Georgi Guninski security advisory #48, 2001 - There is local root compromise in FreeBSD 4.3 due to design flaw which allows injecting signal handlers in other processes. Includes vvfreebsd.c, a local root exploit.
7713d19bc24aa7a9762066afdba62b29c53aa85272d88cc6bfb733c93872c401
Georgi Guninski security advisory #47, 2001 - OpenBSD 2.8 and 2.9 have a race condition in the kernel which leads to local root compromise. By forking a few process it is possible to attach to +s pid with ptrace. Includes vvopenbsd.c, a local root exploit.
4688ad1afc259ebe9475d2938db6a97bb4b7bba11539103d8d09c14ea9d0232d
Georgi Guninski security advisory #46, 2001 - There is a buffer overflow in SunOS 5.8 x86 with $HOME and /usr/bin/mail leading to egid=mail. Includes exploit.
e879b1c4adebb7537847ceb4679cff3cda7379230d9c135006e688aecdd1a01e
Georgi Guninski security advisory #43, 2001 - It is possible to execute Active Scripting with the help of XML and XSL even if Active Scripting is disabled in all security zones. This is especially dangerous in email messages. Though this is not typical exploit itself, it may be used in other exploits especially in email. To use the demonstration, disable Active Scripting and click here. If you see any message box you are vulnerable.
c7fe5497623b82391c2f6f8c4e0d6f0cddd8405282c73ba789be9d2a1a709bdc
Georgi Guninski security advisory #42, 2001 - By double clicking from Window Explorer or Internet Explorer on filenames with innocent extensions the user may be tricked to execute arbitrary programs. If the file extension has a certain CLSID, then Windows explorer and IE do not show the CLSID and only the harmless looking extension. Demonstration available here.
4343d6e471cf14bde5baebc0d0bf30f0bf01a8f1220ae414f85aef130a942a42
Georgi Guninski security advisory #40 - Security bugs in interactions between IE 5.x, IIS 5.0 and Exchange 2000. If a malicious web page is browsed with IE it is possible to list the directories of arbitrary IIS 5.0 servers to which the browsing user has access. Under certain circumstances it is also possible to read the user's email or folders if it is stored on an Exchange 2000 server with web storage (it uses IIS 5.0). It is also possible to create (or probably modify) files on the Exchange 2000 server with web storage. Example exploit included.
205a751214009b7efd4735ff3f131ee63a782759f29f253d522602889ff54916
IIS 5.0 / Windows 2000 WebDAV remote denial of service exploit - Sends a specially crafted request, as described in MS01-016.
025cc976603fe7243eaee030053fb6e90d63847d20684126b98f538d5ccadbca
Georgi Guninski security advisory #31 - There is a security vulnerability in Windows Media Player 7 exploitable thru IE which allows reading local files and executing arbitrary programs. The problem is the WMP ActiveX Control which allows launching javascript URLs in arbitrary already open frames. This allows taking over the frame's DOM. Includes exploit code. Demonstration available here.
11004b7cb48703aa71daec5f42163b6badbcc9bd0443de3f14cd799110e779d8
Georgi Guninski security advisory #27 - There is a security vulnerability in IE 5.x, Outlook, and Outlook Express which allows searching for files with specific name (wildcards are allowed) or content. Combined with other local file reading vulnerabilities this allows attackers to search for and retrieve any file on a users drive. The problem is the "ixsso.query" ActiveXObject which is used to query the Indexing service and surprisingly it is marked safe for scripting. Exploit code included, demonstration available here.
3742942ac9c34bf744dba44bf01b4e6299d39d0c180e6b80617ec20f063387b0
Georgi Guninski security advisory #26 - Using specially designed URLs, IIS 5.0 may return user specified content to the browser. This poses great security risk, especially if the browser is JavaScript enabled and the problem is greater in IE. By clicking on links, just visiting hostile web pages or opening HTML email the target IIS sever may return user defined malicous active content. This is a bug in IIS 5.0, but it affects end users and is exploited with a browser. A typical exploit scenario is stealing cookies which may contain sensitive information.
6b6ccfbe0c8d541e629a7ae9731b71c0ae8c45f405aa6e7a7b3f0a9674808daa
Georgi Guninski security advisory #24 - IE 5.5, Outlook, and Outlook Express has a serious security vulnerability which allows remote users to read local files, arbitrary URLs, and local directory structure after viewing a web page or reading HTML message. The problem is that you are allowed to specify an arbitrary codebase for an applet loaded from here.
4c84e6a9bab5f1f849dc508650403150f24b823501e7ecc02ccf5a7182a26dbc
Georgi Guninski security advisory #23 - Internet Explorer 5.5/Outlook allow executing arbitray programs after viewing web page or email message. This very serious vulnerability may easily lead to taking full control over user's computer. The problem is the com.ms.activeX.ActiveXComponent java object, which allows creating and scripting arbitrary ActiveX objects, including those not marked safe for scripting. Demonstration available here.
27e12e35034dfe08d65a2d1ce60a0c62b0edbb7d88eec3dfcb77203e10bad419
Georgi Guninski security advisory #18 - Two serious vulnerabilities have been found Microsoft products - Internet Explorer 5.5/5.x may execute arbitrary programs when visiting a web page, reading HTML based mail with Outlook, or simply browsing folders as web pages. In addition, the default installation of Windows 2000 allows Local Administrator compromise via opening local folders as web pages. In both cases a malicous person may take full control over user's computer / server. Includes proof of concept HTML code. Demonstration available here.
49fd86e3c8396e11f2d62291b0e07c00a9c7b972856156f9dac92627faf60f3b
Georgi Guninski security advisory #17 - MS Word and MS Access 2000 (with or without Service Release 1a) allow executing arbitrary programs if a Word document is opened. This may be exploited also by visiting a web page with IE or opening/previewing HTML email message with Outlook. In order this to work, the user must be able to access a mdb file, which resides either on an UNC share or a local drive. This allows taking full control over user's computer. Demonstration exploit available here.
89dfddff8833fb3dad88d40d972cfa0a68430d2b3ad384958e72e64fedda41e3
Excel 2000 serious vulnerability - Excel 2000/Windows 98 (other versions too) allows executing programs when opening an Excel Workbook (.xls file). This may be also be exploited thru IE or Outlook. This can easily lead to taking full control over user's computer. Demonstration available here.
00d755a71d377e63143d88bb87001c19403d83540df8f8eecd62246132cfe637
Georgi Guninski security advisory #14 - Internet Explorer 5.01 and Access 2000 allow executing programs when viewing a web page or HTML email message. This allows taking full control over user's computer. Access 2000 allows executing VBA code which has access to system resources and in particular executing files. Includes exploit code which silently opens and executes VBA code from Access 2000. Demonstration available here.
fe568442ae8f90da9486762f3cbbcbf6148ba69298f95dfc55f9dce550ddbebf
Georgi Guninski security advisory #13 - Internet Explorer 5.01, Excel 2000 and PowerPoint allow executing programs when viewing a web page or HTML email message via insecure ActiveX controls. This allows taking full control over user's computer. Demonstration available here.
f41e05939819ebcc5e580519c20fa7f242ed21f010334bb9e1e5c4204510a020
Georgi Guninski security advisory #12 - Internet Explorer 5.01 under Windows 98 (other versions are also vulnerable) allows circumventing "Cross frame security policy" by accessing the DOM of documents using JavaScript, IFRAME and WebBrowser control. This exposes the whole DOM of the target document and opens lots of security risks, such as reading local files, reading files from any host, window spoofing, getting cookies, etc. Exploit code included. Demonstration available here.
8aa57814b27a04133662e4ce2ca66e82e2d3cbb4f03b5ed71b69ebd2cf052c2c
Georgi Guninski security advisory #8 - There is a vulnerability in IE 5.x for Win95/WinNT (probably others) which allows executing arbitrary programs using .chm files. Microsoft Networking must be installed. Demonstration which starts wordpad here.
36cf5adf9fed04673b3b5f1b78c820e4d91c6d87aaadd7695c5310bb6022635e
Georgi Guninski security advisory #7 - There is a vulnerability in Wordpad which allows executing arbitrary programs without warning the user after activating an embedded or linked object. This may be also exploited in IE for Win9x. Demonstration which starts AUTOEXEC.BAT available here.
8c815d047dd5d9b4e8a06fecc24985c9005b8075decd685d753f14bceca1b2b7
Georgi Guninski security advisory #6 - Outlook Express 5.01 and Internet Explorer 5.01 under Windows 95 (others too) allow reading subsequently opened email messages after a hostile message is opened. Exploit code included. Workaround: Disable Active Scripting.
40e5fa882e4448e2504aa6f59add27ddb20730b6add122d795a838cfa1ea5033
Georgi Guninski security advisory #5 - Yet another Hotmail security hole. Hotmail allows executing JavaScript code in email messages using vascript, which may compromise user's Hotmail mailbox when viewed with Internet Explorer. Includes exploit code.
65fdac7706125ec8e60e80805e2a38b4ad6098e748b5365f66c120c827d08596
Internet Explorer 5.01 under Windows 95 and 5.5 under WinNT 4.0 (suppose other versions are also vulnerable) allows circumventing "Cross frame security policy" by accessing the DOM of "old" documents using IMG SRC="javascript:..." and a design flaw in IE. This exposes the whole DOM of the target document and opens lots of security risks. This allows reading local files, reading files from any host, window spoofing, getting cookies, etc. Demonstration available here.
08b65ae8aa1cc08a745f60c70d01fe3694092271137bffce73f1decd10d15396
Hotmail allows executing JavaScript code in email messages using "@import url(javascript:...)", which may compromise user's Hotmail mailbox when viewed with Internet Explorer. Includes exploit code.
87e9188eea6526dfe86fad7cdab334a6f17ec62990d027c1008bebab3e19f26b
Netscape under Windows 95 and NT 4.0 (suppose Win98 is vulnerable) allows reading local text and HTML files and files from any domain (probably reading files of other types of files is possible). Window spoofing is possible. It is also possible in some cases to read files behind fiewall. This vulnerability may be exploited using HTML email message or a newsgroup posting. Exploit code included. Demonstration here.
0a3d13522f593106bbaa7d375f521ad98569d9818af2bc967ab41e16e25de2b6