Welcome to the Exploits for February, 2000 Section. | |||
Some of these exploits are from Bugtraq | |||
To change sort order, click on the category. | |||
File Name | Downloads | File Size | Last Modified |
0002-exploits.tgz | 4635 | 118734 | Mar 1 00:31:58 2000 |
Packet Storm new exploits for February, 2000. | |||
aix-snmp.txt | 2356 | 924 | Feb 18 12:11:42 2000 |
On AIX 4.2 and 4.3, the SNMP daemon is enabled by default and two community names are enabled with read/write privileges. The community names are "private" and "system", but are only allowed from localhost connections. Nevertheless, a local user may install an SNMP client, and modify sensitive variables. By Harikiri courtesy of Bugtraq | |||
amd.tgz | 3042 | 5129 | Feb 8 10:18:54 2000 |
rpc.amd remote exploit with spoofed source address. Homepage here. By Lamagra | |||
anywhere-3.1.3.txt | 2593 | 1247 | Feb 10 18:14:02 2000 |
Anywhere Mail Server Ver.3.1.3 for Windows contains a remote DoS vulnerability, via a long RETR string over port 110. Also multiple connections will kill the sendmail server. By Nobuo Miwa courtesy of Bugtraq | |||
apcd.c | 545 | 1990 | Feb 10 18:19:11 2000 |
Debian 2.1 local root exploit - A vulnerability exists in the apcd package shipped with Debian 2.1. By WC | |||
apcd.sh | 1449 | 787 | Feb 23 05:13:20 2000 |
Debian 2.1 local exploit - A vulnerability exists in the apcd package shipped with Debian 2.1. | |||
asmon.sh | 1469 | 1001 | Feb 22 23:22:12 2000 |
asmon.sh - A vulnerability exists in both the ascpu and asmon ports to FreeBSD. Local root overflow. FreeBSD 3.4, 3.3, 3.2, 3.1, and 3.0 are affected. | |||
asp.runtime-error.tx..> | 4514 | 2406 | Feb 10 18:22:00 2000 |
Active server pages (ASP) with runtime errors expose a security hole that publishes the full source code name to the caller. If these scripts are published on the internet before they are debugged by the programmer, the major search engines index them. These indexed ASP pages can be then located with a simple search. The search results publish the full path and file name for the ASP scripts. This URL can be viewed in a browser and may reveal full source code with details of business logic, database location and structure. Homepage here. By Jerry Walsh courtesy of Bugtraq | |||
axis700.txt | 5284 | 1906 | Feb 9 16:06:56 2000 |
Bypassing authentication on Axis 700 Network Scanner - By modifying an URL, outsiders can access administrator URLs without entering username and password. Tested on Axis 700 Network Scanner Server version 1.12. By Ian Vitek courtesy of Bugtraq | |||
bordermanager-dos.tx..> | 3745 | 2811 | Feb 9 15:54:56 2000 |
Novell Bordermanager 3.0 through 3.5 is vulnerable to a slow DoS. After 2 days, the firewall will deny all requests, and eventually crash completely. By Chicken Man courtesy of Bugtraq | |||
cern-pss.txt | 2891 | 4163 | Feb 4 13:43:58 2000 |
CERN 3.0A Heap overflow advisory - There is a heap overflow that wastes memory space in the CERN/3.0A webserver. Close to 50000 bytes of the heap will be ruined! DoS example included. By Scrippie | |||
cfing.c | 2624 | 5625 | Feb 10 18:19:11 2000 |
Cfingerd 1.3.3 (*BSD) local root buffer overflow exploit. By Babica Padlina | |||
css.htm | 1607 | 18590 | Feb 17 11:56:25 2000 |
Cross Site Scripting Summary - Malicious HTML tags (especially scripting tags) can be embedded in client web requests. Homepage here. | |||
doscmd.c | 2575 | 1781 | Feb 10 18:19:11 2000 |
FreeBSD 3.4-STABLE /usr/bin/doscmd local exploit. By Babica Padlina | |||
ebpd.tgz | 1919 | 9084 | Feb 22 10:45:05 2000 |
This script sniffs traffic on the network watching for ebay userids and passwords. This is only possible because (as of this writing), ebay does not encrypt passwords -- they are sent in the clear. Homepage here. By Richard Fromm | |||
fbsd-ping.txt | 2252 | 4809 | Feb 24 13:59:11 2000 |
FreeBSD is vulnerable to a DoS vulnerability involving high speed pinging with packets over 8184 bytes. Unofficial patch included. Homepage here. By Omachonu Ogali | |||
flexlm.sh | 2364 | 490 | Feb 22 23:18:30 2000 |
Solaris (x86/7.0/2.6) local exploit for Sun's WorkShop 5.0 compilers and other products which use the FlexLM license management system. | |||
frontpage.doubledot...> | 5400 | 887 | Feb 18 12:17:13 2000 |
Frontpage-PWS32/3.0.2.926 (probably others) allows reading of any file on the system by putting /.../ into the url. By Jan van de Rijt courtesy of Bugtraq | |||
ftp-ozone.c.txt | 2279 | 3410 | Feb 22 10:36:09 2000 |
Exploit for recent FW-1 FTP problems - Demonstrate a basic layer violation in "stateful" firewall inspection of application data (ftp within IP packets). Checkpoint alert about this vulnerability here. Homepage here. By Dug Song | |||
fw-13.htm | 1904 | 14200 | Feb 17 11:56:25 2000 |
Checkpoint-1 and other firewall vulnerability - The low-down of it is fooling a firewall into opening "a TCP port of your choice" against an FTP server. Or, if you're running an evil FTP server, having it open ports against clients accessing the server. Homepage here. | |||
fw1-ftp.txt | 3871 | 6405 | Feb 10 18:28:46 2000 |
FireWall-1 FTP Server Vulnerability Background Paper #1 - The basic idea of the described attack is to subvert the security policy implemented by a stateful firewall. This is done by triggering the generation of a TCP packet that, when inspected by the firewall, will change the firewall's internal state such that an attacker is able to establish a TCP connection to a filtered port through the firewall. This packet is the server response to a PASV user request during a FTP session. By John McDonald courtesy of Bugtraq | |||
fw1-pasv.txt | 3565 | 2291 | Feb 10 18:16:32 2000 |
It is possible to cause certain firewalls to open up any TCP port of your choice against FTP servers that are "protected" by those firewalls. This is done by fooling the FTP server into echoing "227 PASV" commands out through the firewall. Firewall-1 v3 and v4 are known to be affected. Homepage here. By Mikael Olsson courtesy of Bugtraq | |||
ignite.htm | 1403 | 1186 | Feb 17 11:56:25 2000 |
Ignite-UX bug in HP-9000 Series700/800 running release HP-UX 11.X only. Each password field in /etc/passwd should be "*" in a trusted system. This is normally handled automatically. One way for the password field to be set to a blank is to create a system image of a trusted system with Ignite-UX and not save /etc/passwd. Homepage here. | |||
inetserv-3.0.c | 2183 | 7108 | Feb 10 13:52:42 2000 |
InetServ 3.0 remote DoS exploit. Homepage here. By Dr. Fdisk | |||
instructor.c | 1377 | 5709 | Feb 1 23:02:22 2000 |
instructor.c is an OpenBSD 2.5 DoS attack which attempts to execute every 32 bit instruction. It is useful for people who are trying to find hidden features, or hidden bugs in their hardware or operating system. Many "features" have been found with this program. Homepage here. By David Goldsmith | |||
iplanet.dos.txt | 1939 | 3357 | Feb 23 22:06:09 2000 |
Sun iPlanet Web Server, Enterprise Edition 4.1 on Linux is vulnerable to a remote DoS attack. Many GET requests cause a kernel panic. By Eiji Ohki courtesy of Bugtraq | |||
kppp-1.6.14.txt | 2507 | 236 | Feb 10 14:06:53 2000 |
Kppp 1.6.14 has a vulnerability that allows a local user to display the saved PPP password. By Rarez | |||
Linbert.txt | 2282 | 1944 | Feb 16 12:45:23 2000 |
Linberto v1.0.2 (Q-Bert linux clone) can overwrite any file on the system, via insecure use of /tmp. By Grampa Elite | |||
linux-dump.txt | 2345 | 1826 | Feb 29 16:46:59 2000 |
/sbin/dump on Linux is vulnerable to a local buffer overflow attack. Patch included. Homepage here. By Kim Yong-jun courtesy of Bugtraq | |||
linux.2.2.x.icmp.dos..> | 1945 | 3277 | Feb 17 00:54:42 2000 |
Redhat Linux 6.0 icmp DOS. | |||
microsoft-install.tx..> | 1981 | 1826 | Feb 22 16:17:24 2000 |
An ActiveX control shipped with IE can be used to install software components signed by Microsoft without prompting the user. This of course raises trust issues. Someone, not necessarily Microsoft, could use this control to install a Microsoft signed component in your system. By Juan Carlos Garcia Cuartango courtesy of Bugtraq | |||
microsoft.vm.java.tx..> | 3660 | 6131 | Feb 1 13:48:04 2000 |
Another security hole in Microsoft Virtual Machine for Java has been discovered that allows a java applet to read any file on the system. This vulnerability is quite dangerous and immediate de-activation of the IE Java function provided by Microsoft is highly recommended. By Dr. Hiromitsu Takagi courtesy of Bugtraq | |||
mmsu-dos.c | 2202 | 6176 | Feb 25 15:43:56 2000 |
Microsoft Media Server 4.1 - Denial of Service exploit. This code will crash the Microsoft Media Unicast Server for Windows NT. We have tested this against machines running SP4 and SP6. Exploits the bug in ms00-013 Homepage here. By Kit Knox | |||
mysql.txt | 4868 | 5341 | Feb 9 16:02:40 2000 |
There exists a vulnerability in the password checking routines in the latest versions of the MySQL server, that allows any user on a host that is allowed to connect to the server, to skip password authentication, and access databases. All versions of MySQL up to 3.22.26a are vulnerable. By Emphyrio courtesy of Bugtraq | |||
newsbug.txt | 2121 | 10480 | Feb 28 16:36:47 2000 |
Netscape and Outlook are vulnerable to a DoS attack involving bogus news group file entries. Demonstration page here. During testing in approximately 50% of the time OE would crash before it could be stopped. Another bug, similar to Georgi Guninskis' word pad code execution but it uses a .shs (scrap file) is also described, demonstration available here. Homepage here. By Sugien | |||
outblaze.htm | 1970 | 23975 | Feb 23 12:25:20 2000 |
Remote vulnerabilies in the popular free email software Outblaze - By using authentication strings in the URL after logging in to a mailbox, Outblaze-powered e-mail accounts are left vulnerable to unauthorized access. Anyone who discovers that string before a login session expires can gain full access to any Outblaze-powered e-mail account. By including HTML tags in an e-mail message, one can easily obtain the authorization string for a login session. HTML can also be embedded within a subject so that the victim need not even view the e-mail to be vulnerable. By Sozni | |||
outlook5.vuln.txt | 3630 | 1354 | Feb 1 16:40:23 2000 |
Georgi Guninski security advisory #6 - Outlook Express 5.01 and Internet Explorer 5.01 under Windows 95 (others too) allow reading subsequently opened email messages after a hostile message is opened. Exploit code included. Workaround: Disable Active Scripting. Homepage here. By Georgi Guninski courtesy of Bugtraq | |||
poorman.txt | 2986 | 1787 | Feb 7 12:05:19 2000 |
It is possible to cause the BeOS PoorMan webserver to crash (remotly) by sending a given URL to the server. By Jonathan Provencher | |||
proftp_ppc.c | 3668 | 7046 | Feb 11 13:50:35 2000 |
Proftpd (<= pre6) linux ppc remote exploit. By Lamagra. | |||
qpop-list.c | 633 | 14543 | Feb 22 01:03:00 2000 |
Qpop3.0b30 and below buffer overflow exploit. Remote, but requires username and password. Homepage here. By Portal | |||
qpop-xtnd.c | 634 | 13794 | Feb 11 01:06:00 2000 |
Linux x86 exploit for Qualcomm Popper 3.0b?? (was fixed silently) Remote, but requires username / password. Homepage here. By Portal | |||
rcgixploit.c.txt | 4205 | 6883 | Feb 16 13:13:37 2000 |
Remote CGI exploit - Attempts to exploit five common CGI bugs and retrieve /etc/passwd. By Zinc_Sh | |||
redhat-man.c | 2646 | 1430 | Feb 28 16:04:16 2000 |
Redhat /usr/bin/man exploit (gid=15 leads to potential root compromise). Homepage here. By Przemyslaw Frasunek | |||
rfp2k01.txt | 7515 | 25154 | Feb 3 12:44:31 2000 |
"How I hacked PacketStorm Forums" - A look at hacking wwwthreads via SQL. This is more of a technical paper than an advisory, but it does explain how I used a vulnerability in the wwwthreads package to gain administrative access and some 800 passwords to PacketStorm's discussion forum. Homepage here. By Rain Forrest Puppy | |||
rpcclnt.htm | 1638 | 5159 | Feb 17 11:56:25 2000 |
When an NT 4.0 workstation or backup domain controller is joined to a domain, the trust account password is set to a well-known initial value. If you are concerned about internal network security, this is not really an acceptable risk. Homepage here. | |||
sambar.bat.txt | 3590 | 1002 | Feb 23 22:16:53 2000 |
All versions of Sambar server running under Windows NT and 2000 (95/98 not vulnerable) have vulnerabilities which allow remote command execution. By Georgi Chorbadzhiyski courtesy of Bugtraq | |||
sco.snmpd.txt | 3118 | 5519 | Feb 9 16:04:44 2000 |
The default configuration of SCO OpenServer 5.0.5 allows local users read/write access to SNMPD via a default writable community string. This configuration has been verified on SCO OpenServer 5.0.5 and may be present in earlier versions. By Shawn Bracken courtesy of Bugtraq | |||
serv-u.25b.txt | 5249 | 1717 | Feb 4 12:01:41 2000 |
Serv-u FTP-Server v2.5b for Win9x/WinNTFTP-Server v2.5b will crash if you upload a malformed link file and type the ftp command LIST, due to overflow in Windows API SHGetPathFromIDList. By Underground Security Systems Research | |||
SHGetPathFromIDList...> | 3300 | 4293 | Feb 4 13:17:45 2000 |
Windows Api SHGetPathFromIDList Buffer Overflow - All Structure lengths, or Length of string, can be a modified or altered and cause whatever handles the shortcuts to crash. By Underground Security Systems Research | |||
slzbserv.c | 1288 | 5202 | Feb 2 23:49:08 2000 |
slzbserv.c - local/remote exploit for ZBServer PRO 1.50-r1x (WinNT). ZBServer PRO 1.50-r1x exploit gets remote servers's full control, allows you to run arbitrary code. Tested on debian. By Zan | |||
snmp.writable.txt | 2912 | 2636 | Feb 18 12:01:37 2000 |
Many devices come from the manufacturer configured with snmp enabled and unlimited access with *write* privledges. It allows attacker to modify routing tables, status of network interfaces and other vital system data, and seems to be extermely dangerous. To make things even worse, some devices seems to tell that write permission for given community is disabled, but you can still successfully write to it. This is a list of devices with default writable configurations. By Michal Zalewski courtesy of Bugtraq | |||
snmp10.htm | 1540 | 4911 | Feb 17 11:56:25 2000 |
Monty originally cobbled this together to keep the network admins he worked with from doing annoying things like keeping tftp daemons running on his Unix hosts for weeks on end. Its pretty handy for that too. May this script (grabrtrconf.sh) help make SNMP die the sad lonely death it deserves once and for all! Homepage here. | |||
ssh-xauth.txt | 2973 | 2004 | Feb 25 15:36:21 2000 |
If X11forwarding is turned on, and remote xauth is patched, sshing into a compromised server can allow programs to be run on under your ssh client. This is turned on by default in ssh1, ssh2, and openssh. By Brian Caswell courtesy of Bugtraq | |||
sshd.locked-accts.tx..> | 2442 | 3850 | Feb 16 14:51:08 2000 |
In some cases where a system must be configured so that specific users only have access to POP, FTP, or restricted shell, the addition of the SSH protocol server (sshd) may create a security hole allowing the user to make tcp connections appearing to be from root at the attacked host. By Marc Schaefer courtesy of Bugtraq | |||
stream2.c | 881 | 7152 | Jun 21 11:23:40 2000 |
stream2.c is a remote dos attack which uses ACK packets to consume large amounts of CPU. This DoS targets FreeBSD, Linux, and Solaris. | |||
surfcontrol.txt | 3590 | 2238 | Feb 3 15:37:22 2000 |
surfCONTROL SuperScout 2.6.1.6 allows web users to view websites blocked by the classification database. By Mike C courtesy of Bugtraq | |||
tinyftpd.exploit.txt | 2634 | 8578 | Feb 1 13:04:33 2000 |
Tiny FTPd 0.52 beta3 (Windows FTP Server) has remotely exploitable buffer overflow vulnerabilities. Even anonymous users can execute code. Exploit tested on Windows98(+IE5.01). Homepage here. By Unyun courtesy of Bugtraq | |||
twinge.c | 5850 | 5267 | Feb 10 18:19:11 2000 |
Crashes almost any Windows box on your local network. Compiles on linux. Cycles through many different types of ICMP packets. By Sinkhole courtesy of Bugtraq | |||
ultimatebb.txt | 5505 | 1607 | Feb 16 14:47:24 2000 |
The Ultimate Bulletin Board has remote vulnerabilities, shell commands can be executed. By Sergei A. Golubchik courtesy of Bugtraq | |||
umount.c | 2533 | 1880 | Feb 10 18:19:11 2000 |
FreeBSD 3.3-RELEASE /sbin/umount local exploit. By Babica Padlina | |||
warftpd-dos.c | 3805 | 4192 | Feb 2 16:12:51 2000 |
War-ftpd for Windows95/98/NT is vulnerable to a buffer overflow in the MKD/CWD commands until version 1.71-0. DoS exploit included. By Toshimi Makino | |||
win2k.install.txt | 6781 | 701 | Feb 18 12:05:52 2000 |
During the installation process of Windows 2000 professionnal anyone can connect to the ADMIN$ share as ADMINISTRATOR whithout any password. By Stephane Aubert courtesy of Bugtraq | |||
wordpad-ie.txt | 2636 | 1507 | Feb 23 22:13:36 2000 |
Georgi Guninski security advisory #7 - There is a vulnerability in Wordpad which allows executing arbitrary programs without warning the user after activating an embedded or linked object. This may be also exploited in IE for Win9x. Demonstration which starts AUTOEXEC.BAT available here. Homepage here. By Georgi Guninski"> courtesy of Bugtraq | |||
Xitami-2.4d4.dos.txt | 2305 | 2408 | Feb 29 15:40:19 2000 |
The Xitami Windows 95/98 webserver is vulnerable to a remote DoS attack. Homepage here. By Nemesystm | |||
zeus.null.txt | 3642 | 2277 | Feb 9 15:58:55 2000 |
The Zeus Web Server does not parse null terminated strings properly, and can reveal the source to CGI scripts under certain circumstances. By Julian Midgley courtesy of Bugtraq | |||
Privacy Statement | |||