Packet Storm new exploits for July, 2001.
b4863126ff2fc2dfc583371bf0a760afd9759f3f9860f92371e5e1c697f2f552The Windows 2000 telnetd service is vulnerable to a remote denial of service attack. The service crashes when scanned for the recent AYT telnetd vulnerability discovered by Scut. Includes SPtelnetAYT.c, a scanner for the AYT vulnerability in telnet daemons build upon the BSD source.
0ef77272ca00d7561e2ec1a992da524fa9ac1e25f7723de4dd30a596d8a408ce/usr/bin/pileup local root exploit. Tested against Debian 2.2.
91ffd9b5c600d6641fc76b93d1585a6c5bdb92d4d9d1ce2ffd0e8c74e173e9b9Squid can be used to port scan if set up as a httpd accelerator (reverse proxy). Tested on Redhat 7.0.
40e7bb73d56456e9d9dcc70a1024c98673b814cb113d372d8513594c244df0fbIBM DB2 (which works under W98/NT/2000) Proof of concept Denial of Service. Sending 1 byte to port 6789 or 6790 IBM DB2 crashes, as described in ibm.db2.dos.txt.
44d64dfbdbb1557b294143c33f8c5588ad8abdebac45e6280e99353be9cf7797Pic / LPRng format string remote exploit. Pic is part of the groff package. It is used by troff-to-ps.fpi as uid lp when perl, troff and LPRng are installed. Tested against Redhat 7.0 (groff-1.16-7).
7f88ccf027b5e0d7c51b9f01279051f34a9d4df2f8d1ae6ccce5a1fbec9db7ffThe Mambo Site Server v3.0.0 - 3.0.5 contains a vulnerability which allows users to gain administrative privileges by changing global variables via URL parsing.
130f26d521cff30052559a9d02cc0b8dd1f05866aefac6e2932959bd6a3d136dWindows 2000 remote IIS .ida exploit - Spawns a shell on port 8008. Tested on Win2k with no service pack and SP2. Includes instructions on finding the offset.
a5c87b494e047e53be40395d92e556f28ceb11a767e48bdc5dfaeb792bf0cbf2Attqt.pl is a tool for sending banned attachments through SMTP gateways by adding an invalid character to the filename. This is known to work on MailMarshall and TrendMicro Scanmail, others are probably vulnerable.
1a58cc9c0872e25c6653fb79721d64cc43fbadc32d4cce480e6cf5df091aa5b3Briis-1.pl is a unicode / decode IIS attack tool which includes SSL support under Linux. Features many checks for CMD.EXE, Caches the found directory, SSL support with SSLeay (Unix), Easy to use text file upload, Easy to use / encoding option, Relative path name program execution, and Virtual host support. More info available here.
02d511ae9e47f8a3122d180ba75ec52c4603ad0f5b0dc7d8ad3579832c4c1fdcKtvision v0.1.1-271 and below symlink local root exploit. Tested against SuSE 7.1.
7484393e8ed414c9a92178e33e802ebab4f5ba09c299bb89762e99c3e225abf9Tarantella 3.01 ttawebtop.cgi "show files" exploit. '..' and '/' are not filtered while processing user input, so it is possible to enter arbitrary values to retrieve files from remote sever, which should not be accessible normally. Exploit URL included.
9d5f4ace0d04cf6c840c506cafe1e2d3223f2c0444093380f59b04e3a168c8d5/usr/local/bin/filter local exploit. Gives GID=mail. More information available <a href="http://www.tao.ca/fire/bos/0354.html"here.</a> Tested against Slackware 3.1. Exploits the nlspath buffer overflow.
ba1c94f39c9843539d6330b83182ca2c4e79cc085b9114c402708728dea02aaeFreeBSD 3.1 - 4.3 local root exploit - Uses the signal condition vulnerability discovered by G. Guninski.
877ecb999c4cc6e021713bc69df6e18a70c93bcd73f813c5488ecc59bcd1edb6qDefense Advisory Number QDAV-2001-7-3 - Interactive Story does not properly validate the contents of a hidden field entitled "next". Setting that field to the name of a file, and using double dots and poison nulls, an attacker can cause Interactive Story to display the contents of any file. Exploit URL included.
97e8dec2dd73cc70c28c0ffa336013bf512a8924ca83704f520ae24b059baa61Sneaky2.sh is a swiss army knife for Hotmail/Messenger. Implements Spoofing/brute force/misconception/unexpected input Class Attacks. Will spoof Hotmail/messenger server to recover user hotmail/password, crash messenger client, remotely inject and execute malicious exe on the victim host.
a20cd1bbf47e56f622a99907ad68665a56c73da31f4c7353938fa59ca1b6d1f4Slackware 8.0 local root exploit - Creates a suid shell when "modprobe lp" is run from the startup scripts.
b8b095012e691aba701cd6577f74f4427437ebc53c5be9b4cc9758dc3d3cfeebCheckpoint Firewall-1's SecureRemote allows any IP to connect and download sensitive network information. This perl script gives a potential attacker a wealth of information including ip addresses, network masks (and even friendly descriptions).
e3619e7d295ef6e80dc77aada9c151eaf7aeff1c25021ef117f8331019de3414Cfingerd v1.4.3 remote root exploit for Linux. Binds to port 113 and sends bogus ident information.
badd5107b708ecea2476eda90f2a5fe6efe2f9988539733c58710c082a2510d6Qflood.c fills up a Quake server with spoofed "unconnected" clients, disallowing other players the ability to connect to the server since the player limit fills up quickly. Additionally, if the server does not support multiple clients from the same IP address, it will disconnect legitimate players if the spoofed connection request matches that player.
95dc326a06fe3c681ddfaa0640318f142424dde88304e2016971c379de4e6763Slackware 8.0 and below ships with /var/man/cat* chmodded 1777, making it vulnerable to symlink attacks. This exploit creates a suid shell with the UID of the user running man.
0fb25cf68a4fba71eceef2ca23db4efbe592af7e1416b2d13051e5e4b6990a46Local root exploit for /usr/bin/ml85p, a suid binary which is vulnerable to a local symlink attack. It is included in Mandrake 8.0 by default.
7fc636ec99a7121c1576f6a3baa4cfa2f6d10bc5a5797fccdad14335a04ae46aXxman.sh is a local root exploit for an insecure system call in xman.
dd25b5e529ce5af581d7a7a71daf938f6d23f44ce00583eff27d6eb652b11730Current versions of xdm are sensitive to trivial brute force attack if it is compiled with bad options, mainly HasXdmXauth. Without this option, cookie is generated from gettimeofday(2). If you know starting time of xdm login session, computation of the cookie just takes a few seconds.
0231e769ce0cf64ff3d44ec208793b0c73a09fcdaf72f77222399557a47d9b35Nerf Group Security Advisory #4 - Microsoft IIS 4 and 5 can be crashed remotely by reading device files (com1, com2, etc). Exploit URL included.
0f02809f7d12dc60415cd1b19bbc6cce5a88d1a6a9c0de0f91484303085ba0d6
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed