Section: .. / 0008-exploits /
/// File Name: Critical_Path_CSS
Description: A simple flaw in the web mail service offered by Critical Path (www.cp.net) allows an attacker to gain full access to any webmail account. The attack falls under the umbrella of cross-site scripting, which was addressed in detail by CERT in their advisory CA-2000-02, entitled "Malicious HTML Tags Embedded in Client Web Requests." The bug is aggravated by a defective session token scheme.
Author: Jeffrey W. Baker | File Size: 7803 | Last Modified: Aug 30 02:41:07 2000
MD5 Checksum: ce67656bc39d3867917caa86196bff78

/// File Name: WDK_v1.0.vuln.txt
Description: The Javaserver Webserver Development Kit (WDK) v1.0 contains a .. vulnerability allowing remote attackers to read any file on the system with the permissions of the webserver. The server typically resides on TCP port 8080 and instructions for identifying this server are given.
Author: Kevin Finisterre | File Size: 1517 | Last Modified: Aug 29 05:34:19 2000
MD5 Checksum: 942419ad40c9d395eabf61da00278016

/// File Name: vqserver.dos.txt
Description: vqServer version 1.4.49 is vulnerable to a denial of service attack by sending a malformed URL request. Tested on the Windows version. The latest edition of vqServer (1.9.47) is unaffected.
Author: nemesystm | Homepage: http://dhcorp.cjb.net | File Size: 2228 | Last Modified: Aug 29 05:25:00 2000
MD5 Checksum: 303c9106b865941caabe75045152da02

/// File Name: VIGILANTE-2000007
Description: Vigilante Advisory #7 - A malicious user can crash an Intel Express 550F, or a host behind it, by sending a packet with a malformed header. To restart the box you need to remove it from its power source, as the reset button loses functionality as well. Affected systems: Intel Express Switch 550F - Firmware version 2.63 - Firmware version 2.64.
Author: Vigilante | Homepage: http://www.vigilante.com | File Size: 1871 | Last Modified: Aug 28 11:16:01 2000
MD5 Checksum: 70f964bfc3be8ff1be7c1a6ab323c0e2

/// File Name: bubonic.c
Description: Bubonic.c is a denial of service tool that sends random TCP packets with random settings. Tested against Windows 2000 and RedHat Zoot.
Author: Sil | Homepage: http://www.antioffline.com | File Size: 6625 | Last Modified: Aug 28 11:06:39 2000
MD5 Checksum: c3272ac6b130a121e601108895f93080

/// File Name: daemonic.c
Description: Daemonic.c is a theoretical router-based denial of service attack that exploits a weakness within the Border Gateway Protocol (BGP). If a malicious user sends spoofed malformed packets to a neighboring router, the peer will ignore them and possibly kill the session entirely. Written on an Ultra 5 running Linux Zoot, this has been compiled on Linux, OpenBSD and Solaris without problems.
Author: Sil | Homepage: http://www.antioffline.com | File Size: 8144 | Last Modified: Aug 28 10:55:49 2000
MD5 Checksum: 6f0c6611db0f18e797c8422d40ca25a2

/// File Name: subscribeme.txt
Description: Unavailable.
File Size: 2010 | Last Modified: Aug 24 22:29:08 2000
MD5 Checksum: b32fff4d493f1bd7bb88989d494fd742

/// File Name: spad02.txt
Description: Unavailable.
File Size: 8894 | Last Modified: Aug 24 19:57:43 2000
MD5 Checksum: 78978df1ffd3d83d01195c113927bb9a

/// File Name: php-nuke.txt
Description: A short advisory on how to manipulate a bug in the PHP-Nuke Web Portal System to gain administrative access.
Author: Starman_Jones | File Size: 1799 | Last Modified: Aug 24 19:09:49 2000
MD5 Checksum: f63871452fe6ee993b8f7a7961c8f7e0

/// File Name: labs51.txt
Description: USSR Labs Advisory #51 - There is a remote denial of service caused by a buffer overflow memory problem in the rpc module of the Pragma TelnetServer 2000 for Windows NT/2000. The included shell code causes the system to crash.
Homepage: http://www.ussrback.com | File Size: 4816 | Last Modified: Aug 24 18:53:33 2000
MD5 Checksum: 5451e4fdd8c8cb64106282d8dc91a7fc

/// File Name: darxite.tar.gz
Description: Darxite, a daemon that retrieves files via FTP or HTTP, has several vulnerabilities throughout the code that allow a local/remote user to crash the servers, as well as a remote overflow in passwd authentication allowing remote shell access as the uid of the darxite daemon. Exploit and advisory included. Tested against Linux x86 systems.
Author: dethy | Homepage: http://www.synnergy.net | File Size: 4738 | Last Modified: Aug 23 02:03:59 2000
MD5 Checksum: 32a8c8dcfdcba3259e8d0e9af20eba1a

/// File Name: xslrnpull.c
Description: Xslrnpull.c exploits a local buffer overflow vulnerability in slrnpull version 0.9.6.2, which is setgid news. Tested against RedHat 6.2.
Author: Vade79 | Homepage: http://www.realhalo.org | File Size: 2272 | Last Modified: Aug 23 01:39:37 2000
MD5 Checksum: 71914e4011b9a4a07c80e1c6268761eb

/// File Name: PHP-Nuke.c
Description: A vulnerability in the way PHP-Nuke, a news site administrative tool, authenticates administrative accounts allows a remote attacker to gain administrative access to the application. An attacker could edit users, articles, topics and banners, assign authors, etc.
Author: Fabian Clone | File Size: 2800 | Last Modified: Aug 22 00:29:53 2000
MD5 Checksum: be38d88ef4fe90bff7fa3c1c2766dfb5

/// File Name: htgrep.c
Description: Htgrep has a vulnerability which allows a remote user to read arbitrary files on the system with the privileges of the user running the program.
Author: n30 | File Size: 2386 | Last Modified: Aug 21 23:04:12 2000
MD5 Checksum: 44e6b83eeb52eb927c6866f44c07cd87

/// File Name: srcgrab.pl.txt
Description: Srcgrab.pl exploits the Translate:f bug as described in MS00-058. The vulnerability, present in IIS 4.0 and Windows 2000 FrontPage server extensions, allows a remote user to retrieve the source of .asa and .asp pages.
Author: Smiler | File Size: 7692 | Last Modified: Aug 17 19:28:32 2000
MD5 Checksum: 821dc542307911b4bfd039e2463a515e

/// File Name: crackncftp.c
Description: The ncftp client uses an easily decrypted scheme to save passwords for remote FTP sites in a bookmark file. Crackncftp.c recovers the plaintext password from the encrypted string.
Author: Zorgon | Homepage: http://zorgon.freeshell.org | File Size: 5056 | Last Modified: Aug 17 03:45:04 2000
MD5 Checksum: 652d5a84fea593b7798071e24c6325d1

/// File Name: ie5-msn.exec.txt
Description: Georgi Guninski security advisory #18 - Two serious vulnerabilities have been found in Microsoft products. Internet Explorer 5.5/5.x may execute arbitrary programs when visiting a web page, reading HTML-based mail with Outlook, or simply browsing folders as web pages. In addition, the default installation of Windows 2000 allows Local Administrator compromise via opening local folders as web pages. In both cases a malicious person may take full control over the user's computer / server. Includes proof of concept HTML code. Demonstration available here.
Author: Georgi Guninski | Homepage: http://www.nat.bg/~joro | File Size: 8941 | Last Modified: Aug 16 02:12:00 2000
MD5 Checksum: 1f4cc1e9ab9d13efedb1c42dbabdbc96

/// File Name: rapidstream.vpn.txt
Description: RapidStream VPN nodes have the 'rsadmin' account hard-coded into the sshd binary in the appliance OS. The account has been given a 'null' password, since password assignment and authentication were expected to be handled by the RapidStream software itself. The vendor failed to realize that arbitrary commands could be appended to the ssh command line when connecting to the SSH server on the remote VPN. This could lead to many things, including the ability to spawn a remote root shell on the VPN.
Author: Loki courtesy of Bugtraq. | File Size: 2409 | Last Modified: Aug 16 01:41:19 2000
MD5 Checksum: 6e70e4def5f1cac4ebe348a0e56c6965

/// File Name: linsql.c
Description: Linsql is a simple command-line client for MS SQL Server which can execute arbitrary SQL queries and OS commands on MS-SQL hosts that use a blank 'sa' password, a common default configuration.
Author: Herbless courtesy of Bugtraq. | File Size: 39781 | Last Modified: Aug 16 01:32:36 2000
MD5 Checksum: b2093a37c013dad47d3336afc2da99a5

/// File Name: VIGILANTE-2000006.txt
Description: Vigilante Security Advisory - The OS/2 Warp 4.5 FTP Server contains denial of service vulnerabilities which allow anyone who can connect to port 21 to crash the service. Fix available here.
Author: Vigilante | Homepage: http://www.vigilante.com | File Size: 1763 | Last Modified: Aug 16 00:48:42 2000
MD5 Checksum: 076354db31d3da7d9ef4e70cab192a03

/// File Name: VIGILANTE-2000005.txt
Description: Vigilante Security Advisory - Watchguard Firebox Authentication DoS vulnerability. Sending a malformed URL to TCP port 4100 causes the Watchguard to shut down and require a reboot to restart. Fix available here.
Author: Vigilante | Homepage: http://www.vigilante.com | File Size: 2090 | Last Modified: Aug 16 00:44:08 2000
MD5 Checksum: 3f541d31e07cd77684a3542ad46821b9

/// File Name: lyris.3-4.txt
Description: Versions 3 and 4 of the Lyris List Manager allow any mailing list subscriber to gain access to the administrative interface of that list by changing a form before submitting it. Fix available here.
Author: Adam Hupp courtesy of Bugtraq. | File Size: 721 | Last Modified: Aug 15 07:22:23 2000
MD5 Checksum: a9644285ccce803fd21a6ecad931c843

/// File Name: form-totaller.txt
Description: Form-Totaller version 1.0 (form-totaller.cgi) trusts user input for filenames, allowing a remote user to read any file on the webserver.
Author: Signal 9 | File Size: 1879 | Last Modified: Aug 14 22:29:59 2000
MD5 Checksum: c176fa3885dae24832840fa6cf24539d

/// File Name: everythingform.txt
Description: The Everything Form (everythingform.cgi) contains remote vulnerabilities which allow any file on the system to be read.
Author: Signal 9 | File Size: 1850 | Last Modified: Aug 14 22:25:42 2000
MD5 Checksum: 886d2b5c72aae75767b040e22b3bbd9f

/// File Name: wais.pl.advisory.txt
Description: The wais.pl CGI written by Tony Sanders provides a means to access the waisq WAIS client via the webserver. Waisq contains buffer overflows allowing remote code execution, which can be exploited via wais.pl. In addition, files owned by nobody on the webserver can be overwritten with arbitrary content. Includes exploit for Linux/x86.
Author: Scrippie | Homepage: http://www.synnergy.net | File Size: 13976 | Last Modified: Aug 14 19:36:58 2000
MD5 Checksum: 795f85e6d55de6d0878a8c35c77da7a9