Welcome to the Exploits for August, 2000 Section.
Some of these exploits are from Bugtraq and Security Bugware.
File Name | Downloads | File Size (bytes) | Last Modified
irix.telnetd.txt | 1682 | 21301 | Sep 13 2000 12:11:15
A serious vulnerability has been found in IRIX telnetd which can give remote root access to any IRIX 6.2-6.5.8[m,f] system. The vulnerability occurs when one of the environment variables contains a format string which is passed on to the syslog() function. Proof of concept exploit included (updated version - compiler and little endian fixes). Fix available here. Homepage: http://lsd-pl.net. By LSD
A090800-1 | 240 | 5930 | Sep 11 2000 10:17:57
@stake Advisory A090800-1 - Application: Mobius DocumentDirect for the Internet 1.2. Platform: Windows NT 4.0. Severity: there are several buffer overflow conditions that could result in execution of arbitrary code or a denial of service. Homepage: http://www.atstake.com/research/advisories/2000/.
horde.txt | 242 | 3312 | Sep 11 2000 10:09:56
The $from bug is in the horde library file 'horde.lib' (on Debian systems installed in /usr/share/horde/lib/horde.lib) at line 1108, in the function "mailfrom". In this file there is a call to "popen" with an unchecked "From:" line as argument. Bug found and exploited by Jens "atomi" Steube; fixed and documented by Christian "thepoet" Winter
websitepro.txt | 306 | 3528 | Sep 11 2000 09:58:50
WebSite Pro is a web server for Win95/98/NT platforms. The vulnerability (or bad server administration) allows any user to create arbitrary files with arbitrary text on the victim machine from a web browser on the Internet. In a default installation, any user can create or upload files to a victim machine running a vulnerable version of WebSite Pro. The problem is bad access protection on the main directories of the machine. By Crono
0008-exploits.tgz | 3590 | 1090974 | Sep 8 2000 15:50:47
Packet Storm new exploits for August, 2000.
dmplay.c | 235 | 2352 | Sep 7 2000 15:40:01
/usr/sbin/dmplay local exploit for Irix 6.2 and 6.3. Homepage: http://lsd-pl.net.
trans.pl | 330 | 1154 | Sep 7 2000 15:34:23
Win2k IIS remote exploit - retrieves files using the Translate: f bug. By Roelof Temmingh
outlookmailxploit.zi..> | 461 | 190823 | Sep 7 2000 15:32:37
Microsoft Outlook remote exploit coded in Delphi. Includes source code. By Fbyte
inpview.c | 223 | 1265 | Sep 7 2000 15:30:59
/usr/lib/InPerson/inpview local exploit for Irix 6.5 and 6.5.8. Homepage: http://lsd-pl.net.
eject3.c | 219 | 1692 | Sep 7 2000 15:30:10
/usr/sbin/eject local exploit for Irix 6.2. Homepage: http://lsd-pl.net.
libxt2.c | 214 | 2471 | Sep 7 2000 15:29:14
libxt.so HOME environment variable local buffer overflow exploit for Irix 6.2 and 6.3. Homepage: http://lsd-pl.net.
pset2.c | 215 | 2295 | Sep 7 2000 15:28:02
/sbin/pset local exploit for Irix 6.2 and 6.3. Homepage: http://lsd-pl.net.
gr_osview.c | 218 | 1758 | Sep 7 2000 15:27:15
/usr/sbin/gr_osview local exploit for Irix 6.2 and 6.3. Homepage: http://lsd-pl.net.
irix-libc.c | 219 | 3111 | Sep 7 2000 15:26:12
libc.so NLSPATH local exploit for Irix 6.2. Homepage: http://lsd-pl.net.
libgl.c | 216 | 2287 | Sep 7 2000 15:25:04
libgl.so HOME environment variable local exploit for Irix 6.2. Homepage: http://lsd-pl.net.
login2.c | 221 | 1594 | Sep 7 2000 15:24:02
/usr/lib/iaf/scheme (login) local exploit for Irix 5.3. Homepage: http://lsd-pl.net.
libxaw.c | 217 | 2109 | Sep 7 2000 15:23:14
libxaw.so inputmethod local exploit for Irix 6.2. Homepage: http://lsd-pl.net.
mail.c | 224 | 2616 | Sep 7 2000 15:22:04
/usr/bin/mail local exploit for Irix 6.2 and 6.3. Homepage: http://lsd-pl.net.
irix-xlock.c | 220 | 1744 | Sep 7 2000 15:21:02
Irix 6.3/6.2 /usr/bin/X11/xlock local buffer overflow exploit. Homepage: http://lsd-pl.net.
named2.c | 292 | 10303 | Sep 7 2000 15:19:49
Irix 6.2/5.3 named iquery remote root buffer overflow exploit. Spawns a bindshell. Homepage: http://lsd-pl.net.
autofsd.c | 254 | 2254 | Sep 7 2000 15:17:52
Autofsd remote buffer overflow exploit for Irix 6.4 and 6.5. Homepage: http://lsd-pl.net.
arrayd.c | 284 | 4658 | Sep 7 2000 15:17:00
Irix 6.5/6.4/6.3/6.2 arrayd remote buffer overflow exploit as described in CA-99-09-arrayd.txt. Homepage: http://lsd-pl.net.
objectserver2.c | 231 | 6357 | Sep 7 2000 14:04:56
SGI objectserver "export" exploit - remotely adds a new entry to the export list on the IRIX system. See our SGI objectserver "account" exploit for more information. Only directories that aren't supersets of already exported ones can be added to the export list. Homepage: http://lsd-pl.net.
irix_rpc_ttdbserverd..> | 292 | 7902 | Sep 7 2000 14:00:57
rpc.ttdbserverd remote root exploit for Irix 5.2, 5.3, 6.2, 6.3, 6.4, 6.5 and 6.5.2. Homepage: http://lsd-pl.net.
lp.c | 222 | 2321 | Sep 7 2000 13:59:48
/usr/bin/lp local root exploit for Solaris 2.7 x86. Homepage: http://lsd-pl.net.
libc2-x86.c | 223 | 4779 | Sep 7 2000 13:58:44
libc.so LC_MESSAGES local exploit for Solaris 2.7 x86. Homepage: http://lsd-pl.net.
netpr-x86.c | 213 | 2480 | Sep 7 2000 13:57:54
/usr/lib/lp/bin/netpr local root exploit for Solaris 2.7 x86. Homepage: http://lsd-pl.net.
libnsl-x86.c | 217 | 3125 | Sep 7 2000 13:56:58
libnsl.so gethostbyname() exploit for Solaris 2.5 and 2.5.1 x86. Homepage: http://lsd-pl.net.
fdformat-x86.c | 222 | 2222 | Sep 7 2000 13:54:56
/bin/fdformat exploit for Solaris 2.5 and 2.5.1 x86. Homepage: http://lsd-pl.net.
kcms_configure-x86.c | 217 | 2217 | Sep 7 2000 13:54:13
/usr/openwin/bin/kcms_configure exploit for Solaris 2.5.1 and 2.7 x86. Homepage: http://lsd-pl.net.
lpstat-x86.c | 221 | 2114 | Sep 7 2000 13:52:37
/usr/bin/lpstat local root exploit for Solaris 2.7 x86. Homepage: http://lsd-pl.net.
tip.c | 229 | 2961 | Sep 7 2000 13:50:32
/usr/bin/tip local root exploit for Solaris 2.6 and 2.7 x86. Homepage: http://lsd-pl.net.
xlock-x86.c | 223 | 2152 | Sep 7 2000 13:49:34
/usr/openwin/bin/xlock local root exploit for Solaris 2.5 and 2.5.1 x86. Homepage: http://lsd-pl.net.
ufsdump-x86.c | 215 | 3114 | Sep 7 2000 13:47:58
/usr/lib/fs/ufs/ufsdump local root exploit for Solaris 2.6 and 2.7 x86. Homepage: http://lsd-pl.net.
pgxconfig.sh | 220 | 1093 | Sep 7 2000 13:45:13
TechSource Raptor GFX configurator (pgxconfig) local root exploit. By Suid
libc-x86.c | 219 | 3608 | Sep 7 2000 13:39:17
libc.so getopt() local root exploit for Solaris 2.5 and 2.5.1 x86. Homepage: http://lsd-pl.net.
eject-x86.c | 228 | 2120 | Sep 7 2000 13:37:23
/usr/bin/eject local root exploit for Solaris 2.5 and 2.5.1 x86. Homepage: http://lsd-pl.net.
dtprintinfo.c | 234 | 3389 | Sep 7 2000 13:36:20
/usr/dt/bin/dtprintinfo local root exploit for Solaris 2.6 and 2.7 x86. Homepage: http://lsd-pl.net.
xsun-x86.c | 220 | 2138 | Sep 7 2000 13:33:09
/usr/openwin/bin/xsun local root exploit for Solaris 2.6 and 2.7 x86. Homepage: http://lsd-pl.net.
gtkicq.c | 256 | 2547 | Sep 7 2000 13:30:51
gtkicq-0.62 local exploit. Overflows the HOME environment variable. By Sebastien Roy
nlps_server.c | 232 | 3669 | Sep 7 2000 13:29:13
listen/nlps_server remote buffer overflow exploit for Solaris 2.4, 2.5 and 2.5.1 x86. Homepage: http://lsd-pl.net.
dtaction2.c | 232 | 2196 | Sep 7 2000 13:27:51
/usr/dt/bin/dtaction local root exploit for Solaris 2.6 x86. Homepage: http://lsd-pl.net.
dtaction.c | 232 | 2154 | Sep 7 2000 13:26:51
/usr/dt/bin/dtaction local root exploit for Solaris 2.5.1 x86. Homepage: http://lsd-pl.net.
libnsl.c | 223 | 1619 | Sep 7 2000 13:25:26
libnsl.so gethostbyname() local root exploit for Solaris 2.5 and 2.5.1 sparc. Homepage: http://lsd-pl.net.
rpc_cmsd.c | 375 | 12135 | Sep 7 2000 13:24:36
rpc.cmsd remote root exploit for Solaris 2.5, 2.5.1, 2.6 and 2.7 sparc. Homepage: http://lsd-pl.net.
rpc_ttdbserverd.c | 337 | 8792 | Sep 7 2000 13:23:37
rpc.ttdbserverd remote root exploit for Solaris 2.3, 2.4, 2.5, 2.5.1 and 2.6 sparc. Homepage: http://lsd-pl.net.
libc2.c | 243 | 4268 | Sep 7 2000 13:22:43
libc.so LC_MESSAGES local root exploit for Solaris 2.6 and 2.7 sparc. Homepage: http://lsd-pl.net.
eject.c | 238 | 1650 | Sep 7 2000 13:21:45
/bin/eject local root exploit for Solaris 2.5 and 2.5.1 sparc. Homepage: http://lsd-pl.net.
fdformat.c | 229 | 1782 | Sep 7 2000 13:20:54
/bin/fdformat local root exploit for Solaris 2.5 and 2.5.1 sparc. Homepage: http://lsd-pl.net.
ffbconfig.c | 223 | 1801 | Sep 7 2000 13:19:33
/usr/sbin/ffbconfig local root exploit for Solaris 2.5 and 2.5.1 sparc. Homepage: http://lsd-pl.net.
kcms_configure.c | 212 | 2237 | Sep 7 2000 13:18:46
/usr/openwin/bin/kcms_configure local root exploit for Solaris 2.7 sparc. Homepage: http://lsd-pl.net.
netpr.c | 210 | 2080 | Sep 7 2000 13:16:29
/usr/lib/lp/bin/netpr local root exploit for Solaris 2.7 sparc. Homepage: http://lsd-pl.net.
lpstat.c | 221 | 1732 | Sep 7 2000 13:15:46
/usr/bin/lpstat local root exploit for Solaris 2.7 sparc. Homepage: http://lsd-pl.net.
lpset.c | 229 | 1747 | Sep 7 2000 13:14:06
/usr/bin/lpset local root exploit for Solaris 2.6 and 2.7 sparc. Homepage: http://lsd-pl.net.
rdist.c | 199 | 2124 | Sep 7 2000 13:11:52
/bin/rdist local root exploit for Solaris 2.4, 2.5 and 2.5.1 sparc. Homepage: http://lsd-pl.net.
ufs-restore.c | 208 | 2081 | Sep 7 2000 13:10:28
/usr/lib/fs/ufs/ufsrestore local root exploit for Solaris 2.5, 2.5.1 and 2.6 sparc. Homepage: http://lsd-pl.net.
xsun.c | 244 | 1683 | Sep 7 2000 13:09:30
/usr/openwin/bin/xsun local root exploit for Solaris 2.6 and 2.7 sparc. Homepage: http://lsd-pl.net.
libc.c | 213 | 1897 | Sep 7 2000 13:07:37
libc.so getopt() local root exploit for Solaris 2.4, 2.5 and 2.5.1 sparc. Homepage: http://lsd-pl.net.
libxt.c | 206 | 2244 | Sep 7 2000 13:06:34
libxt.so local root exploit for Solaris 2.4, 2.5 and 2.5.1 sparc. Homepage: http://lsd-pl.net.
passwd.c | 227 | 1642 | Sep 7 2000 13:05:25
/bin/passwd local root exploit for Solaris 2.5 / 2.5.1. Homepage: http://lsd-pl.net.
dtprint-info.c | 251 | 2341 | Sep 7 2000 13:02:45
/usr/dt/bin/dtprintinfo local root exploit for Solaris 2.6 / 2.7. Homepage: http://lsd-pl.net.
msw2ktelnetdos.sh | 254 | 1763 | Sep 7 2000 12:59:27
Windows 2000 telnet server denial of service exploit. By Wildcoyote
awcrash.c | 337 | 2830 | Sep 7 2000 12:57:15
awcrash.c exploits a buffer overflow vulnerability in Windows 95 and 98 which results in a crash if a filename with an extension longer than 232 characters is accessed. Although arbitrary code could be executed this way, it would have to be composed of valid filename character values only. By Wildcoyote
CIMcheck2.pl | 410 | 2264 | Sep 1 2000 10:08:07
CIMcheck2.pl is an updated version of the CIMcheck.pl exploit checker for the Compaq Insight Manager root dot dot bug. Updates include fixed errors and better input handling. The remote webserver must be running NT with port 2301 open. The exploit opens the full vulnerable URL and attempts to get the sam._ backup password file from the remote repair directory. You can specify which file you want to download; the default is the /winnt/repair/ directory and the sam._ backup password file. Homepage: http://TheGovernment.com/cyrax. By Neon.
cmctl_exp | 453 | 587 | Aug 31 2000 19:01:46
This script is an exploit that is an addendum to ID 170 in the Bugtraq database. ID 170 lists several Oracle setuid executables but does not offer any exploit information. This code exploits the cmctl command by abusing its trust in the integrity of the ORACLE_HOME and ORA_HOME environment variables. When the command "cmctl start cmadmin" is executed, it looks under the ORACLE_HOME\bin directory and attempts to execute cmadmin. The ORACLE_HOME variable can be modified to change the path of execution. By Kevin Wenchel
dievqs.pl | 405 | 744 | Aug 31 2000 18:50:41
DoS exploit vulnerability test script. Affected: vqServer 1.4.49. A DoS is possible in vqServer 1.4.49 if the remote host receives a GET command with approximately 65000 characters in it. Homepage: http://www.ro0t.nu/csl. By sinfony
clientagent662.txt | 374 | 2968 | Aug 31 2000 16:01:58
Client Agent 6.62 for Unix vulnerability, tested on Debian 2.2.14. Client Agent has a hole allowing arbitrary code to be executed as root without its knowledge; however, some conditions are necessary to exploit this vulnerability. Client Agent is used with ARCserveIT, the backup software, and must be installed on all workstations. A global configuration file, agent.cfg, keeps track of every sub-agent installed on the system. This file is in /usr/CYEagent and receives information from the sub-agent when the script /opt/uagent/uagensetup is run. Homepage: http://www.nightbird.free.fr. By zorgon
vpn-root.txt | 477 | 2506 | Aug 31 2000 15:55:18
RapidStream has hard-coded the 'rsadmin' account into the sshd binary in the appliance OS. The account has been given a null password, as password assignment and authentication were expected to be handled by the RapidStream software itself. The vendor failed to realize that arbitrary commands could be appended to the ssh command line when connecting to the SSH server on the remote VPN. This could lead to many things, including the ability to spawn a remote root shell on the VPN. By Loki
AccountManSploit.zip | 766 | 1412 | Aug 30 2000 17:36:50
Product: Account Manager. Versions: all, including LITE and PRO (ENTERPRISE could not be tested). OS: Unix and WinNT. Vendor: notified, http://www.cgiscriptcenter.com/. The problem: the script allows any remote user access to the Administration Control Panel by overwriting the admin password with one of their own making. By n30
HWA-warpcrash.c | 398 | 2802 | Aug 30 2000 16:56:28
HWA-warpcrash - Systems affected: OS/2 Warp 4.5 FTP server V4.0/4.2, OS/2 Warp 4.5 FTP server V4.3, and probably other versions of the software as well. Problem: the FTP server that comes with OS/2 Warp 4.5 TCP/IP can be brought down by a malicious connection attempt. Homepage: http://www.hwa-security.net. By eth0
CIMcheck.pl | 494 | 2352 | Aug 30 2000 15:24:11
CIMcheck.exe is an exploit for the Compaq Insight Manager root dot dot bug. The remote webserver must be running NT with port 2301 open. The exploit opens the full vulnerable URL and attempts to get the sam._ backup password file from the remote repair directory. You can specify which file you want to download; the default is the /winnt/repair/ directory and the sam._ backup password file. Perl2exe binary available here. Homepage: http://TheGovernment.com/cyrax. By Neon
CIMcheck.exe | 336 | 553689 | Aug 30 2000 15:07:22
CIMcheck.exe is an exploit for the Compaq Insight Manager root dot dot bug. The remote webserver must be running NT with port 2301 open. The exploit opens the full vulnerable URL and attempts to get the sam._ backup password file from the remote repair directory. You can specify which file you want to download; the default is the /winnt/repair/ directory and the sam._ backup password file. Perl2exe binary. Homepage: http://TheGovernment.com/cyrax. By Neon
webmail.txt | 1142 | 7708 | Aug 30 2000 14:45:09
-Web Application Security Survey- Results show that Microsoft Hotmail, Excite, Altavista, E-Bay, Lycos, Netscape WebMail, E-Trade, Infoseek/Go.com and their users are all currently vulnerable to web based attack. The following report is the result of a two hour security survey of high profile webmail and auction services offered free over the internet. This survey is in no way extensive or thorough; it serves only as "proof of concept" that these types of services are vulnerable to attack on a wide scale. All the following vulnerabilities are active as of Aug. 25, 2000. The webmail vulnerabilities all stem from the same problem: the attacker is able to pass unfiltered malicious HTML/JavaScript into the target user's web environment. By D-Krypt.
fpage-DoS.pl | 616 | 4865 | Aug 30 2000 14:24:30
Fpage-DoS.pl - info-based attacks that DoS FrontPage. To exploit this vulnerability the server must have the extensions "/_vti_bin/shtml.exe" installed. This is a demonstration script to remotely overflow various server buffers, resulting in a denial of service, for TESTING purposes only. Runs on *nix and Windows with Perl. Homepage: www.raza-mexicana.org. By alt3kx
FtpdXploit2000.tar | 464 | 20480 | Aug 30 2000 01:41:33
This is an exploit for the vulnerability in Wu-ftpd versions 2.4.4, 2.5.0 and 2.6.0. Written in Portuguese. Homepage: http://www.geocities.com/cultbh.
Critical_Path_CSS | 286 | 7803 | Aug 29 2000 17:41:07
A simple flaw in the web mail service offered by Critical Path (www.cp.net) allows an attacker to gain full access to any webmail account. The attack falls under the umbrella of cross-site scripting, which was addressed in detail by CERT in their advisory CA-2000-02, entitled "Malicious HTML Tags Embedded in Client Web Requests." The bug is aggravated by a defective session token scheme. By Jeffrey W. Baker
WDK_v1.0.vuln.txt | 241 | 1517 | Aug 28 2000 20:34:19
The Javaserver Webserver Development Kit (WDK) v1.0 contains a ".." vulnerability allowing remote attackers to read any file on the system with the permissions of the webserver. The server typically resides on TCP port 8080, and instructions for identifying this server are given. By Kevin Finisterre
vqserver.dos.txt | 225 | 2228 | Aug 28 2000 20:25:00
vqServer version 1.4.49 is vulnerable to a denial of service attack by sending a malformed URL request. Tested on the Windows version. The latest edition of vqServer (1.9.47) is unaffected. Homepage: http://dhcorp.cjb.net. By nemesystm
VIGILANTE-2000007 | 619 | 1871 | Aug 28 2000 02:16:01
Vigilante Advisory #7 - A malicious user can crash an Intel Express 550F or a host behind it by sending a packet with a malformed header. To restart the box you need to remove it from its power source, as the reset button loses functionality as well. Affected systems: Intel Express Switch 550F, firmware versions 2.63 and 2.64. Homepage: http://www.vigilante.com. By Vigilante
bubonic.c | 2135 | 6625 | Aug 28 2000 02:06:39
Bubonic.c is a denial of service tool that sends random TCP packets with random settings. Tested against Windows 2000 and RedHat Zoot. Homepage: http://www.antioffline.com. By Sil
daemonic.c | 1078 | 8144 | Aug 28 2000 01:55:49
Daemonic.c is a theoretical router based denial of service attack that exploits a weakness within the Border Gateway Protocol (BGP). If a malicious user sends spoofed malformed packets to a neighboring router, the peer will ignore them and possibly kill the session entirely. Written on an Ultra 5 running Linux Zoot; this has been compiled on Linux, OpenBSD and Solaris without problems. Homepage: http://www.antioffline.com. By Sil
subscribeme.txt | 0 | 2010 | Aug 24 2000 13:29:08
Sorry, a description is unavailable.
spad02.txt | 0 | 8894 | Aug 24 2000 10:57:43
Sorry, a description is unavailable.
php-nuke.txt | 524 | 1799 | Aug 24 2000 10:09:49
A short advisory on how to manipulate a bug in the PHP-Nuke Web Portal System to gain administrative access. By Starman_Jones
labs51.txt | 776 | 4816 | Aug 24 2000 09:53:33
USSR Labs Advisory #51 - There is a remote denial of service caused by a buffer overflow memory problem in the rpc module of the Pragma TelnetServer 2000 for Windows NT/2000. The included shell code causes the system to crash. Homepage: http://www.ussrback.com.
darxite.tar.gz | 671 | 4738 | Aug 22 2000 17:03:59
Darxite, a daemon that retrieves files via FTP or HTTP, has several vulnerabilities throughout the code that allow a local/remote user to crash the servers, as well as a remote overflow in passwd authentication allowing remote shell access as the uid of the darxite daemon. Exploit and advisory included. Tested against Linux x86 systems. Homepage: http://www.synnergy.net. By dethy
xslrnpull.c | 898 | 2272 | Aug 22 2000 16:39:37
Slrnpull.c exploits a local buffer overflow vulnerability in slrnpull version 0.9.6.2, which is setgid news. Tested against RedHat 6.2. Homepage: http://www.fakehalo.org. By Vade79
PHP-Nuke.c | 1606 | 2800 | Aug 21 2000 15:29:53
A vulnerability in the way PHP-Nuke, a news site administrative tool, authenticates administrative accounts allows a remote attacker to gain administrative access to the application. The attacker could edit users, articles, topics and banners, assign authors, etc. By Fabian Clone
htgrep.c | 849 | 2386 | Aug 21 2000 14:04:12
Htgrep has a vulnerability which allows a remote user to read arbitrary files on the system with the privileges of the user running the program. By n30
srcgrab.pl.txt | 1722 | 7692 | Aug 17 2000 10:28:32
Srcgrab.pl exploits the Translate: f bug as described in MS00-058. The vulnerability, present in IIS 4.0 and Windows 2000 FrontPage server extensions, allows a remote user to retrieve the source of .asa and .asp pages. By Smiler
crackncftp.c | 1127 | 5056 | Aug 16 2000 18:45:04
The ncftp client uses an easily decrypted scheme to save passwords to remote FTP sites in a bookmark file. Crackncftp.c recovers the plaintext from the encrypted string. Homepage: http://zorgon.freeshell.org. By Zorgon
ie5-msn.exec.txt | 1810 | 8941 | Aug 15 2000 17:12:00
Georgi Guninski security advisory #18 - Two serious vulnerabilities have been found in Microsoft products - Internet Explorer 5.5/5.x may execute arbitrary programs when visiting a web page, reading HTML based mail with Outlook, or simply browsing folders as web pages. In addition, the default installation of Windows 2000 allows Local Administrator compromise via opening local folders as web pages. In both cases a malicious person may take full control over the user's computer / server. Includes proof of concept HTML code. Demonstration available here. Homepage: http://www.nat.bg/~joro. By Georgi Guninski
rapidstream.vpn.txt | 759 | 2409 | Aug 15 2000 16:41:19
RapidStream VPN nodes have the 'rsadmin' account hard-coded into the sshd binary in the appliance OS. The account has been given a null password, as password assignment and authentication were expected to be handled by the RapidStream software itself. The vendor failed to realize that arbitrary commands could be appended to the ssh command line when connecting to the SSH server on the remote VPN. This could lead to many things, including the ability to spawn a remote root shell on the VPN. By Loki courtesy of Bugtraq.
linsql.c | 1525 | 39781 | Aug 15 2000 16:32:36
Linsql is a simple command-line client for MS SQL Server which can execute arbitrary SQL queries and OS commands on MS-SQL hosts that use a blank 'sa' password, a common default configuration. By Herbless courtesy of Bugtraq.
VIGILANTE-2000006.tx..> | 658 | 1763 | Aug 15 2000 15:48:42
Vigilante Security Advisory - The OS/2 Warp 4.5 FTP Server contains denial of service vulnerabilities which allow anyone who can connect to port 21 to crash the service. Fix available here. Homepage: http://www.vigilante.com. By Vigilante
VIGILANTE-2000005.tx..> | 627 | 2090 | Aug 15 2000 15:44:08
Vigilante Security Advisory - Watchguard Firebox authentication DoS vulnerability. Sending a malformed URL to TCP port 4100 causes Watchguard to shut down and require a reboot to restart. Fix available here. Homepage: http://www.vigilante.com. By Vigilante
lyris.3-4.txt | 769 | 721 | Aug 14 2000 22:22:23
Versions 3 and 4 of the Lyris List Manager allow any mailing list subscriber to gain access to the administrative interface of that list by changing a form before submitting it. Fix available here. By Adam Hupp courtesy of Bugtraq.
form-totaller.txt | 1195 | 1879 | Aug 14 2000 13:29:59
Form-Totaller version 1.0 (form-totaller.cgi) trusts user input for filenames, allowing a remote user to read any file on the webserver. By Signal 9
everythingform.txt | 1599 | 1850 | Aug 14 2000 13:25:42
The Everything Form (everythingform.cgi) contains remote vulnerabilities which allow any file on the system to be read. By Signal 9
wais.pl.advisory.txt | 926 | 13976 | Aug 14 2000 10:36:58
The wais.pl CGI written by Tony Sanders provides a means to access the waisq WAIS client via the webserver. Waisq contains buffer overflows allowing remote code execution which can be exploited via wais.pl. In addition, files owned by nobody on the webserver can be overwritten with arbitrary content. Includes exploit for Linux/x86. Homepage: http://www.synnergy.net. By Scrippie
wcGoph.c | 800 | 7419 | Aug 13 2000 17:04:33
Gopher+ v2.3.1p0 remote exploit - spawns a remote shell on TCP port 36864 under the UID that the gopher+ daemon runs as. Tested against Linux Slackware 3.6 / 7.0. By WC
ssexploit502x.pl | 1309 | 15331 | Aug 12 2000 17:29:18
Statistics Server 5.02x for Windows contains a buffer overflow caused by a long GET request. Includes a Perl exploit which spawns a winshell with system privileges on port 8008 on Statistics Server 5.02x/Win2k. Homepage: http://www.deepzone.org. By Nemo
statdx.c | 1230 | 19060 | Aug 12 2000 16:00:27
Redhat Linux rpc.statd remote buffer overflow exploit. Tested against Redhat 6.0, 6.1, and 6.2. By Ron1n
xgopher.c | 1073 | 7768 | Aug 12 2000 15:57:45
Gopher+ daemon v2.3 remote root buffer overflow exploit - tested against Slackware Linux 3.6 and 7.0. Adds a line to /etc/passwd. Homepage: http://www.fakehalo.org. By Vade79
hpux.ftpd.txt | 355 | 1080 | Aug 10 2000 15:59:15
HP-UX's ftpd contains a remotely exploitable format string vulnerability in the PASS command. Homepage: http://www.freebsd.lublin.pl. By Venglin
totalbill.c | 324 | 2742 | Aug 10 2000 15:40:07
Totalbill is a complete billing and provisioning system for ISPs which contains remote root vulnerabilities. By Brian Masney
word-access.txt | 1132 | 2984 | Aug 9 2000 16:23:51
Georgi Guninski security advisory #17 - MS Word and MS Access 2000 (with or without Service Release 1a) allow executing arbitrary programs if a Word document is opened. This may also be exploited by visiting a web page with IE or by opening/previewing an HTML email message with Outlook. In order for this to work, the user must be able to access an mdb file, which resides either on a UNC share or a local drive. This allows taking full control over the user's computer. Demonstration exploit available here or here. Homepage: http://www.nat.bg/~joro. By Georgi Guninski
robpoll-cgi-problem...> | 757 | 2266 | Aug 9 2000 14:31:28
Robpoll.cgi is a free CGI based admin program for Unix and NT which has remote vulnerabilities allowing remote users to execute any command on the remote system with the privileges of the web server. In addition, anyone can read any file on the remote system with the webserver UID. Homepage: http://www.hertmx.org. By Alt3kx
suidperlhack.pl | 1715 | 5797 | Aug 9 2000 01:18:25
suidperlhack.pl is a Suidperl v5.00503 and below local root exploit which has been ported to Perl to increase portability. Tested against BSD. Homepage: http://www.cs.uni-potsdam.de/homepages/students/linuxer. By Sebastian Krahmer
bohttpd.vulnerabilit..> | 798 | 1344 | Aug 8 2000 20:18:35
A vulnerability has been found in Dan Brumleve's Brown Orifice HTTPD (BOHTTPD), which is a web server and file sharing tool that runs as a Java applet in Netscape Navigator. By specifying "\.." in HTTP requests to the server, an attacker can navigate the server's file system and view/download any files. Homepage: http://www.etl.go.jp/~takagi. By Hiromitsu Takagi
xperl.sh | 2482 | 5756 | Aug 8 2000 17:19:43
Suidperl v5.00503 and below local root exploit which exploits an undocumented /bin/mail feature used when perl wants to notify root of inode race conditions. Tested on Redhat 6.x/7.0. Homepage: http://lcamtuf.na.export.pl. By Michal Zalewski
BOHTTPD-0.1.tar.gz | 615 | 17766 | Aug 8 2000 16:50:55
New bugs have been discovered in Netscape's implementation of Java which allow a remote site to read any file on the client machine and to set up a Java server which anyone can connect to. Brown Orifice HTTPD starts a Java server which allows others to read files on your machine. Demonstration available here. Homepage: http://www.brumleve.com/BrownOrifice/BOHTTPD.cgi. By Dan Brumleve
xitdos.c | 888 | 5547 | Aug 8 2000 16:05:50
Xitami Webserver v2.4d3 and below are vulnerable to a remote DoS attack. Sending malformed data to port 81 will cause the server to stop responding. Tested against Xitami on Win95/98/NT4.0. By Mozy
tin_bof.c | 1180 | 5033 | Aug 4 2000 18:41:05
Tin v1.4.3 local Linux/x86 buffer overflow exploit which spawns a gid=news shell if /usr/bin/tin is setgid. Homepage: http://www.fakehalo.org. By Vade79
servu25e.txt | 2330 | 1600 | Aug 3 2000 17:30:36
FTP Serv-U 2.5e for Windows will stack fault if sent a string containing a large number of null bytes. The system Serv-U is running on may become sluggish/unstable and eventually bluescreen. A valid user/pass combination is not required to take advantage of this vulnerability. Perl proof of concept exploit code included. Homepage: http://bluepanda.box.sk. By Blue Panda
012.txt | 1251 | 4572 | Aug 2 2000 12:44:15
Pgxconfig is a Raptor graphics card configuration tool for Solaris which has multiple local vulnerabilities. The environment is not sanitized and root privileges are not dropped, allowing commands to be run as root. Local root exploit included. Homepage: http://www.suid.kg. By Suid courtesy of Bugtraq
rpc.statd.x86.c | 2171 | 6169 | Aug 2 2000 12:07:47
Linux/x86 rpc.statd remote root exploit. By Doing courtesy of Bugtraq
ntop.advisory.txt | 925 | 1897 | Aug 2 2000 11:59:43
Ntop -w allows remote users who have permission to view traffic stats to view any file on the system as root. Homepage: http://www.hackerslab.org. By Dubhe courtesy of Bugtraq
FS-073100-10-BEA.txt | 693 | 5037 | Aug 2 2000 11:44:19
Foundstone Security Advisory FS-073100-10-BEA - It is possible to compile and execute any arbitrary file within the web document root directory of the WebLogic server as if it were a JSP/JHTML file, even if the file type is not .jsp or .jhtml. If applications residing on the WebLogic server write to files within the web document root directory, it is possible to insert executable code in the form of JSP or JHTML tags and have the code compiled and executed using WebLogic's handlers. This can potentially allow an attacker to gain administrative control of the underlying operating system. Homepage: http://www.foundstone.com/advisories.htm. By Shreeraj Shah