Many devices come from the manufacturer configured with snmp enabled and unlimited access with *write* privledges. It allows attacker to modify routing tables, status of network interfaces and other vital system data, and seems to be extermely dangerous. To make things even worse, some devices seems to tell that write permission for given community is disabled, but you can still successfully write to it. This is a list of devices with default writable configurations.
64b8dfa2a60e46777335afd3866fb129ffab8f3f3c77ea49b736b92fb1b23445Cross Site Scripting Summary - Malicious HTML tags (especially scripting tags) can be embedded in client web requests.
9c3ae91b3585c42ccfc911b0c21507edb3a0aa2e02019c97dbcf50880d0da02bCheckpoint-1 and other firewall vulnerability - The low-down of it is fooling a firewall into opening "a TCP port of your choice" against an FTP server. Or, if you're running an evil FTP server, having it open ports against clients accessing the server.
d3c08340f210729ab1830b529790957de036e964233c20d7dcad334c181bc68aIgnite-UX bug in HP-9000 Series700/800 running release HP-UX 11.X only. Each password field in /etc/passwd should be "*" in a trusted system. This is normally handled automatically. One way for the password field to be set to a blank is to create a system image of a trusted system with Ignite-UX and not save /etc/passwd.
b11a24cc1c75ed0842663732f1a37175e911393590dd0651271d4b3a4c315e19When an NT 4.0 workstation or backup domain controller is joined to a domain, the trust account password is set to a well-known initial value. If you are concerned about internal network security, this is not really an acceptable risk.
68323e351a6c2397613bb4b0fc46638389b1e97ca43f93e696395cce94ef330eMonty originally cobbled this together to keep the network admins he worked with from doing annoying things like keeping tftp daemons running on his Unix hosts for weeks on end. Its pretty handy for that too. May this script (grabrtrconf.sh) help make SNMP die the sad lonely death it deserves once and for all!
b10303fcc51c90a6d201075efe4f67a027ca4794f56d6e741bb7f4b814941a74Redhat Linux 6.0 icmp DOS.
40490f52e3fd9e97c44df5798ad0375e29f6b3330a93280dbbf11fb22b08588cIn some cases where a system must be configured so that specific users only have access to POP, FTP, or restricted shell, the addition of the SSH protocol server (sshd) may create a security hole allowing the user to make tcp connections appearing to be from root at the attacked host.
b2f8217f0471c597f8b0ac1f18a5b0315b75631438e85a978bfca358a4096d15The Ultimate Bulletin Board has remote vulnerabilities, shell commands can be executed.
6f14b2a46264398f2e18dc20d896d923f9f645d34bc82fc9b8747296efba605bRemote CGI exploit - Attempts to exploit five common CGI bugs and retrieve /etc/passwd.
05e74e98183b7cb1bbc6794eb099c849d9fdaff69f95e8b0149838f908faeb88Linberto v1.0.2 (Q-Bert linux clone) can overwrite any file on the system, via insecure use of /tmp.
6c7927b9fd086ea0c82ab43be5519e598d06858818773d8713d6cdf708f9508aProftpd (<= pre6) linux ppc remote exploit.
6794b66bd9b67beb831092c9ee6bb6d6a88f66d33536244eea1007cad32cadbaLinux x86 exploit for Qualcomm Popper 3.0b?? (was fixed silently) Remote, but requires username / password.
ee5bf46e3b23428524f1537aa6b73d69ca254a1b739cf8bccec5390219672ff9FireWall-1 FTP Server Vulnerability Background Paper #1 - The basic idea of the described attack is to subvert the security policy implemented by a stateful firewall. This is done by triggering the generation of a TCP packet that, when inspected by the firewall, will change the firewall's internal state such that an attacker is able to establish a TCP connection to a filtered port through the firewall. This packet is the server response to a PASV user request during a FTP session.
fcb6f48f31d6598b702db1e3ab3a2478a63a0a80c8c9de809337c6e185b65a4aActive server pages (ASP) with runtime errors expose a security hole that publishes the full source code name to the caller. If these scripts are published on the internet before they are debugged by the programmer, the major search engines index them. These indexed ASP pages can be then located with a simple search. The search results publish the full path and file name for the ASP scripts. This URL can be viewed in a browser and may reveal full source code with details of business logic, database location and structure.
8df08f77a97c4061a43c01be319e5ef4511a09240fd42e5c021cd65c36a798afCfingerd 1.3.3 (*BSD) local root buffer overflow exploit.
5097329aa98ef60c423e4f68641079c5f39fc54d6c9cb6c8ce27b39693f13f56FreeBSD 3.4-STABLE /usr/bin/doscmd local exploit.
240aafd27efd7ec32f33b54c6a35ce6df301d9a00e9f637b34305726c91908baCrashes almost any Windows box on your local network. Compiles on linux. Cycles through many different types of ICMP packets.
2575111d1cf5e36392a4463a57706b1b04889b8ee26fbe68c73a9d0a0787c259FreeBSD 3.3-RELEASE /sbin/umount local exploit.
05c1e68a23b63191f9b39ac50e86987af8789d42d2f9bc5feda53505bfd8947eIt is possible to cause certain firewalls to open up any TCP port of your choice against FTP servers that are "protected" by those firewalls. This is done by fooling the FTP server into echoing "227 PASV" commands out through the firewall. Firewall-1 v3 and v4 are known to be affected.
02813345d04b4c54a9270f3a6f8c304ab46a80dcf60f14aab96e9458dbf927ddAnywhere Mail Server Ver.3.1.3 for Windows contains a remote DoS vulnerability, via a long RETR string over port 110. Also multiple connections will kill the sendmail server.
898ce037d5ae22060272023db6f516430cb43637744b94e23045e20f85dc5447Kppp 1.6.14 has a vulnerability that allows a local user to display the saved PPP password.
8d19332151732e5697e7f7163003d6acf0c93e1dbfc58fe97ed5779abc51b4cbInetServ 3.0 remote DoS exploit.
745955650f792ca0b47cdd962de7a7acf7142588a0956916494311e2965dafa0Bypassing authentication on Axis 700 Network Scanner - By modifying an URL, outsiders can access administrator URLs without entering username and password. Tested on Axis 700 Network Scanner Server version 1.12.
62be7cce360cae03aa7cf171c9411f06a344a3d1ae4af8abcb8218e26c1b8673The default configuration of SCO OpenServer 5.0.5 allows local users read/write access to SNMPD via a default writable community string. This configuration has been verified on SCO OpenServer 5.0.5 and may be present in earlier versions.
3c82f312504d022a8c22babfcbc6580fa23cc95dd9cd9e92a5e994687ae533a7
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed