can crash the system or exploit other HTML based vulnerabilities. Homepage: http://www.meliksah.net. By Meliksah Ozoral | |||
VIGILANTE-2000008.tx..> | 710 | 2142 | Sep 6 2000 14:41:23 |
Vigilante Advisory #8 - NTMail Configuration Service v5 & v6 denial of service. The web configuration running on TCP port 8000 does not flush incomplete HTTP requests, and thus it is possible to use up all the server resources within a very short time. Homepage: http://www.vigilante.com. By Vigilante | |||
cpmdaemon.txt | 918 | 13346 | Sep 6 2000 14:33:27 |
cpmdaemon is a program that runs as a daemon or a cgi which allows changing of passwords. It allows brute force dictionary attacks against user passwords without any logging. Includes exp_cpmdaemon.c proof of concept code. Homepage: http://www.s0d.org. By El Nahual | |||
wftpd241-12-2.txt | 870 | 875 | Sep 5 2000 22:08:25 |
WFTPD/WFTPD Pro 2.41 RC12 divulges sensitive information by revealing the full path of the current directory. This is fixed in WFTPD/WFTPD Pro 2.41 RC13. Exploit details included. Homepage: http://bluepanda.box.sk. By Blue Panda | |||
wftpd241-12.txt | 773 | 1603 | Sep 5 2000 22:06:19 |
WFTPD/WFTPD Pro 2.41 RC12 contains a remote denial of service vulnerability which does not require a valid login/password. Perl exploit code included. Homepage: http://bluepanda.box.sk. By Blue Panda | |||
thatware.txt | 513 | 2739 | Sep 1 2000 11:00:20 |
Thatware is a news portal administration tool. The security vulnerabilities in Thatware allow an attacker to gain administrative access to the application. Two exploits included. Fix: For a quick fix, rename admin.php3 and quote all numeric data in SQL statements. By Fabian Clone | |||