Razor / Bindview Advisory - The Microsoft Windows 2000 telnet server mishandles the size check on its login buffer. The flaw is reachable only when the telnet service is running and plain-text logins are allowed: once the buffer already holds 4300 characters, the range check on the username length no longer takes effect. Perl exploit included.
be12ffcb3f00a8aa6f4162cd3e7951feb76a5d093a8d28f0c9847b0b212e51c2
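The failure pattern the advisory describes (a length check that stops protecting the buffer once data is already in it) is the classic mistake of checking the incoming chunk against the whole buffer size instead of against the space that remains. The C program below is an added illustration of that pattern, not code from the Windows 2000 telnet service, whose source is not available; the 64-byte buffer, the canary word behind it and the chunk sizes are assumptions chosen to make the effect visible.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for the demonstration; the real server's buffer layout is
 * not known from the advisory. The first USER_MAX bytes of storage hold the
 * username being assembled, the four bytes after it are a canary standing in
 * for whatever the real daemon keeps behind its buffer. STORAGE_SIZE leaves
 * enough slack that two maximal chunks stay inside one object, so the demo
 * itself has defined behaviour. */
#define USER_MAX      64
#define STORAGE_SIZE  (USER_MAX * 2)
#define CANARY_MAGIC  0xDEADBEEFu

struct login_buf {
    unsigned char storage[STORAGE_SIZE];
    size_t used;                  /* bytes of username received so far */
};

void login_init(struct login_buf *b)
{
    uint32_t c = CANARY_MAGIC;
    memset(b->storage, 0, sizeof b->storage);
    memcpy(b->storage + USER_MAX, &c, sizeof c);
    b->used = 0;
}

/* Is the word just past the username buffer still what login_init() put there? */
int canary_intact(const struct login_buf *b)
{
    uint32_t c;
    memcpy(&c, b->storage + USER_MAX, sizeof c);
    return c == CANARY_MAGIC;
}

/* Vulnerable pattern: the range check looks only at the chunk that just
 * arrived, never at how much is already in the buffer. Each chunk passes on
 * its own and the second one runs past the end. */
int append_vuln(struct login_buf *b, const unsigned char *data, size_t len)
{
    if (len >= USER_MAX)
        return -1;                /* the only check that is made */
    memcpy(b->storage + b->used, data, len);
    b->used += len;
    return 0;
}

/* Hardened: bound the write by the space that remains. */
int append_fixed(struct login_buf *b, const unsigned char *data, size_t len)
{
    if (b->used >= USER_MAX || len > USER_MAX - b->used)
        return -1;
    memcpy(b->storage + b->used, data, len);
    b->used += len;
    return 0;
}

/* Feed both versions the same two chunks: one that nearly fills the buffer,
 * then one that would be fine on its own. Returns 1 when the second chunk is
 * accepted and the canary gets overwritten. */
int demo_vulnerable(void)
{
    struct login_buf b;
    unsigned char chunk[USER_MAX];
    memset(chunk, 'A', sizeof chunk);
    login_init(&b);
    if (append_vuln(&b, chunk, USER_MAX - 4) != 0)
        return 0;
    if (append_vuln(&b, chunk, 20) != 0)
        return 0;
    return !canary_intact(&b);
}

/* Same two chunks through the hardened version. Returns 1 when the second
 * chunk is rejected and the canary survives. */
int demo_fixed(void)
{
    struct login_buf b;
    unsigned char chunk[USER_MAX];
    memset(chunk, 'A', sizeof chunk);
    login_init(&b);
    if (append_fixed(&b, chunk, USER_MAX - 4) != 0)
        return 0;
    if (append_fixed(&b, chunk, 20) != -1)
        return 0;
    return canary_intact(&b);
}

int main(void)
{
    printf("vulnerable append smashed canary: %s\n", demo_vulnerable() ? "yes" : "no");
    printf("fixed append kept canary intact:  %s\n", demo_fixed() ? "yes" : "no");
    return 0;
}
```

The point to take from the two append functions is that the correct bound is a property of the buffer's current state, not of the request: any check that can be written without reading `used` is suspect.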
Razor Bindview Advisory - A remote root vulnerability exists in the CRC32 compensation attack detector (deattack.c) of most SSH daemon implementations (F-Secure SSH, OpenSSH, SSH from ssh.com, OSSH). The table-size computation in detect_attack() stores a 32-bit value in a 16-bit unsigned variable; the resulting integer overflow leads to a table index overflow, which effectively allows an attacker to overwrite arbitrary portions of the daemon's memory. The affected code runs with uid 0, so this can be leveraged into general root access on the system. Fixed in OpenSSH 2.3.0, ossh-1.5.8 and SSH 2.4.0.
72f0b876373954999b3e48c286d832d9874353833141a0ee8db15f4cd9b2c873
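To see why a 16-bit counter breaks the detector, it helps to replay the table-sizing arithmetic from detect_attack() for a large packet. The program below is an added example, not the deattack.c source itself: it reproduces the constants and the quadrupling loop the advisory refers to, once with the counter as a 16-bit variable and once as 32-bit, and reports how many slots the daemon believes it has, how many bytes it allocates, and the mask it uses to pick a slot. The packet lengths used are constructed inputs.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants as used by the ssh1 crc32 compensation attack detector. */
#define SSH_BLOCKSIZE    8
#define HASH_MINSIZE     (8 * 1024)
#define HASH_ENTRYSIZE   2
#define HASH_FACTOR(x)   ((x) * 3 / 2)

struct hash_plan {
    uint32_t entries;      /* slots the daemon thinks the table has */
    uint32_t alloc_bytes;  /* what it hands to xmalloc()/xrealloc() */
    uint32_t index_mask;   /* AND-ed with each block's hash to pick a slot */
};

/* The detector grows the table by quadrupling l until it covers
 * 1.5 times the number of cipher blocks in the packet. */
static uint32_t grow_table(uint32_t start, uint32_t len)
{
    uint32_t l;
    for (l = start; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l <<= 2)
        ;
    return l;
}

/* Vulnerable: the slot count n lives in a 16-bit unsigned variable. */
struct hash_plan plan_u16(uint32_t len)
{
    uint16_t n = HASH_MINSIZE / HASH_ENTRYSIZE;     /* 4096 */
    uint32_t l = grow_table(n, len);
    struct hash_plan p;
    if (l > n)
        n = (uint16_t)l;                            /* 65536 truncates to 0 */
    p.entries     = n;
    p.alloc_bytes = (uint32_t)n * HASH_ENTRYSIZE;   /* 0 bytes for n == 0 */
    p.index_mask  = (uint32_t)(n - 1);              /* 0 - 1 -> 0xFFFFFFFF */
    return p;
}

/* Fixed: n is 32 bits wide, so the mask keeps tracking the allocation. */
struct hash_plan plan_u32(uint32_t len)
{
    uint32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
    uint32_t l = grow_table(n, len);
    struct hash_plan p;
    if (l > n)
        n = l;
    p.entries     = n;
    p.alloc_bytes = n * HASH_ENTRYSIZE;
    p.index_mask  = n - 1;
    return p;
}

/* Does the slot chosen for a given block hash land inside the table? */
int slot_in_bounds(struct hash_plan p, uint32_t block_hash)
{
    return (block_hash & p.index_mask) < p.entries;
}

static void show(const char *label, struct hash_plan p)
{
    printf("%-8s entries=%-6u alloc=%-7u mask=0x%08x\n",
           label, p.entries, p.alloc_bytes, p.index_mask);
}

int main(void)
{
    /* constructed packet lengths: a normal one and one above ~87 KB,
     * which is where the quadrupling loop first reaches 65536 */
    uint32_t lens[] = { 1024, 100000 };
    size_t i;
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("packet length %u\n", lens[i]);
        show("  u16:", plan_u16(lens[i]));
        show("  u32:", plan_u32(lens[i]));
    }
    return 0;
}
```

For the 100000-byte packet the 16-bit build ends up with a zero-byte table and a mask of all ones, so every block hash indexes memory far outside the allocation; the 32-bit build gets 65536 slots and a mask of 0xFFFF. Note that the truncation happens at the first length where the loop reaches 65536 entries, a packet the attacker controls, which is why the bug is remotely triggerable.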
Netsed v0.01b brings sed functionality to the network layer: it rewrites the contents of packets passing through your network on the fly and completely transparently. It supports basic expressions and dynamic filtering, and works together with ipfwadm/ipchains transparent proxy rules to select specific packets.
a04f6b235d787b1efd96ecdb398e6c8456301dbf965840e6fcbad36c68372dce
Vixie crontab local root exploit - an insecure fopen() call in Paul Vixie's crontab is exploitable on systems where /var/spool/cron is user-readable, such as Red Hat 6.1.
ab44f3d242c7a1c5af9df46eb9bdc3905efc1ef485b1406235d10775c03e5ede
When files are copied from a remote machine with scp, a modified scp on the remote side can overwrite arbitrary files on the client. scp from ssh-1.2.30 and earlier is vulnerable. Proof-of-concept scp replacement included.
c83fdb97397307f495d1cef7e5ab8dc8f8740692dccebe8deaaee85d3f5a2fe1
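The attack works because the receiving scp trusts the file name the remote side announces before each file. In the scp wire protocol the sender announces a file with a record of the form `Cmmmm size name`, and a client that uses that name unchecked will happily write to `../../.ssh/authorized_keys`. The parser below is an added example, not the scp source: it reads a `C` record and applies the kind of receive-side check later scp versions added, rejecting any name that contains a slash or is `.` or `..`. Only `C` records are handled; the `D`, `E` and `T` records of the real protocol are out of scope here, and the sample records are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum scp_verdict { SCP_OK = 0, SCP_BAD_RECORD = 1, SCP_BAD_NAME = 2 };

struct scp_file {
    unsigned mode;            /* permission bits, octal in the record */
    unsigned long long size;  /* number of data bytes that follow */
    char name[256];           /* what the remote wants the local file called */
};

/* Parse one "Cmmmm size name\n" record. Only the name decides where the
 * client writes, so it is the field that must be validated. */
enum scp_verdict parse_c_record(const char *rec, struct scp_file *out)
{
    const char *p = rec;
    char *end;
    size_t n;

    if (*p != 'C')
        return SCP_BAD_RECORD;
    p++;

    /* mode: exactly four octal digits followed by a space */
    if (strspn(p, "01234567") != 4 || p[4] != ' ')
        return SCP_BAD_RECORD;
    out->mode = (unsigned)strtoul(p, &end, 8);
    p = end + 1;

    /* size: unsigned decimal followed by a space (strtoull would accept a
     * sign and leading blanks, so require a digit first) */
    if (*p < '0' || *p > '9')
        return SCP_BAD_RECORD;
    errno = 0;
    out->size = strtoull(p, &end, 10);
    if (errno != 0 || *end != ' ')
        return SCP_BAD_RECORD;
    p = end + 1;

    /* name: everything up to the newline */
    n = strcspn(p, "\n");
    if (n == 0 || n >= sizeof out->name)
        return SCP_BAD_RECORD;
    memcpy(out->name, p, n);
    out->name[n] = '\0';

    /* The receive-side check: a name supplied by the remote must be a
     * single path component. Anything with a slash, or the "." / ".."
     * entries, could redirect the write outside the target directory. */
    if (strchr(out->name, '/') != NULL ||
        strcmp(out->name, ".") == 0 || strcmp(out->name, "..") == 0)
        return SCP_BAD_NAME;

    return SCP_OK;
}

/* Helpers that return just the verdict or one parsed field. */
enum scp_verdict check_c_record(const char *rec)
{
    struct scp_file f;
    return parse_c_record(rec, &f);
}

unsigned long long c_record_size(const char *rec)
{
    struct scp_file f;
    return parse_c_record(rec, &f) == SCP_OK ? f.size : 0;
}

unsigned c_record_mode(const char *rec)
{
    struct scp_file f;
    return parse_c_record(rec, &f) == SCP_OK ? f.mode : 0;
}

int main(void)
{
    /* constructed records: one honest, two from a tampered remote scp */
    const char *samples[] = {
        "C0644 11 notes.txt\n",
        "C0644 1732 ../../.ssh/authorized_keys\n",
        "C0600 42 /etc/nologin\n",
    };
    static const char *verdicts[] = { "ok", "bad record", "bad name" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%.*s -> %s\n", (int)strcspn(samples[i], "\n"), samples[i],
               verdicts[check_c_record(samples[i])]);
    return 0;
}
```

Rejecting rather than sanitising is deliberate: stripping the directory part of a hostile name would still let the remote pick which file in the target directory gets clobbered, whereas refusing the record aborts the transfer and makes the tampering visible.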
Netscape Navigator is vulnerable to a trivial remote buffer overflow when viewing specially prepared HTML.
5e00530a07bbcee85e83bc7a5a9c024d8a58a576c2617200505e8c4098a74b86
The Siemens HiNet LP 5100 IP phone is vulnerable to a buffer overflow when it receives a GET request with a very large request size. The vulnerability can cause a partial or complete crash of phone services.
c2c3fa55e9b3b0ea73526601681a57f6551de6e2ac82d72450d780945bdf8d14
Suidperl v5.00503 and below local root exploit. It abuses an undocumented /bin/mail feature that becomes reachable when perl tries to notify root about an inode race condition. Tested on Red Hat 6.x/7.0.
e046c5c1d324b9945abcef32f5756e05f4d6bf70782c8cc77d62546e05aa1ec2
The Netscape Professional Services FTP server contains several easily exploited remote vulnerabilities: any file on the system can be downloaded or uploaded, users can overwrite each other's files via LDAP, and LDAP passwords can be read remotely.
f5e86ccfbc1b2c198c0392fd914db9654935e689b9c821c6cc048bdbf3fc3fad
P0f performs passive OS detection by watching SYN packets with tcpdump. It can additionally estimate the distance to the remote host and be used to map the structure of a foreign or local network. Running on a network's gateway it gathers large amounts of data and provides useful statistics; on an end-user machine it can track which operating systems are behind each connection. p0f supports full tcpdump-style filter expressions and has an easily modified fingerprint database. Tested on Linux 2.0/2.2, FreeBSD, OpenBSD, NetBSD, SunOS and Solaris.
c12412c6a9ae99a45bca4816d61188e822b5b548420cec12adf7538b07a171a5
INND (InterNet News Daemon) 2.2.2 has a remotely exploitable stack overflow in the control article handler. About 80% of Usenet servers are vulnerable.
1fdab59692baa167e5e89c82010248721ee6cdb5b14cc48401a4a2cd02d49432
"I don't think I really love you" or writing internet worms for fun and profit.
d21298d8550cdb1dce8b32a0ad6a565a74adfde66a4bcb0a08045abe78644dd4
Writing Internet Worms for Fun and Profit - The Love Letter worm was very crude, and proof-of-concept code for far more powerful worms has already been written. Expect next year's worms to be architecture independent, invisible to the end user, to spread without user intervention, to learn and launch updated worms, to be polymorphic with no constant code, and to disappear once they have accomplished their objective.
4814e0d3497813ef018f3be0c85104943a8f0a6b10ad19514067d20f4a5d8653
Novell NetWare 5.1 Remote Administration Service contains a buffer overflow that allows an attacker to launch a denial of service attack against the system, and possibly to inject code into the operating system for execution. DoS exploit included.
daeeaaf07bbd7be2d103ab1cd49ffde2eb56484860d53f34ddeeccce4add2867
Many devices ship from the manufacturer with SNMP enabled and unrestricted access with *write* privileges. This lets an attacker modify routing tables, the status of network interfaces and other vital system data, and is extremely dangerous. To make things worse, some devices report that write permission for a given community is disabled while writes to it still succeed. This is a list of devices with writable default configurations.
64b8dfa2a60e46777335afd3866fb129ffab8f3f3c77ea49b736b92fb1b23445
Recent PAM implementations allow su to be used to rapidly brute-force account passwords without the failed attempts being logged. Tested on RH 6.1.
4e4445f9726601745b246b699479483fc7dc3fcd4f33a94228ee97377938b11a
nsuncat 0.01b - Unix domain socket connectivity from the command line (works just like netcat does for TCP/UDP sockets).
49088a575ee48d6c5401773d67d701fbde1b7fe01256a0d55e04ed9c19f06f5b
Five new vulnerabilities have been found in Berkeley Sendmail and 'procmail'.
739a99c27c891bd518989d4459effe5d7dbae8f49924a28318fe663f8c8dbe7b
Exploit for vulnerabilities in sendmail 8.8.8 which hijacks incoming mail and saves it in /tmp.
bafadc740b0a5f08f59f80e1deefd74e1785d438413907c07207f431886905b3
Lynx has mechanisms to prevent spoofed 'special URLs', but the protections are insufficient and can lead to local compromise.
572c27a381354f90a31a76977dccc10442db4065337602fbc6a83efbba50ffb1
Several silently fixed bugs in Sendmail combine to make any sendmail release below 8.9.3 insecure. DoS exploit description included; more may be possible.
dc448e9c2e184b0972cc80f1cc2184a265473cb295116d350c21d5023e9f43e7
A rather dangerous bug is present in the output processing that follows "command substitution" in bash 1.xx. It does NOT appear to be present in bash 2.0.x.
5c8907ed9a89b1176ae7bdba5929b1581c4486d8dc5359db4efc86351c1b7210
Sendmail 8.x.x - any user may rebuild the aliases database, causing a local denial of service.
ee87fe08a43899cadbac39a3e8a3cf5421bda9c8ff62986e65f41d6271f83a96