Packet Storm new exploits for April, 2001.
Novell Border Manager Enterprise Edition 3.5 remote denial of service attack. Sends 256+ SYNs to TCP port 353.
Andrisk Security Advisory 2# - Cerberus FTP Server 1.05 for Windows 9x/NT allows remote users without accounts to view any file on the server.
The Unix versions of the PerlCal CGI script have vulnerabilities which allow website visitors to view any file on the webserver. Exploit URL included.
Irix Netprint local root exploit. Exploits netprint's -n option. Tested on IRIX 6.2, but should work on other versions.
FTP Server v0.25 for Windows 9x/NT has a bug which allows remote users to download and view any file on the system.
Hylafax (/usr/libexec/fax/hfaxd) format string local root exploit. Tested on hylafax-4.0pl2-2.
IIS Unicode graphical exploit for Windows. This is an updated version of Unisploit1.0-FireLust which has more cool stuff.
Securax / Hexyn Security Advisory #19 - FTP Server Denial Of Service tested on Serv-U FTP Server, G6 FTP Server and WarFTPd Server. The servers will freeze for about one second, and the CPU usage will go through the roof. Includes perl exploit.
Securax / Hexyn Security Advisory #18 - Savant WWW Server is an HTTP server for Windows 9x/NT. A bug allows any user to change to any directory, and in most cases, execute MS-DOS commands.
Securax / Hexyn Security Advisory #17 - Bison FTP Server is an FTP server for Windows 9x/NT. A bug allows any user to change to any directory.
Securax / Hexyn Security Advisory #16 - G6 FTP Server is an FTP server for Windows 9x/NT. A bug allows any user to change to c:\ and its subdirectories.
Securax / Hexyn Security Advisory #15 - G6 FTP Server is a popular FTP server for Windows 9x/NT. A bug allows any user to change to the directory G6 was installed in. Due to good programming, the only way to exploit this bug is by viewing the full installation path. Downloading the user-file (Users.ini) is impossible.
TalkBack.cgi directory traversal remote exploit.
Cfingerd prior to v1.4.2 remote root format string exploit. Includes information on finding offsets. Tested against Debian cfingerd v1.3.2, 1.4.0, 1.4.1, and RedHat 7.0 cfingerd 1.3.2.
Unidebug is another exploit for the begging-to-get-patched IIS unicode bug. Takes advantage of the DOS/Win debug.exe to create binary files on the remote site.
Georgi Guninski security advisory #43, 2001 - It is possible to execute Active Scripting with the help of XML and XSL even if Active Scripting is disabled in all security zones. This is especially dangerous in email messages. Though this is not a typical exploit itself, it may be used in other exploits, especially in email. To use the demonstration, disable Active Scripting and click here. If you see any message box you are vulnerable.
Removing the SUID bit from xlock causes Enter to work as a password to unlock the screen for all users except root. With no SUID bit, xlock can no longer read /etc/shadow and creates a blank .xlockrc, which makes Enter a valid password.
Fancylogin 0.99.7 buffer overflow exploit. Fancylogin is usually not +s so this exploit isn't that dangerous. Tested on debian potato and kernel 2.2.18 and 2.2.19.
Security flaw in Linux 2.4 IPTables using FTP PORT - If an attacker can establish an FTP connection passing through a Linux 2.4.x IPTables firewall with the state options allowing "related" connections (almost 100% do), he can insert entries into the firewall's RELATED ruleset table allowing the FTP server to connect to any host and port protected by the firewall's rules, including the firewall itself. Advisory available here.
FreeBSD-4.2-Stable ftpd GLOB remote root exploit in perl. This version requires user access and a writable home directory without chroot.
Denial of Service in Microsoft ISA Server v1.0 - Microsoft ISA Server 1.0 on Windows 2000 Server SP1 is vulnerable to a simple network-based attack which stops all incoming and outgoing web traffic from passing through the firewall until the firewall is rebooted or the affected service is restarted. Exploit URLs included.
OpenBSD 2.x remote root GLOB exploit w/ chroot break. It is possible to exploit an anonymous ftp without write permission under certain circumstances. This is most likely to succeed if there is a single directory somewhere with more than 16 characters in its name. With write permissions, one could easily create such a directory.
Georgi Guninski security advisory #42, 2001 - By double-clicking in Windows Explorer or Internet Explorer on filenames with innocent extensions, the user may be tricked into executing arbitrary programs. If the file extension has a certain CLSID, Windows Explorer and IE do not show the CLSID, only the harmless-looking extension. Demonstration available here.
FreeBSD v4.2 ftpd remote root exploit. Uses a GLOB vulnerability. Requires an account on the machine. Compiles on FreeBSD, Linux, and Solaris. Includes information on finding offsets.