chkrootkit locally checks for signs of a rootkit. It includes detection of LKM rootkits, ifpromisc.c to check whether a network interface is in promiscuous mode, chklastlog.c to check lastlog for deleted entries, and chkwtmp.c to check wtmp for deleted entries. Tested on Linux, FreeBSD, Solaris, and OpenBSD.
95302616bae6811f5e9eb02afdbdbe13
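The two record-level checks behind chkwtmp.c and chklastlog.c, as an added example that is not chkrootkit's own code: a wtmp record that is entirely zero was never written by login(1) and marks a wiped entry, and a user who appears in wtmp but whose lastlog slot (indexed by uid) is zeroed or older than that login has had lastlog cleaned. The example runs over constructed in-memory wtmp and lastlog arrays rather than /var/log/wtmp and /var/log/lastlog, assumes the glibc struct utmp and struct lastlog layouts, and replaces getpwnam() with a constructed name-to-uid table; the users, uids and timestamps are made up for the demonstration.

```c
/* Added example, not chkrootkit's code: chkwtmp/chklastlog-style checks
 * over constructed wtmp and lastlog data. Assumes glibc struct layouts. */
#include <stdio.h>
#include <string.h>
#include <utmp.h>

/* Constructed uid lookup standing in for getpwnam(). */
struct user_map { const char *name; int uid; };
static const struct user_map USERS[] = { {"alice", 10}, {"bob", 11} };
#define NUSERS (sizeof USERS / sizeof USERS[0])

static int uid_of(const char *name)
{
    for (size_t i = 0; i < NUSERS; i++)
        if (strncmp(USERS[i].name, name, UT_NAMESIZE) == 0)
            return USERS[i].uid;
    return -1;
}

static struct utmp login_record(const char *user, long when)
{
    struct utmp u;
    memset(&u, 0, sizeof u);
    u.ut_type = USER_PROCESS;
    u.ut_pid = 4242;
    strncpy(u.ut_user, user, UT_NAMESIZE - 1);
    strncpy(u.ut_line, "pts/0", UT_LINESIZE - 1);
    u.ut_tv.tv_sec = when;
    return u;
}

/* chkwtmp-style: count wtmp records that are entirely zero. login(1) never
 * writes such a record; a log wiper that nulls entries instead of removing
 * them leaves exactly this footprint. */
int count_zeroed_wtmp(const struct utmp *recs, size_t n)
{
    static const struct utmp zero;
    int deleted = 0;
    for (size_t i = 0; i < n; i++)
        if (memcmp(&recs[i], &zero, sizeof zero) == 0)
            deleted++;
    return deleted;
}

/* chklastlog-style: every USER_PROCESS record in wtmp must be matched by a
 * lastlog slot whose ll_time is not older than that login. A zeroed or
 * stale slot means lastlog was cleaned. Counts offending wtmp records. */
int count_lastlog_deletions(const struct utmp *recs, size_t n,
                            const struct lastlog *ll, size_t nll)
{
    int tampered = 0;
    for (size_t i = 0; i < n; i++) {
        int uid;
        if (recs[i].ut_type != USER_PROCESS)
            continue;
        uid = uid_of(recs[i].ut_user);
        if (uid < 0 || (size_t)uid >= nll) {   /* no slot at all */
            tampered++;
            continue;
        }
        if (ll[uid].ll_time < recs[i].ut_tv.tv_sec) {
            printf("lastlog entry for %.*s deleted or rolled back\n",
                   UT_NAMESIZE, recs[i].ut_user);
            tampered++;
        }
    }
    return tampered;
}

/* Constructed sample: alice and bob logged in, the record between them
 * wiped to zeros, and bob's lastlog slot zeroed by the intruder. */
#define MAXUID 16
struct utmp WTMP[3];
struct lastlog LASTLOG[MAXUID];

void build_sample(void)
{
    memset(WTMP, 0, sizeof WTMP);
    memset(LASTLOG, 0, sizeof LASTLOG);
    WTMP[0] = login_record("alice", 1000000000L);
    /* WTMP[1] stays all-zero: a wiped record */
    WTMP[2] = login_record("bob", 1000000600L);
    LASTLOG[10].ll_time = 1000000000L;   /* alice: consistent with wtmp */
    /* LASTLOG[11] stays zero: bob's entry was cleaned */
}

int main(void)
{
    build_sample();
    printf("zeroed wtmp records: %d\n", count_zeroed_wtmp(WTMP, 3));
    printf("lastlog deletions:   %d\n",
           count_lastlog_deletions(WTMP, 3, LASTLOG, MAXUID));
    return 0;
}
```

On a real system both files are read with fread() in sizeof(struct utmp) and sizeof(struct lastlog) steps, and the lastlog check needs the real passwd database; the two counts above are what chkrootkit reports as "deleted" entries.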
HP OpenView NNM 6.1 and earlier running on Unix contains a remote vulnerability in the setuid binary overactiond: any program can be started remotely by sending an SNMP trap to the server. Exploit details included.
cbb6e5495aa3d1b8af6375409b149752
Razor / BindView advisory - There is a buffer-size-checking fault in the Microsoft Windows 2000 Telnet server. The vulnerability is present only if the Telnet service is running and plain-text logins are allowed. If there are already 4300 characters in the buffer, the username length range check does not work. Perl exploit included.
6ee028c03f526273bad46c971bb256b8
Microsoft Security Bulletin MS01-031 - This bulletin discusses seven new vulnerabilities affecting the Windows 2000 Telnet service. They fall into three broad categories: privilege elevation, denial of service and information disclosure. Two of the vulnerabilities allow privilege elevation and four are denial-of-service attacks. Microsoft FAQ on this issue available here.
95bd9c018828ae3994f004d19d258581
Cue.sh exploits an old HP-UX local root vulnerability which remains unpatched on most systems. Tested on HP-UX 10.20 (v899). /usr/bin/cue exists on 800-series models.
90bbd4ddb85767d4598a8994dfaed28e
Passlogd is a sniffer which logs traffic sent to the UDP syslog port, allowing a syslog receiver to run without any open listening port.
8daf2d86ce9b7a319ae48ab1158375e8
Passlogd is a sniffer which logs traffic sent to the UDP syslog port, allowing a syslog receiver to run without any open listening port.
292f484a37e05dc8cf38c8e0e0b51bd6
Firestorm is a network intrusion detection sensor which is multi-threaded, fast, and pluggable at almost every point.
6535757480bdcaca23579488b294503a
Microsoft Security Bulletin MS01-030 - Exchange 2000's Outlook Web Access (OWA) has a vulnerability which allows an attacker to send script code to users; the script can take action against the user's mailbox as if it were the user, including, under certain circumstances, manipulation of messages or folders. Microsoft FAQ on this issue available here.
d1e00e389b7c9427fa7e3cd3c70a349f
Su-wrapper v1.1.1 local root exploit for Linux/x86.
90df033d56dc85b7713a3852178226ab
MindTerm is a complete SSH client in pure Java which can be used either as a standalone Java application or as a Java applet. It includes a vt102/xterm terminal over the SSH protocol and "drop-in" socket replacements for using SSH tunnels transparently from a Java application or applet.
f641fe70d40fdb757a2de2893a1c3671
Flawfinder searches source code for potential security flaws and lists them sorted by risk, with the most potentially dangerous flaws shown first. The risk level depends not only on the function called, but on the values of its parameters.
1b78f9519313232071a0d25cb82e9f73
Arping is an ARP-level ping utility which broadcasts a who-has ARP request on the network and prints the answers. Very useful when you are trying to pick an unused IP on a network to which you do not yet have routing.
561c9b6ba785c72de865c1bb5334b22b
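The frames arping exchanges, as an added example that is not arping's own code: an Ethernet-broadcast ARP "who-has" request for a target IPv4 address, and a parser that recognises the unicast "is-at" reply and pulls out the answering MAC. No reply for a candidate address is what tells you it is unused. Putting the request on the wire needs a raw socket (AF_PACKET on Linux) and is left out so the block runs offline; the MAC and IP addresses, and the captured reply bytes, are constructed for the demonstration.

```c
/* Added example, not arping's code: building an ARP who-has request and
 * parsing an is-at reply in memory. Addresses below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR   14
#define ARP_LEN   28
#define FRAME_LEN (ETH_HDR + ARP_LEN)   /* 42 bytes on the wire */

/* Ethernet header + ARP body (IPv4 over Ethernet), network byte order. */
size_t build_who_has(uint8_t *f, const uint8_t src_mac[6],
                     const uint8_t src_ip[4], const uint8_t target_ip[4])
{
    static const uint8_t bcast[6] = {0xff,0xff,0xff,0xff,0xff,0xff};
    static const uint8_t zero_mac[6] = {0};
    uint8_t *arp = f + ETH_HDR;

    memcpy(f, bcast, 6);              /* dst: broadcast, everyone hears who-has */
    memcpy(f + 6, src_mac, 6);        /* src MAC */
    f[12] = 0x08; f[13] = 0x06;       /* EtherType 0x0806 = ARP */

    arp[0] = 0x00; arp[1] = 0x01;     /* HTYPE 1 = Ethernet */
    arp[2] = 0x08; arp[3] = 0x00;     /* PTYPE 0x0800 = IPv4 */
    arp[4] = 6;                       /* HLEN */
    arp[5] = 4;                       /* PLEN */
    arp[6] = 0x00; arp[7] = 0x01;     /* OPER 1 = request */
    memcpy(arp + 8,  src_mac,   6);   /* sender hardware address */
    memcpy(arp + 14, src_ip,    4);   /* sender protocol address */
    memcpy(arp + 18, zero_mac,  6);   /* target hardware address: unknown */
    memcpy(arp + 24, target_ip, 4);   /* target protocol address: who has it? */
    return FRAME_LEN;
}

/* If `f` is an ARP reply whose sender IP is `want_ip`, copy the sender MAC
 * into `mac_out` and return 1. Anything else (not ARP, a request, a reply
 * from some other host, a short frame) returns 0. */
int parse_is_at(const uint8_t *f, size_t len, const uint8_t want_ip[4],
                uint8_t mac_out[6])
{
    const uint8_t *arp = f + ETH_HDR;
    if (len < FRAME_LEN) return 0;
    if (f[12] != 0x08 || f[13] != 0x06) return 0;          /* not ARP */
    if (arp[0] != 0 || arp[1] != 1 || arp[2] != 0x08 || arp[3] != 0x00)
        return 0;                                          /* not Ethernet/IPv4 */
    if (arp[4] != 6 || arp[5] != 4) return 0;
    if (arp[6] != 0 || arp[7] != 2) return 0;              /* OPER 2 = reply */
    if (memcmp(arp + 14, want_ip, 4) != 0) return 0;       /* someone else's reply */
    memcpy(mac_out, arp + 8, 6);
    return 1;
}

/* Constructed reply: 00:11:22:33:44:55 at 192.168.1.7 answering
 * 02:00:00:00:00:01 at 192.168.1.2. */
static const uint8_t SAMPLE_REPLY[FRAME_LEN] = {
    0x02,0x00,0x00,0x00,0x00,0x01,  0x00,0x11,0x22,0x33,0x44,0x55,  0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x02,
    0x00,0x11,0x22,0x33,0x44,0x55,  192,168,1,7,
    0x02,0x00,0x00,0x00,0x00,0x01,  192,168,1,2,
};

uint8_t g_req[FRAME_LEN];
uint8_t g_mac[6];

/* Probe 192.168.1.7 from 192.168.1.2. Returns 1 when the (constructed)
 * reply resolves the address, i.e. the IP is in use. */
int demo_probe(uint8_t mac_out[6])
{
    static const uint8_t my_mac[6] = {0x02,0,0,0,0,0x01};
    static const uint8_t my_ip[4]  = {192,168,1,2};
    static const uint8_t target[4] = {192,168,1,7};
    build_who_has(g_req, my_mac, my_ip, target);
    /* A real run writes g_req to a raw socket and reads frames back until
     * one parses; here the constructed reply is fed straight in. */
    return parse_is_at(SAMPLE_REPLY, sizeof SAMPLE_REPLY, target, mac_out);
}

int main(void)
{
    if (demo_probe(g_mac))
        printf("192.168.1.7 is-at %02x:%02x:%02x:%02x:%02x:%02x\n",
               g_mac[0], g_mac[1], g_mac[2], g_mac[3], g_mac[4], g_mac[5]);
    else
        printf("no answer: address looks free\n");
    return 0;
}
```

Because ARP is answered at layer 2, the probe works before the host has any IP route to the target network, which is exactly the situation the description mentions.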
RSX is a Linux LKM which stops most buffer overflow attacks. It is a Runtime addressSpace eXtender providing on-the-fly code remapping of existing Linux binaries in order to implement a non-executable stack as well as non-executable short- and long-lived heap areas. RSX targets common buffer-overflow problems by preventing code execution in mapped data-only areas. Currently a version of the kernel module for 2.4.x kernels is available.
ca73f0cf8a75d55e1c127d88b96e0f8c
Tiatunnel.c is a Linux/x86 remote exploit for TIAtunnel-0.9alpha2, an IRC bouncer. Tested on RedHat 6.2 with TIAtunnel-0.9alpha2 from tar.gz. Binds a shell to port 30464.
806b38eb96baac01be27ce096fae9989
Vudo.c is a local root exploit for sudo 1.6.3p5 and below. Tested on Red Hat 6.2 with sudo-1.6.1-1.
a223d049daea0c009c41ef4a02237f0e
The QVT/NET 4.3 FTP Server and the Shambala FTP Server for Windows 9x/NT/2000 contain remote vulnerabilities which allow users to list and retrieve any file on the server. Exploit information included.
f31b863e65cf4e42820d482689e3046f
Stealth Syscall Redirection - This article describes a technique for redirecting system calls without modifying the system call table (implemented on Linux). It can be used to evade intrusion detection systems that watch the syscall table for redirected or trojaned system calls. The basic premise is to patch the beginning of the old system call's code with a jump to the new one, so control is transferred to the replacement system call while the syscall table itself is left untouched.
917c0100d90f45ce4ca2c1e021da1f6d
StMichael is an LKM that attempts to detect and divert attempts to install a kernel-module backdoor into a running Linux system. It does this by monitoring init_module and delete_module for changes to the system call table. This is an experimental version and a spin-off from the Saint Jude project.
5b4c791c22c5fa58c904835a96f0389e
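The two entries above describe opposite sides of the same check: StMichael watches the syscall table for changed entries, and the Stealth Syscall Redirection article defeats that by patching the first bytes of the original handler instead of its table slot. The following added example (not the article's or StMichael's code) reproduces both in user space, where it can be run: a table of handler pointers stands in for sys_call_table, a StMichael-style checksum of that table is taken before and after, and the "redirection" overwrites the first five bytes of a handler with an x86-64 JMP rel32 to a replacement. It assumes x86-64 Linux and a process that is allowed to mprotect() its own text pages writable; the handler names and return values are made up.

```c
/* Added example, not code from the article or from StMichael: syscall
 * redirection by patching the handler's entry, shown in user space.
 * Assumes x86-64 Linux and that mprotect() on .text is permitted. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef long (*handler_t)(long);
#define NR_HANDLERS 4

volatile long sink;

/* "Original" handlers. The store to `sink` keeps each body well over the
 * five bytes the patch overwrites. External linkage and noinline keep the
 * compiler from inlining or cloning them past the patched entry point. */
__attribute__((noinline)) long real_open(long arg) { sink = arg; return arg * 2; }
__attribute__((noinline)) long real_read(long arg) { sink = arg; return arg + 1; }

/* Stand-in for sys_call_table. Non-const so calls go through memory. */
handler_t sys_table[NR_HANDLERS] = { real_open, real_read, real_read, real_read };

long dispatch(int nr, long arg) { return sys_table[nr](arg); }

/* StMichael-style monitor: checksum the table contents (FNV-1a over the
 * pointer bytes) at load time and compare later. */
uint64_t table_checksum(const handler_t *table, size_t n)
{
    uint64_t h = 1469598103934665603ULL;
    const uint8_t *p = (const uint8_t *)table;
    for (size_t i = 0; i < n * sizeof *table; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* The redirection: write "JMP rel32" (E9 xx xx xx xx) over the first five
 * bytes of `from`, so every call that reaches `from`, via the table or a
 * direct call, lands in `to`. sys_table is never touched. The original's
 * first instructions are destroyed; a real hook would save them and build
 * a trampoline so it can still call the original afterwards. */
int redirect(void *from, void *to)
{
    long page = sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)from & ~(uintptr_t)(page - 1);
    size_t len = ((uintptr_t)from + 5 - start + page - 1) / page * page;
    int32_t rel = (int32_t)((intptr_t)to - ((intptr_t)from + 5));
    uint8_t patch[5];

    if (mprotect((void *)start, len, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;
    patch[0] = 0xE9;
    memcpy(patch + 1, &rel, sizeof rel);
    memcpy(from, patch, sizeof patch);
    __builtin___clear_cache((char *)from, (char *)from + sizeof patch);
    return mprotect((void *)start, len, PROT_READ | PROT_EXEC);
}

/* The replacement the "rootkit" installs. */
long evil_open(long arg) { (void)arg; return -13; }

long g_before, g_after;
int g_table_changed;

/* Take the baseline checksum, call through the table, redirect real_open
 * to evil_open, call again, and ask the monitor whether it noticed.
 * Returns 0 on success, -1 if the text page could not be made writable. */
int run_demo(void)
{
    uint64_t baseline = table_checksum(sys_table, NR_HANDLERS);
    g_before = dispatch(0, 21);                         /* real_open: 42 */
    if (redirect((void *)real_open, (void *)evil_open) != 0)
        return -1;
    g_after = dispatch(0, 21);                          /* now evil_open: -13 */
    g_table_changed = table_checksum(sys_table, NR_HANDLERS) != baseline;
    return 0;
}

int main(void)
{
    if (run_demo() != 0) { perror("mprotect"); return 1; }
    printf("before: %ld  after: %ld  table changed: %s\n",
           g_before, g_after, g_table_changed ? "yes" : "no");
    return 0;
}
```

The checksum stays identical while the dispatched result changes, which is the whole point of the article: a detector that only compares sys_call_table entries against known-good values has to also verify the first bytes of each handler (or the text of the kernel as a whole) to see this kind of hook.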
ICMP Usage in Scanning v3.0 - This paper outlines what can be done with the ICMP protocol for scanning. Although ICMP may seem harmless at first glance, the paper includes details on plain host detection techniques, advanced host detection techniques, inverse mapping, trace routing, OS fingerprinting methods using ICMP, and which ICMP traffic should be filtered on a filtering device.
f60a05e7802e4364c022896d78730665
Georgi Guninski security advisory #46, 2001 - There is a buffer overflow in SunOS 5.8 x86 involving $HOME and /usr/bin/mail, leading to egid=mail. Includes exploit.
c001290c85b9715cba2645cb81f2c3f6
Packet Storm new exploits for May, 2001.
c5aff02f19eb6b0d6609b6f1a24ed2fb
nabou is a Perl script which can be used to monitor changes to your system. It provides file integrity checking, and can also watch crontabs, suid files and user accounts for changes. It stores all data in standard dbm databases.
943b114cfbbbb3476bbecf7339401589
The Linux Intrusion Detection System (LIDS) is a kernel patch which enhances the kernel's security. When it is in effect, many system administration operations can be made impossible even for root. You can turn the protection on or off on the fly, hide sensitive processes, and prevent anyone from using ptrace or any other capability on your system. LIDS can also provide raw device and I/O access protection. LIDS FAQ available here.
be4b57bd2ce6f2f85264af1cb8940e67
Inflex is an email scanner which wraps around your existing sendmail setup. It scans both incoming and outgoing email and does not alter your current /etc/sendmail.cf file. It can scan for email viruses, unwanted file types (e.g. EXE, BMP, MPEG) and file names (e.g. prettypark.exe). It can also be used to scan for text snippets within emails.
5fa0e17e31b2df7864dff969d9ad3b42