New exploits for October, 1999.
IE 5.0 cross-frame vulnerabilities are back again. Test page here.
Problem: The encryption algorithm used to save passwords to disk is weak and easily broken. Decryption program here.
Axent Raptor 6.0 'IP Options DOS'. Tested on Intel/*BSD systems. Exercises the IP options bug reported in Raptor 6.0; this bug is fixed by an official Axent patch, available here.
The WFTPD v2.34 and v2.40 server and earlier are vulnerable to a remotely exploitable buffer overflow. This can result in a denial of service and, at worst, in arbitrary code being executed on the system.
URL Live! 1.0 WebServer for Windows 95/98/NT, released by Pacific Software Publishing, Inc. (http://www.urllive.com/), also has a "../" (directory traversal) security problem: any user can download any file on the victim host.
Zeus is a high-performance webserver available from Zeus Technologies (www.zeus.co.uk). There is a myriad of problems that, when combined, could yield a remote root compromise.
Forged packets can be sent out from a Linux system, for example for NFS attacks or any other protocol relying on addresses for authentication, even when the outside interfaces are protected by firewalling rules. Most of the time, existing firewalling rules are bypassed. This requires at least a shell account on the system.
If you have installed Microsoft Office 2000 or keep current on your Windows Updates, you may have noticed a new WebFolders namespace in Windows Explorer. The fun part is that WebFolders have some significant weaknesses (inherited from FrontPage) and are such a new concept that it turns out they make a great entry point into a remote server.
Remote exploit for dopewars-1.4.4. Exploit works for servers as well as clients. Produces a shell.
The imagemap CGI distributed with OmniHTTPd 1.01 and Pro 2.04 has a buffer overflow bug; I coded an exploit which can execute any command on the victim host. The Shadow Penguin Security.
With FireWall-1 Version 4.0, Checkpoint introduced support for the Lightweight Directory Access Protocol (LDAP) for user authentication. It looks like there's a bug in Checkpoint's LDAP code which under certain circumstances can lead to unauthorized access to protected systems behind the firewall.
Red Hat 6.0 vulnerability in xmonisdn which allows reading of arbitrary files via core dumps. Exploit included.
Internet Explorer 5.0 under Windows 95 and WinNT 4.0 (Win98 is presumably vulnerable as well) allows reading local files and text/HTML files from any domain. Window spoofing is possible. It is also possible in some cases to read files behind a firewall. Example code here.
There might be a really nasty stack smash bug in linux-2.2.12 and 2.0.38. If I am reading this correctly, the implications of this bug could be very dire. It may be possible to easily obtain root privilege on any box running this kernel. Includes comments by Alan Cox.
A serious security hole has been found in the web configuration utility that comes with OpenLink 3.2. This hole will allow remote users to execute arbitrary code as the user id under which the web configurator is run (inherited from the request broker, oplrqb). The hole is a run-of-the-mill buffer overflow, due to a lack of parameter checking when strcpy() is used.
Any user may overwrite any file with group auth (e.g. /etc/shadow, /etc/passwd) using /etc/sysadm.d/bin/userOsa.
An overflow in /opt/K/SCO/Unix/5.0.5Eb/.softmgmt/var/usr/bin/cancel allows any user to gain lp privileges.
Windows 95 updated RDS exploit.
IE 5.0 vulnerability: reading local files (and files from any domain; window spoofing is probably possible) using IFRAME and document.execCommand. Includes exploit. Demonstration code here.
WinNT.Infis is an executable file with a .EXE extension that installs itself as a native Windows NT system driver. Alert from Finjan.
The NASHUATEC D445 printer is vulnerable to many attacks.
Sil of AntiOffline has discovered a disturbing bug in cans of Pepsi and Diet Pepsi. Apparently he has notified the vendors of this problem, yet they steadfastly refuse to release a patch. All known versions are affected. With Coke and Pepsi having most of the market share in cola drinks, surely this is another argument for more soft drink diversity!
Oracle installations with the 'Oracle Intelligent Agent' installed have a path-related vulnerability. The problem lies in the dbsnmp program located in $ORACLE_HOME/bin. This setuid root program calls a Tcl script (nmiconf.tcl) located by default in $ORACLE_HOME/network/agent/config. The problem is that dbsnmp relies on an environment variable (the path to nmiconf.tcl) which can be set by a user. Therefore, intruders can force the program to execute a trojaned version of nmiconf.tcl, which will run as root.
A vulnerability in Internet Explorer 5 that allows a malicious web site operator to read files on the computer of a person who visited the site.