Packet Storm new exploits for February, 2003.
56b6ce1737cf291ed367043a6093f98c942e2ffafe4f83b8be26a04711cc0ad8
Local root exploit for slocate on Linux-Sparc.
4120fc3b286e38064f2f473b07a64a039c06d26733b33dc3ed74f8aa307fa14c
Yabase v1.5.0 remote exploit which spawns a bash shell running as the Apache uid.
58656cc32a0af4370be32b024340a8b698195d4cb03ac29dfab328c01e3fb61e
Moxftp v2.2 and below contains buffer overflow vulnerabilities which allow remote code execution. Includes exploit code which sends a shell.
54be2adad039f538737f860941fe34b2b93d3ad224244b1cd758a91759d8f841
HPUX local buffer overflow exploit for stmkfont which attempts to spawn a gid=bin shell. Tested on HPUX B11.11.
cb3cda59c47ee977fe8004ec47bb58b34e2ca538f7e6f2573d4b7e8b6ebd05b3
Cpanel 5 and below remote exploit which allows users to view any file or execute remote commands due to an insecure open call in guestbook.cgi. Local root vulnerabilities also exist.
872dc79f37bab68ceed000840eafddb4a2ece4fdb910242de487ea4a95d25073
Nethack v3.4.0 local buffer overflow exploit which spawns a shell as uid=games. Runs /usr/games/lib/nethackdir/nethack.
d36c9676766104ed6f0e30024d355ec827f58589e60d86e963361827c6ef5db0
Cpanel + Openwebmail local root exploit in perl which affects Cpanel 5 and below. Attempts to copy a suid root zsh into /tmp by exploiting /usr/local/cpanel/base/openwebmail/oom.
b8529d38cfef755d74cff0d812d2ae5a837fb4a77d433c676607eab5980c5ef1
Parameter validation bugs exist in Emumail v5.x which allow remote denial of service and allow remote users to view any account history.
cec95ac394f94a6a107b3b73afcbbd0745d9caee836bd489e7c7cee5e292d689
BisonFTP v4.r2 remote denial of service exploit in perl. Tested against Windows 98.
97d8de62192a0625ac18734043ac9b63b6773448e623ae0e3bef47baf8a7cf53
Efstool local root exploit for Red Hat. Requires efstool to be +s for root exploitation. Useful for breaking out of restricted shells. Tested on Red Hat 7.1, 7.2, and 7.3.
56fbeadf6c3197a29e31b79d12722accbedb224cb521f2116eb46f376cf8854d
Chat local root exploit for Red Hat. Requires chat to be +s for root exploitation. Useful for breaking out of restricted shells. Tested on Red Hat 7.1, 7.2, and 7.3.
a38709858c17621a4940bea65d88f2f573fdcbf9e2cf26ccd0d9873946196a70
/usr/sbin/pwck local root exploit for Linux. Affects only a +s pwck; note, though, that it is a good way to break free from restricted shells, even to the same UID. Tested on Red Hat 7.1, 7.2, and 7.3.
b75ad70961e03feeb4b123acf7bf9b70259f02d79f6d5b5aa604e838ec59e647
Absolute Telnet v2.00 buffer overflow exploit in perl. Creates a fake server for the client to connect to, and sends an overflow string once it connects. Tested against Windows XP, based on an advisory by kain@ircop.dk.
af8d5ae98253a8deeb5f462c4c4313d439dc7c3a4d6ee776926612f86b27c414
Yabase v1.5.0 and below remote scanner / exploit tool which takes advantage of a bug in an include named Packages.php.
c4f2966de2f40c8fd232eab6f99e412b3fbb10932ea8de84a7fcfcf3f680f25d
Remote root exploit for Realserver 8 on several Windows platforms.
90292d4e257cdbfdf377651683c109aa8ae179a5a90d51aef9d7f78c2125337f
A specially constructed Java Applet crashes Opera versions 6.05 and 7.01. Opera's own class files in the opera.jar library are susceptible to a buffer overrun which causes a JVM crash and then crashes Opera.
348fa9d0eb2e4f65de49b13f851cd88cba36942bf730efaae4b722eecbce6fa8
Local Exploit for a buffer overflow in /usr/ports/games/nethack32 which gives a privilege escalation to group id games.
abb5288b7bfd7cc323676bad19715c4a998d3dc8a42907c4990dee00d5bc2822
Solaris "at -r" tmp race condition exploit which allows users to remove any file on the system.
0e4eab68b09f0e8fa8ff07d18d3403760f7028cb038b1899882f303593f7e53a
Both the 32 FTP Client version p9.49.01 and ByteCatcher FTP Client V1.04b are susceptible to being crashed due to a large banner. Arbitrary code execution against the client may be possible.
dbd4fb324ffcac9ecb0d8c4f98982a0eb9e3c1f0b1ca20e8533d6773e2440c31
Majordomo, the popular mailing list utility, defaults which_access to open in its configuration file. With this de facto setting, the list of email addresses subscribed to a mailing list can be obtained by sending the command which @. Patch included.
8efeb015e6583cfd9603c53d758fcd752e89c4d7096f788f8d997d1a1b2f0abe