Packet Storm new exploits for July, 2001.
b4863126ff2fc2dfc583371bf0a760afd9759f3f9860f92371e5e1c697f2f552
The Windows 2000 telnetd service is vulnerable to a remote denial of service attack. The service crashes when scanned for the recent AYT telnetd vulnerability discovered by Scut. Includes SPtelnetAYT.c, a scanner for the AYT vulnerability in telnet daemons built upon the BSD source.
0ef77272ca00d7561e2ec1a992da524fa9ac1e25f7723de4dd30a596d8a408ce
/usr/bin/pileup local root exploit. Tested against Debian 2.2.
91ffd9b5c600d6641fc76b93d1585a6c5bdb92d4d9d1ce2ffd0e8c74e173e9b9
Squid can be used to port scan if set up as an httpd accelerator (reverse proxy). Tested on Redhat 7.0.
40e7bb73d56456e9d9dcc70a1024c98673b814cb113d372d8513594c244df0fb
Proof of concept denial of service for IBM DB2 (which runs under W98/NT/2000). Sending 1 byte to port 6789 or 6790 crashes IBM DB2, as described in ibm.db2.dos.txt.
44d64dfbdbb1557b294143c33f8c5588ad8abdebac45e6280e99353be9cf7797
Pic / LPRng format string remote exploit. Pic is part of the groff package. It is used by troff-to-ps.fpi as uid lp when perl, troff and LPRng are installed. Tested against Redhat 7.0 (groff-1.16-7).
7f88ccf027b5e0d7c51b9f01279051f34a9d4df2f8d1ae6ccce5a1fbec9db7ff
The Mambo Site Server v3.0.0 - 3.0.5 contains a vulnerability which allows users to gain administrative privileges by changing global variables via URL parsing.
130f26d521cff30052559a9d02cc0b8dd1f05866aefac6e2932959bd6a3d136d
Windows 2000 remote IIS .ida exploit - Spawns a shell on port 8008. Tested on Win2k with no service pack and SP2. Includes instructions on finding the offset.
a5c87b494e047e53be40395d92e556f28ceb11a767e48bdc5dfaeb792bf0cbf2
Attqt.pl is a tool for sending banned attachments through SMTP gateways by adding an invalid character to the filename. This is known to work on MailMarshall and TrendMicro Scanmail; others are probably vulnerable.
1a58cc9c0872e25c6653fb79721d64cc43fbadc32d4cce480e6cf5df091aa5b3
Briis-1.pl is a unicode / decode IIS attack tool which includes SSL support under Linux. Features many checks for CMD.EXE, caching of the found directory, SSL support with SSLeay (Unix), easy to use text file upload, an easy to use / encoding option, relative path name program execution, and virtual host support.
02d511ae9e47f8a3122d180ba75ec52c4603ad0f5b0dc7d8ad3579832c4c1fdc
Ktvision v0.1.1-271 and below symlink local root exploit. Tested against SuSE 7.1.
7484393e8ed414c9a92178e33e802ebab4f5ba09c299bb89762e99c3e225abf9
Tarantella 3.01 ttawebtop.cgi "show files" exploit. '..' and '/' are not filtered while processing user input, so it is possible to enter arbitrary values to retrieve files from the remote server which should not normally be accessible. Exploit URL included.
9d5f4ace0d04cf6c840c506cafe1e2d3223f2c0444093380f59b04e3a168c8d5
/usr/local/bin/filter local exploit. Gives GID=mail. More information available at http://www.tao.ca/fire/bos/0354.html. Tested against Slackware 3.1. Exploits the NLSPATH buffer overflow.
ba1c94f39c9843539d6330b83182ca2c4e79cc085b9114c402708728dea02aae
FreeBSD 3.1 - 4.3 local root exploit - Uses the signal condition vulnerability discovered by G. Guninski.
877ecb999c4cc6e021713bc69df6e18a70c93bcd73f813c5488ecc59bcd1edb6
qDefense Advisory Number QDAV-2001-7-3 - Interactive Story does not properly validate the contents of a hidden field entitled "next". Setting that field to the name of a file, and using double dots and poison nulls, an attacker can cause Interactive Story to display the contents of any file. Exploit URL included.
97e8dec2dd73cc70c28c0ffa336013bf512a8924ca83704f520ae24b059baa61
Sneaky2.sh is a swiss army knife for Hotmail/Messenger. Implements spoofing, brute force, misconception and unexpected input class attacks. Will spoof the Hotmail/Messenger server to recover the user's Hotmail password, crash the Messenger client, and remotely inject and execute a malicious exe on the victim host.
a20cd1bbf47e56f622a99907ad68665a56c73da31f4c7353938fa59ca1b6d1f4
Slackware 8.0 local root exploit - Creates a suid shell when "modprobe lp" is run from the startup scripts.
b8b095012e691aba701cd6577f74f4427437ebc53c5be9b4cc9758dc3d3cfeeb
Checkpoint Firewall-1's SecureRemote allows any IP to connect and download sensitive network information. This perl script gives a potential attacker a wealth of information including IP addresses, network masks (and even friendly descriptions).
e3619e7d295ef6e80dc77aada9c151eaf7aeff1c25021ef117f8331019de3414
Cfingerd v1.4.3 remote root exploit for Linux. Binds to port 113 and sends bogus ident information.
badd5107b708ecea2476eda90f2a5fe6efe2f9988539733c58710c082a2510d6
Qflood.c fills up a Quake server with spoofed "unconnected" clients, preventing other players from connecting to the server since the player limit fills up quickly. Additionally, if the server does not support multiple clients from the same IP address, it will disconnect legitimate players if the spoofed connection request matches that player.
95dc326a06fe3c681ddfaa0640318f142424dde88304e2016971c379de4e6763
Slackware 8.0 and below ships with /var/man/cat* chmodded 1777, making it vulnerable to symlink attacks. This exploit creates a suid shell with the UID of the user running man.
0fb25cf68a4fba71eceef2ca23db4efbe592af7e1416b2d13051e5e4b6990a46
Local root exploit for /usr/bin/ml85p, a suid binary which is vulnerable to a local symlink attack. It is included in Mandrake 8.0 by default.
7fc636ec99a7121c1576f6a3baa4cfa2f6d10bc5a5797fccdad14335a04ae46a
Xxman.sh is a local root exploit for an insecure system call in xman.
dd25b5e529ce5af581d7a7a71daf938f6d23f44ce00583eff27d6eb652b11730
Current versions of xdm are vulnerable to a trivial brute force attack if compiled with bad options, mainly without HasXdmXauth. Without this option, the cookie is generated from gettimeofday(2). If you know the starting time of the xdm login session, computing the cookie takes just a few seconds.
0231e769ce0cf64ff3d44ec208793b0c73a09fcdaf72f77222399557a47d9b35
Nerf Group Security Advisory #4 - Microsoft IIS 4 and 5 can be crashed remotely by reading device files (com1, com2, etc). Exploit URL included.
0f02809f7d12dc60415cd1b19bbc6cce5a88d1a6a9c0de0f91484303085ba0d6