STonX v0.6.5 and v0.6.7 local root exploit. Tested on Slackware 7.0.
8a1770d7784c6541840ba4ee8c888446
Weekly Newsletter from Help Net Security - Covers weekly roundups of security events that were in the News the past week. In this issue: Laptop encryption and international travel, and much more.
f0f8d94e525483d290469ce60f12681a
chkrootkit locally checks for signs of a rootkit. Includes detection of LKM rootkits, ifpromisc.c to check and see if the interface is in promisc mode, chklastlog.c to check lastlog for deletions, and chkwtmp.c to check wtmp for deletions. Tested on Linux, FreeBSD, Solaris, and OpenBSD.
b8557bcfc5dae6d0c3579783596fe450
Debian Security Advisory - There is a problem in the way gpg checks detached signatures which can lead to false positives. Also it was discovered that gpg would import secret keys from key-servers, circumventing the web of trust. GnuPG homepage here.
c310fad9afc780a8461621c247cb6e24
HEH! Magazine Issue #5 (In Spanish). In this issue: Free Calling in Argentina, Accessing Milicom Modems (Breeze Com), Wireless info, 6 year old cryptography, Semipublic Telephones, Disturbing a StarTac, Hacking Cuspide, and more.
7cc554cd4d3cf2db41b8bd50ba7aedf2
USSR Advisory #58 - The 1st Up Mail Server v4.1 contains a buffer overflow in a long "mail from:" tag which can result in denial of service. Fix available here.
c9ef8f54b753f84c0e129653d746aa46
SpoofW.c "spoofs" messages from any user on the system (can only be used as root, or as a normal user on very old systems). Re-written by Root-Dude.
97498b3f4e82cf6bf3b94a0a0efbfd4a
ummmm.c v2.1 is a URL obfuscation tool which converts something like /cgi-bin/some.cgi into %2f%63%67%69%2d%62%69%6e%2f%73%6f%6d%65%2e%63%67%69. It might be used in cgi scanners which require an input file with cgi requests.
b4046289bf986622f664bc3081dbca6e
Linux xconq v7.4.1 local exploit - Gives a gid=games shell by exploiting the -L parameter. Tested on Slackware.
f418606627aaac0b33630928c6e7278d
Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) available on both Unix and Windows. Stunnel can allow you to secure non-SSL aware daemons and protocols (like POP, IMAP, NNTP, LDAP, etc) by having Stunnel provide the encryption, requiring no changes to the daemon's code.
950b08220c12588e490dcb0609b7d668
SendIP is a commandline tool to send arbitrary IP packets. It has a large number of command line options to specify the content of every header of a TCP, UDP, ICMP, or raw IP packet. It also allows any data to be added to the packet. Checksums can be calculated automatically, but if you wish to send out wrong checksums, that is supported too.
f5b2a15d30e7d8359be25dcacdff663c
Pdump is a sniffer written in perl which dumps, greps, monitors, creates, and modifies traffic on a network. It combines features from tcpdump, tcpkill, ngrep, tcptrace, dsniff (and its webspy and urlsnarf), pfilt, macof, and xpy. It is able to do passive operating system detection/fingerprinting and can also watch packet streams and then create its own spoofed packets to hijack or kill TCP connections. It understands tcpdump-like and perl-like syntax and allows easy modifications via a plug-in system. The packet display is easily configurable. Man page available here.
0a082794faf434efbf0859ef624e4d21
TWWWscan is a Windows based www vulnerability scanner which looks for 300 www/cgi vulnerabilities. Displays http header and server info, and tries for accurate results. Now features anti-IDS url encoding and passive mode scan. Tested on win95 osr2, win98, win98se, win nt4, win 2k/Me.
0883ee41c038940fa7658a29397d5722
Debian Security Advisory - Stunnel has a format string vulnerability, random number problems, symlink vulnerabilities, and insecure syslog() calls. These are fixed in v3.10.
81cafcf92517700a3f1e7200b0ee8869
Debian Security Advisory - Dialog creates lock files insecurely, making it susceptible to a symlink attack.
90cae4bddc6fa6de0e87a248e6e138e2
Authforce is a brute force www password strength testing tool.
c1c0477d3ae7b4d107009838e5669db6
OpenBSD v2.6 and 2.7 ftpd remote root exploit.
851ecd7cde4ff528736a6f54e5ea9649
How to exploit format string vulnerabilities - In Spanish.
2e2786b05184aebe0803a534b6636612
SuSE identd remote denial of service attack - Uses a long string to set a pointer to NULL.
0ddf9677ef65b2ce004d04d7db4613de
SuSE Security Announcement - openssh is an implementation of the secure shell protocol, available under the BSD license, primarily maintained by the OpenBSD Project. Many vulnerabilities have been found in the openssh package: An openssh client (the ssh program) can accept X11- or ssh-agent forwarding requests even though these forwarding capabilities have not been requested by the client side after successful authentication. Using these weaknesses, an attacker could gain access to the authentication agent which may hold multiple user-owned authentication identities, or to the X-server on the client side as if requested by the user.
7f97be0212f0dff802a15f9082d28125
This paper describes a possible way to attack hosts with RFC1918 IP addresses behind GRE Tunnels over the Internet.
74238e97542ad3e67f91ef9f872afd20
NSFOCUS Security Advisory (SA2000-07) - A serious flaw in Microsoft IIS 4.0 and 5.0 when handling CGI filenames allows any file on the system to be read and remote command execution, as described here.
ea015026bde97bb7ea1ff31fc8929458
Pluto.c is a SOCK_RAW flooder which attempts to hide from conseal and ipchains.
3e3bdc125cc76c64ece722d3a34e1aa4
Solaris 2.7/2.8 /usr/bin/catman allows local users to clobber root owned files by symlinking temporary files. Includes catman-race.pl and ctman-race2.pl for proof of concept.
bdf08aefd1a27a54c4ac57903f9613a6
Microsoft Security Bulletin (MS00-100) - Microsoft has released a patch that eliminates the "Malformed Web Form Submission" security vulnerability in a component that ships as part of Microsoft Internet Information Server. The FrontPage Server Extensions (FPSE) which ship with and are installed by default as part of IIS 4.0 and 5.0 have a vulnerability which crashes IIS when a malformed form submission is sent. Microsoft FAQ on this issue available here.
72f2966a7350e4f6fa1dbc7408526cf7