ArchivesForums
 
about usforumsassessmentdefensepapersmagazinesmiscellaneouslinkscareers


Welcome to the Exploits for January, 2000 Section.
Some of these exploits are from Bugtraq

To change sort order, click on the category.
Sorted By: File Name.

File Name Downloads File Size Last Modified
0001-exploits.tgz6923183249Feb 1 13:27:24 2000
Packet Storm new exploits for Janurary, 2000.
ADMsximap.c29853814Jan 26 19:36:07 2000
Solaris Solstice Internet Mail IMAP4 Server x86 exploit. By K2
altavista.txt9829801Jan 12 13:10:11 2000
Exploit information for the recent bugs in the Altavista Search Engine to read any file on the system. By RC courtesy of Bugtraq
analogx.www.txt40112840Jan 2 11:07:10 2000
Local / Remote GET Buffer Overflow Vulnerability in AnalogX SimpleServer:WWW HTTP Server v1.1. Windows 95 is confirmed vulnerable, possibly other platforms. By Underground Security Systems Research
asp8.htm40071674Jan 31 17:36:19 2000
Windows NT webservers using ASP can under some circumstances reveal the path of the server. A variable holds information about the internal structure of the website. Homepage here.
autobuse-angel.txt23893476Jan 31 18:36:05 2000
Autobuse.pl and angel.pl both use /tmp insecurely. By John Daniele courtesy of Bugtraq
bind15.htm27135445Jan 20 18:09:10 2000
If you're running BIND 8.2.2, and you have the victim.dom name servers in your cache, and victim.dom changes its server names, then any user who can make recursive queries through your cache can break your victim.dom lookups until the old records time out. The complete attack is one brief burst of legitimate packets. This is, of course, not as disastrous as BIND's next buffer overflow, but it's still an interesting example of how an attacker can use BIND's bogus ``credibility'' mechanism to exacerbate the effects of a seemingly minor bug. Homepage here.
bindview.nt-local.tx..>48025485Jan 14 15:49:01 2000
Due to a flaw in the NtImpersonateClientOfPort Windows NT 4 system call, any local user on a machine is able to impersonate any other user on the machine, including LocalSystem. We have written a demonstration exploit which allows any user to spawn a cmd.exe window as LocalSystem. All Windows NT 4.0 systems up to and including SP6a are vulnerable. Homepage here.
bnc246290029403Jan 5 05:45:39 2000
Remote exploit for bnc 2.4.6 - Linux binary only. By Kaot
bruterh.sh54192588Jan 31 18:40:03 2000
Brute-force Linux-PAM password cracker for RedHat. Supply a wordlist, take a coffee. Nothing in system logs. Performance-tuning possible. By Michal Zalewski
bypass.viruscheck.tx..>421279540Jan 31 18:28:01 2000
Many virus checking software skips directories entitled \\recycled or similar. This allows viruses and trojans a safe haven on many Windows 95, 98, and NT systems. Exploit code included. Homepage here. By Neil Bortnak courtesy of Bugtraq
checkpoint-fw1.vuln...>49521543Jan 21 17:38:13 2000
Outlines two basic vulnerabilities in Checkpoint's Firewall-1. The first is an authentication problem which allows easy brute force attacks; the second allows you to use the first to remotely administer someone else's firewall without their knowledge.
fastrack.remote.txt32767129Jan 2 11:07:04 2000
A vulnerability in Netscape FastTrack 2.01a will allow any remote user to execute commands as the user running the httpd daemon (probably nobody). I've only tested the version of Netscape FastTrack that comes with SCO UnixWare 7.1, 2.01a. I'm not sure what other platforms, if any, are vulnerable. Unixware exploit included. By Brock Tellier
fw1_script.tags.txt2432495Jan 31 18:43:24 2000
The "Strip Script Tags" feature in Firewall-1 can be circumvented by adding an extra less than sign before the SCRIPT tag. The code will still execute in both Navigator and Explorer. Homepage here. By Arne Vidstrom courtesy of Bugtraq
gh-plus.c29776451Jan 10 13:58:12 2000
Remote exploit for PowerScripts PlusMail (all versions to current). Plusmail is an extremely popular cgi-based administration tool that allows you to remotely administer your website with a graphical control panel interface. The password file, however, is set with permissions rw enabled. All platforms are affected. By Ytcracker
hotmail.java.txt66822234Jan 12 13:04:33 2000
Georgi Guninski security advisory #5 - Yet another Hotmail security hole. Hotmail allows executing JavaScript code in email messages using vascript, which may compromise user's Hotmail mailbox when viewed with Internet Explorer. Includes exploit code. Homepage here. By Georgi Guninski courtesy of Bugtraq
icq11.htm43745421Jan 20 18:09:10 2000
OS tested was Windows 2000 and ICQ v99b 1.1.1.1. ICQ is a very popular chat client that is affected by a exploitable buffer overflow when it parses an URL sent by another user. What this means is that arbitary assembly code can be run on the remote machine. Homepage here.
ie5.cross-frame.txt39662380Jan 7 16:27:37 2000
Internet Explorer 5.01 under Windows 95 and 5.5 under WinNT 4.0 (suppose other versions are also vulnerable) allows circumventing "Cross frame security policy" by accessing the DOM of "old" documents using IMG SRC="javascript:..." and a design flaw in IE. This exposes the whole DOM of the target document and opens lots of security risks. This allows reading local files, reading files from any host, window spoofing, getting cookies, etc. Demonstration available here. By Georgi Guninski courtesy of Bugtraq
iis4.webhits.txt52907887Jan 27 16:39:52 2000
Cerberus Information Security Advisory (CISADV000126) - Internet Information Server 4.0 ships with an ISAPI application webhits.dll that provides hit-highlighting functionality for Index Server. A vulnerability exists in webhits that allows an attacker to break out of the web virtual root file system and gain unathorized access to other files on the same logical disk drive. This vulnerability can also be used to obtain the source of Active Server Pages or any other server side script file which often contain UserIDs and passwords as well as other sensitive information. Vulnerable systems include Microsoft Windows NT 4 running Internet Information Server 4, all service packs. Microsoft FAQ on this issue is here. Homepage here. By David Litchfield
iis53.htm33144218Jan 26 13:08:50 2000
MS IIS 5.0 has problems handling a specific form of URL ending with "ida". The extension ida has been taken from the Bugtraq posting "IIS revealing webdirectories" The problem causes 2 kind of results. The one result is that the server responds with a message like "URL String too long"; "Cannot find the specified path" The other error causes the server to terminate with an Access Violation. When the server "Access violates" it displays as last message. Homepage here.
iiscat.c4043959Jan 31 16:33:56 2000
IIScat exploits the recent Microsoft Index Server vulnerability to read any file on the server. By Fredrick Widlund
iMailv5.txt41041994Jan 4 00:49:22 2000
On iMail Server 5.0 for Windows NT 4.0 SP 6a, a malicous user can read and send emails as any other user on the system. The issue lies in how iMail handles the creating of new email accounts, and how it stores them. Exploit instructions included. By Simon
inetserv.htm266510990Jan 26 13:08:50 2000
InetServ 3.0 (Windows NT) advisory and remote exploit. Homepage here.
javascript.hotmail.t..>43631940Jan 7 13:16:40 2000
Hotmail allows executing JavaScript code in email messages using "@import url(javascript:...)", which may compromise user's Hotmail mailbox when viewed with Internet Explorer. Includes exploit code. Homepage here. By Georgi Guninski
krnl110.htm290831232Jan 26 13:08:50 2000
Stream.c summary - DoS attack due to bug in many unix kernels, including Linux, Solaris, and all of the BSDs. Homepage here.
mi009en.htm320614396Jan 14 04:01:50 2000
RESTRICTING A RESTRICTED FTP - How to exploit common misconfigurations in wu-ftpd that allows usersi who may not have permission to login to execute arbitrary code on the FTP server. Homepage here. By Flow
mi019en.htm245818933Jan 14 04:01:50 2000
A practical vulnerability analysis (How The PcWeek crack was done). Homepage here. By Jfs
mi020.htm414810236Jan 7 13:16:40 2000
Phorum 3.07 web discussion software contains several remotely exploitable bugs. Exploit descriptions included. By JFs
mi021.htm23037417Dec 27 09:39:21 1999
w3-msql (miniSQL 2.0.4.1 - 2.0.11) Solaris x86 remote exploit. Distribution of miniSQL packet (http://hughes.com.au) comes with a cgi (w3-msql) that can be xploited to run arbitrary code under httpd uid. Homepage here. By Zhodiac
midikeys.htm17905759Jan 14 04:01:50 2000
The IRIX setuid root binary midikeys can be used to read any file on the system using its gui interface. It can also be used to edit anyfile on the system. Homepage here.
mix.htm25941538Jan 31 17:45:23 2000
Microimages X server for Windows allows anyone to kill your session and start an xterm on your machine if they know you are using the software. Homepage here.
mo2.htm18463228Jan 29 10:28:38 1980
Microsoft Office Converter Module Overflow - By using a hexadecimal editor to insert specially-malformed information into a document, a malicious user could cause Word to run code of his or her choice when the document was opened using an affected version of the converter. Homepage here.
msadc-trojan.pl21781423Jan 10 03:04:16 2000
This script will upload a trojan to an RDS vulnerable site running NT and execute the trojan. Homepage here. By Bansh33
mysql.grant.txt50696047Jan 12 13:15:33 2000
Anyone with access to a running MySQL and GRANT privilege for any database or table in it, can change any MySQL-password he wishes, including the MySQL superusers. This makes all default-configured MySQL very vulnerable. Homepage here. By Viktor Fougstedt courtesy of Bugtraq
nortel.htm22722423Jan 26 13:08:50 2000
Nortel's new Contivity seris extranet switches give administrators the ability to enable a small HTTP server and use Nortel's web based administration utility to handle configuration and maitenance. The server runs atop the VxWorks operating system and is located in the directory /system/manage. A CGI application, /system/manage/cgi/cgiproc that is used to display the administration html pages does not properly authenticate users prior to processing requests. An intruder can view any file on the switch without logging in. Homepage here.
nscape58.htm22931713Jan 9 18:46:11 2000
After executing the testommunicator 4.7 (NT/win2k) vulnerability - After executing the test hyperlink on beavuh.org's page on his client machine, he was able telnet to a remote shell on port 6968 of my client machine. Test your browser at www.beavuh.org. Homepage here.
omnis.txt7125090Jan 22 22:07:00 2000
Vulnerabilities in OMNIS, affecting many applications. Omnis is a Rapid Application Development environment which is portable to Win, Mac, and Linux. One of the features that Omnis provides for attaching to the database is the ability to encrypt fields, and obscure them from prying eyes. In actuality, this encryption is extremely weak, and I accidentally discovered the encryption technique and post a detailed explanation of it here. By Eric Stevens
pamslam.sh45141180Jan 7 15:42:27 2000
pamslam - vulnerability in Redhat Linux 6.1 and PAM pam_start. both 'pam' and 'userhelper' (a setuid binary that comes with the 'usermode-1.15' rpm) follow .. paths. Since pam_start calls down to _pam_add_handler(), we can get it to dlopen any file on disk. 'userhelper' being setuid means we can get root. By Dildog
perloverflow.tar.gz22792901Jan 7 14:28:52 2000
Possible overflow in perl/kernel/vm (dont know which). Strace included. Appears to cause root owned processes to die if run by a normal user (under linux-2.2.13). By Anarchy
plusmail.c33115216Jan 11 13:34:34 2000
PlusMail CGI remote exploit - This posts the form to the victim, reads the data, binds to a port on the local machine, then you open up a browser and go to http://localhost:4040. Homepage here. By Missnglnk
pm-exploit.c3581688Jan 7 17:26:38 2000
Plusmail remote exploit - plusmail fails to check authenticity before creating new accounts. Homepage: http://www.synnergy.net. By Headflux
pmtu.htm21392242Jan 31 18:06:57 2000
An HP-UX 10.30/11.00 system can be used as an IP traffic amplifier. Small amounts of inbound traffic can result in larger amounts of outbound traffic, using ICMP MTU discovery packets. Homepage here.
procfs4.htm25548985Jan 31 18:00:06 2000
All flavors of BSD have local root procfs holes. Exploit included. Homepage here.
qib.tgz333713321Jan 12 13:41:33 2000
QIB - Remote access through Linux LPD. Binds a shell to port 26092. By Dildog
qmail-pop3d-vchkpw.c27362504Jan 26 16:14:32 2000
Remote exploit for the inter7 supported vchkpw/vpopmail package for (replacement for chkeckpasswd). Tested on Sol/x86,linux/x86,Fbsd/x86 against linux-2.2.1 and FreeBSD 3.[34]-RELEASE, running vpopmail-3.4.10a/vpopmail-3.4.11[b-e]. Unofficial patch here. Homepage here. By K2
qpop-exploit-net.c31306566Jan 28 11:45:53 2000
A modified version of the original qpopper 3.0beta29 exploit by Zhodiac, added network support (no need for netcat) and allowed the user to specify which command to execute. Homepage here. By Missnglnk
qpop-xploit.c29373472Jan 26 19:27:10 2000
Remote linux x86 exploit for Qpopper 3.0beta29 and below. (not 2.5.3) Overflows the LIST command and spawns a shell with the UID of the user who logged in (requires valid account), and GID mail. Homepage here. By Zhodiac courtesy of Bugtraq
raq2.admin.exploit.t..>20122545Jan 31 13:26:00 2000
Exploit for Cobalt Raq2 Server. Requires Site Administrator access to one of the accounts on the server. By Skirkham courtesy of Bugtraq
rdisk.htm20511645Jan 26 13:08:50 2000
There exists a vulnerability in rdisk (Windows NT) which causes the contents of the registry hives to be exposed to Everyone during updating of the repair info. Homepage here.
recover.htm23051693Jan 14 04:01:50 2000
The 'recover' command in Solstice Backup (Sun's relabeled version of Legato Networker) on a Unix machine authorized to perform restore operations from the backup server can be used to by a normal user to restore any file accessible to the machine in a readable-to-them state (although it cannot be used to overwrite system files). This can be used to get your own copy of /etc/shadow for password cracking purposes. Homepage here.
rightfax.txt24122003Jan 31 18:52:32 2000
RightFax Web Client v5.2 allows anyone to hijack user's faxes. By Et Lownoise courtesy of Bugtraq
rtf.htm21942568Jan 26 13:08:50 2000
RTF files consist of text and control information. The control information is specified via directives called control words. The default RTF reader that ships as part of many Windows platforms has an unchecked buffer in the portion of the reader that parses control words. If an RTF file contains a specially-malformed control word, it could cause the application to crash. Homepage here.
skey.htm21564959Jan 26 19:19:14 2000
w00w00 Security Advisory - S/Key & OPIE Database Vulnerability affecting most Unixes (not NetBSD) running skey-2.2. (possibly earlier versions too) allowing offline password cracking. Homepage here. By Harikiri
skrypt.sh41051400Jan 10 14:11:22 2000
Wu-ftpd 2.4 remote root exploit for SuSE. Tested on SuSE 6.0 running Wu-ftpd 2.4.2-beta18.
sms.htm29971713Jan 31 17:51:52 2000
SMS 2.0 Remote Control (for Windows NT) introduces a security risk that will allow the attacker to run programs in system context, due to the fact that the executable used for the remote control service is copied to the workstation without any special permission settings to prevent a user from replacing the executable. Homepage here.
smtp2.htm21066483Jan 26 13:08:50 2000
USSR Labs found following. A memory leak exists in the Super Mail Transfer Package that may cause an NT host to stop functioning and/or need to be rebooted. The memory leak may occur when you connect to the SMTP port, all information you send to the system will be stored in memory, and SMTP support multiples HELO/ MAIL FROM/ RCPT TO / DATA in the same connection. If you did multiple HELO/ MAIL FROM/ RCPT TO / DATA in the same connection the memory may not be deallocated. This condition may cause the computer to stop functioning the moment memory runs out. Homepage here.
solinger.c19451805Jan 5 12:29:04 2000
"solinger" Denial Of Service - bind 8.1.*, 8.2, 8.2.1 - causes a bind8 server to stop responding to requests for up to 120 seconds. Quick proof of concept of the bug pointed out by ISC. Homepage here. By Mixter
spank.txt119878448Jan 26 19:43:54 2000
Explanation of the 'spank' attack - a new breed stream/raped. Stream/Raped mearly flooded the host with ack's (or no flags) and came from random ips with random sequence numbers and/or ack numbers. The difference now is that this not only does the previous stuff, but also directly attacks from and to multicast addresses as well. By Tim Yardley
subseven.htm5930883Jan 31 17:55:24 2000
There is a buffer overflow in Subseven 2.1a causing it to quit quietly, crash, or overwrite variables. Homepage here.
supermail.nt.txt28782456Jan 13 11:54:39 2000
A memory leak exists in the Super Mail Transfer Package for Windows NT that may cause an NT host to stop functioning and/or need to be rebooted. DoS exploit description included. By Underground Security Systems Research
tb2.htm28032583Jan 26 13:08:50 2000
Timbuktu Pro 32 (TB2) from Netopia sends user IDs and passwords in clear text. When TB2 is used to remote control a machine that is not logged in or is locked, any user ID and password that is typed in is sent in clear text. A malicious user on the network can "sniff" the packets and gain the NT User IDs and passwords of any one using TB2 to remotely control a NT machine. Homepage here.
update.htm19452023Jan 20 18:09:10 2000
orel Linux comes with a program called "Corel Update" to manage the ".deb" files. This X oriented program is setuid root. The program is "get_it" and it's located in the /usr/X11R6/bin directory. If you can run it, it's easy to get root privileges in your system. Homepage here.
userrooter.sh4206872Jan 7 14:54:19 2000
RedHat PAM/userhelper(8) exploit. By S
uw-ppptalk.c22231212Jan 21 16:41:49 2000
UnixWare 7 exploit for /usr/bin/ppptalk. By K2
vcasel.htm19052855Jan 21 16:41:49 2000
Vcasel (Visual Casel) is apparently intended as some sort of addon to Novell Netware 3.X and above. The program does succeed in limiting the names of the files executed, but there is no path verification. Homepage here.
vi.htm21161127Jan 14 04:01:50 2000
Vi uses /tmp insecurely on OpenBSD, FreeBSD and Debian. This has been fixed in FreeBSD 2.2-STABLE, 3.4-STABLE and 4.0-CURRENT (04.01.2000). Homepage here.
vmware.htm28402172Jan 26 19:21:35 2000
w00w00 Security Advisory - Linux VMware 1.1.2 Symlink Vulnerability. VMware stores temporary log files within the /tmp directory. It does not check whether all of these files exist prior to creation, resulting in the potential for a symlink attack. Homepage here. By Harikiri
vpopmail.txt22932378Jan 26 19:24:44 2000
w00w00 Security Advisory - qmail-pop3d may pass an overly long command argument to it's password authentication service. When vpopmail is used to authenticate user information a remote attacker may compromise the privilege level that vpopmail is running, naturally root. Homepage here. By K2
vwall3.htm19603486Jan 21 16:41:49 2000
By sending an SMTP message with a malformed attachment, it is possible for malicious code to avoid detection by Trend Micro's InterScan SMTP scanner version 3.0.1 for Solaris. Other versions may be affected as well, but were not tested. Homepage here.
warftp.txt49144822Jan 7 17:26:38 2000
All versions of War-ftpd have serious security issues. The current release has some serious problems with the parsing of macros which can be exploited without even logging in. By Sir Dystic courtesy of Bugtraq
website.htm29064045Jan 26 13:08:50 2000
WebSite Pro is also revealing the webdirectory of each Website by a simple command line. This bug is similar to the "IIS revealing webdirectories" bug reported. On WebSitePro the diference ist the way you retrieve the path. Homepage here.
winamp.win98.txt430113229Jan 7 13:16:40 2000
A stack based buffer overflow in Winamp 2.10 for Win 98 has been found. The attack is carried out through .pls files which winamp uses for playlists. This is unnerving as it is a feasible plan to trade playlists on irc during a mp3 trading session with someone. Exploit code included. Homepage here. By here.
yahoo2.htm36991628Jan 26 13:08:50 2000
Jaynus Jaynus found following. He read over the ICQ overflow that had been found so he was curious if this existed in any other clients. Upon testing the below URL, yahoo pager/messenger crashed in the same was as ICQ. Homepage here.
 
 
Privacy Statement