Welcome to the Exploits for September, 2000 Section.

Some of these exploits are from Bugtraq and Security Bugware.

Sorted by: Last Modified.

File Name Downloads File Size Last Modified
0009-exploits.tgz0167744Nov 2 2000 01:21:32
Packet Storm new exploits for September, 2000.
csm.proxy.bypass.txt116738Oct 5 2000 18:21:05
The CSM proxy server's siteblocker feature can be bypassed by setting up your web browser to use an external proxy. By Hermann Tischendorf
DST2K0035.txt2574910Oct 4 2000 18:04:03
Delphis Consulting Plc Security Team Advisory DST2K0035 - CyberOffice Shopping Cart v2 under Windows NT allows remote users to gain access to the main database by default.  Homepage: http://www.delphisplc.com/thinking/whitepapers.
ezbounce.c8716526Sep 29 2000 15:27:58
Ezbounce (version 0.85.2 and probably others) remote overflow exploit for RedHat 6.0. By SectorX
netscape.overflow.tx..>17681478Sep 28 2000 15:51:39
Netscape Navigator is vulnerable to a trivial remote buffer overflow attack when viewing prepared HTML. By Michal Zalewski
siemens.ipphone.txt5822414Sep 28 2000 15:50:02
The Siemens HiNet LP 5100 IP-phone is vulnerable to a buffer overflow when the GET request method is used with a large request size. The vulnerability can lead to a partial or complete crash of phone services. By Michal Zalewski
DST2K0042.txt4174607Sep 28 2000 15:44:34
Delphis Consulting Plc Security Team Advisory DST2K0042 - The following vulnerability in Web+ Application Server under Linux has been discovered. Severity: High. If the default example scripts are installed, it is possible to execute or read any file that the Web+ user (default 'nobody') has access to, using the Web+Ping example. Homepage: http://www.delphisplc.com/thinking/whitepapers/. By Delphis Security Team
DST2K0037.txt3433730Sep 28 2000 15:41:15
Delphis Consulting Plc Security Team Advisory DST2K0037 - It is possible to bypass the quotas imposed by QuotaAdvisor by utilizing data streams alternative to the default. Homepage: http://www.delphisplc.com/thinking/whitepapers/. By Delphis Security Team
DST2K0032.txt2684304Sep 28 2000 15:28:05
DST2K0032: Multiple Issues with Talentsoft WebPlus Application Server. Delphis Consulting Internet Security Team (DCIST) discovered low to medium severity vulnerabilities in WebPlus under Windows NT. Homepage: http://www.delphisplc.com/thinking/whitepapers/. By DCIST
innd.c7827984Sep 28 2000 15:23:02
INND/NNRP remote root overflow. Overflow occurs in the From: field. Affects INND/NNRP versions prior to 1.6.X. Author Unknown.
linstatex.c12526344Sep 28 2000 15:17:44
Remote root overflow for linux rpc.statd SM_UNMON_ALL vulnerability. Author Unknown.
rudp.c7997767Sep 28 2000 15:16:44
GDM remote exploit based on the original bug found by Chris Evans. Vulnerable version: gdm-2.0beta2-23 (gnome and single version). Not vulnerable: 1.0.0.35. Vulnerable platforms: RedHat 6.0-6.2. By Crashkiller
fi.sh3821120Sep 28 2000 15:13:56
FlagShip (from the Red Hat Application CD) is a database development system for xBase-based applications on nearly all Unix brands. Problem: /usr/bin/FSserial is world-writeable, so it can be replaced with a trojan and root tricked into executing it. OS affected: Red Hat 6.0. By Narrow
axur.c94118878Sep 28 2000 15:12:17
Q-POP 2.53 Remote Overflow. By Gustavo Scotti
xloadx.c3572021Sep 28 2000 15:10:36
SCO 5.0.4 local overflow using xload. Homepage: http://members.tripod.com/~ochodedos. By doble
wu30.c6338185Sep 28 2000 15:08:53
Remote root exploit for wu-ftpd on SCO unix. Based on: ADMwuftpd.c from duke. By The Dark Raver
wu-lnx.c17977138Sep 28 2000 15:06:26
Linux wu-ftpd 2.6.0(1) remote exploit (tested on RH6.2 with wu-ftpd from the rpm). By vsz_
tsql.c4551640Sep 28 2000 15:05:17
Msql local overflow. Author Unknown.
xsunsploit.c4401589Sep 28 2000 15:04:20
Solaris 7 Xsun (suid) local overflow - Solaris 2.7 (2.6?) x86 exploit; no sparc code. By DiGiT
sco-httpx.c4171653Sep 28 2000 15:02:51
SCO Unix httpd remote exploit.
qpop3b.c6488240Sep 28 2000 15:01:33
QPOP 3.0beta AUTH remote root stack overflow (linux x86 version)
cxterm.c4031699Sep 28 2000 15:00:38
Local exploit for cxterm 5.1-p1. Tested on: RedHat 5.2/6.0, Slackware 3.6. By warning3@hotmail.com
12250.c5991405Sep 28 2000 14:59:02
IMAPrev1 12.2xx exploit (lsub bug). Slackware 4.0 remote overflow. By del0rean
winshellcode.h67023790Sep 28 2000 14:57:20
WinShellCode, Win32 port-binding shellcode. Homepage: http://www.cnns.net. By sunx
A092600-156714389Sep 28 2000 14:37:22
Atstake Security Advisory - PalmOS Password Retrieval and Decoding. Severity: Moderate. PalmOS offers a built-in Security application which the legitimate user uses to protect and hide records from unauthorized users by means of a password. Passwords can easily be obtained and decoded, allowing an attacker to access all private records on a Palm device. Homepage: http://www.atstake.com/research/advisories/2000/. By Kingpin
unixware.scohelp.txt3776643Sep 28 2000 14:31:04
CORE SDI Security Advisory - SCO Unixware 7 default installation includes scohelp, an http server that listens on port 457/tcp and allows access to manual pages and other documentation files. The search CGI script provided for that purpose has a vulnerability that could allow any remote attacker to execute arbitrary code on the vulnerable machine with privileges of user "nobody". Homepage: http://www.core-sdi.com. By Ivan Arce
brwgate-dos.c4201688Sep 27 2000 14:48:46
Denial of service for NetcPlus BrowseGate 2.80 for Windows NT and 2000: sending more than 8000 characters in a GET / HTTP request causes the system to crash. Homepage: http://securax.org/incubus. By incubus
pine421.txt3993868Sep 27 2000 14:44:05
Proof of concept. There exists a vulnerability in Pine 4.21 involving the portion of code in charge of periodically checking email when a Pine client is open. By Arkane
alabanza.txt3852474Sep 27 2000 14:13:13
This hole affects the control panel of all Alabanza-based resellers/hosts. There could be more bugs. This is serious enough, since it allows deleting all resold domains for a particular webhosting company and changing the default MX and CNAME records of all associated domains. By Weihan Leow
klogd.exploit.txt5693259Sep 27 2000 14:01:49
Klogd local exploit. Envcheck is a Linux/x86 kernel module which strips dangerous environment variables before executing a new program, and which can be used to log these potentially threatening events. However, a recent format string handling bug in klogd allows an attacker to overflow its buffer and execute arbitrary code. Homepage: http://www.iki.fi/ee/. By Esa Etelavuori
cisco.tar.gz5217373Sep 23 2000 12:49:02
Denial of service exploit for CiscoSecure ACS for Windows NT Server prior to release 2.4(3), as described in cisco.00-09-21.ciscosecure. Sends an oversized URL to TCP port 2002, causing the CSAdmin module to crash.  Homepage: http://www.8op.com/rsh. By Doom and Netsym
tco.txt14714393Sep 21 2000 17:05:59
Synnergy Laboratories Advisory SLA-2000-14 - The BSD/Linux telnet client has a stack overflow which is not usually a security problem, except in the case of a restricted shell environment which allows users to set environment variables and run telnet. Perl proof of concept exploit included.  Homepage: http://www.synnergy.net. By Dethy
webtv.tar.gz690654Sep 21 2000 16:59:40
Exploit for the recently published denial of service vulnerability in WebTV for Windows discussed in Bugtraq ID 1671, published on 9/12/2000. By Doom and Netsym
multihtml.c13454884Sep 19 2000 17:17:00
Multihtml.c is a remote exploit for /cgi-bin/multihtml.pl, versions prior to 2.2, which spawns a remote shell. Homepage: http://www.r00tabega.org. By Bansh33, Zillion
VIGILANTE-2000013.tx..>6391335Sep 19 2000 16:07:14
Vigilante Advisory #13 - WinCOM LPD V1.00.90 for Windows NT contains a denial of service vulnerability. A steady stream of LPD options sent to TCP port 515 will eventually consume all the memory on that host.  Homepage: http://www.vigilante.com. By Vigilante
napster.path-disclos..>20642168Sep 19 2000 15:27:25
Napster sends the full path of all the MP3s it serves to the remote user. By Wade Lewis
hhp-kermit_smash.c2411786Sep 19 2000 15:13:47
C-Kermit local exploit. Versions 7.0.197 and below are vulnerable. Tested on Slackware 7, where it is not suid. It is suid on Olivetti X/OS R2.3, 3.x.  Homepage: http://www.hhp-programming.net. By Loophole
klogd-linux.txt21923718Sep 18 2000 18:41:44
Kernel logging daemon klogd in the sysklogd package for Linux contains a "format bug" making it vulnerable to local root compromise (successfully tested on Linux/x86). There is also a possibility of remote vulnerability under certain (rather improbable) circumstances, and a more probable semi-remote exploitability with knfsd. Homepage: http://www.secmod.com. By Jouko Pynnen
VIGILANTE-2000012.tx..>6782206Sep 18 2000 16:59:56
Vigilante Advisory #12 - Mdaemon 3.1.1 for Windows NT includes Webconfig and Worldclient, which listen on TCP ports 3000 and 3001. Both are vulnerable to a heap overflow which could be used to execute arbitrary code. Fix available here. Homepage: http://www.vigilante.com. By Vigilante
win_2000.telnet.tgz183014812Sep 15 2000 15:27:02
The Windows 2000 Telnet client can be launched via email or browser and automatically passes NTLM authentication credentials to a telnet server. Proof of concept exploit includes a modified telnet server which causes the w2k telnet client to auto authenticate and prehash-ntlm.c which can be used to launch a dictionary attack against a retrieved hash. By Monti
MultiHTML.txt14091392Sep 15 2000 15:21:31
MultiHTML (/cgi-bin/multihtml.pl) is a CGI script which has a vulnerability allowing remote users to read any file on the webserver. By Niels Heinen
sambar-http.txt13522138Sep 14 2000 17:37:10
Sambar Server 4.4 Beta 3 and below for WinNT, Win95 OSR2, (possibly Linux affected) contains a vulnerability which allows remote users to browse the filesystem of the webserver. Fix available here. Homepage: http://www.synnergy.net. By Dethy
VIGILANTE-2000011.tx..>5752082Sep 13 2000 13:27:12
Vigilante Advisory #11 - The Lotus Domino ESMTP service in Lotus Domino Release 5.0.2a contains a buffer overflow in the processing of SMTP commands, causing the service to crash. Tested on OS/2 Warp 4.5; it is assumed that other platforms are vulnerable as well. Homepage: http://www.vigilante.com. By Vigilante
VIGILANTE-2000010.tx..>5592336Sep 13 2000 12:48:08
Vigilante Advisory #10 - The Intel Express Switch series 500 crashes when a malformed ICMP packet is sent to the Intel Express Switch or a host behind it. The switch loses all routing functionality but continues to function as a switch, except that MAC learning also crashes, so new connections are not "picked up". Fix available here. Homepage: http://www.vigilante.com. By Vigilante
VIGILANTE-2000009.tx..>6312184Sep 13 2000 12:37:11
Vigilante Advisory #9 - Internet Information Server (IIS) 4.0 for Windows NT 4.0 is vulnerable to a denial of service attack as described in ms00-063, in which a certain series of requests can cause INETINFO.EXE to gradually consume all system resources (99-100% CPU and all memory). When the pagefile can't expand any further, INETINFO.EXE is killed by the operating system. Homepage: http://www.vigilante.com. By Vigilante
explbsd395.c3504506Sep 12 2000 21:41:48
Screen 3.9.5 BSD local root exploit. Tested against OpenBSD. By Ihaquer
locale.c6903488Sep 12 2000 21:39:31
locale.c is a local root exploit for the glibc / locale format string bug. Tested against RedHat 6.2 with kernel 2.2.16. Homepage: http://www.nsfocus.com. By Warning3
screen-expl.c4032125Sep 12 2000 21:35:32
Screen 3.7.6 (and others) local root exploit. By Ihaquer
yabb.txt7712240Sep 12 2000 21:31:58
Yabb 9.1.2000 and prior for Windows and Unix is a web-based BBS system which has a vulnerability in YaBB.pl that allows remote attackers to view any file on the system. Homepage: http://www.synnergy.net. By Kostas Petrakis
rovikingxploit.c89610846Sep 12 2000 21:28:58
Robotex Viking Server 1.0.6 Build 355 and prior for Windows 95 and NT remote buffer overflow exploit. Binds a shell to a port. By Wildcoyote
mobiusdocdix.c6869954Sep 12 2000 21:26:10
Mobius DocumentDirect for the Internet 1.2 remote exploit. Binds a shell to a port. By Wildcoyote
winweb.c3651575Sep 12 2000 21:20:00
winweb.c exploits the con/con bug to crash the Windows 98 webserver. By Castrol
bland.c3448862Sep 12 2000 21:16:08
bland.c exploits a bug in Gauntlet 5.0 which causes the firewall to hang when an invalid ICMP packet is sent to a machine which is forwarded through the firewall. Homepage: http://www.msg.net/firewalls/tis. By Mike Frantzen
fp-ext-dos.sh5561026Sep 12 2000 21:11:41
Frontpage Server Extension shtml.exe denial of service attack. Based on an advisory by www.xato.net. Vulnerable systems include Microsoft Windows 95, 98, NT 4.0 and NT 2000. Homepage: http://grazer.gz.ee. By Grazer
zgv-exploit.c4131601Sep 12 2000 20:43:37
Zgv 3.0 local exploit for Linux. Homepage: http://b0f.freebsd.lublin.pl. By Slash
rumple.tgz2443072Sep 12 2000 20:40:43
rumple.tgz exploits the recent ld.so unsetenv vulnerability in Caldera Openlinux. By Nimrood
eject.locale.c4294929Sep 12 2000 20:12:50
Solaris 2.x locale exploit - exploits /usr/bin/msgfmt and /usr/bin/eject locale format bug for local root access. Homepage: http://www.nsfocus.com. By Warning3
horde-imp.txt8093075Sep 12 2000 17:21:12
The IMP-2.2.0 webmail interface contains a bug in the library file "horde.lib" which allows commands to be executed under the UID which the webserver runs as. Exploit information included. Patch available here. By Christian Winter
i-was-bored.c3094478Sep 12 2000 11:30:50
Darxite Daemon v0.4 password authentication buffer overflow exploit. Spawns a remote shell. Homepage: http://www.synnergy.net. By Scrippie
typsoft-ftpd.txt6012318Sep 12 2000 11:27:39
TYPSoft FTP Server 0.78 for Windows 9X and WinNT is vulnerable to a denial of service attack. Sending a long USER or PASS command causes the server to hang and consume system resources. Perl exploit included. Homepage: http://www.synnergy.net. By Dethy
anyportal-0.1.txt11601731Sep 11 2000 12:54:48
Anyportal v0.1 allows remote users to read any file on the webserver by submitting modified forms. Homepage: http://www.nightbird.free.fr. By Zorgon
phpPhotoAlbum.txt7851649Sep 11 2000 12:46:49
phpPhotoAlbum v0.99 and below for Windows and Unix allows remote users to read any file on the system with the privileges of the httpd. Fix available here. Homepage: http://www.synnergy.net. By Pestilence
SRADV00001.txt2934805Sep 11 2000 11:54:13
Secure Reality Pty Ltd. Security Advisory #1 - PHP's handling of uploads permits a remote attacker to manipulate PHP applications into opening arbitrary files on the server with the permission level of the user running the server. Almost any PHP program which provides upload capability is vulnerable. Homepage: http://www.securereality.com.au. By Secure Reality Advisories
expl395.c24216615Sep 8 2000 16:06:01
Screen 3.9.5 and below local root exploit for Linux. Tested against SuSE 6.1. By Ihaquer
glibc-language.c22964337Sep 8 2000 16:02:45
GLIBC 2.1 language local root exploit. Includes bypassing Solar Designer Stack Patch. Tested against Debian 2.1/2.2, exploits Glibc and /usr/bin/msgfmt. By Z33d
Gopher2.3.1p0.c2888477Sep 8 2000 15:53:51
Gopher2.3.1p0 and below has many overflowable functions in the daemon. Most of them overflow with hardcoded data that gets passed along, making it not possible to change any pointers. The "halidate" function contains an exploitable buffer overflow; exploit code for Linux included. Note: This is not related to the other vulnerability, authenticate.c, which has since been patched in 2.3.1p0. 2.3.1p0 is vulnerable to this. Homepage: http://www.fakehalo.org. By Vade79
killbnc.c15722735Sep 8 2000 09:41:25
BNC 2.6.4 remote denial of service exploit. Exhausts the resources of the BNC server, affecting all users who are connected to IRC through BNC. Homepage: http://www.fakehalo.org. By Vade79
adv_telnet1.txt29182455Sep 7 2000 12:54:11
Hyperterminal, the default telnet program on Windows 98, contains a buffer overflow vulnerability. It is possible to exploit it via IE using a long telnet: URL. Homepage: http://www.meliksah.net. By Meliksah Ozoral
auction.weaver.pl7892369Sep 6 2000 16:10:39
Auction Weaver 1.02 Lite remote proof of concept exploit. Spawns an xterm by exploiting an insecure open() call. Homepage: http://teleh0r.cjb.net. By Telehor
icq.greeting-card.tx..>2175383Sep 6 2000 16:04:20
The ICQ Greeting Card service allows HTML commands to be sent to the target user. Any malicious HTML such as file:///c:/con/con can crash the system or exploit other HTML based vulnerabilities. Homepage: http://www.meliksah.net. By Meliksah Ozoral
VIGILANTE-2000008.tx..>7102142Sep 6 2000 14:41:23
Vigilante Advisory #8 - NTMail Configuration Service v5 & v6 denial of service. The web configuration service running on TCP port 8000 does not flush incomplete HTTP requests, and thus it is possible to use up all the server resources within a very short time. Homepage: http://www.vigilante.com. By Vigilante
cpmdaemon.txt91813346Sep 6 2000 14:33:27
cpmdaemon is a program that runs as a daemon or a cgi which allows changing of passwords. It allows brute force dictionary attacks against user passwords without any logging. Includes exp_cpmdaemon.c proof of concept code. Homepage: http://www.s0d.org. By El Nahual
wftpd241-12-2.txt870875Sep 5 2000 22:08:25
WFTPD/WFTPD Pro 2.41 RC12 divulges sensitive information by revealing the full path of the current directory. This is fixed in WFTPD/WFTPD Pro 2.41 RC13. Exploit details included. Homepage: http://bluepanda.box.sk. By Blue Panda
wftpd241-12.txt7731603Sep 5 2000 22:06:19
WFTPD/WFTPD Pro 2.41 RC12 contains a remote denial of service vulnerability which does not require a valid login/password. Perl exploit code included. Homepage: http://bluepanda.box.sk. By Blue Panda
thatware.txt5132739Sep 1 2000 11:00:20
Thatware is a news portal administration tool. The security vulnerabilities in Thatware allow an attacker to gain administrative access to the application. Two exploits included. Fix: For a quick fix, rename admin.php3 and quote all numeric data in SQL statements. By Fabian Clone