Packet Storm new exploits for January, 2003.
05e9bf140090db0cdb886afeb952996de9fc46088acb9fcee3c4fd94972e4c8d
Cups v1.1.17 and below remote exploit which spawns a shell as lp. Modified version of the original sigcups.c exploit.
5a88fad62d69412d2762fa193f415a3d84cba3182a07cc0ff828178c6b46a28d
The at utility in Solaris has name handling and race condition vulnerabilities. Using the -r switch to remove a job allows an attacker to remove any file on the filesystem as root. Although at filters out absolute paths, a simple ../ directory traversal maneuver allows an attacker to remove files out of the allowed boundary.
a1784e9527e8a56be1b234c7034c3ab545ca36e2fe248fa59675016423982b32
PlatinumFTPserver, the server engine that runs as an application on Windows 9x and a service under NT/2K/XP, has a directory traversal vulnerability that allows remote attackers to enter directories that reside outside the bounding FTP root directory. Another vulnerability exists which allows an attacker to commit a DoS against the server. Version affected: 1.0.7. Version Unaffected: 1.0.8.
c7ace983a16f1593ea028a5dac902b90df0c5d6b3660d969f8a1ce3ae3aa446e
Hypermail 2, a popular tool that converts mails into HTML, has two buffer overflows. One exists in the hypermail program itself and another is in the CGI program mail. The buffer in the main program can be overflowed by sending an email, while the one in the CGI program can be overflowed by a DNS server populated with faulty information. Versions affected: 2.1.3, 2.1.4, 2.1.5, possibly others. 2.1.6 is not affected.
61a11ef37ef28b1b5d6f5cb454068252442924f04a265874f41380b4830f4637
ISC dhcpd v3.0.1rc8 and below remote root format string exploit. Tested against Debian 3.0, Mandrake 8.1, Red Hat 7.2, 7.3, and 8.0, and SuSE 7.3. Includes the option to check for vulnerability on any platform by crashing the service.
dc98b1acb4120f20825c608246e44cb64ff5010e26e9ed5cbf306e84e6158122
Middle2.c allows you to recover SMB passwords in clear text (from the network) when they should be encrypted. It performs a man-in-the-middle attack with complete traffic redirection, which does not need forwarding via a transparent proxy. Tested under Linux Debian 3.0.
18f22c6992e48334f8c4b0ca6be36741d629ca0678cb948420ade1db050b284e
Stunnel v3.15 - 3.21 remote format string exploit. Tested against Red Hat 7.2, 7.3, 8.0, Slackware 8.1, Debian GNU 3.0, and Mandrake 9.0. More information on the bug is available here.
532b98b86e389878816da8e1e91e5367bcb977b9463a85ff0fd56f7f70b0b4fd
PHP 3.0.16 and below remote format string exploit for Linux/x86. Gives a uid=nobody shell. File logging must be enabled for this exploit to work. Includes offset brute forcing and instructions for finding offsets.
f8889150d30826db631280ac6c92c44dad3ef711b843e0bf21d413cdc2f3a9ee
Tanne v0.6.17 remote root format string exploit for Linux/x86 which has been tested against Red Hat 6.1, 7.0, and 8.0. Tanne is a secure HTTP session management tool sometimes used in online banking.
da9f92a56a163886c4fa2c4713b9b1b4479b84cef14ca23a9215b34ebff7284f
S8forum GPG remote exploit in java which emulates a shell with the privileges of the web server.
6342a6fd1f38dcf1c43fb0d0655ae621b3266214cdc4e9874d5d0732191bf60b
Efstrip is an exploit for the efstool vulnerability. Unlike other exploits for this vulnerability, Efstrip is robust, doesn't need a wide range of attack options, and doesn't need brute forcing. It actually ./works.
a0fa492bfaf986c0a0bcba194d566ba90078b5c1cf124df1293a16b9fb3336b6
The S8forum v3.0 allows remote users to execute commands on the webserver. Exploit instructions and a patch are included.
30057e99c24735c79779fce73a458ca76ecbcde0426e92f90b9db9f2e1b9e561
Cups v1.1.17 and below remote exploit which spawns a shell as lp. Tested against Gentoo Linux with cups-1.1.17_pre20021025 installed.
fd6664e13f9fdddcf6bf6c5f5bab39ed00c719fa6c0d965f76c0958998152656
Mysqlsuite includes three tools which take advantage of the vulnerability in the check_scramble() function of MySQL described in mysql.4.0.5a.txt. Mysqlhack allows remote command execution with a valid MySQL user and pass. Mysqlgetusers allows you to do a dictionary login-only attack to find other users. Mysqlexploit spawns a shell on port 10000 on vulnerable Linux MySQL servers with a valid MySQL login and pass and a writable database. Fixed in MySQL v3.23.54.
5c2113bbb28fb3db28e5790a86c03b3c83871154d3a6e756b9d3bbcc18b27f48
Smart Search CGI remote exploit in perl which attempts to spawn netcat listening with a shell.
041548a5386dcb8a831010770b868c0816b690100bcfde2bdb33e64959bd23d6
Crashms exploits the microsoft-ds bug and crashes Windows machines via TCP port 445. Sends many 10k blocks of NULLs, causing blue screens on unpatched Windows 2000 boxes with microsoft-ds running on port 445.
76d264a71d11fe7e7cc4f6e42545ed890402ae980da59da4b8a1a8cce3ad3211