STonX v0.6.5 and v0.6.7 local root exploit. Tested on Slackware 7.0.
c751c9ecd87655ab1f2703c193c5080ea84909a0b48d28666ce7f32edbf5b25e
Weekly Newsletter from Help Net Security - Covers weekly roundups of security events that were in the News the past week. In this issue: Laptop encryption and international travel, and much more.
942f2773e759562a9809329ed469a6366c25804fdcdd69b1e47abad7a1f95e7e
chkrootkit locally checks for signs of a rootkit. Includes detection of LKM rootkits, ifpromisc.c to check whether the interface is in promiscuous mode, chklastlog.c to check lastlog for deletions, and chkwtmp.c to check wtmp for deletions. Tested on Linux, FreeBSD, Solaris, and OpenBSD.
afe99cb3dadecbc1cdf1ac56fab17283b5c7eca9640f4798fd3ff404e05b2234
Debian Security Advisory - There is a problem in the way gpg checks detached signatures which can lead to false positives. Also it was discovered that gpg would import secret keys from key-servers, circumventing the web of trust. GnuPG homepage here.
5d14e9537651bbc63698a8574da5f9f191cba27896ffb7f45b4cb6d6b2e12a34
HEH! Magazine Issue #5 (In Spanish). In this issue: Free Calling in Argentina, Accessing Milicom Modems (Breeze Com), Wireless info, 6 year old cryptography, Semipublic Telephones, Disturbing a StarTac, Hacking Cuspide, and more.
09a68469031fafff5f58e2c56104afae70a992a4fd50ad3b12999524f1d27b3b
USSR Advisory #58 - The 1st Up Mail Server v4.1 contains a buffer overflow in a long "mail from:" tag which can result in denial of service. Fix available here.
b3f2abaf7829914bb59b16a6596355c2829b25a197a106b1184540398916f867
SpoofW.c "spoofs" messages from any user on the system (can only be used as root, or as a normal user on very old systems). Re-written by Root-Dude.
4a5e56e60655e168369f38dd84cc5052a91abd3ee503bc5cc47330ac24ff1cba
ummmm.c v2.1 is a URL obfuscation tool which converts something like /cgi-bin/some.cgi into %2f%63%67%69%2d%62%69%6e%2f%73%6f%6d%65%2e%63%67%69. It might be used in cgi scanners which require an input file with cgi requests.
4968493ed605717ad8e51ff70428152b2255e6ab112c2e87c121f76b07e16000
Linux xconq v7.4.1 local exploit - Gives a gid=games shell by exploiting the -L parameter. Tested on Slackware.
58e72092adb49d8ae668a492bed2721cde6ad0ab1e236ba3ab3787b8b6b8d6f7
Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer), available on both Unix and Windows. Stunnel can allow you to secure non-SSL aware daemons and protocols (like POP, IMAP, NNTP, LDAP, etc.) by having Stunnel provide the encryption, requiring no changes to the daemon's code.
0ecc3ce0c713984c4cdf1db4c321409f8baf498b7b0a65ea41e020ceae5ffc20
SendIP is a commandline tool to send arbitrary IP packets. It has a large number of command line options to specify the content of every header of a TCP, UDP, ICMP, or raw IP packet. It also allows any data to be added to the packet. Checksums can be calculated automatically, but if you wish to send out wrong checksums, that is supported too.
df7b3b785636cc2fcc8afa9ed8fd6ddd539d1d9d8fe70b19f05b1bcce15cb579
Pdump is a sniffer written in perl which dumps, greps, monitors, creates, and modifies traffic on a network. It combines features from tcpdump, tcpkill, ngrep, tcptrace, dsniff (and its webspy and urlsnarf), pfilt, macof, and xpy. It is able to do passive operating system detection/fingerprinting and can also watch packet streams and then create its own spoofed packets to hijack or kill TCP connections. It understands tcpdump-like and perl-like syntax and allows easy modifications via a plug-in system. The packet display is easily configurable. Man page available here.
a602c264c5aba0ba348610e2d470ce586566221a19fe2d173b61eadbc8f1bd10
TWWWscan is a Windows based www vulnerability scanner which looks for 300 www/cgi vulnerabilities. Displays http header and server info, and tries for accurate results. Now features anti-IDS url encoding and passive mode scan. Tested on Win95 OSR2, Win98, Win98SE, Win NT4, Win 2k/Me.
5e15fd47f1786fc1a908327948692eaab205e433c67dc4cd85910dc488b08cda
Debian Security Advisory - Stunnel has a format string vulnerability, random number problems, symlink vulnerabilities, and insecure syslog() calls. These are fixed in v3.10.
7c5528d13465844144c14d93e5020787edccc35ed0557d62e4572c41da757e91
Debian Security Advisory - Dialog creates lock files insecurely, making it susceptible to a symlink attack.
0e1a4dfce47304b778ad0b42e62db3dd738036c36bdf2773a246d1ef9a82e135
Authforce is a brute force www password strength testing tool.
473d8ca1770505766cd74d14d1b0cfcc20fce3f66fa70320799f6c2f156fb5f4
OpenBSD v2.6 and 2.7 ftpd remote root exploit.
3bce3b748cccc4e919388bcb98fab8e0032f8b36b13107f0b8d2af7e7591fff5
How to exploit format string vulnerabilities - In Spanish.
d30ae54998bb2cc00f334b5bae58862608dc3f8d9da7dce9df01a7975c7a1cc0
SuSE identd remote denial of service attack - Uses a long string to set a pointer to NULL.
5428c66fd108f4593af53e80bdb814ea4c560c05eda8deea3e7caaa7e617830e
SuSE Security Announcement - openssh is an implementation of the secure shell protocol, available under the BSD license, primarily maintained by the OpenBSD Project. Many vulnerabilities have been found in the openssh package: An openssh client (the ssh program) can accept X11- or ssh-agent forwarding requests even though these forwarding capabilities have not been requested by the client side after successful authentication. Using these weaknesses, an attacker could gain access to the authentication agent which may hold multiple user-owned authentication identities, or to the X-server on the client side as if requested by the user.
6bc86fe768520b6d4748e5ce57dc320bc8e2cc6fab198eb115172bff82ff249d
This paper describes a possible way to attack hosts with RFC1918 IP addresses behind GRE Tunnels over the Internet.
f56cd653e16527b61bea075fcdd9e9bd1e145226aa80c22f2f48ba8f4bdd083a
NSFOCUS Security Advisory (SA2000-07) - A serious flaw in Microsoft IIS 4.0 and 5.0 when handling CGI filenames allows any file on the system to be read and remote command execution, as described here.
85c25f2dd295eef761bb7ed7766d70fbcfc7d6ba678f8b8cf47e98b2f9c639b7
Pluto.c is a SOCK_RAW flooder which attempts to hide from conseal and ipchains.
8d9cd489065a7c20ca2164005dc5e8894dd2f18730f6eaf773403c9e662103ea
Solaris 2.7/2.8 /usr/bin/catman allows local users to clobber root owned files by symlinking temporary files. Includes catman-race.pl and ctman-race2.pl for proof of concept.
9a29d9929df3618598e1b73b8901c5d5026303418322bac348f2cc5417e8cef6
Microsoft Security Bulletin (MS00-100) - Microsoft has released a patch that eliminates the "Malformed Web Form Submission" security vulnerability in a component that ships as part of Microsoft Internet Information Server. The FrontPage Server Extensions (FPSE) which ship with and are installed by default as part of IIS 4.0 and 5.0 have a vulnerability which crashes IIS when a malformed form submission is sent. Microsoft FAQ on this issue available here.
0570cc66d8a2848c8d874674c177c4fefa1b9043c8e990e815130176ea89c8ad