Welcome to the Exploits for April, 2000 Section. | |||
Some of these exploits are from Bugtraq and Security Bugware | |||
To Change Sort Order, Click On A Category. | |||
File Name | Downloads | File Size | Last Modified |
RFP2K02.txt | 4816 | 7470 | Apr 14 13:25:13 2000 |
RFP2K02 - "Netscape engineers are weenies!" AKA a back door in Microsoft FrontPage extensions/authoring components. Anyone with web authoring permission can use a backdoor in dvwssr.dll to read .asp (and .asa) files under the web root. As Microsoft has told me, the immediate problem is moreso the fact that any developer of one particular virtual site can download the .asp code of other virtual sites on the same system. Includes dvwssr.pl, a perl based exploit. Homepage here. By Rain Forrest Puppy | |||
netsurfer.txt | 3765 | 1906 | Apr 18 15:34:23 2000 |
Local users can steal credit card numbers and personal information from a Netsurfer e-commerace site due to bad default permissions. By Elsewhere | |||
winreal.6-7.txt | 3676 | 4229 | Apr 6 12:05:41 2000 |
There is a buffer overflow in the Win32 RealPlayer Basic client versions 6 and 7 which occurs when a long location to play string is entered. Using the HTML "EMBED" tag to embed RealPlayer in a webpage and setting the "AUTOSTART=true" flag, you can force RealPlayer to start automatically, triggering the overflow condition. It appears that arbitrary code could be exploited simply by *VISITING* a webpage with the malicious embedded RealPlayer tags. MacOS and linux versions appear not to be vulnerable. By Adam Muntner courtesy of Bugtraq | |||
Fortres4-analysis.tx..> | 3637 | 6680 | Apr 11 18:33:57 2000 |
Fortres 4.0 security software for Windows has an easily decrypted password. Qbasic source includeed to crack the simple encryption. By Frost Byte | |||
0004-exploits.tgz | 3523 | 208103 | May 19 10:56:12 2000 |
Packet Storm new exploits for April, 2000. | |||
4man.c | 2927 | 1247 | Apr 27 14:10:24 2000 |
redhat 6.1 /usr/bin/man exploit. Homepage here. By Kil3r | |||
DeCRYPTO.zip | 2909 | 71912 | Apr 12 15:24:04 2000 |
CRYPTOCard's CRYPTOAdmin pin can be decrypted from the .pdb file - Windows 9X demonstration program. Homepage here. By Kingpin | |||
ADV-150400.txt | 2664 | 3470 | Apr 23 02:35:38 2000 |
Microsoft Frontpage CERN Image Map Dispatcher (/cgi-bin/htimage.exe) comes by default and has three vulnerabilities. The full path to the root directory is revealed, a buffer overflow was found - remote code execution may be possable, and files on the server may be accessed. Homepage here. By Narrow | |||
qpopper.fgets.txt | 2552 | 4022 | Apr 27 15:24:55 2000 |
Sorry, a description is unavailable. | |||
ooo1.txt | 2503 | 5042 | Apr 15 02:20:17 2000 |
Netscape PublishingXpert 2.* file-reading/dir-listing vuln in PSCOErrPage.htm - On SunOS 5.5.1 and 5.6 (possibly others), Netscape PublishingXpert 2.* can read any file on the system. Many large e-commerace sites are vulnerable to this. Exploit details included. By \x00\x00 | |||
beos.dos.txt | 2447 | 2104 | Apr 7 21:01:54 2000 |
The BeOS networking stack crashes when certain malformed packets are sent to it. This document explains two such packets and includes CASL scripts for packet generation. By Tim Newsham courtesy of Bugtraq | |||
linux-masq-udp.txt | 2423 | 8673 | Apr 3 19:19:24 2000 |
Linux 2.2.x IP Masquerading allows UDP packets in from the outside until the firewall times out. Under certain rare conditions, a UDP based service could be exploited from the outside. By H D Moore courtesy of Bugtraq | |||
dsnhack.pl | 2365 | 11668 | Apr 15 02:33:17 2000 |
NewDSN.exe/CTGuestB.idc/Details.idc remote NT exploit. Homepage here. By Scrippie | |||
RDS_Toolkit.zip | 2363 | 6768 | Apr 18 15:48:06 2000 |
RDS Toolkit is another addon for msadc.pl. It is similar to spawncmd.pl which spawns a remote command on a NT machine using RDS, but the RDS Toolkit works in Windows and Unix based systems. By Narrow | |||
cc-pinextract.txt | 2294 | 11818 | Apr 12 15:18:10 2000 |
CRYPTOCard's CRYPTOAdmin software is a challenge/response user authentication administration system. The PT-1 token, which runs on a PalmOS device, generates the one-time-password response. A PalmOS .PDB file is created for each user and loaded onto their Palm device. By gaining access to the .PDB file, the legitimate user's PIN can be determined through a series of DES decrypts-and-compares. Using the demonstration tool, the PIN can be determined in under 5 minutes on a Pentium III 450MHz. Homepage here. By Kingpin | |||
snmpx.sh | 2211 | 842 | Apr 3 16:26:12 2000 |
Solaris 2.6 snmpdx remote exploit. Homepage here. By Acz | |||
ircii-4.4.c | 2177 | 2730 | Apr 6 17:55:52 2000 |
ircii-4.4 exploit - buffer overflow in ircii dcc chat's allows arbitrary code execution. Tested against SuSE 6.x and Redhat. Homepage here. By Bladi | |||
cache-control.txt | 2139 | 5264 | Apr 3 18:58:51 2000 |
HTTP cache-control headers such as If-Modified-Since allow servers to track individual users in a manner similar to cookies, but with less constraints. This is a problem for user privacy against which browsers currently provide little protection. By Martin Pool courtesy of Bugtraq | |||
mailform.txt | 2111 | 5231 | Apr 7 10:48:49 2000 |
MailForm v1.91 for Windows 95 and NT 4.0 allows potentially dangerous parameters to be specified by anyone who can execute it. The web interface allows remote users to execute arbitrary commands. Exploit code included. Homepage here. By Chopsui-cide | |||
ide_expl.mrc | 2007 | 5209 | Apr 19 14:46:37 2000 |
ide_expl.mrc is an ircii-4-4 exploit ported to mirc5.7, works reverse to ircii-4.4.c. You send the chat request instead of having them chat you, attempts to execute /bin/sh. Homepage here. By Vade79 | |||
sourcegrab.pl | 2006 | 1491 | Apr 12 15:03:03 2000 |
Exploit for Microsoft Index Server 2.0 hithighlight exploit (as described in ms00-006) which allows you to view any file in the wwwroot directory and down. By x00x00 | |||
ms00-019.info.txt | 1979 | 686 | Apr 7 11:17:44 2000 |
Exploit information for the "Virtualized UNC Share" problem talked about in MS00-019 which yeilds the source of .asp's. By Rain Forrest Puppy | |||
RFP2K03.txt | 1869 | 38140 | Apr 20 13:06:42 2000 |
RFP2K03 - Contemplations on dvwssr.dll and how it affects life. Lots of information here. Also includes a fixed versoin of the perl exploit. Homepage here. By Rain Forrest Puppy | |||
dig.c | 1759 | 963 | Apr 25 12:51:02 2000 |
dig v2.2 local buffer overflow exploit for x86 linux. Note that dig isn't suid/sgid on some platforms, yet on some it is. Homepage here. By Anathema | |||
panda-sec.zip | 1759 | 1190 | Apr 22 23:57:18 2000 |
Panda Security 3.0 for Windows 95 and 98 can be bypassed. Panda Security 3.0 is vulnerable to indirect registry key modifications, which allow Panda Security keys to be manipulated by any logged-on user. Because of a lack in system integrity checks, the entire software package could be uninstalled by a user. This zipfile contains demonstration exploit code. Homepage here. By Deepzone Security | |||
sftp02b.c | 1749 | 2147 | Apr 28 12:01:19 2000 |
Smart FTP v0.2 Beta denial of service. Homepage here. By Chopsui-cide | |||
kill_nwtcp.c | 1715 | 2157 | Apr 23 00:37:05 2000 |
Novell Netware 5.1 Remote Administration Service contains a buffer overflow that could allow an attacker to launch a denial of service attack against the system, or possibly inject code into the operating system for execution. DoS exploit included. Homepage here. By Michal Zalewski | |||
imap_core.sh | 1699 | 6352 | Apr 19 01:05:27 2000 |
imap_core.sh is a quick proof of concept tool that causes some imapd implementations to dump core. Unfortunately the core file contains the password and shadow password file in it! Homepage here. By Mudge | |||
lcdproc-exploit.c | 1670 | 5497 | Apr 23 18:58:51 2000 |
LCDproc is a system to display system information and other data on an LCD display which uses client / server communication. The server is vulnerable to remote buffer overflow allowing an attacker to remotely execute arbitrary code or cause the LCDproc server to crash. Patch available here. By Andrew Hobgood | |||
mmdump.pl | 1661 | 6520 | Apr 27 14:26:06 2000 |
Meeting Maker is a networked calendaring/scheduling software package that's estimated to be installed on over 700,000 desktops. Clients send passwords to a Meeting Maker server encoded using a polyalphabetic substitution cipher. Included perl script will decode passwords sent over the net. By Matt Power courtesy of Bugtraq. | |||
fcheck.txt | 1657 | 3307 | Apr 6 17:09:05 2000 |
Fcheck, a file integrity checker written in perl, can be subverted by a malicious user to execute arbitrary commands as root by creating files with shell metacharacters in their names. Version v.2.7.45 and below is vulnerable. By Matt Carothers courtesy of Bugtraq | |||
fdmnt-smash.c | 1641 | 3126 | Apr 3 16:28:34 2000 |
fdmount local root exploit - tested on Slackware 4.0. Must be in the floppy group. Homepage here. By Scrippie | |||
str-msgchk.c | 1618 | 2085 | Apr 3 16:30:59 2000 |
mh/msgchk and mh/inc demonstration local exploit for FreeBSD / BSDI. Homepage here. By Stran9er | |||
lpset.sh | 1605 | 627 | Apr 27 14:12:55 2000 |
/usr/bin/lpset vulnerability in Solaris/SPARC 2.7. Homepage here. By Noir | |||
austnethack.tgz | 1567 | 5925 | Apr 28 12:04:09 2000 |
How AustNet's Virtual World was hacked to reveal users real IP. Slightly crippled demonstration code included. Lots of information on the austnet hack available here. By FallenAngel | |||
wmaker.c | 1552 | 1781 | Apr 23 18:27:28 2000 |
Windowmaker 0.62.0 buffer overflow exploit - Although wmaker is not suid by default, this code will overflow the $DISPLAY environment variable. Homepage here. By Sectorx | |||
FreeOnline.txt | 1545 | 2008 | May 4 00:07:41 2000 |
FreeOnline currently makes it's free users surf non-free zones for 30 minutes and 2hour lots within certain hours of the day. If you are a FreeOnline user which I currently am you may be interested to know that there is a way out to non-free sites using a site which FreeOnline does acknowledge as a site to be surfed at any times. By rarez | |||
ltrust.c | 1544 | 774 | Apr 19 00:52:05 2000 |
Linux kernel 2.2.14 local DoS - When accessing a file or directory with a very long path the process hangs in an unkillable state. All other processes are SEGFAULTing when trying to access unkillable process' /proc entry. So system utilities ps, w, top, killall and the like are stoppping working. Except that, the system continues to function normally. The only solution is reboot. Homepage here. | |||
sunkill.c | 1540 | 2365 | Apr 21 23:54:14 2000 |
sunkill.c - Remote solaris 2.5.1 dos exploit. Opens a telnet connection on the victim machine and sends a few bad telnet negotiation options, then flooods the port with lots of ^D characters, using all available kernel memory. Homepage here. | |||
bizdb.htm | 1534 | 904 | Apr 19 00:41:50 2000 |
BizDB is a web databse integration product using perl CGI scripts. One of the scripts, bizdb-search.cgi, has an unchecked open() call and can therefore be made to execute commands at the privilege level of the webserver. Remote exploit included. Homepage here. | |||
rmp_query.c | 1534 | 2181 | Apr 6 18:00:33 2000 |
This script exploits a vulnerability in the default installation of Caldera OpenLinux 2.3 which allows an attacker to obtain a listing of the packages, and versions of packages installed on this system, allowing an attacker to remotely determine vulnerabilities. Homepage here. By Alhambra | |||
lprm-bsd.c | 1531 | 6821 | Apr 19 01:21:01 2000 |
lprm-bsd.c - Exploit for lprm local root vulnerability in OpenBSD and FreeBSD-stable. Homepage here. By Niall Smart | |||
named_dump.sh | 1525 | 684 | Apr 19 01:08:20 2000 |
ISC BIND 4.9.7-T1B local exploit - The named daemon will dump the named database to /var/tmp/named_dump.db when it receives a SIGINT signal. It does not check for symbolic links while doing so and can be made to overwrite any file in the system. Homepage here. | |||
imwheel_ex.c | 1525 | 994 | Apr 27 13:36:06 2000 |
imwheel local root exploit (as discussed in RHSA-2000:016-02). By Funkysh | |||
lincity.c | 1504 | 1054 | Apr 19 01:43:09 2000 |
lincity-svga local buffer overflow. Homepage here. By TFreak | |||
razor.dvwssr.txt | 1475 | 4360 | Apr 23 00:16:06 2000 |
BindView RAZOR Team Analysis of DVWSSR.DLL - The risks of having dvwssr.dll are not as severe as originally reported in media outlets Friday morning, but still severe enough that system administrators responsible for NT systems to investigate. The risks involve whether or not a certain DLL is loaded, how rights are set, and potentially how Front Page 98 is used. Homepage here. By Simple Nomad | |||
freebsd.mtr.c | 1460 | 1618 | Apr 24 15:32:29 2000 |
FreeBSD mtr-0.41 local root exploit. Homepage here. By Venglin | |||
solx86-imapd.c | 1458 | 2892 | Apr 25 12:42:44 2000 |
imapd IMAP4rev1 v10.205 remote root exploit, solaris x86. Exploits the AUTHENTICATE overflow, yielding a remote root shell. Homepage here. By Anathema | |||
xdnewsweb.pl | 1455 | 2627 | Apr 27 08:53:08 2000 |
Vulnerability found in cgi DNEWSWEB used for reading news groups from web. Its possible to overflow stack and read any file from remote host with web server rights. All versions and for all OSes exploitable. Example of reading file /etc/passwd for Linux included. Fixed in dnews 5.4c1, available here. By djHD | |||
oracle.sh | 1446 | 1481 | Apr 3 13:04:00 2000 |
Oracle 8.1.5i install exploit - If Oracle is installed after this script has ran, roots .rhosts can be overwritten. Homepage here. | |||
scx-sa-02.txt | 1428 | 6868 | Apr 21 16:51:04 2000 |
Securax Security Advisory #2 - When the Microsoft Windows explorer tries to access parsing a filename that contains over 129 chars in the extension, a buffer will overflow, causing explorer to crash. EIP is overwritten, remote code execution is possible. By Zoa_Chien | |||
sparc_lpset.c | 1395 | 2047 | Apr 27 13:38:49 2000 |
/usr/bin/lpset local root exploit for sparc. By Laurent Levier | |||
b0f3-ncurses.txt | 1391 | 1493 | Apr 24 15:37:30 2000 |
BufferOverflow Security Advisory #3 - libncurses buffer overflow in NCURSES 1.8.6 on FreeBSD 3.4-STABLE. Setuid programs linked with libncurses can be exploited to obtain root access. Homepage here. By Venglin | |||
sol7.lp.c | 1377 | 1467 | Apr 27 13:43:18 2000 |
Solaris 2.7 /usr/bin/lp local exploit, i386. By Digit | |||
RUS-CERT.200004-01.t..> | 1333 | 14149 | Apr 23 00:30:13 2000 |
RUS-CERT Advisory 200004-01: GNU Emacs 20 - Several vulnerabilities were discovered in all Emacs versions up to 20.6, including allowing unprivileged local users to eavesdrop the communication between Emacs and its subprocesses, Emacs Lisp tempfile problems, and the history of recently typed keys may expose passwords. The following systems were tested vulnerable: Linux, FreeBSD (and probably other *BSD variants), HP-UX 10.x, 11.00, and AIX 4. Solaris and DG/UX are unaffected. | |||
solx86-nisd.c | 1317 | 5279 | Apr 25 12:41:12 2000 |
rpc.nisd remote root overflow, solaris 2.4 x86. Solaris 2.5.0 and 2.5.1 work with different offset. Homepage here. By Anathema | |||
xsun2.c | 1304 | 1812 | Apr 27 13:41:03 2000 |
xsun2.c is a Solaris 7 x86 local root stack overflow for /usr/openwin/bin/Xsun. By Digit | |||
lpset.c | 1293 | 3054 | Apr 25 12:39:30 2000 |
/usr/bin/lpset local root stack overflow for Solaris 7, x86. Homepage here. By Anathema | |||
ypghost050.tar.gz | 1284 | 14609 | Apr 22 00:03:14 2000 |
ypghost is a remote NIS exploit that spoofs UDP packets. Uses libpcap. Homepage here. By Arny | |||
hupux.sh | 1268 | 1645 | Apr 21 23:51:09 2000 |
hupux.sh hp-ux 09.04 local exploit - Takes advantage of default world writable /usr/local/bin. Homepage here. | |||
xsun.c | 1224 | 2929 | Apr 25 12:35:21 2000 |
xsun.c is a Solaris 7 x86 local root stack overflow for /usr/openwin/bin/Xsun. Homepage here. By Anathema | |||
bedie.tar.gz | 1184 | 656 | Apr 19 00:46:11 2000 |
bedie is a beos (5.0/4.5) local dos exploit which exploits a kernel bug. ASM source and binary included. Homepage here. By Konstantin Boldyshev | |||
ypk.tar.gz | 1023 | 1865 | Apr 7 13:04:00 2000 |
ypk.tar.gz exploits the remote root sunos 4.1.3 ypupdated / keyserv vulnerability. Homepage here. | |||
rdist-bsd.c | 1017 | 1948 | Apr 22 00:06:36 2000 |
rdist-bsd.c is a /usr/bin/rdist local exploit for freebsd. Homepage here. By el8 | |||
yapp_exploit.c | 954 | 3260 | Apr 11 13:04:00 2000 |
Local buffer overflow exploit for Yapp Conferencing System, Version 2.2. Homepage here. By Dave Bowman | |||