Packet Storm new exploits for November, 2003.
The RNN Guestbook version 1.2 has multiple vulnerabilities. They range from allowing a remote attacker to execute commands to the ability to achieve full administrative access without authentication. Full descriptions and exploitation enclosed.
Remote exploit that makes use of a SQL injection vulnerability that exists in the viewtopic.php file in phpBB version 2.06. Using a malformed query against the searching functionality, the MD5 password hash will be exposed. Related type of vulnerability here.
Bugtraq Security Systems Security Advisory - Multiple vulnerabilities have been discovered in the Applied Watch Command Center IDS. Two exploits have been released to demonstrate these flaws. The first, appliedsnatch.c, allows a remote attacker to add a user to the console without having to authenticate to the system. The second, addrule.c, allows a remote attacker to add custom IDS alerts to all sensor nodes in a network, enabling a human denial-of-service attack by making good packets look bad.
EPIC4 remote exploit that acts as an IRC server and makes use of a stack-based overflow in EPIC4 versions later than pre2.003. Upon success, this exploit yields a shell with the privileges of the user id connecting into the server.
My_eGallery versions below 3.1.1.g have PHP files which do not filter all parameters fed to functions, allowing a malicious attacker the ability to execute any command as the user id the webserver is running under. Vendor supplied patch available here.
CommerceSQL shopping cart allows remote file reading via a directory traversal vulnerability in its index.cgi.
The embedded webserver for the Thomson TCM315 cable modem is vulnerable to a buffer overflow during a typical GET method HTTP request.
Security Corporation Security Advisory [SCSA-021]: vBPortal versions 2.0 alpha 8.1 and below allow a remote attacker the ability to send mail anonymously via a vulnerability in its friend.php script.
webfs 1.7.x remote root exploit that binds a shell to port 26112 and makes use of a User-Agent buffer overflow.
A bug exists in MSN's Messenger client that allows a user's IP address to be exposed due to improper parsing of the Ip-Address field when parsing requests.
Remote exploit for mod_gzip when in debug mode for versions 1.2.26.1a and below. Yields user id of the webserver. Tested against RedHat 8.0 and FreeBSD 4.7.
OpenBSD v3.3 and below local root and v3.4 local denial of service exploit which uses a kernel-based stack overflow vulnerability in ICBS. Patch available for v3.3 here. Also works against OpenBSD v2.x.
IA WebMail Server v3.1 and below (iaregdll.dll version 1.0.0.5) remote exploit in perl. Tested against Windows XP Home SP1 and Windows 2000 Pro SP4. Included shellcode downloads netcat and spawns a shell.
Rolis Guestbook version 1.0 is susceptible to PHP injection and cross-site scripting attacks.
phpWebFileManager version 2.0.0 is susceptible to a directory traversal attack due to a lack of input validation.
NetServe version 1.0.7 suffers from a directory traversal vulnerability that allows a remote attacker to download any file outside of the webroot. Using this knowledge, a remote attacker can exploit this vulnerability to access the config.dat file that holds the login and password for the administrative account. Tested on Microsoft Windows XP and 2000.
pServ 2.0.x Beta webserver remote exploit that makes use of the User-Agent HTTP Header buffer overflow.
Frontpage Server Extensions remote exploit which creates a shell on tcp port 9999 and uses the bug described in MS03-051. Tested on Windows 2000 Professional SP3 English version, fp30reg.dll ver 4.0.2.5526. Bug discovered by Brett Moore.
Local root exploit for terminatorX version 3.81 and below that makes use of a LADSPA_PATH environment variable vulnerability.
0verkill version 0.16 local proof of concept exploit that makes use of a stack overflow when reading in the HOME environment variable.
UnAce version 2.20 local proof of concept exploit. Original vulnerability discovery made by MegaHz. Tested on Debian 3.0.
UnAce version 2.20 local proof of concept exploit. Original vulnerability discovery made by MegaHz. Bruteforcing option included.
Six-step cache attack for Internet Explorer v6sp1 (up to date on 10/30/2003) which combines several older unpatched and recently discovered vulnerabilities to execute code remotely by viewing a web page or HTML email. More information available here.
Remote denial of service exploit for MyServer 0.5. Malicious payload crashes the server giving a runtime error. Tested on Windows XP Pro SP1 and Windows 2000 SP3.