Many devices come from the manufacturer configured with SNMP enabled and unlimited access with *write* privileges. This allows an attacker to modify routing tables, the status of network interfaces and other vital system data, and is extremely dangerous. To make things even worse, some devices report that write permission for a given community is disabled, yet you can still successfully write to it. This is a list of devices with default writable configurations.
Cross Site Scripting Summary - Malicious HTML tags (especially scripting tags) can be embedded in client web requests.
Checkpoint-1 and other firewall vulnerability - The low-down of it is fooling a firewall into opening "a TCP port of your choice" against an FTP server. Or, if you're running an evil FTP server, having it open ports against clients accessing the server.
Ignite-UX bug in HP-9000 Series700/800 running release HP-UX 11.X only. Each password field in /etc/passwd should be "*" in a trusted system. This is normally handled automatically. One way for the password field to be set to a blank is to create a system image of a trusted system with Ignite-UX and not save /etc/passwd.
When an NT 4.0 workstation or backup domain controller is joined to a domain, the trust account password is set to a well-known initial value. If you are concerned about internal network security, this is not really an acceptable risk.
Monty originally cobbled this together to keep the network admins he worked with from doing annoying things like keeping tftp daemons running on his Unix hosts for weeks on end. It's pretty handy for that too. May this script (grabrtrconf.sh) help make SNMP die the sad lonely death it deserves once and for all!
Red Hat Linux 6.0 ICMP DoS.
In some cases where a system must be configured so that specific users only have access to POP, FTP, or restricted shell, the addition of the SSH protocol server (sshd) may create a security hole allowing the user to make tcp connections appearing to be from root at the attacked host.
The Ultimate Bulletin Board has remote vulnerabilities; shell commands can be executed.
Remote CGI exploit - Attempts to exploit five common CGI bugs and retrieve /etc/passwd.
Linberto v1.0.2 (Q-Bert linux clone) can overwrite any file on the system, via insecure use of /tmp.
Proftpd (<= pre6) linux ppc remote exploit.
Linux x86 exploit for Qualcomm Popper 3.0b?? (the bug was fixed silently). Remote, but requires a username and password.
FireWall-1 FTP Server Vulnerability Background Paper #1 - The basic idea of the described attack is to subvert the security policy implemented by a stateful firewall. This is done by triggering the generation of a TCP packet that, when inspected by the firewall, changes the firewall's internal state such that an attacker is able to establish a TCP connection to a filtered port through the firewall. This packet is the server response to a PASV user request during an FTP session.
Active Server Pages (ASP) with runtime errors expose a security hole that publishes the full source code name to the caller. If these scripts are published on the internet before they are debugged by the programmer, the major search engines index them. These indexed ASP pages can then be located with a simple search. The search results publish the full path and file name for the ASP scripts. This URL can be viewed in a browser and may reveal full source code with details of business logic, database location and structure.
Cfingerd 1.3.3 (*BSD) local root buffer overflow exploit.
FreeBSD 3.4-STABLE /usr/bin/doscmd local exploit.
Crashes almost any Windows box on your local network. Compiles on Linux. Cycles through many different types of ICMP packets.
FreeBSD 3.3-RELEASE /sbin/umount local exploit.
It is possible to cause certain firewalls to open up any TCP port of your choice against FTP servers that are "protected" by those firewalls. This is done by fooling the FTP server into echoing "227 PASV" commands out through the firewall. Firewall-1 v3 and v4 are known to be affected.
Anywhere Mail Server Ver.3.1.3 for Windows contains a remote DoS vulnerability, via a long RETR string over port 110. Also, multiple connections will kill the sendmail server.
Kppp 1.6.14 has a vulnerability that allows a local user to display the saved PPP password.
InetServ 3.0 remote DoS exploit.
Bypassing authentication on Axis 700 Network Scanner - By modifying a URL, outsiders can access administrator URLs without entering a username and password. Tested on Axis 700 Network Scanner Server version 1.12.
The default configuration of SCO OpenServer 5.0.5 allows local users read/write access to SNMPD via a default writable community string. This configuration has been verified on SCO OpenServer 5.0.5 and may be present in earlier versions.