Re: Restricting access to a web server by IP
From: NeoSadist <neos@dist>
Date: Tue, 18 Feb 2003 08:13:51 -0700
"adeveloper" <adeveloper@test.com> wrote in message
news:b2t72a$n7p$1@sparta.btinternet.com...
> Hi,
>
> We are currently considering if we should restrict access to our windows
> 2000 web servers by IP address (so that the firewall only gives access to
> a list of allowed users). This would be done for things like access for
> remote control clients (terminal services, telnet, etc), etc - we remotely
> administer the machine with terminal services. I suppose it would be done
> for all ports except port 80 ideally. However this has some cost
> implications (we are a small company) and we are debating whether it is
> worth it.
>
> The argument for is that it secures us from hackers who specially target
> the machine, and it secures very vulnerable areas (such as remote control
> software that can give control of the entire machine).
> The argument against is that most vulnerabilities seem to come through
> port 80 anyway and that the best security measure is to keep up to date on
> all patches, and that the risk of an individual hacker targeting you is
> quite low - most risks come from worms, trojans, etc (although we have
> been targeted once before...).
>
> I just wanted to know what other people's experiences were with securing
> web servers, and blocking access to all IPs except those on the allowed
> list - what would you advise?
>
> Grateful for any info
> Pete
>
Try these exploits on them:
Exploit world -- Everything (Solaris, FreeBSD, OpenBSD, NetBSD, BSDI, Sun Solaris, Linux, Microsoft Windows, SGI IRIX, HP HP-UX, IBM AIX, SCO, Digital ULTRIX/TRU64, Apple Macintosh, etc) section
Last modified: Thursday, 17-Aug-2000 17:43:49 PDT
Exploit world!
Master Index for ALL Exploits
Compiled by Fyodor fyodor@insecure.org on Thu Jan 13 21:41:31 UTC 2000

3com/USR Total Control Chassis termserver problem
Description: The IP filtering on these servers doesn't appear to work for dialin connections. Thus a user can dialin, get a "host:" prompt without authentication, and then type in any hostname on the internet (or intranet) to connect to. System logs incorrectly say that the connection was denied.
Author: Jason Downs <downsj@DOWNSJ.COM>
Compromise: Unauthorized access to Internet/Intranet through the terminal server
Vulnerable Systems: Those running the Total Control (tm) NETServer Card V.34/ISDN with Frame Relay V3.7.24, perhaps other versions.
Date: 11 May 1998
Exploit & full info: Available here

Bay networks unpassworded "User" account
Description: Unless the sysadmins change it (they should!), Bay Networks access node/wellfleet routers have a "User" account for ftp/telnet access with no password. The Manager account also ships w/o a password, but that is more likely to be changed.
Author: Marty Rigaletto <marty@SLACK.NET>
Compromise: Read valuable configuration information, edit routing tables, etc.
Vulnerable Systems: Networks using Bay Networks access node/wellfleet routers that haven't changed the default passwords.
Date: 10 May 1998
Notes: Many products come w/o passwords with the assumption that they will be changed. This isn't really Bay Networks' fault, although perhaps the "User" account isn't documented well enough.
Exploit & full info: Available here

AIX rmail hole
Description: IFS attack, apparently AIX may be using system()
Author: Unknown
Compromise: gid mail
Vulnerable Systems: AIX 3.2, perhaps earlier
Date: 10 May 1998 (it is actually much older)
Notes: Thanks to the person who submitted this to me!
Exploit & full info: Available here

Motorola Cablerouter hole
Description: Motorola CableRouters listen on port 1024 regardless of IP access restrictions for some reason. This hole in combination with the default login:cablecom pass:router can lead to easy unauthorized access
Author: January <january@SPY.NET>
Compromise: unauthorized administrator access
Vulnerable Systems: Motorola CableRouters, especially those where the admin left the default passwords in place (always a horrible idea).
Date: 10 May 1998
Notes: Cablemodem users must connect from the Internet interface, not from the interface on their side of the router. Also Motorola wrote me to say this has been fixed. They claim that all customers have upgraded to newer software.
Exploit & full info: Available here

Overflow in Vixie crontab
Description: standard overflow
Author: Dave G. wrote the exploit
Compromise: root (local)
Vulnerable Systems: Some RedHat distributions, a German distribution DLD 5.2, etc. Anyone running a vulnerable version of Vixie crontab.
Date: 10 May 1998 (actually it is an older problem)
Exploit & full info: Available here

Overflows in Minicom
Description: The terminal emulation modem program minicom has a number of blatant overflows.
Author: Tiago F P Rodrigues <11108496@LIS.ULUSIADA.PT>
Compromise: group uucp on some Linux distros (such as RedHat), but if installed from source with default makefile then it allows root access (local)
Vulnerable Systems: Most Linux boxes ship with minicom. Version 1.81 and presumably earlier are vulnerable.
Date: 9 May 1998
Exploit & full info: Available here

NCSA httpd buffer overflow
Description: Standard overflow in client request string
Author: Renos <renosm@YAHOO.COM>
Compromise: You can probably run arbitrary commands on the web server machine, it is trivial to crash the server
Vulnerable Systems: Those running NCSA's httpd v1.4 for Windows. Probably earlier versions too.
Date: 8 May 1998
Exploit & full info: Available here

Poor BSDI squid permissions
Description: on BSDI squid configuration files are owned by "www", which is the same UID that user CGI runs at. Thus a user could change start-squid to start a root shell, for example.
Author: "Jonathan A. Zdziarski" <jonz@NETRAIL.NET>
Compromise: user WWW privs -> root
Vulnerable Systems: BSDI 3.1, perhaps other squid installs
Date: 7 May 1998
Exploit & full info: Available here

dip 3.3.7o overflow
Description: Standard overflow (in the -l option processing).
Author: Goran Gajic <ggajic@AFRODITA.RCUB.BG.AC.YU>
Compromise: root (local)
Vulnerable Systems: Slackware Linux 3.4, presumably any other system using dip-3.3.7o or earlier suid root.
Date: 5 May 1998
Notes: I've included a couple standard exploits and one that works against systems utilizing Solar Designer's excellent non-executable-stack patch.
Exploit & full info: Available here

Backdoor passwords in 3com switches, routers, smart hubs.
Description: Numerous 3com products apparently have secret backdoors in case the administrator "forgets the password". Yeah, there is a good idea. BIOS vendors have the annoying habit of making passwords useless the same way, but at least there the attacker needs physical access. With 3com the attacker can telnet over to your network from bis.bg in Sofiya, Bulgaria and reconfigure your routers!
Author: Eric Monti <monti@MAIL.NETURAL.COM> and others
Compromise: Intruders can reconfigure and basically take over your switches
Vulnerable Systems: Many 3com products have various backdoors including: LanPlex/Corebuilder switches, 3Com LANplex 2500, CellPlex 7000
Date: 5 May 1998
Notes: Another post I appended notes that admin passwords and SNMP keys are available via the "public" SNMP community by default.
Exploit & full info: Available here

Many holes in the Netmanager Chameleon tool suite
Description: Mostly standard overflows, but there are lots of them. Virtually every product that comes in the suite seems exploitable.
Author: arager@MCGRAW-HILL.COM
Compromise: remote attackers can likely obtain root/administrator privileges on the machines running Chameleon daemons. The clients also have serious security holes.
Vulnerable Systems: These holes are in the Windows versions, although I would be very careful about running something like their Unix Z-mail product.
Date: 4 May 1998
Exploit & full info: Available here

Xaw and Xterm vulnerabilities
Description: There are a number of vulnerabilities in X11R6 xterm(1) and Xaw(3c) libraries. They are mostly all overflows
Author: Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz> and the exploit was written by alcuin
Compromise: root (local)
Vulnerable Systems: Those running Xterm or X apps linked to vulnerable Xaw. Virtually all versions of X are vulnerable to the *Keymap hole and the others are mostly X11R6 specific (which virtually everyone uses anyway). Thus it is likely that many Solaris, Linux, HP/UX, and perhaps IRIX and AIX boxes are vulnerable.
Date: 4 May 1998
Notes: I have also included an exploit sent to me by "M.C.Mar" <emsi@it.com.pl>. This exploit works against Xaw and neXtaw even WITH Solar Designer's non-executable stack patch applied. Check it out!
Exploit & full info: Available here

Overflow in lynx processing of mailto: URLs
Description: a mailto: URL with a long email address causes lynx 2.8 to crash and can cause it to execute arbitrary code
Author: Michal Zalewski <lcamtuf@boss.staszic.waw.pl>
Compromise: remote pages can cause commands to be executed on the lynx user's machine. This can also be used to break out of restricted lynx shells.
Vulnerable Systems: Those running lynx 2.8 and probably earlier.
Date: 3 May 1998
Exploit & full info: Available here

ID games Backdoor in quake
Description: ID software blatantly put a backdoor in Quake 1/2 and QuakeWorld including both the Linux/Solaris Quake2. RCON commands sent from the subnet 192.246.40.0/24 and containing the password "tms" are automatically executed on the server without being logged.
Author: Mark Zielinski <markz@repsec.com>
Compromise: root (remote)
Vulnerable Systems: Those running Quake 1, QuakeWorld, Quake 2, Quake 2 Linux and Quake 2 Solaris, all versions. Thus many Windows and UNIX boxes are affected
Date: 1 May 1998
Notes: Quake was always a horrible security hole, but I never thought Id would stoop to introducing an intentional backdoor to allow them access to systems running Quake. I am surprised this didn't get more publicity.
Exploit & full info: Available here

Overflow in kppp -c option
Description: Standard overflow
Author: "|[TDP]|" <tdp@psynet.net>
Compromise: root (local)
Vulnerable Systems: Those running kppp version < 1.1.3 suid root. This comes with the KDE system (which is pretty neat -- www.kde.org) and runs on Solaris, Linux, IRIX, and HP/UX
Date: 29 April 1998
Notes: The hole was fixed a while prior to this posting so the (then) current version was not vulnerable.
Exploit & full info: Available here

Horrendous suidexec hole
Description: Debian Linux apparently distributes a program called suidexec as part of the suidmanager package. This program is trivially exploitable to run any program on the system as root.
Author: Thomas Roessler <roessler@GUUG.DE>
Compromise: root (local)
Vulnerable Systems: Debian Linux 2.0 (probably won't be in the final 2.0 Hamm release).
Date: 28 April 1998
Exploit & full info: Available here

Yet ANOTHER hole in the HP/UX Glance program
Description: Standard symlink-following TMPFILE stupidity
Author: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
Compromise: root (local)
Vulnerable Systems: HP/UX 10.20, perhaps other versions.
Date: 27 April 1998
Exploit & full info: Available here

cxhextris overflow
Description: Standard overflow
Author: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
Compromise: Local users can obtain uid=games privileges! This allows them to cause chaos by changing the high score table or trojaning various games, etc.
Vulnerable Systems: At least RedHat Linux 5.0
Date: 25 April 1998
Exploit & full info: Available here

Livewire "source" problem
Description: It is often possible in sites using Livewire to download the actual application rather than individual pages generated by it. If the page is http://www.blah.com/foo/ try downloading http://www.blah.com/foo.web .
Author: Daragh Malone <daragh_malone@ACCURIS.IE>
Compromise: Obtain the livewire application rather than the pages it generates. These may have passwords and other sensitive info stored in them.
Vulnerable Systems: Those running Livewire, in particular DEC UNIX 4.0D running Netscape Enterprise Server 3.0.
Date: 24 April 1998
Exploit & full info: Available here

Many, many, many security holes in the Microsoft Frontpage extensions
Description: There are many horrible security holes in the Microsoft Frontpage extensions. For example, you can list all files in directories on FP enabled sites, you can download password files on many of them, and a lot of FP sites even let you UPLOAD your own password files (!).
Author: pedward@WEBCOM.COM
Compromise: Break into user accounts on a web server (remote)
Vulnerable Systems: Those running the Frontpage server extensions. Some of the vulnerabilities are UNIX only while others also work against WindowsNT sites.
Date: 23 April 1998
Exploit & full info: Available here

Overflows in Solaris ufsdump and ufsrestore binaries
Description: Standard buffer overflow (in device name passed as arguments)
Author: Seth McGann <smm@WPI.EDU>
Compromise: Get UID of tty (local)
Vulnerable Systems: Solaris 2.6/SPARC, opinions differed on whether 2.6/X86 is vulnerable.
Date: 23 April 1998
Exploit & full info: Available here

OpenBSD (and others) lprm overflow
Description: There is a subtle overflow in the pointer arithmetic in copying a command string to a buffer.
Author: Niall Smart <rotel@indigo.ie>
Compromise: root (local)
Vulnerable Systems: OpenBSD 2.2 and earlier, some versions of FreeBSD, NetBSD
Date: 23 April 1998
Notes: This is an excellent description of the problem. Also congratulations go to Niall Smart for finding this bug in the heavily audited OpenBSD codebase.
Exploit & full info: Available here

qcam overflows
Description: several qcam apps as well as libqcam seem to have rather obvious security holes when installed setuid root.
Author: bst@INAME.COM
Compromise: root (local)
Vulnerable Systems: Those running qcam, sqcam, xqcam, SANE-0.67. Mostly Linux boxes, perhaps BSD.
Date: 20 April 1998
Exploit & full info: Available here

lprm Linux/BSD/Solaris Overflow
Description: The lprm program on some machines has a standard overflow in the name you feed it to remove a job from a remote printer
Author: Chris Evans <chris@FERRET.LMH.OX.AC.UK> posted this problem to BugTraq, it turns out that the OpenBSD folks (probably Theo De Raadt) fixed the problem in 1996.
Compromise: root (local)
Vulnerable Systems: RedHat Linux 4.2 and 5.0, Solaris 2.6, Some *BSD variants vulnerable, but most fixed it 6 months to two years prior to this notice
Date: 18 April 1998
Exploit & full info: Available here

Nestea "Off By One" attack
Description: A popular attack against Linux boxes
Author: John McDonald <jmcdonal@UNF.EDU>
Compromise: Stupid remote DOS attack
Vulnerable Systems: Linux 2.0.33 and earlier, PalmOS, HP Jet Direct printer cards, some 3COM routers, Magnum 5000 Ethernet switch, Some Windows boxes, perhaps others
Date: 17 April 1998
Notes: I have appended the original Linux code, a BSD port, an improved Linux version, and a few other messages on the topic.
Exploit & full info: Available here

Overflow in Microsoft Netmeeting
Description: Standard overflow
Author: DilDog <dildog@L0PHT.COM>
Compromise: remotely execute arbitrary commands on the machine of a windows/netmeeting user (the user must click on your netmeeting .conf file)
Vulnerable Systems: Windows boxes running Micro$oft Netmeeting V. 2.1
Date: 16 April 1998
Notes: For a lot more information on this exploit, including a short windows overflow tutorial, see http://www.cultdeadcow.com/cDc_files/cDc-351/ .
Exploit & full info: Available here

MGE UPS serious security holes
Description: Standard security holes are plentiful in the MGE UPS software
Author: Ryan Murray <rmurray@PC-42839.BC.ROGERS.WAVE.CA>
Compromise: root (local)
Vulnerable Systems: Those running vulnerable versions of MGE UPS software. It apparently runs on Solaris, AIX, SCO, etc.
Date: 12 April 1998
Exploit & full info: Available here

Major holes in IRIX IPX tools
Description: Sigh, IRIX was trivial to root before, but now thanks to their IPX tools it is even easier. We are talking blatant system() calls here! The story in this message is rather pathetic.
Author: Fabrice Planchon <fabrice@MATH.PRINCETON.EDU>
Compromise: root (local)
Vulnerable Systems: IRIX 6.3, perhaps earlier versions.
Date: 8 April 1998
Exploit & full info: Available here

Overflows in various Macintosh mail clients.
Description: Standard overflows.
Author: Chris Wedgwood <chris@CYBERNET.CO.NZ>
Compromise: DOS attack at least, there is at least a possibility of remote code execution (I've never seen this done on a Mac though).
Vulnerable Systems: Macintosh boxes running Stalker Internet Mail Server V.1.6 or AppleShare IP Mail Server 5.0.3 SMTP Server
Date: 8 April 1998
Exploit & full info: Available here

Multiple Vulnerabilities in BIND named
Description: There are a number of security holes in some bind 4.9 and 8 releases. One is a remote-root exploit that works if fake-iquery is enabled, the other two are DOS attacks
Author: Unknown
Compromise: root (remote)
Vulnerable Systems: Those running BIND 8 prior to 8.1.2 or BIND 4.9 prior to 4.9.7.
Date: 8 April 1998
Exploit & full info: Available here

BSDI tcpmux DOS
Description: Apparently BSDI 2.0, 2.1, 3.0, and 3.1 servers with tcpmux enabled can be crashed with a fast portscanner.
Author: Mark Schaefer <marks@SHELL.FLINET.COM>
Compromise: DOS attack
Vulnerable Systems: BSDI 2.0, 2.1, 3.0, and 3.1 with tcpmux enabled and without patch M310-009
Date: 7 April 1998
Notes: Note the portscanner he used -- my nmap.
Exploit & full info: Available here

TTCP spoofing problem
Description: Apparently TTCP allows commands to be executed before the full 3-way handshake has been completed. This means an attacker can set up a malicious connection without the trouble of TCP sequence prediction.
Author: Vasim Valejev <vasim@DIASPRO.COM>
Compromise: Exploit trust relationships, avoid logging, all the other benefits that come with "classical" TCP sequencing attacks.
Vulnerable Systems: Those implementing T/TCP (rfc1644). Perhaps FreeBSD allows this attack?
Date: 7 April 1998
Exploit & full info: Available here

Yet another SGI pfdispaly CGI hole
Description: As has been demonstrated many times, SGI CANNOT write secure CGI scripts. Nor can they write secure setuid programs. They fixed the last pfdisplay.cgi hole, but the new version is still quite buggy -- as this post demonstrates.
Author: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
Compromise: run arbitrary commands remotely as the UID running the webserver
Vulnerable Systems: SGI IRIX 6.2 using the performer_tools CGIs.
Date: 7 April 1998
Notes: I honestly believe default SGI security is as bad as default Windows NT security. That is sad.
Exploit & full info: Available here

ICQ Spoofer
Description: The ICQ protocol is poorly designed and leads to a number of problems. Included in this message is an ICQ spoofer in C, a Perl version, and an ICQ flooder. A sniffer is also included.
Author: Seth McGann <smm@WPI.EDU> and others
Compromise: Harass ICQ users to no end :).
Vulnerable Systems: People running ICQ, mostly windows users. There is probably a Mac client too.
Date: 6 April 1998
Notes: All the code is somewhat jumbled together -- I'm sure you can figure it out.
Exploit & full info: Available here

RedHat 5 metamail hole
Description: Many mail clients, MTA's, etc. are poorly written and can interpret mail in ways that lead to security holes. One of the bugs in this message demonstrates a way to execute arbitrary commands by sending mail to a Redhat 5 user. The bug is in metamail script processing of MIME messages.
Author: Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
Compromise: potential root (remote). The victim must read the mail with Pine (or something else that calls metamail).
Vulnerable Systems: RedHat 5, other linux boxes with vulnerable metamail script.
Date: 5 April 1998
Exploit & full info: Available here

Eudora 3.0 and 4.0 DOS
Description: Eudora will crash if it tries to receive an email with an attachment that has a filename of at least 233 characters.
Author: whiz <whizpig@TIR.COM>
Compromise: Stupid DOS attack
Vulnerable Systems: Windows users running Eudora Pro 4.0 or 3.0
Date: 29 March 1998
Exploit & full info: Available here

Another WinGate hole -- this time with the LogFile service
Description: The WinGate Logfile service basically puts up a web server on port 8010 giving full read access to the victim's hard drive(!)
Author: HKirk <hkirk@tech-point.com>
Compromise: Remote read access to a Wingate user's hard drive
Vulnerable Systems: Windows users who run Wingate. This program is a huge security hole, a much better (cheaper, more secure, more robust, better performing) solution is to install a Linux gateway with IP masquerading.
Date: 29 March 1998
Exploit & full info: Available here

Majordomo tmpfile bug
Description: Standard tmpfile problem
Author: Karl G - NOC Admin <ovrneith@tqgnet.com>
Compromise: Any user on a system running majordomo can append arbitrary data to any file owned by the majordomo account.
Vulnerable Systems: Those running majordomo. This runs on a ton of systems (Solaris, Linux, IRIX, etc.).
Date: 26 March 1998
Exploit & full info: Available here

Overflows in the MesaGL OpenGL implementation
Description: There are many overflows in this library, one of which can be used to compromise xlock in some cases
Author: bjorn smedman <bs@ODEN.SE>
Compromise: root (local)
Vulnerable Systems: This exploit is for FreeBSD 2.2.5 although other OSes that use MesaGL are likely to be vulnerable.
Date: 24 March 1998
Exploit & full info: Available here

dot bug in MS Personal Web Server
Description: IIS 3.0 had a bug which allowed ASP source to be downloaded by appending a . to the filename. That was eventually fixed by MS but they didn't fix the same hole in their Personal Web Server.
Author: Lynn Kyle <lynn@RAINC.COM>
Compromise: Read ASP file source, could contain passwords, etc.
Vulnerable Systems: Those running vulnerable version of MS Personal Web Server
Date: 22 March 1998
Exploit & full info: Available here

Linux Mailhandler overflow
Description: the Mailhandler (mh) ver 6.8.4-5 has an overflow relating to the SIGNATURE environmental variable. I think RedHat 5 among other distributions are vulnerable.
Author: Catalin Mitrofan <md@LSPVS.SOROSIS.RO>
Compromise: root (local)
Vulnerable Systems: Those running mh version 6.8.4-5 suid.
Date: 21 March 1998
Exploit & full info: Available here

Another MSIE 4.0 overflow
Description: Standard overflow, this one can almost certainly be exploited by a malicious page to run arbitrary code on a user's system.
Author: Georgi Guninski <guninski@hotmail.com>
Compromise: Run arbitrary code on the machines of Windows users connecting to your web page.
Vulnerable Systems: Windows 95/NT running MSIE 4.0. Perhaps even the Solaris version is vulnerable, though I've never seen anyone run it.
Date: 20 March 1998
Exploit & full info: Available here

Win95 "save password" nonsense
Description: Win95 offers dialup users to save their RAS credentials by checking a box when dialing in. Security minded folks generally decline. However, Microsoft saves the password anyway!
Author: Aleph One <aleph1@DFW.NET>
Compromise: Obtain cleartext passwords for dialup accounts. On NT you can sometimes retrieve the lanman and NT hashes (which you can then run a cracker on).
Vulnerable Systems: Windows95, NT.
Date: 20 March 1998
Notes: In some cases information on the last SEVERAL logins are stored without permission (!)
Exploit & full info: Available here

Irix pfdispaly CGI hole
Description: Standard .. read-any-file CGI exploit.
Author: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
Compromise: Read any file (remotely) that user nobody (or whatever web server runs as) can read.
Vulnerable Systems: IRIX 6.2 with performer_tools.sw.webtools (Performer API Search Tool 2.2) installed, check for /var/www/cgi-bin/pfdispaly.cgi.
Date: 17 March 1998
Exploit & full info: Available here

LinCity and Conquest Game overflows
Description: Typical buffer overflows
Author: bst@INAME.COM
Compromise: root (local)
Vulnerable Systems: Those running vulnerable versions of LinCity or Conquest setuid (dumb!). This is mostly Linux boxes.
Date: 16 March 1998
Exploit & full info: Available here

Ascend Router Insecurities
Description: There is a flaw in the Ascend router OS which allows the machines to be crashed by certain malformed UDP probe packets. Also the routers have a default SNMP "write" community which allows attackers to download the entire Ascend configuration file.
Author: "Secure Networks Inc." <sni@SECURENETWORKS.COM>
Compromise: Download sensitive ascend configuration information (passwords, etc.) plus a remote DOS attack to take out the router.
Vulnerable Systems: Ascend Pipeline and MAX routers including OS release 5.0Ap42 (MAX) and 5.0A (Pipeline).
Date: 16 March 1998
Notes: Whee! We've got C exploit, CAPE exploit, IPsend exploit, and a Perl exploit!
Exploit & full info: Available here

Even more IE 4 bugs
Description: 3 bugs which range in severity from crashing Internet Explorer to crashing all of windows. These can be put on malicious web pages to take out the IE users.
Author: Aleph One <aleph1@DFW.NET>
Compromise: Stupid DOS attack
Vulnerable Systems: Win95/WinNT running Internet Explorer 4.01 (perhaps earlier)
Date: 16 March 1998
Exploit & full info: Available here

Insecure scripts that come with RedHat 5.0 (and other OS's)
Description: The scripts named in this message have standard insecure tmpfile bugs. If someone can predict when these will be run (like if they are in cron) then they can generally overwrite files of the person running the command (could be root).
Author: Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
Compromise: Potential for root compromise
Vulnerable Systems: Specifically this list is for RedHat 5 although many other Linux systems and probably some *BSD systems are vulnerable.
Date: 14 March 1998
Exploit & full info: Available here

MDaemon/SLMail Mail server overflows
Description: Most Windows servers in general seem to have horrific security. Here is info on overflows in the MDaemon SMTP/Pop Server and the Seattle labs server. Many Macintosh servers also have these problems, and even UNIX isn't always immune to poor coding.
Author: Alvaro Martinez Echevarria <alvaro-bugtraq@LANDER.ES>
Compromise: Crash the server, perhaps arbitrary code could be executed.
Vulnerable Systems: Windows boxes running a vulnerable version of MDaemon, Seattle Labs SLMail, and several other crappy Windows servers.
Date: 11 March 1998
Exploit & full info: Available here

Solaris 2.6 printd tmpfile problem
Description: Standard insecure tmpfile hole
Author: Silicosis <sili@l0pht.com>
Compromise: unprivileged users can overwrite and create system files and print files they shouldn't be able to read.
Vulnerable Systems: Solaris 2.6
Date: 11 March 1998
Exploit & full info: Available here

Another TMPfile problem in updatedb script
Description: updatedb creates a tmp file in /tmp, moves it to /var/lib/locatedb, then chowns it to root. The race condition is clear.
Author: Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
Compromise: root (local)
Vulnerable Systems: RedHat 5.0, perhaps other systems such as FreeBSD using updatedb.
Date: 6 March 1998
Exploit & full info: Available here

info2www CGI hole
Description: Another dumb cgi blindly using the (magical) perl open()
Author: Niall Smart <njs3@DOC.IC.AC.UK>
Compromise: execute arbitrary commands as web server's UID (remote)
Vulnerable Systems: Those running a vulnerable version of the info2www CGI
Date: 3 March 1998
Exploit & full info: Available here

X11Amp playlist bug
Description: When installed SUID root (as suggested in the README), X11Amp creates ~/.x11amp insecurely with root privs. Oops! There are very likely to be many more security bugs in X11Amp. The performance hit of making it suid is probably not worth the security risk (IMHO).
Author: viinikala <kala@DRAGON.CZ>
Compromise: root (local)
Vulnerable Systems: Those running a vulnerable version of X11Amp (.65 and prior) suid. Mostly Linux boxes.
Date: 28 February 1998
Exploit & full info: Available here

updatedb on Redhat
Description: RedHat Linux updatedb/sort insecure tmpfiles
Author: viinikala <kala@DRAGON.CZ>
Compromise: become user 'nobody' via updatedb (or root on a really old distro of RedHat) (local)
Vulnerable Systems: Redhat Linux (presumably 5.0) is very vulnerable due to updatedb calling sort regularly, many other systems (such as Solaris) have an insecure sort. Also FreeBSD 2.2.2 is apparently vulnerable to the same updatedb problem.
Date: 28 February 1998
Notes: Dave Goldsmith may have found this first, although I cannot currently access his website for more info.
Exploit & full info: Available here

4.4BSD mmap() vulnerability
Description: A 4.4BSD problem allows a read-only descriptor to a char device to be mmap()ed in RW mode. This can allow group kmem to become root and root to lower the system secure-level.
Author: Theo de Raadt and Chuck Cranor
Compromise: User kmem -> root -> modify secure-level -> delete audit trail and load evil kernel mods.
Vulnerable Systems: OpenBSD 2.2 and below, FreeBSD 2.2.5 and below, BSDI 3.0 and NetBSD.
Date: 26 February 1998
Notes: This is an excellent advisory, I wish other groups and people would use a full-disclosure, detailed, and well organized format like this.
Exploit & full info: Available here

ZIP disk password recovery
Description: ZIP disk passwords provide very little security. Here is a way to bypass their silly little "passwords". If you wish to secure your data, ENCRYPT IT!
Author: <mentzy@ath.forthnet.gr>
Compromise: Full access to password-protected Iomega ZIP disks.
Vulnerable Systems: People relying on the password protect feature of the ZIP drive.
Date: 26 February 1998
Exploit & full info: Available here

Various gaping security holes in QuakeII (and Quake I and QuakeWorld
and
Quake Client).
Description:These games by ID software are absolutely riddled with
glaring
security holes and no one should even CONSIDER running them (or any
other
game for that matter) on a machine that is supposed to be secure. I
have
stuffed a bunch of quake exploits in this one section although there
is
one Quake II server hole I will treate separately later.
Author:kevingeo@CRUZIO.COM and others
Compromise:root (remote)
Vulnerable Systems:Those running pretty much any version of quake by
id
software, the client or server. Quake runs on many Linux boxes as well
as
Win95/NT.
Date:25 February 1998
Exploit & full info:Available here
Squid access control problem
Description:The squid http proxy allows an administrator to specify
banned
sites. Unfortunately, users can get around this by using URL hex
escapes
or specifying an IP address.
Author:"Vitaly V. Fedrushkov" <willy@CSU.AC.RU> and Mauro Lacy
<mauro@INTER-SOFT.COM>
Compromise:Bypass some squid access restrictions.
Vulnerable Systems:Those relying on squid access restrictions to keep
students, employees, etc. from undesireable sites.
Date:23 February 1998
Exploit & full info:Available here
Solaris /usr/dt/bin/dtappgather symlink problem.
Description:Standard symlink problem allows arbitrary files to be
chowned
the the attacker's UID.
Author:Mastoras <mastoras@PAPARI.HACK.GR>
Compromise:root (local)
Vulnerable Systems:Solaris 2.5,2.5.1 running CDE version 1.0.2 with
suid
/usr/dt/bin/dtappgather
Date:23 February 1998
Exploit & full info:Available here
Foolproof stores cleartext passwords in memory
Description: Foolproof security can be completely subverted by using a memory dumper/editor and finding the password sitting there in plaintext right after the string FOOLPROO . Of course, I have never seen a system that CAN secure Win95. The true solution is to upgrade to a decent OS that doesn't allow unprivileged users full access to the disk/memory/etc. I humbly suggest Linux, FreeBSD, OpenBSD, or Solaris.
Author: Mark M Marko <john__wayne@JUNO.COM>
Compromise: Break into Win95 machines protected by Foolproof.
Vulnerable Systems: Anyone relying on Foolproof for security on systems where users can manage to execute arbitrary commands (very difficult to prevent).
Date: 21 February 1998
Exploit & full info: Available here
Named Pipe attack
Description: This is not really an "exploit" per se, but just a note about the possibility of exploiting programs that open files insecurely. The usual attack is something like 'ln -s /etc/passwd /tmp/prog.lock'. Solar Designer's excellent symlink kernel patch stops most of that nonsense. Here the attack uses named pipes to modify the data in the file and feed it back to the app.
Author: Michał Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
Compromise: Exploit potential for some insecure file opens and reads (such as gcc 2.7.2)
Vulnerable Systems: general UNIX feature
Date: 20 February 1998
Exploit & full info: Available here
Radius spaces-in-password DOS attack.
Description: A number of Radius implementations will crash if the right number of spaces are appended to a username.
Author: "Phillip R. Jaenke" <prj@NLS.NET>
Compromise: Stupid DOS attack
Vulnerable Systems: Several UNIX and NT radius implementations including Livingston 1.16 to 2.01, RadiusNT v2.x, and merit radius 2.4.23C
Date: 20 February 1998
Exploit & full info: Available here
NT Login DOS
Description: Uh-Oh! NT isn't correctly checking its input. By sending an SMB logon request with an incorrect data length field you can blue screen the NT box.
Author: "Secure Networks Inc." <sni@SECURENETWORKS.COM>
Compromise: Yet another NT DOS attack
Vulnerable Systems: Windows NT 4.0 up to and including Service Pack 3
Date: 14 February 1998
Notes: It shouldn't be hard to write a quick exploit for this. Any volunteers? Just hack SAMBA login request code and experiment with different data lengths. If you do write one, please mail it to me (fyodor@insecure.org).
Exploit & full info: Available here
Wingate telnet redirection
Description: A somewhat common technique for attackers is to install "telnet redirectors" on a system they have compromised. This allows them to telnet to the redirector and then telnet out from there anonymously, masking their true point of origin. These attackers no longer need to bother with penetrating systems, as the Wingate includes anonymous telnet redirection as a feature enabled by default! Just telnet to port 1080 or 23 and then telnet right back out to wreak havoc on the internet. And don't worry, it doesn't (by default) log anything! <sigh>
Author: Alans other account <alanb@MANAWATU.GEN.NZ>
Compromise: Intruders can mask their true point of origin by going through Wingate
Vulnerable Systems: Windows boxes running Wingate
Date: 11 February 1998
Notes: Many thanks to Dairo Bel <dairo@akrata.org> for translating his Spanish article on Wingate and sending it in! Also note that you can use nmap, a network portscanner I wrote, to locate hosts on your network that are running Wingate.
Exploit & full info: Available here
Windows share passwords are right there in the registry and poorly encrypted
Description: Share encryption is by a simple XOR and the passwords are stored in registry entries such as SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\Parm1enc .
Author: a42n8k9@redrose.net
Compromise: With local access to a windoze box you can determine the read-only and full access passwords to the file system/printer/etc. Also these passwords might be the same as for more important access (ie to company servers).
Vulnerable Systems: Windoze 95, NT
Date: 9 February 1998
Exploit & full info: Available here
Poor authentication used with NT domain controllers for authenticating SMB requests.
Description: There are a number of problems with the way NT implements authentication of clients accessing an smb fileshare.
Author: Paul Ashton <paul@ARGO.DEMON.CO.UK>
Compromise: Learn a user's password, and cause other mischief
Vulnerable Systems: Windows NT 4.0 and 3.51
Date: 6 February 1998
Notes: This probably won't be fixed anytime soon.
Exploit & full info: Available here
NT port binding insecurity
Description: UNIX does not allow normal users to bind ports < 1024. NT apparently has no such concept of privileged ports. It even allows users to bind ports in use by the system and sniff or redirect data from them!!!
Author: Weld Pond <weld@L0PHT.COM>
Compromise: Obtain passwords, sniff information, change information before passing it to the real server, spoof UNIX r-services, etc.
Vulnerable Systems: Windows NT 3.51, 4.0
Date: 6 February 1998
Notes: Appended to this message is an SMB redirector which allows local unprivileged users to redirect smb traffic to a remote server so that the local server doesn't even see it. This obviously has quite severe implications.
Exploit & full info: Available here
Poor device permissions on Redhat 4.0/5.0
Description: Lax device perms on RedHat boxes allow unprivileged users to do nasty things such as peeking at the contents of a floppy in your drive or DOS attacks against the system.
Author: Smart List user <slist@cyber.com.au>
Compromise: Local users can read floppy device, be annoying
Vulnerable Systems: RedHat Linux 4.0 and 5.0
Date: 4 February 1998
Exploit & full info: Available here
X11R6.3 Xkeyboard hole
Description: X11R6.3 based Xservers with the XKEYBOARD extension that are setuid can be exploited with the -xkbdir option
Author: Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz>
Compromise: root (local)
Vulnerable Systems: Those systems running a setuid X11R6.3-based Xserver with XKEYBOARD extension (R6.1 is also probably affected). The XFree86 servers that come with many Linux and *BSD distributions are a good example of this.
Date: 3 February 1998
Exploit & full info: Available here
Coredump hole in imapd and ipop3d in slackware 3.4
Description: When fed an unknown username, imapd and ipop3d will dump core in Slackware 3.4. /etc/shadow can be found in the core file.
Author: Peter van Dijk <peter@ATTIC.VUURWERK.NL>
Compromise: Learn the contents of /etc/shadow (which would allow you to crack the passwords and break into other accounts)
Vulnerable Systems: Slackware Linux 3.4 and the imapd in 3.3, possibly others
Date: 2 February 1998
Exploit & full info: Available here
Defeating Solar Designer's Non-executable Stack Patch
Description: A very interesting paper on defeating non-executable stack patches. It goes through the steps needed to exploit the XServer <LONGDISPLAY> hole in Linux even with a non-execute patch.
Author: Rafal Wojtczuk <nergal@ICM.EDU.PL>
Compromise: root (local)
Vulnerable Systems: This just shows (as Solar Designer is well aware) that in some cases the non-executable stack patch can be subverted via sneaky techniques.
Date: 30 January 1998
Notes: Solar Designer's response is in the addendum.
Exploit & full info: Available here
Obtaining Domain Admins access on a LAN
Description: There are problems with the NT domain authentication protocol which allow anyone on a Domain to gain Domain access
Author: Paul Ashton <paul@ARGO.DEMON.CO.UK>
Compromise: Gain Domain Admin Access
Vulnerable Systems: NT 4.0
Date: 28 January 1998
Exploit & full info: Available here
Htmlscript file access bug
Description: Another stupid .. bug.
Author: Dennis Moore <rainking@FEEDING.FRENZY.COM>
Compromise: read any file the web server can read on the remote system.
Vulnerable Systems: Those running htmlscript (distributed by www.htmlscript.com)
Date: 26 January 1998
Exploit & full info: Available here
Quake2 shared library nonsense
Description: Heh, quake2 is suid root and loads shared libraries from the working directory. This exploit overloads _init.
Author: kevingeo@CRUZIO.COM
Compromise: root (local)
Vulnerable Systems: Those running a vulnerable version of QuakeII
Date: 26 January 1998
Exploit & full info: Available here
Microsoft private key recovery
Description: There are a number of flaws in the way Microsoft stores private keys.
Author: Peter Gutmann, pgut001@cs.auckland.ac.nz
Compromise: Obtain a user's private keys which can allow you to intercept their email, digitally sign contracts and agreements (in their name), etc.
Vulnerable Systems: Windoze NT and Win95
Date: 25 January 1998
Notes: This paper is from Peter Gutmann's web site and can be found at: <http://www.cs.auckland.ac.nz/~pgut001/pubs/breakms.txt>
Exploit & full info: Available here
OpenBSD mkfifo DOS attack
Description: You can run the *BSD kernel out of non-pageable memory by making a fifo (via mkfifo) and forking a bunch of processes trying to cat it.
Author: Jason Downs <downsj@DOWNSJ.COM>
Compromise: Crash the system (stupid DOS attack)
Vulnerable Systems: OpenBSD, presumably NetBSD, FreeBSD, BSDI
Date: 25 January 1998
Exploit & full info: Available here
Buffer overflow in the Yapp Conferencing System Version 2.2
Description: standard overflow
Author: satan <satan@FREENET.NETHER.NET>
Compromise: Run arbitrary commands as the uid yapp is running under (often 'yapp').
Vulnerable Systems: This exploit is for x86/Linux. Any other platform running Yapp should be vulnerable.
Date: 20 January 1998
Exploit & full info: Available here
Lotus Domino database security problems
Description: Databases under this system do not correctly inherit ACLs, plus some default database ACLs are set to allow unrestricted access to all web users(!). Thus users can manipulate the files remotely.
Author: mattw <mattw@L0PHT.COM>
Compromise: manipulate server configuration files remotely
Vulnerable Systems: Those running vulnerable versions of Lotus Domino
Date: 20 January 1998
Exploit & full info: Available here
ssh-agent RSA authentication problem
Description: SSH doesn't check permissions on credential files enough, so users can trick ssh into using the credentials of other users.
Author: "Secure Networks Inc." <sni@SECURENETWORKS.COM>
Compromise: Trick ssh into using the credentials of another user when you login to a remote server.
Vulnerable Systems: Those running ssh (setuid) on multiple-user systems where RSA authentication is being used.
Date: 20 January 1998
Exploit & full info: Available here
Mail Handler 6.8.4 overflow
Description: standard overflow
Author: Cesar Tascon Alvarez <tascon@enete.gui.uva.es>
Compromise: root (local)
Vulnerable Systems: Those running Mail Handler 6.8.4 (and presumably earlier versions). Redhat 5.0 is affected.
Date: 19 January 1998
Exploit & full info: Available here
Exploit for the gcc tempfile issue
Description: gcc 2.7.2.x (and earlier as far as I know) creates temporary files in /tmp which will follow symlinks and allows you to clobber the files of the person running gcc
Author: Michał Zalewski <lcamtuf@boss.staszic.waw.pl>
Compromise: Overwrite files owned by the user running gcc (possibly root)
Vulnerable Systems: Those running gcc 2.7.2.x; this includes most linux and *BSD boxes. Many admins of Solaris boxes have also added gcc. This problem is finally fixed in gcc 2.8.0
Date: 16 January 1998
Notes: This has been mentioned before on Bugtraq but this is the first actual exploit I've seen.
Exploit & full info: Available here
Overflow in MS PWS
Description: typical buffer overflow
Author: Gurney Halleck <gurneyh@ix.netcom.com>
Compromise: Crash the personal web server (it is also possible that you could be able to execute arbitrary code remotely)
Vulnerable Systems: Those running MS Personal Web Server (pws32/2.0.2.1112), it is apparently packaged with FrontPage 97.
Date: 15 January 1998
Exploit & full info: Available here
DOS against realvideoserver by Progressive Networks
Description: Another DOS attack
Author: Rootshell
Compromise: remotely crash Progressive Networks Real Video Server
Vulnerable Systems: those running Progressive Networks Real Video Server. This includes the Linux version and the NT version
Date: 15 January 1998
Exploit & full info: Available here
mk: URL overflow in Internet Explorer 4.0
Description: Another Internet Explorer overflow, this time in the mk: URL type
Author: DilDog <dildog@L0PHT.COM>
Compromise: run arbitrary code on the machines of IE users who visit your page
Vulnerable Systems: Microsoft Internet Explorer 4.0 and 4.01, Outlook Express, Windows Explorer (it is an explorer library problem)
Date: 14 January 1998
Exploit & full info: Available here
inode count integer overflow in Linux kernel
Description: Member i_count in struct inode of the Linux kernel is an unsigned short, which can be overflowed by mapping one file more than 65535 times.
Author: <Jan.Kotas@acm.org>
Compromise: root (local)
Vulnerable Systems: Linux, probably versions up to 2.0.31 (or so)
Date: 14 January 1998
Exploit & full info: Available here
DOS attack on backoffice viewcode.asp
Xserver overflow in the display command-line argument
Buffer overflow in the 'deliver' mail delivery program
Sendmail 8.8.8 HELO problem
A problem in Amanda backup software V. 2.3.0.4
Buffer overflow in the cidentd authlie file
Microsoft FrontPage server extensions file permissions problems
routed trace file exploit
NT/Win95 8.3 webserver exploit
Netware NFS compromise
Screen cloaking 'feature'
Holes in Apache prior to 1.2.5
The "Bonk" NT/Win95 fragmentation attack
ccdconfig sgid kmem BSD exploit
AIX mount vulnerability
DOS attack on XTACACS servers
Vsyslog overflow in Linux libc 5.4.38
MIRC worm bug
Overflow in Livingston RADIUS 1.16 and derived code
EWS (Excite for Web Servers) CGI hole
WordPerfect 7 filepermission problems
ICQ so-called protocol
Sun ^D DOS attack
gethostbyname() overflow in glibc
Cisco password overflow
Firewall1 smtpd open access vulnerability
Dillon crontab 2.2 overflow
mIRC crash via new socket feature
Overflow in cgiwrap-3.5 and 3.6beta1
Xscreensaver problem
Long filesystem paths
Sendmail file-as-username problem
BSD Termcap overflow
Xyplex terminal login problems
Solaris 2.5.1 automount hole
Common XDM and CDE insecurity
NT RAS Point to Point Tunneling Protocol hole
Solaris Statd exploit
XFree86 (and apparently other X11R6 XC/TOG derived servers) -config
The LAND attack (IP DOS)
Symlink problems with fstab and advfsd in OSF1
Kernel Buffer Overflow in the ISDN subsystem
Core file problem with Digital Unix 4.0
Terminal hijacking via pppd
Linux and Windows IP fragmentation (Teardrop) bug
Redhat 4.2 X11 /tmp/.X11-unix permissions problem
Overflow in suidperl 5.003
Digital Unix xterm overflow
Slackware lizards suid-root problem
Security Dynamics FTP server core problem
Core bug in the Security Dynamics ftp server
Cybercash 2.1.2 insecurities
Cisco password decryption
Exchange & Outlook client extensions problem
Security hole in iCat Carbo Server 3.0
BRU (Backup and Recovery Utility) poor permissions
Intel "f00f" Pentium bug
Attachments to Office files not encrypted
Kerberos $KRBTKFILE hole
Kerberos KRBTKFILE ticketfile vulnerability
ftp mget vulnerability
Micro$oft Internet Explorer 4 res:// overflow bug
Security holes in Metamail
BSD color_xterm xlib overflow
BSDI exploit for color_xterm and kterm
AIX xdat overflow
Gather all mailing list members through SMTP expn command
in.telnetd tgetent buffer overflow
Kill syslogd remotely on solaris boxes
Overflow in the Ideafix development environment
NT Syscalls insecurity
NT SetThreadPriority() hole
PHP mlog.html and mylog.html vulnerabilities
open() on BSD succeeds and cedes valid fd with the argument "-1"
Bad registry permissions on NT allows users to defeat security
Spy on IE users' files
Count.cgi remote overflow
MS exchange/service user problems
Overflow in Seattle Lab Sendmail v2.5
Micro$oft's attempt at FrontPage 98 server-side extensions for Apache
Count.cgi hole
imapd core hole
SNMP holes in Windoze NT 4.0
DNS Games
xsecurekeyboard problem
Redhat Linux 4.2 printfilter problems
JetDirect printer card problem
mSQL authentication holes
Samba Remote buffer overflow
kerneld auto-load of modules requested by unprivileged users
M$ IIS 3.0 newdsn.exe problem
HP/UX newgroup hole
Oracle webserver insecurities
ARP and ICMP redirection games
Asynchronous I/O signal handling
wu_ftpd recursive nlist DOS
AIX bugfiler hole
CC:Mail password vulnerability
SunOS rlogin overflow
Uploader.exe insecurity
Pico symlink vulnerability
Linux exploit code for the already known buffer overflow in sperl
Pathetic hole in HP/UX 10.20 CUE
Hole in the vacation program
Hole in the vacation program
MAC tcp stack syn problem
Security problems in CVS
Overwrite people's files through IE3 with malicious forms
Eggdrop set owner vulnerability
Linux setrlimit and sysctl integer overflows
syslogd spoofing
UNIX Oracle stores "system" account passwords in plaintext
Check for existence of files on systems running mountd
A perl eval error in majordomo allows remote execution of arbitrary
SPOOLSS.EXE memory leak
Overflow in bash's PS1 (promptline) and a neat overflow program
root bug in IRIX game spaceware
Write to arbitrary files (owned by your UID) from pine
DG/UX in.fingerd hole
lpr LIBC RETURN exploit
*BSD procfs forc() mem device hole
NT LSA secrets
Trivial "encryption" (obfuscation) in ws_ftp.ini
The VERY popular imapd remote overflow
Popper and qpopper symlink hole
Block reserved ports with XFree86
Vulnerability with -C in *IBM's* version of sendmail
SGI NIS Domain Name disclosure
Internet Explorer keeps a record of every page you've visited since it
Hole in the *BSD implementation of rfork()
SSH localforward vulnerability
Another stupid SGI hole
WINS nameservice (137/UDP) flood DOS attack
Remote INND buffer overflow exploit
mSQL overflow and poor hostname authentication checks
Overflow in Mailhandler 6.8.3
request-route script tempfile symlink problem.
NT file execution path
Solaris dtlogin core vulnerability
NT chargen flood DOS
Expect password spy vulnerability
AIX /usr/sbin/lchangelv overflow
AIX /usr/bin/X11/xlock exploit
Exim ~/.forward :include: overflow
AIX ping overflow
Routed broadcast ping DOS attack
ld-linux.so.1.9.2 overflow
JavaWebServer viewable source bug
campus cgi hole
L0phtcrack 1.5 Lanman / NT password hash cracker
Overflow in solaris passwd (and yppasswd and nispasswd)
WebGais forgot to strip single quotes in query string ... Oops!
NT fragmentation attack
Overflows in libxview
snprintf(3c) redefined by libdb-1.85.4
SunOS 4.x overflows! This example is for xterm
NT case insensitive filename problems
websendmail cgi hole
The ever popular getadmin exploit
Another BSD & Linux lpr overflow
Glimps HTTP evil inadequate evil char filter
ircd overflow DOS
Linux smbmount buffer overflow
Many RAS Service packet filtering rules are insecure.
ULTRIX 4.4 dxterm file linking hole
Ascend MAX 4000 IP address theft flaw
Solaris local ping DOS attack
4.4BSD procfs hole
Linux imapd remote overflow
Obtain unauthorised list of mailing lists from majordomo 1.94.1
Obtain an interactive shell through lynx
M$ IIS DOS long URL vulnerability
Inetd udp port spoofing DOS attack
B-DASH 0.31 $HOME overflow
BSDI 3.0 symlink hole
IRIX fails to correctly patch /cgi-bin/handler exploit
zgv $HOME overflow
Buffer overflows in the listserv mailing list manager.
BSDI 3.x corefile problem
Solaris root socket descriptor bug
symlink problem in mj_key_cache program
Seyon calls system(xterm), Krad!
Netscape gives away user's files!
Shotgon 1.1b overflows
IRIX handler cgi hole
poison the DNS cache by returning a bogus IP as a CNAME for a real
sshd and rshd leak usernames.
qmail rcpt DOS attack
QMAIL DOS attack #1
NT password replacement program
Another way to crash NT DNS server.
AIX 4.2 HOME environmental variable overflow
cgi-bin/test-cgi allows arbitrary remote file listing
Solaris rpcbind listens on undocumented high UDP port
Trojan in fake v1.2b version of the AtlantiS IRC script
Microsoft's Win95 stores your password in plaintext in the system
X11R6 library GetDatabase vulnerability
IRIX /usr/sbin/printers and /usr/bin/X11/xterm overflows
Buffer overflow in /usr/sbin/iwsh for Irix 5.3
Overflows in IRIX /usr/sbin/X11/xconsole, /usr/sbin/X11/cdplayer,
IRIX /bin/login overflow
Overflow in IRIX /usr/lib/desktop/permissions
AIX lquerylv overflow
3 More IRIX buffer overflows, courtesy of LsD
cfingerd search username vulnerability
PMDF 5.107 debug mode vulnerability
Macintosh At Ease Apple Share automated login "feature"
AIX 4.2 /usr/dt/bin/dtterm buffer overflow
SunOS 4.1.4 crashes when (l)users read /dev/tcx0
Data Buffer overrun in Solaris 2.5.1, 2.5.0 in ps and chkey
Program for exploiting data overrun conditions
IRIX stupid xhost + default
Failure of Solaris and old BSD versions to honor the filesystem
Assorted IRIX WWW vulnerabilities
Ascom Timeplex Router Backdoor
IRIX default guest account
LibXt XtAppInitialize() overflow *xterm exploit.
HP/UX 10.X /var/tmp/outdata symlink hole
Elm 2.3 and 2.4 curses overflow
IRIX sadc symlink vulnerability
Socks5 symlink bug
IRIX addnetpr race condition
Windows NT/95/3.11 Out Of Band (OOB) data barf
IRIX rmail system() and LOGNAME hole
IRIX inpview hole
IRIX webdist CGI vulnerability
IRIX xfsdump hole
IRIX crontab problems
A bunch of IRIX holes found by Yuri Volubuev
KDE unsecured TCP socket vulnerability
Failed logouts in Windows NT and '95
Solaris lp and lpsched symlink vulnerabilities
CERN httpd server authorization bypass
FreeBSD exploits for the Perl 5.003 (and earlier) overflow bug.
Narf NT usernames from an untrusted NT Domain Controller
Sperl 5.003 hole
NCSA PHP/FI CGI *2 HOLES*
WU-FTPD core dump vulnerability (the old patch doesn't work)
RedHat 4.1 amd-920824upl102-6.i386.rpm nodev hole.
NT 4.0 Stupid default SMB mount permissions
/usr/bin/filter NLSPATH buffer overflow
Novell Netware PERL.NLM vulnerability
AIX LC_MESSAGES /usr/sbin/mount and /bin/host holes
XFREE86 Console Hacking
NT crash via extra long username in Winpopup
Windows NT NTLM Auto-Authentication
Linux inetd port theft vulnerability
ELM NLSPATH overflow
Win95 Cleartext SMB authentication hole
Linux tftpd vulnerability
Solaris /bin/fdformat overflow sploit
Windows NT password hash retrieval
Sendmail 8.8.[34] dead.letter exploit
Linux SuperProbe vulnerability
ANOTHER pathetic IIS 3.0 vulnerability
Buffer overflow in AOL Instant Messenger 1.7.466
WinNT/Win95 Automatic Authentication Vulnerability (IE Bug #4)
INND header control characters hole
SCO Openserver 5 expired password hole
Many Windows FTP servers are not very robust
A collection of 6 Internet Explorer bugs
Irix netprint vulnerability
xdm UNIX Ware exploit
Linux Doom sndserver vulnerability
Doom killmouse/startmouse vulnerability
Modstat exploit
dataman/cdman hole
Solaris chkperm vulnerability
IRIX suid_exec hole
HP/UX chfn bug
IRIX fsdump hole
IRIX /usr/etc/LicenseManager hole
IRIX /usr/bin/X11/cdplayer hole
Solaris gethostbyname() exploit
Digital Unix /usr/tcb/bin/dxchpwd hole
Sendmail HUP bug
More SOD HP/UX RemWatch vulnerabilities
SOD HP/UX /tmp/fpkg2swpk bug
SOD /usr/diag/bin/[cm]stm buffer overflow
(Another) SOD HP/UX RemoteWatch hole
IRIX systour package security holes
Linux & *BSD lpr holes
Ping of Death
Solaris /usr/bin/solstice bug
Another hpux ppl bug by SOD
Solaris (and others) ftpd core dump bug
Linux ldt kernel bug
swinstall symlink exploit
HP/UX passwd hole
HP OpenCall SCP /opt/OV/bin/OpC/opcragt exploit
Windows Screensaver bug
HP/UX SOD glance bug
HP/UX ppl symlink problem
Race condition exploit for HP/UX SAM
Sendmail gecos buffer overflow vulnerability
Xt library bug xterm exploit
Linux & *BSD umount holes
HP/UX Rdist exploit
IRIX day5notifier hole
IRIX 5.3 chost vulnerability
setgid Core dumping vulnerability in Solaris 2.4
Solaris admintool and /usr/openwin/bin/kfcs_* tmpfile vulnerabilities
Microsoft IIS '..' hole
DG/UX ospf_monitor vulnerability
Linux sliplogin hole
Rdist buffer overrun (BSD Code)
Novell httpd convert.bas cgi hole
HP/UX Remote Watch hole
suid_perl 5.001 vulnerability
Microsoft Internet Information Server abracadabra.bat bug
xrw bug
test-cgi vulnerability
PC Web site interpreter in cgi-bin directory vulnerability
Solaris /bin/eject Buffer overflow
Solaris 2.5.1 sdtcm_convert hole
Microsoft Active Server Pages IIS server hole
*BSD (and others) SetUID core vulnerabilities
Apache httpd 1.1.3 apache_status vulnerability
Linux NLSPATH libc overflow
sudo.bin exploit for NLSPATH vulnerability
Insecure Solaris default nissetup password table permissions!
AIX powerPC gethostbyname() and /bin/host exploits
AUTOSOFT/RTS holes
IRIX/usr/Cadmin/bin/csetup vulnerability
WebSite v1.1e for Windows NT & 95 buffer overflows
Telnetd Environmental variable passing problem
/cgi-bin/phf vulnerability
Resolv+ Linux library bug
HP/UX sam_exec user vulnerability
xwcreate/destroy vulnerability
Old HPUX subnetconfig vulnerability
Linux lilo vulnerabilities
More HP/UX glance vulnerabilities
This page Copyright © Fyodor 1996, 1997, 1998
DOS attack on backoffice viewcode.asp
Description: You can leave a host running backoffice in a state of not accepting connections by using http://server.com/whetever/viewcode.asp?source=/////////////////<more slashes>///
Author: Anonymous
Compromise: DOS attack against web server
Vulnerable Systems: Those running Microsoft Backoffice with viewcode.asp available
Date: 14 January 1998
Exploit & full info: Available here
Xserver overflow in the display command-line argument
Description: typical overflow, although this one affects a lot of people.
Author: Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz>
Compromise: root (local)
Vulnerable Systems: X11R6 (possibly X11R5) based X servers. This includes XFree86. The servers have to be suid, of course (some systems use XDM and have a non-suid server)
Date: 13 January 1998
Exploit & full info: Available here
Buffer overflow in the 'deliver' mail delivery program
Description: standard overflow
Author: "KSR[T]" <ksrt@DEC.NET>
Compromise: root (local)
Vulnerable Systems: Slackware 2.x, Debian 1.3.1, possibly other Linux distributions. Basically anything running deliver version 2.0.12 and below.
Date: 12 January 1998
Exploit & full info: Available here
Sendmail 8.8.8 HELO problem
Description: By specifying a very long hostname in the HELO command at the beginning of SMTP negotiation, you can cause your real hostname and IP to not be displayed in the header Received: field. This leaves potential for mischief by mail forgers and (unfortunately) spammers.
Author: Michał Zalewski <lcamtuf@boss.staszic.waw.pl>
Compromise: Send forged mail without your IP appearing in the message headers.
Vulnerable Systems: Those running Sendmail 8.8.8 and probably earlier.
Date: 12 January 1998
Exploit & full info: Available here
A problem in Amanda backup software V. 2.3.0.4
Description: According to this advisory (which I haven't verified), attackers can remotely access backed up data on an index server. Also attackers with local access to a machine being backed up can access any other machine or any partition being backed up.
Author: joey@CORINNE.CPIO.ORG
Compromise: unauthorized access to index servers and partition data
Vulnerable Systems: Those running Amanda version 2.3.0.4 (probably earlier as well).
Date: 10 January 1998
Exploit & full info: Available here
Buffer overflow in the cidentd authlie file
Description: typical overflow
Author: Jackal <jackal@HACK.GR>
Compromise: run arbitrary code as the UID running cidentd (probably user nobody) (local)
Vulnerable Systems: Those running cidentd with ~/.authlie enabled
Date: 10 January 1998
Exploit & full info: Available here
Microsoft FrontPage server extensions file permissions problems
Description: Abhorrent permissions are required for some files related to the Microsoft FrontPage server extensions. For example _vti_pvt is a 775 directory which contains mode 664 service.pwd that contains the crypt()ed passwords for users.
Author: Dave Pifke <dave@VICTIM.COM>
Compromise: Not only can local users find out (or sometimes change) the passwords used for web accounts, but determining these passwords may lead to compromise of more important accounts that may use the same passwords.
Vulnerable Systems: Those running Microsoft FrontPage server extensions 3.0.2.1117 under UNIX
Date: 9 January 1998
Exploit & full info: Available here
routed trace file exploit
Description: routed has the ability to have trace mode turned on remotely using any arbitrary filename. Thus you can append stuff to arbitrary files remotely.
Author: Rootshell
Compromise: You should be able to leverage this to root remote access.
Vulnerable Systems: Redhat linux; IRIX 5.2-5.3-6.2 is vulnerable, NetBSD 1.2 is vulnerable.
Date: 8 January 1998
Exploit & full info: Available here
NT/Win95 8.3 webserver exploit
Description: By default, when a file like "verylongname.html" is created, Windows also creates an 8.3 equivalent ("verylo~1.htm" for example). Unfortunately, when people use Win* webservers to restrict access to long directories and files, the webservers often don't check access on the 8.3 equivalents. So people can grab stuff using the 8.3 names.
Author: Marc Slemko <marcs@ZNEP.COM>
Compromise: Obtain restricted files from NT/Win95 web servers
Vulnerable Systems: IIS 4.0, Netscape Enterprise 3.0x, probably others. Probably ftp servers and so forth too.
Date: 8 January 1998
Exploit & full info: Available here
Netware NFS compromise
Description: A flaw in the way NetWare-NFS mode 1 and 2 maps the "Read Only" flag to UNIX allows a root compromise on systems which mount user-writable volumes exported via NetWare NFS
Author: "Andrew J. Anderson" <andrew@DB.ERAU.EDU>
Compromise: root (local)
Vulnerable Systems: Those mounting user-writable volumes exported via NetWare NFS
Date: 8 January 1998
Exploit & full info: Available here
Screen cloaking 'feature'
Description: Versions of the popular program 'screen' allow users to cloak themselves out of wtmp/utmp and appear to not be logged on.
Author: Taz <taz@webmaster.com>
Compromise: Cloak yourself from finger/wtmp/utmp etc. using screen
Vulnerable Systems: Those running screen 3.7.4 and probably earlier, maybe later
Date: 7 January 1998
Notes: I consider it a good thing when people send me bugs. Also, note that you can effect the same sort of thing as this by running 'xterm -ut' and then logging off
Exploit & full info: Available here
Holes in Apache prior to 1.2.5
Description: The fine folks who work on the Apache web server team kindly advised us of these holes in older versions of Apache. They are fixed in 1.2.5. The most important are probably the cfg_getline() overflow which allows local users to run arbitrary commands with the UID of the webserver and the '//////////' hole which allows people to remotely effect a DOS attack on a server by giving a URL with more than 7500 forward slashes in the filename.
Author: Marc Slemko <marcs@ZNEP.COM>
Compromise: local users can run arbitrary commands with the UID of the webserver, remote DOS attack (slows the server to a crawl)
Vulnerable Systems: Those running Apache versions prior to 1.2.5
Date: 6 January 1998
Exploit & full info: Available here
The "Bonk" NT/Win95 fragmentation attack
Description: In an attack that is basically the reverse of the teardrop attack, Windows machines that are patched for teardrop can be crashed.
Author: bendi
Compromise: crash Windoze machines remotely
Vulnerable Systems: Windows 95, Windows NT
Date: 5 January 1998
Exploit & full info: Available here
ccdconfig sgid kmem BSD exploit
Description: ccdconfig is sgid kmem and can be exploited to read /dev/mem. It shouldn't be too tough to leverage this into root access.
Author: Niall Smart <rotel@INDIGO.IE>
Compromise: root (local)
Vulnerable Systems: NetBSD, FreeBSD, older versions of OpenBSD
Date: 31 December 1997
Exploit & full info: Available here
AIX mount vulnerability
Description: AIX mount has a serious problem that allows people to mount any filesystem on top of any writeable space.
Author: "S. Ryan Quick" <ryan@PHAEDO.COM>
Compromise: Mount filesystems on top of any writeable space (this could allow you to clobber files, among other things).
Vulnerable Systems: AIX 4.1.3, 4.1.4, 4.2.0, 4.2.1
Date: 28 December 1997
Exploit & full info: Available here
DOS attack on XTACACS servers
Description: You can crash these servers by sending ICMP unreachable messages to them.
Author: Coaxial Karma <c_karma@HOTMAIL.COM>
Compromise: remotely crash vulnerable XTACACS servers.
Vulnerable Systems: some XTACACS servers
Date: 23 December 1997
Exploit & full info: Available here
Vsyslog overflow in Linux libc 5.4.38
Description: Standard overflow (although it is pretty sad to see these things in syslog ...)
Author: Posted by Solar Designer <solar@FALSE.COM>
Compromise: root (local)
Vulnerable Systems: Slackware 3.1, Redhat 4.2, possibly other Linux boxes
Date: 21 December 1997
Exploit & full info: Available here
MIRC worm bug
Description: There is a bug in MIRC (a Windoze IRC client) which allows people to send an arbitrary script.irc to MIRC users. This allows arbitrary MIRC scripting commands to be interpreted.
Author: Unknown
Compromise: Windows IRC users can be harassed and their files can be snatched and/or deleted.
Vulnerable Systems: Windows versions running MIRC prior to 5.3
Date: 18 December 1997
Exploit & full info: Available here
Overflow in Livingston RADIUS 1.16 and derived code
Description: There is a buffer overflow in the handling of buffers related to inverse IP lookup in RADIUS 1.16 and derived code (including Ascend RADIUS)
Author: "Secure Networks Inc." <sni@SECURENETWORKS.COM>
Compromise: root (remote)
Vulnerable Systems: Those running RADIUS server software derived from Livingston RADIUS 1.x
Date: 17 December 1997
Exploit & full info: Available here
Description:A classic CGI mistake: CWS launches a shell with query
results. They change spaces to $ and somehow think this solves the
problem
;)
Author:Marc Merlin <marc_merlin@MAGIC.METAWIRE.COM>
Compromise:run arbitrary commands as the processid that runs the
webserver
(remote)
Vulnerable Systems:Those running EWS 1.1 on both UNIX and NT
Date:17 December 1997
Exploit & full info:Available here
Description:Apparently WordPerfect 7 has serious problems with regard
to
permissions on the files it creates in users directories. It will also
follow symlinks when creating them.
Author:Hans Petter Bieker <hanspb@PERSBRATEN.VGS.NO>
Compromise:break into a users account or clobber their files (user
could
potentially be root )
Vulnerable Systems:Linux boxes running WordPerfect 7 (possibly other
*NIXes)
Date:15 December 1997
Exploit & full info:Available here
Description:The ICQ protocol is ridiculously simplistic and is riddled
with security holes. So is the ICQ software. So ICQ users can be
spoofed,
have their machine crashed, or have evil haxxors run arbitrary code on
their boxes. Geez, these poor users might as well run Internet
Explorer!
Author:Alan Cox <alan@CYMRU.NET>
Compromise:Spoof, Crash, or exploit the buffer overflow to run
arbitrary
code
Vulnerable Systems:Mostly Windows boxes where the user is running ICQ
Date:14 December 1997
Exploit & full info:Available here
Description:By connecting to the telnet port of a Solaris 2.5.1 box,
sending some bogus telnet negotiation option and then flooding the
channel
with ^D, you can (temporarily) slow the machine to a near halt.
Author:Jason Zapman II <zapman@CC.GATECH.EDU>
Compromise:remote DOS attack
Vulnerable Systems:Solaris 2.5.1, 2.6
Date:13 December 1997
Notes:I appended a better version after the first (the second forks
extra
processes to increase the flood). I also appended an NT port.
Exploit & full info:Available here
Description:Overflow in glibc gethostbyname() allows overflows in
ping,
rsh, traceroute, etc.
Author:Wilton Wong - ListMail <listmail@NOVA.BLACKSTAR.NET>
Compromise:root (local)
Vulnerable Systems:Redhat 5, presumably others with glibc (GNU HURD?)
Date:13 December 1997
Exploit & full info:Available here
Description:Cisco 76x routers reboot when you telnet to them and feed
a
very long password.
Author:Laslo Orto <Laslo@CPOL.COM>
Compromise:Reboot the Cisco router
Vulnerable Systems:Cisco 76x series of routers.
Date:11 December 1997
Exploit & full info:Available here
Description:By default, Firewall-1 allows anyone to obtain
confidential
operation and statistical info from its SNMP daemon.
Author:"Secure Networks Inc." <sni@SECURENETWORKS.COM>
Compromise:The information could help an attacker bypass the firewall
as
well as giving private network statistical information.
Vulnerable Systems:Those running a Vulnerable version of Checkpoitn
Firewall-1
Date:9 December 1997
Exploit & full info:Available here
Description:standard overflow
Author:"KSR[T]" <ksrt@DEC.NET>
Compromise:root (local)
Vulnerable Systems:Slackware Linux 3.4, other systems that runn dillon
crontab / crond ( dcron 2.2 )
Date:9 December 1997
Exploit & full info:Available here
Description:A problem with the way mIRC handles bound sockets allows
mean
people to crash the mIRC clients of poor, defenseless Windows users.
Author:Derek Reynolds <startnet@NATION.ORG>
Compromise:Crash an mIRC user and make thier Windows run even slower
than
usual
Vulnerable Systems:Those running mIRC 5.3 under Windows
Date:7 December 1997
Exploit & full info:Available here
Description:Standard overflow
Author:Duncan Simpson <dps@IO.STARGATE.CO.UK>
Compromise:Run arbitrary commants with the UID of the webserver
process
owner
Vulnerable Systems:Those running vulnerable versions of cgiwrap
Date:7 December 1997
Exploit & full info:Available here
Description:Apparently if you type more then 80 characters into an
xscreensaver password window it will die and you will gain access to
the
desktop. Also not that with XFree86 you can often use
CNTRL-SHIFT-BACKSPACE to simply kill the server (and whatever X
program is
locking it).
Author:Kim San Su <shanx@comp67.snu.ac.kr>
Compromise:Bypass xscreensaver password security
Vulnerable Systems:Those where people run a vulnerable version of
xscreensaver to lock their X-Windows sessions.
Date:2 December 1997
Exploit & full info:Available here
Description:One thing you can do to be highly annoying is create very
long
directory paths. These cause *major* problems to many system
utilities.
This post provides useful one-liners for the purpose.
Author:Zack Weinberg <zack@RABI.PHYS.COLUMBIA.EDU>
Compromise:Annoying DOS
Vulnerable Systems:Those that allow very long directory paths. I just
created one 10002 directories deep on my Linux box (I stopped it, it
could
have gone further). Fortunately Microsoft OS users don't have this
problem
due to small filesystem depth restrictions ;)
Date:2 December 1997
Exploit & full info:Available here
Description:A quirk in Sendmail that could potentially be exploited is
that usernames like '/etc/passwd' get written into the file of the
same
name when mail is received for them. This could be a problem on
systems
where users can specify their username without sysadmin intervention.
Author:Duck Vader <tiepilot@THEPOND.THEPOND.ML.ORG>
Compromise:Could potentially lead to root access
Vulnerable Systems:Mostly just BBSes or whatever systems allow users
to
specify a username and then create an /etc/passwd entry for them.
Date:2 December 1997
Exploit & full info:Available here
Description:This program creates a malicous termcap file which can
cede
root access.
Author:Bug originally discovered by Theo de Raadt
<deraadt@CVS.OPENBSD.ORG> exploit written by Written by Joseph_K the
22-Oct-1997
Compromise:Theoretically this may allow you to become root remotely
You
can definately become root locally.
Vulnerable Systems:BSDI, probably FreeBSD/NetBSD/OpenBSD prior to
October
1997
Date:1 December 1997
Exploit & full info:Available here
Description:Apparently you can get into some Xyplex terminals by
entering
^Z or '?' at the login prompt.
Author:Aleksandr Pilosov <apilos01@UTOPIA.POLY.EDU>
Compromise:Obtain unauthorized access to Xyplex terminals.
Vulnerable Systems:Xyplex terminals
Date:1 December 1997
Notes:Another problem with these terminals, this time with regard to
their
interaction with scripts is in the addendum.
Exploit & full info:Available here
Description:standard popen() hole
Author:Anonymous
Compromise:root (local)
Vulnerable Systems:Solaris 2.5.1 without patch 10465[45] applie
Date:26 November 1997
Exploit & full info:Available here
Description:Many implementations of these allow any host XDMCP
connection
access. This can allow people to effectivly login remotely even if
they
are denied telnet (etc.) access through /etc/hosts.deny of tcp
wrappers.
Also failed attempts are often not logged so this is useful for brute
force password guessing.
Author:Eric Augustus <augustus@stic.net>
Compromise:Brute force password guessing, bypassing tcp wrappers
Vulnerable Systems:Those running vulnerable implementations of XDM or
CDE
and those with poor access configuration files.
Date:26 November 1997
Exploit & full info:Available here
Description:You can crash NT boxes running RAS PPTP by sending a pptp
start session request with an invalid packet length specified in the
header.
Author:Kevin Wormington <kworm@SOFNET.COM>
Compromise:crash NT machines remotely
Vulnerable Systems:Windows NT 4.0 with RAS PPTP running
Date:26 November 1997
Exploit & full info:Available here
Description:Solaris 2.5.1 x86 remote overflow for statd. There is
apparently an earlier patch which doesn't fix the problem.
Author:Anonymous
Compromise:root (remote)
Vulnerable Systems:Solaris 2.5.1 x86 is what this exploit is written
for.
According to a later CERT advisory, vulnerable systems include Digital
UNIX (4.0 through 4.0c), AIX 3.2 and 4.1, Solaris 2.5, 2.51 and SunOS
4.1.* for both X86 and SPARC
Date:24 November 1997
Exploit & full info:Available here
insecurity
Description: XFree86 is setuid root in many cases and takes a -config option to use a different config file. Unfortunately it doesn't check permissions on this file so you can (for example) read the first line of /etc/shadow (printed in the warning message)
Author: plaguez <dube0866@eurobretagne.fr>
Compromise: Read files that you shouldn't have permissions for
Vulnerable Systems: Those with a suid root XFree86 X server as well as some other X servers. This affects many Linux (and probably FreeBSD/OpenBSD) boxes.
Date: 21 November 1997
Exploit & full info: Available here

Description: Sending a packet to a machine with the source host/port the same as the destination host/port crashes a lot of boxes.
Author: m3lt <meltman@LAGGED.NET>
Compromise: Remote DOS attack (reboots many systems)
Vulnerable Systems: Windows95, Windows NT 4.0, WfWG 3.11, FreeBSD
Date: 20 November 1997
Exploit & full info: Available here

Description: These programs create /tmp files that will follow symlinks and clobber system files
Author: Efrain Torres Mejia <etorres@POLLUX.JAVERIANA.EDU.CO>
Compromise: root (local)
Vulnerable Systems: Digital Unix OSF1 V4.0
Date: 18 November 1997
Exploit & full info: Available here

Description: When dialing, the old Linux ISDN drivers copied everything after ATD into a 40 char stack buffer (!).
Author: Andi Kleen <ak@muc.de>
Compromise: root (local)
Vulnerable Systems: Linux 2.0.31, perhaps earlier.
Date: 16 November 1997
Exploit & full info: Available here

Description: With dbx you can cause suid root programs to core dump and clobber system files
Author: John McDonald <jmcdonal@osprey.unf.edu>
Compromise: root (local)
Vulnerable Systems: Digital Unix 4.0 and 4.0B
Date: 16 November 1997
Notes: I wish more people would send me their exploits like John did ... this way I'm less likely to miss them.
Exploit & full info: Available here

Description: pppd offers read/write access to any tty. This allows a man in the middle attack for trojan terminals as well as other mischief. Also it allows users to freely dial out with the modem (often not a good idea).
Author: David Neil <theoe@EUROPA.COM>
Compromise: Hijack terminals, dial arbitrary numbers with the modem, other mischief.
Vulnerable Systems: Those running pppd. Many Linux boxes, perhaps some BSD, Solaris.
Date: 15 November 1997
Exploit & full info: Available here

Description: Win* and Linux deal with overlapping IP fragments in an incorrect manner which allows the systems to be crashed remotely.
Author: Apparently datagram in flip.c
Compromise: Remote DOS attack
Vulnerable Systems: Windows NT 4.0, Win95, Linux up to 2.0.32
Date: 15 November 1997
Notes: I also included a program called "syndrop" which is a modified version of teardrop (exploits an M$ SYN sequence bug).
Exploit & full info: Available here

Description: Any local user can destroy X service by moving (or deleting) the UNIX domain socket redhat puts in /tmp/.X11-unix/X0. Redhat apparently forgot the sticky bit. I think this works in Redhat 4.0 too.
Author: Carlo Wood <carlo@RUNAWAY.XS4ALL.NL>
Compromise: Screw up X (local)
Vulnerable Systems: Those running the Redhat 4.2 and 4.0 Linux distributions.
Date: 14 November 1997
Exploit & full info: Available here

Description: Overflow (via sprintf()) in the mess() function in suidperl
Author: Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz>
Compromise: root (local)
Vulnerable Systems: Those running suid-perl 5.003; this includes many Linux, *BSD, Solaris and UNIX boxes in general.
Date: 13 November 1997
Exploit & full info: Available here

Description: Patch kit 5 includes a replacement xterm which can be forced to dump core and clobber system files. A buffer overflow may also exist.
Author: Tom Leffingwell <tom@sba.miami.edu>
Compromise: root (local)
Vulnerable Systems: Digital Unix 4.0B *with* patch kit 5
Date: 12 November 1997
Exploit & full info: Available here

Description: The lizards game is NOT intended to be suid root, but Slackware 3.4 sets it that way anyway. This makes it trivial to become root through code like system("clear"), etc.
Author: SUID <suid@BOMBER.STEALTH.COM.AU>
Compromise: root (local)
Vulnerable Systems: Linux boxes using the Slackware 3.4 (earlier?) distributions.
Date: 12 November 1997
Exploit & full info: Available here

Description: It is possible to cause this server to dump core while ftping in. The core file will clobber files and also contains crypt(3)ed passwords.
Author: sp00n <sp00n@COUPLER.300BAUD.COM>
Compromise: root (local)
Vulnerable Systems: Solaris 2.5 running Security Dynamics' FTP server (Version 2.2), perhaps other versions.
Date: 12 November 1997
Exploit & full info: Available here

Description: typical core file bug
Author: sp00n <sp00n@COUPLER.300BAUD.COM>
Compromise: root (local)
Vulnerable Systems: Those running the Security Dynamics FTP server (Version 2.2). This is available at least for Solaris boxes.
Date: 12 November 1997
Exploit & full info: Available here

Description: A number of insecurities in Cybercash
Author: Megan Alexander <malexander@COMMANDCOM.COM>
Compromise: Get credit card numbers, plaintext password registry settings, tons of fun stuff!
Vulnerable Systems: Windows95 and NT systems running Cybercash 2.1.2 or Verifone vPOS
Date: 11 November 1997
Exploit & full info: Available here

Description: Cisco passwords can be trivially decrypted although this isn't really the fault of Cisco (since the router itself needs to be able to decrypt them).
Author: Jared Mauch <jared@puck.nether.net>
Compromise: Obtain extra access to Cisco routers
Vulnerable Systems: Cisco routers
Date: 11 November 1997
Exploit & full info: Available here

Description: Anyone can register "extensions" to Exchange Client or Outlook which cause evil things to happen for various events. Typical idiotic Microsoft bug.
Author: Martin Stanek <stanek@DCS.FMPH.UNIBA.SK>
Compromise: Steal mail, cause users to run malicious code, etc.
Vulnerable Systems: Microsoft systems where multiple users run Outlook or Exchange client
Date: 9 November 1997
Exploit & full info: Available here

Description: Another pathetic hole, this one allows people to view any file on the web server (which the web server process owner can view)
Author: Mikael Johansson <Mikael.Johansson@ABC.SE>
Compromise: View files on remote web servers, maybe even filch credit card numbers!
Vulnerable Systems: Those running iCat Carbo Server (ISAPI, Release) Version 3.0.0
Date: 8 November 1997
Exploit & full info: Available here

Description: This commercial UNIX backup program creates the /usr/local/lib/bru directory mode 777. This directory apparently contains sources. Enough said.
Author: Kyle Amon <amonk@GNUTEC.COM>
Compromise: root (local)
Vulnerable Systems: Any running a vulnerable version of BRU (There is a Linux version, probably also Solaris and other *NIX).
Date: 8 November 1997
Exploit & full info: Available here

Description: A bug in the Intel Pentium (and Pentium + MMX) chips allows usermode processes to crash the system by executing the invalid instruction 0xf00fc7c8
Author: Sent through an anonymous remailer
Compromise: Users who can run code on the system can totally freeze the system
Vulnerable Systems: Those running on a Pentium including versions of Linux, Dos, WinNT, Win95, SolarisX86, etc.
Date: 8 November 1997
Exploit & full info: Available here

Description: Not only is the "encryption" used for Microsoft Office applications hopelessly weak, but attachments are not encrypted at all.
Author: lustiger@att.com
Compromise: Read attachments to "encrypted" Office documents without having to spend 30 seconds decrypting them.
Vulnerable Systems: Microsoft Office 95 and 97
Date: 7 November 1997
Exploit & full info: Available here

Description: the rsh, rcp, and rlogin included in the kth-krb4 Kerberos package will blindly use any ticketfile given in $KRBTKFILE, even if it is owned by another user and unreadable by the current user!
Author: Mattias Amnefelt <mattiasa@stacken.kth.se> finally gave real information on the bug (thanks are due to him!). I don't know who discovered it originally.
Compromise: Use other people's ticket files (which are often stored in /tmp), just find one and set $KRBTKFILE appropriately.
Vulnerable Systems: Those running Kerberos kth-krb4.
Date: 6 November 1997
Exploit & full info: Available here

Description: Suid root programs in the Kerberos 4 suite don't check permissions on $KRBTKFILE before using it for authentication.
Author: Mattias Amnefelt <mattiasa@stacken.kth.se>
Compromise: Spoof Kerberos authentication
Vulnerable Systems: Those running Kerberos 4 with rsh, rcp, or rlogin suid-root.
Date: 6 November 1997
Exploit & full info: Available here

Description: If the nlist caused by a mget returns a file like /etc/passwd, most ftp clients seem to (try to) overwrite/create it without signaling anything wrong. You can also use files with names like "|sh" to execute arbitrary commands.
Author: I don't recall who found it first; in the appended post af@c4c.com gives an example of the bug using Linux Slackware
Compromise: ftp servers can compromise clients who use mget to d/l files
Vulnerable Systems: ftp clients on Linux, AIX, HP/UX, Solaris 2.6, and probably many other systems
Date: 3 November 1997 was when this example was posted (the bug was found a while back)
Exploit & full info: Available here

Description: There is a standard buffer overflow in Microsoft's parsing of the new res:// URL protocol.
Author: DilDog <dildog@L0PHT.COM>
Compromise: Execute arbitrary code on the machines of Windows users who connect to your web pages.
Vulnerable Systems: Windows 95 boxes running IE 4.0
Date: 1 November 1997
Exploit & full info: Available here

Description: Some metamail scripts (such as sun-audio-file) call inappropriate helper-apps (like uudecode) which allow things like overwriting files on the system.
Author: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
Compromise: Obtain access to the account running metamail.
Vulnerable Systems: Those running vulnerable versions of metamail (often Elm users). Redhat linux 4.x uses metamail in some cases.
Date: 24 October 1997
Exploit & full info: Available here

Description: Standard buffer overflow, I believe the root of this is in the X libraries
Author: Ladislav Bukvicka <Ladislav.Bukvicka@EUNET.CZ>
Compromise: root (local)
Vulnerable Systems: Many systems vulnerable, but this particular exploit is for BSD
Date: 23 October 1997 is when this exploit was published, but the hole is well known.
Exploit & full info: Available here

Description: standard overflow
Author: Ladislav Bukvicka <Ladislav.Bukvicka@EUNET.CZ>
Compromise: root (local)
Vulnerable Systems: BSDI 2.1
Date: 23 October 1997
Exploit & full info: Available here

Description: Typical buffer overflow, this time with $TZ in AIX's xdat program
Author: Unknown
Compromise: root (local)
Vulnerable Systems: AIX 4.1, 4.2
Date: 22 October 1997
Exploit & full info: Available here

Description: In some cases it is possible to determine all the subscribers of a mailing list, even if you have disabled commands like "who" in your majordomo (or other listserv) software.
Author: "Christopher M. Conway" <cmconwa@SANDIA.GOV>
Compromise: unauthorized people can obtain subscriber lists.
Vulnerable Systems: Those running majordomo in a vulnerable fashion
Date: 22 October 1997
Exploit & full info: Available here

Description: By specifying an alternate terminal capability database with huge entries, you can overflow programs (like telnet, possibly xterm in some cases) which call tgetent() expecting a reasonable-length buffer.
Author: Secure Networks, INC
Compromise: In some cases, root (remote)
Vulnerable Systems: BSD/OS v2.1. Theo de Raadt mentions that you might be able to attack the suid xterm program locally with this hole to gain root access (possibly Linux, as well as other BSDs)
Date: 21 October 1997
Notes: I have appended an exploit for BSDI in the addendum section.
Exploit & full info: Available here

Description: There is a problem where syslogd will crash if it can't do a DNS lookup on the source IP it gets the message from.
Author: lb - STAFF <lb@POSH.INEXWORKS.NET>
Compromise: Kill syslogd (I'm sure hackers would love to do that before launching a real attack)
Vulnerable Systems: Solaris 2.5, 2.51 both Sparc and x86
Date: 21 October 1997
Exploit & full info: Available here

Description: standard overflow, in $TERM
Author: Bst Perez Companc <bst@INAME.COM>
Compromise: root (local)
Vulnerable Systems: Any systems running a flawed version of ideafix; this exploit is for Linux
Date: 19 October 1997
Exploit & full info: Available here

Description: In this excellent paper, Solar Designer points out a number of serious flaws in the Micro$oft NT syscall implementations. He demonstrates code that will crash NT boxes, and points out that even more serious holes could probably be found by examining other syscalls.
Author: Solar Designer <solar@FALSE.COM> (This guy rocks!)
Compromise: Crash NT, possibly bypass security
Vulnerable Systems: Windoze NT 4.0 and earlier
Date: 19 October 1997
Exploit & full info: Available here

Description: NT SetThreadPriority call resets a Thread's time quantum, possibly allowing the process to run forever and hog available resources.
Author: ntinternals.com
Compromise: NT local DoS
Vulnerable Systems: Windoze NT
Date: 19 October 1997
Exploit & full info: Available here

Description: Trivially read any file on the remote system by exploiting these cgi scripts
Author: bryan berg <km@UNDERWORLD.NET>
Compromise: remotely read any httpd-readable file on the remote system
Vulnerable Systems: Those running vulnerable versions of the PHP distribution.
Date: 19 October 1997
Exploit & full info: Available here

Description: You can't read a file you shouldn't be able to, but by feeding bad args to open, you can get a valid file descriptor and do inappropriate ioctl's to it. This is especially important for certain devices.
Author: explorer@flame.org
Compromise: DoS, possible other uses
Vulnerable Systems: *BSD
Date: 17 October 1997
Exploit & full info: Available here
restrictions
Description: Users can set registry settings like HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to run programs at startup in a heightened security context.
Author: Unknown (Aleph One?)
Compromise: heighten privileges on NT
Vulnerable Systems: NT 3.5, 3.51, and 4.0 default configuration
Date: 17 October 1997
Exploit & full info: Available here

Description: A hole in IE 4.0 allows web pages to read arbitrary files on a user's hard drive.
Author: Jabadoo software (www.jabadoo.de)
Compromise: web servers can steal files from people who visit.
Vulnerable Systems: Those running Micro$oft Internet Explorer 4.0
Date: 17 October 1997
Exploit & full info: Available here

Description: standard buffer overflow, this time in Count.cgi
Author: Nicolas Dubee <dube0866@eurobretagne.fr>
Compromise: local or remote execution of arbitrary code
Vulnerable Systems: Those running a vulnerable version of Muhammad A. Muquit's wwwcount
Date: 16 October 1997
Exploit & full info: Available here

Description: Apparently many people use service accounts for Exchange. Apparently, those also generally don't have auto-account-disabling or password expiration, which makes exchange a great target for brute-force password guessing
Author: Russ <Russ.Cooper@RC.ON.CA> and Geremy Cohen
Compromise: Hack a Windoze box
Vulnerable Systems: Windoze NT running Exchange 5.0 as a service account
Date: 15 October 1997
Exploit & full info: Available here

Description: Overflow in the username given to this program when sending mail
Author: David LeBlanc <dleblanc@ISS.NET> (Who is a loser, BTW)
Compromise: Lame DoS, possible remote execution of commands
Vulnerable Systems: Windoze NT running Version 2.5 (probably earlier also) of Seattle Lab Sendmail for NT
Date: 14 October 1997
Exploit & full info: Available here

Description: The setuid root program (fpexe) which comes with the FrontPage extensions is a pathetic joke security-wise, as Marc Slemko demonstrates.
Author: Marc Slemko <marcs@ZNEP.COM>
Compromise: root (remote)
Vulnerable Systems: Those using the Micro$oft FrontPage extensions to Apache under UNIX.
Date: 11 October 1997
Exploit & full info: Available here

Description: You can read any .gif or .jpg on a server (readable by httpd daemon, of course) by giving a "image=../../../../path" type argument
Author: Razvan Dragomirescu <drazvan@kappa.ro>
Compromise: read protected .gif and .jpeg files (remote)
Vulnerable Systems: Those running version 2.3 of Muhammad A. Muquit's wwwcount
Date: 10 October 1997
Exploit & full info: Available here

Description: imapd can leave privileged info in core files when crashed by a user.
Author: mudge@L0PHT.COM
Compromise: Obtain shadowed password file
Vulnerable Systems: Those running imap-4.1Beta (or presumably earlier releases) on systems which allow core dumps by processes that have changed UIDs.
Date: 8 October 1997
Exploit & full info: Available here

Description: One bug described allows you to dump all domain usernames with snmpwalk. Another allows you to delete WINS database records remotely. Micro$oft is pathetic. Nobody should buy their products. Get Linux, or OpenBSD, or Solaris.
Author: "Rouland, Christopher J" <CRouland@EXAMNYC.lehman.com>
Compromise: Determine usernames, potential DoS
Vulnerable Systems: Those running WindoZe 4.0 Server with snmp
Date: 8 October 1997
Exploit & full info: Available here

Description: Some games you can play with resolvers (if you control a DNS server). Phillip Jaenke shows some examples.
Author: "Phillip R. Jaenke" <prj@NLS.NET>
Compromise: Trick resolvers
Vulnerable Systems: Those with flaky resolvers (like gethostbyname()) (I guess). It is a weird sort of problem.
Date: 6 October 1997
Exploit & full info: Available here

Description: Many people think that by clicking "secure keyboard" on their xterm, they are safe from snoopers. This is not always true, as Christopher Creutzig demonstrates by making 100 connect attempts per second
Author: Christopher Creutzig <christopher@nescio.foebud.org>
Compromise: read someone's keystrokes if you can connect to their Xserver, even if they are using the "secure keyboard" feature
Vulnerable Systems: XFree86, probably other implementations
Date: 6 October 1997
Exploit & full info: Available here

Description: Redhat 4.2 uses the "printfilter" software package called by lpd to determine the type of a file; unfortunately this program calls others which were not made to handle malicious data (such as groff).
Author: "KSR[T]" <ksrt@dec.net>
Compromise: root (local)
Vulnerable Systems: Redhat Linux 4.2 (maybe earlier)
Date: 6 October 1997
Exploit & full info: Available here

Description: The JetDirect card with TCP/IP enabled will by default open high ports (9099 and 9100) which can be used to print arbitrary files
Author: Klaus Steding-Jessen <jessen@AHAND.UNICAMP.BR>
Compromise: DoS Attack (send 500 page documents), or free printing if you have access to the printer in question
Vulnerable Systems: Those using JetDirect with TCP/IP enabled and the default unrestricted connections.
Date: 4 October 1997
Notes: Cool! He used my Security problems in the lpd protocol

Description: The protocol for lpd (Line Printer Daemon, RFC 1179) seems to have a number of insecurities, as discussed in this post
Author: Bennett Samowich <a42n8k9@REDROSE.NET>
Compromise: root (remote)
Vulnerable Systems: Those running a vulnerable version of lpd; many Linux and *BSD versions are vulnerable
Date: 2 October 1997
Exploit & full info: Available here

Description: mSQL has a number of problems in its attempts at authentication, as well as another serious problem if the user doesn't use ACLs
Author: "John W. Temples" <john@KUWAIT.NET>
Compromise: remotely manipulate a mSQL database
Vulnerable Systems: Those running vulnerable versions of mSQL; many Linux boxes run this
Date: 27 September 1997
Exploit & full info: Available here

Description: Samba reads a user's password into a fixed length buffer, allowing execution of arbitrary code on the target machine
Author: ADM
Compromise: root (remote)
Vulnerable Systems: Those running the SAMBA SMB server versions earlier than 1.9.17p2. The exploit is for Linux/X86
Date: 26 September 1997
Notes: ADM sent me this before it went out on Bugtraq, and then they sent me a newer version (appended). Thanks!
Exploit & full info: Available here

Description: If an unprivileged user types 'ifconfig <devname>' the system will try to load the kernel module /lib/modules/<kernel ver>/fs/devname.o. Thus any unprivileged user can load any modules in your module directory.
Author: Zygo Blaxell <zblaxell@fiction.org>
Compromise: Could be a DoS, or a more serious security problem, depending on the modules you have available.
Vulnerable Systems: Linux with vulnerable version of kerneld installed
Date: 26 September 1997
Exploit & full info: Available here

Description: newdsn.exe under MS IIS 3.0 allows creation of arbitrary files (just names, not contents) in the wwwroot directory tree
Author: Vytis Fedaravicius <vytix@FLOYD.KTU.LT>
Compromise: create bogus files on webservers; it isn't clear if you can overwrite files. A DoS attack at minimum
Vulnerable Systems: Those running Micro$oft IIS v.3.0 with newdsn.exe installed. This includes a number of WinNT machines.
Date: 25 September 1997
Exploit & full info: Available here

Description: Standard buffer overflow
Author: Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems: HP/UX with vulnerable newgroup, HP 9000 Series 700/800s running versions of HP-UX 9.X & 10.X
Date: 25 September 1997
Notes: See the SOD HP Bug of the Week page
Exploit & full info: Available here

Description: Anyone who is given control of an oracle webserver account can trivially become root
Author: hurtta+zz@OZONE.FMI.FI
Compromise: root (local)
Vulnerable Systems: Those running Oracle Webserver 2.1 or Oracle Webserver 1.0 (included in Oracle7 Server and Oracle7 Workgroup Server)
Date: 19 September 1997
Exploit & full info: Available here

Description: This excellent article/code from Yuri points out a number of (mostly known) problems with the ARP and ICMP protocols/implementations
Author: Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise: spoof as a trusted host, redirect traffic through your host, DoS
Vulnerable Systems: Many versions of Linux, numerous hubs/routers. AFAIK, IRIX, HP-UX, *BSD, and probably Windoze can be spoofed with gratuitous ARP
Date: 19 September 1997
Exploit & full info: Available here

Description: Two problems in the Asynchronous I/O handling of many *NIX boxes. The most important one allows SIGIO, SIGURG, and possibly other signals to be sent to arbitrary processes on the system (from unprivileged code)
Author: "Thomas H. Ptacek" <tqbf@RDIST.ORG> wrote the advisory, Alan Peakall found the original problem
Compromise: In some cases you can kill or disrupt many system processes
Vulnerable Systems: *BSD, IRIX, probably others
Date: 15 September 1997
Exploit & full info: Available here

Description: An attacker can log into a wu_ftpd server and do a recursive nlist that hogs a tremendous amount of system resources
Author: Josef Karthauser <joe@pavilion.net>
Compromise: lame DOS
Vulnerable Systems: Those running wu_ftpd; most Linux and *BSD systems run this
Date: 9 September 1997
Exploit & full info: Available here

Description: running -b bugfiler <user> <directory> allows you to create weird files in the directory (owned by <user>).
Author: Johannes Schwabe <schwabe@rzaix530.rz.uni-leipzig.de>
Compromise: In some cases root privileges can be gained (local)
Vulnerable Systems: AIX 3.*
Date: 8 September 1997
Exploit & full info: Available here

Description: CC:Mail stores cleartext passwords in a "hidden" batch file which is apparently read/writeable by all users on NT (and of course is on W95)
Author: Carl Byington <carl@five-ten-sg.com>
Compromise: Take over a CC:Mail postoffice
Vulnerable Systems: Windoze NT/95 running cc:Mail release 8
Date: 8 September 1997
Exploit & full info: Available here

Description: Apparently an overflow in parsing argv
Author: I have no clue, _PHANTOM_ <phantom@lhab-gw.soroscj.ro> sent it to me
Compromise: root (apparently) (local)
Vulnerable Systems: SunOS
Date: 8 September 1997
Notes: Someone confirmed to me that this works with Solaris 2.5.1 but not 2.6. Anyone care to try SunOS 4.x?
Exploit & full info: Available here

Description: pathetic insecurity in uploader.exe that comes with O'reilly's webserver 'website'
Author: Herman de Vette <herman@info.nl>
Compromise: run arbitrary commands on the web server (by placing arbitrary cgi scripts there)
Vulnerable Systems: Those running O'reilly's webserver, website. Mostly Windoze NT and W95 boxes. Some versions of 1.1 and 2.0beta have this vulnerability.
Date: 4 September 1997
Exploit & full info: Available here

Description: Typical symlink problem, in pico (the editor used by pine)
Author: dynamo@IME.NET
Compromise: overwrite files owned by the user running pico
Vulnerable Systems: Those running a vulnerable version of pico
Date: 2 September 1997
Exploit & full info: Available here
5.003
Description:Linux exploit code for the already known buffer overflow
in
sperl 5.003
Author:ggajic@FREENET.NETHER.NET
Compromise:root (local)
Vulnerable Systems:Those with sperl 5.003 installed suid, the exploit
is
for linux
Date:2 September 1997
Exploit & full info:Available here
Description:the cue (character-based User Environment) program that
ships
with HP/UX 10.20 uses $LOGNAME to verify who the user is!@#$@#!$ and
it
has an exploitable symlink problem
Author:Leonid S Knyshov <wiseleo@JUNO.COM>
Compromise:root (local)
Vulnerable Systems:HP-UX 10.20, probably others
Date:1 September 1997
Exploit & full info:Available here
Description:The standard UNIX vacation program doesn't do enough
checking
on its input (specifically the From: line in the mail) before sending
it
to other programs (sendmail) for processing
Author:bukys@CS.ROCHESTER.EDU apparently reported it to CERT & SUN on
June
1, 1994 but nothing happened. This vulnerability report is from
"Secure
Networks Inc." <sni@SILENCE.SECNET.COM>
Compromise:Run arbitrary commands remotely as the user running
vacation
Vulnerable Systems:At least some versions of AIX, FreeBSD, NetBSD, and
OpenBSD. Other systems if they have installed the vacation program
themselves or a different version of sendmail.
Date:1 September 1997
Exploit & full info:Available here
Description: Apparently some Macintoshes crash from a high rate of TCP SYN packets (IE through a portscan)
Author: nomad@APOLLO.TOMCO.NET
Compromise: crash a mac
Vulnerable Systems: Mac TCP system 7.1 and 7.8
Date: 31 August 1997
Notes: According to Jake Luck this problem was solved with OpenTransport 1.2
Exploit & full info: Available here

Description: If CVS is run as root with pserver as suggested in the info page, any user can access any account (with the possible exception of root)
Author: Elliot Lee <sopwith@REDHAT.COM>
Compromise: access any nonuser account (remote)
Vulnerable Systems: Those running a vulnerable version of CVS pserver as suggested in the CVS info page. CVS 1.9.14 has this fixed
Date: 29 August 1997
Exploit & full info: Available here

Description: MS Internet Exploder 3 will overwrite local files if the remote form asks it to.
Author: Andrew McNaughton <andrew@SQUIZ.CO.NZ>
Compromise: Malicious web page can overwrite files belonging to visitors who use M$ IE3
Vulnerable Systems: Microsoft Explorer version 3.0 PPC running on a mac, probably other IE3 versions.
Date: 29 August 1997
Exploit & full info: Available here

Description: Apparently some versions of eggdrop allow people with master access to become owner with .set owner <nick>. You can then do stuff like .tcl exec cat /etc/passwd
Author: -*- Chotaire -*- <chotaire@CHOTAIRE.NET>
Compromise: obtain complete access to account running eggdrop bot (if you have master access already)
Vulnerable Systems: Those running vulnerable versions of eggdrop (an IRC bot)
Date: 29 August 1997
Exploit & full info: Available here

Description: setrlimit() Linux kernel call (up to 2.0.29) does a signed comparison only on the resource changes, which allows users to increase their resource limits by passing negative numbers. Also, a sysctl() problem allows generation of kernel faults by unprivileged users.
Author: Solar Designer <solar@FALSE.COM>
Compromise: bypass resource limits
Vulnerable Systems: Linux <= 2.0.29
Date: 28 August 1997
Exploit & full info: Available here

Description: remote syslogd uses udp and is easily spoofable, as Yuri demonstrates in this excellent paper. Also, there isn't an easy way to turn off remote listening from AIX boxes.
Author: Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise: spoof syslogd, add fake log messages, overflow it, etc.
Vulnerable Systems: Those that have syslogd listening for remote messages, AIX is especially vulnerable.
Date: 27 August 1997
Exploit & full info: Available here

Description: plaintext passwords are stored in $ORACLE_HOME/network/config/sql/add*_net.sql
Author: Markus Fleck <fleck@informatik.uni-bonn.de>
Compromise: With these plaintext passwords, database information can be manipulated
Vulnerable Systems: Those running Oracle 7.1, 7.2, and probably earlier versions
Date: 24 August 1997
Notes: I like it when people send me security holes like this. I wish it would happen more often! <hint, hint, mail me.
Exploit & full info: Available here

Description: Some mountd implementations apparently give different error messages depending on whether the mountpoint requested exists or not.
Author: Peter <deviant@UNIXNET.ORG>
Compromise: query for existence of arbitrary files (by name). This could help determine security flaws present on a remote system.
Vulnerable Systems: Those running vulnerable mountd. This includes at least some versions of AIX, Linux, *BSD, SunOS, Solaris, etc.
Date: 24 August 1997
Exploit & full info: Available here

commands
Description: A Perl eval() in Majordomo is not quite paranoid enough, allowing user commands to slip through with clever use of IFS.
Author: Razvan Dragomirescu <drazvan@KAPPA.RO>
Compromise: Run commands as whatever Majordomo runs as (often group daemon). (remote)
Vulnerable Systems: Those running a vulnerable version of majordomo
Date: 24 August 1997
Exploit & full info: Available here

Description: DOS attack by remotely exploiting \\server\PIPE\SPOOLSS
Author: "Holas, Ondřej" <OHolas@EXCH.DIGI-TRADE.CZ>
Compromise: Stupid DOS attack
Vulnerable Systems: WindoZE machines such as NT
Date: 21 August 1997
Notes: Holas' message comes first, then the exploit he mailed to me.
Exploit & full info: Available here

Description: An overflow in bash, but since it isn't setuid the repercussions aren't entirely clear. Maybe someone can find something useful to do with this. At a minimum, the "eggo" buffer overflow code ought to be useful.
Author: Razvan Dragomirescu <drazvan@kappa.ro>
Compromise: none (actually it might be able to get you out of some captive shells, and it might have other potential).
Vulnerable Systems: Those running bash 2.0 or earlier.
Date: 21 August 1997
Exploit & full info: Available here

Description: Root hole in SpaceWare trackball software
Author: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
Compromise: root (local)
Vulnerable Systems: Presumably any system running spaceware 7.3 v1.0 (probably earlier). I don't know if it is IRIX specific. From the message it sounds like there are likely other holes in the program.
Date: 20 August 1997
Exploit & full info: Available here

Description: The Pine 3.95 & 3.96 attachment viewer will overwrite any file owned by the user running pine in his directory. You can put arbitrary data in this file. This "hole" is obviously only useful if Pine is being used as a restricted shell (there are numerous other problems with this, too).
Author: Jesse Brown <bextreme@POBOX.COM>
Compromise: break out of restricted pine "shell"
Vulnerable Systems: Systems offering pine 3.95 & 3.96 restricted accounts to untrusted users
Date: 20 August 1997
Exploit & full info: Available here

Description: Apparently (and amazingly) current dgux ships with a finger daemon that allows remote users to pipe commands. IE you can 'finger "|/bin/id@host'. This is made worse because many of these systems apparently run in.fingerd as root (!).
Author: George Imburgia <gti@HOPI.DTCC.EDU>
Compromise: remotely run arbitrary programs with the UID that is running in.fingerd. Sometimes this means you can remotely become root.
Vulnerable Systems: dgux, versions unknown.
Date: 11 August 1997
Notes: If this is true it is rather pathetic!
Exploit & full info: Available here

Description: Solar Designer has done it again! Here he proves the viability of overflow exploits returning into libc functions. He includes lpr and color_xterm exploits.
Author: Solar Designer <solar@FALSE.COM>
Compromise: root (local)
Vulnerable Systems: Systems running Linux with vulnerable lpr or color_xterm suid. Even if they have stack execution disabled in some cases.
Date: 10 August 1997
Notes: Solar Designer is amazing! He comes through again with another neat proof-of-concept sploit.
Exploit & full info: Available here

Description: Under the *BSD proc filesystem, /proc/#/mem access is controlled by the permissions on the file. Thus you can fork(), have the child run something suid, and then modify that file's memory.
Author: Brian Mitchell <brian@FIREHOUSE.NET>
Compromise: root (local)
Vulnerable Systems: FreeBSD 2.2.1, probably 3.x. OpenBSD 2.1-RELEASE. Possibly BSDI.
Date: 10 August 1997
Exploit & full info: Available here

Description: This program allows you to obtain various LSA secrets such as service passwords, cached password hashes of recent users, and a bunch of others.
Author: Paul Ashton <paul@ARGO.DEMON.CO.UK>
Compromise: The administrator (or someone who has hacked admin) of an NT box can find a lot of juicy information which M$ tried to hide.
Vulnerable Systems: Presumably just NT (4.0, maybe 3.51) boxes.
Date: 9 August 1997
Exploit & full info: Available here

Description: WS_FTP offers the facility for morons to store their ftp password to remote systems. It keeps this information in ws_ftp.ini in obfuscated form which is easy to decode. Additionally, some idiots have their ws_ftp.ini (including passwords) available on public internet ftp sites.
Author: Milosch Meriac <anotherPI@studbox.uni-stuttgart.de>
Compromise: Obtain cleartext passwords from ws_ftp.ini files
Vulnerable Systems: People who save passwords w/ws_ftp and keep the .ini file where it is accessible to others.
Date: 9 August 1997
Notes: I have appended a simple program to "decrypt" the ini file.
Exploit & full info: Available here

Description: A buffer overflow in popular imapd packages allows remote root access. This has been very widely exploited on the internet.
Author: I am not sure who discovered it, savage@apostols.org wrote the Linux/Intel exploit I have put first. I have appended another exploit to that.
Compromise: root (remote) (Ohhhh, ***!)
Vulnerable Systems: This exploit is for linux, but a lot of other systems using the vulnerable IMAP are susceptible.
Date: 7 August 1997
Exploit & full info: Available here

Description: qpopper and popper use an insecure lockfile creation mechanism that allows you to read other people's mail.
Author: dynamo@IME.NET
Compromise: Read other people's mail when they fetch it via pop.
Vulnerable Systems: Those running vulnerable versions of popper and qpopper. Probably those below version 2.2
Date: 7 August 1997
Exploit & full info: Available here

Description: Unprivileged users can block reserved ports by using a high display number which wraps around the highest possible port (65535) and causes X to listen on a <1023 port.
Author: Willy TARREAU <tarreau@AEMIAIF.LIP6.FR>
Compromise: Block privileged ports
Vulnerable Systems: Those running XFree86 as an X-server. This probably most affects systems like Linux and {Open,Free,Net}BSD.
Date: 6 August 1997
Exploit & full info: Available here

Description: Supposedly, /usr/lib/sendmail -C <anyfile> will display the file specified regardless of permissions. This is also true on versions of sendmail prior to 8.8.7 if they are installed setgid. They shouldn't be setgid, but an errant makefile sets them that way.
Author: "DI. Dr. Klaus Kusche" <Klaus.Kusche@OOE.GV.AT>
Compromise: Read files beyond your permissions.
Vulnerable Systems: the IBM sendmail on AIX 4.1.5 and sendmail prior to 8.8.7 which is installed setgid.
Date: 6 August 1997
Notes: A post from Troy Bollinger at IBM clarified that you have to be in the "system" group (gid 0) in order to use the -C trick. This limits the exploit potential A LOT! Also, a post by Eric Allman is appended to Dr. Kusche's post.
Exploit & full info: Available here

Description: In what seems to be YET ANOTHER stupid SGI bug, the system is apparently "nice" enough to create a "home page" for new users in public_html/index.html or public_html/index.html.N if they already have an index.html. The problem is that this file often discloses the NIS domain name of the host, which obviously has serious repercussions.
Author: Joerg Kuemmerlen <joku@BTGIX8.BGI.UNI-BAYREUTH.DE>
Compromise: Leak of the NIS domain name.
Vulnerable Systems: SGI O2 machines, presumably IRIX 6.3, 6.4
Date: 5 August 1997
Exploit & full info: Available here

was installed!
Description: *.DAT files in the Win95/NT "Temporary Internet Files" directory store every move you make on the web.
Author: From something called "technet"
Compromise: Huge potential privacy violation if you can get physical access to a computer running IE. Also some URLs have access information encoded in them.
Vulnerable Systems: Those running M$ Internet Explorer 4.0 or earlier. Mostly W95/NT boxes.
Date: 5 August 1997
Notes: Apparently %SystemRoot%\History also contains .DAT files with the same information. Asking IE to clear the cache doesn't eliminate this, see the post in the addendum.
Exploit & full info: Available here

Description: The rfork() system call allows the creation of a new process which can share file descriptor tables with its parent. Unfortunately a suid program exec'd by the child still shares those descriptors with the parent! The implications are rather obvious (and scary).
Author: "Thomas H. Ptacek" <tqbf@enteract.com>, Danny Dulai
Compromise:
Vulnerable Systems: All 4.4BSD operating systems, including OpenBSD 2.1, FreeBSD 3.0, possibly
Date: 2 August 1997
Notes: This is another kick-ass advisory! Will CERT ever realize the benefits of providing details and offering credit where it is due??? Also note that plan9 is NOT vulnerable.
Exploit & full info: Available here

Description: SSH forgets to check that a user is root before forwarding privileged ports as directed by the user's ~/.ssh/config. This could cause a number of very serious security holes.
Author: Kristof Van Damme <aeneas@sesuadra.org>
Compromise: Redirect privileged ports to arbitrary ports on other (or the same) hosts.
Vulnerable Systems: Anything running ssh 1.2.20 (probably earlier versions too).
Date: 2 August 1997
Notes: Also note that some implementations of sshd will allow you to give a portno like 65616, which is really port 80 when the 2 byte unsigned short is wrapped around. And remember that in some cases you can fool these things by giving them a negative number, but fortunately ssh catches that (albeit probably accidentally with the (port < 1024) check).
Exploit & full info: Available here

Description: By default SGIs (IRIX 6.3, probably 6.4) will take files of type application/x-sgi-exec or application/x-sgi-task and allow them to run /sr/sysadm commands. Thus you can put a malicious file on your web page and hack root on SGI boxes that connect to it.
Author: Arthur Hagen <art@kether.global-one.no>
Compromise: Trojan a webpage to gain access to the accounts of SGI users who visit it.
Vulnerable Systems: SGI IRIX 6.3, probably 6.4
Date: 1 August 1997
Exploit & full info: Available here

Description: You can take out WINS service by sending random *** to 137/udp NETBIOS Name Service. Of course, this is true of most Micro$oft services.
Author: "Holas, Ondřej" <OHolas@EXCH.DIGI-TRADE.CZ>
Compromise: Stupid DOS attack
Vulnerable Systems: Windows systems (NT 4.0, probably 3.5 and Win95) that aren't protected by a firewall/packet filter that blocks 137/udp.
Date: 1 August 1997
Exploit & full info: Available here

Description: Standard overflow, nice exploit
Author: Method <method@arena.cwnet.com>
Compromise: root (remote)
Vulnerable Systems: Systems running INND versions < 1.6, the exploit seems to be for Linux x86
Date: 1 August 1997
Exploit & full info: Available here

Description: mSQL has several buffer overflows which allow intruders to remotely execute arbitrary code. msql2d and msqld are specific vulnerable programs. Also, mSQL doesn't do a forward lookup after resolving an IP->hostname, so it is trivial to spoof authentication by having your DNS return the hostname of an actual host.
Author: "Secure Networks Inc." <sni@SILENCE.SECNET.COM>
Compromise: run arbitrary commands remotely. Spoof access to an mSQL server.
Vulnerable Systems: Those running the mSQL server software, msqld or msql2d. Version 2.0 is vulnerable, probably earlier versions.
Date: 27 July 1997
Exploit & full info: Available here

Description: The suid MH-6.8.3 package has several buffer overflow bugs (among other holes). Also some BSD ruserpass() libc functions have the same hole.
Author: Matt Conover <shok@COBRA.ONLINEX.NET>
Compromise: root (local)
Vulnerable Systems: Redhat Linux 4.1, although you may have to specifically enable something. Also old versions of the *BSD libc function ruserpass().
Date: 26 July 1997
Notes: I appended Alan Cox's post about *BSD ruserpass() to the end. I also put some new information from Matt Conover (who sent the original post) in the addendum. Also note that the vulnerable programs are bbc, inc, mhn, msgchk, and popi. Redhat's package mh-6.8.3-13.i386.rpm installs /usr/bin/mh/inc and /usr/bin/mh/msgchk suid ROOT.
Exploit & full info: Available here

Description: The request-route script which is used with kerneld has a serious symlink /tmp file vulnerability. It always uses /tmp/request-route as its lockfile, so you don't even have to predict anything!
Author: Nicolas Dubee <dube0866@EUROBRETAGNE.FR>
Compromise: It is pretty easy to become root on vulnerable hosts.
Vulnerable Systems: Those linux boxes with kerneld/request-route set up. Redhat 4.1 and 3.0.3 are vulnerable if the sysadmin has installed this.
Date: 26 July 1997
Exploit & full info: Available here

Description: NT has a HORRIBLY insecure path, and there is nothing you can do about it!
Author: Jeremy Allison <jallison@WHISTLE.COM> quotes some M$ documentation which confirms the ugly rumors.
Compromise: Can you say TROJAN HORSE!
Vulnerable Systems: Windoze NT 4.0, probably earlier.
Date: 25 July 1997
Exploit & full info: Available here

Description: Dtlogin apparently explicitly sets its umask 027 and when it dumps core it can leave both encrypted and UNENCRYPTED passwords of remote users available via 'strings'.
Author: Arve Kjoelen <akjoele@SIUE.EDU>
Compromise: Narf passwords from dtlogin /core
Vulnerable Systems: Solaris 2.5.1 CDE with vulnerable dtlogin.
Date: 24 July 1997
Exploit & full info: Available here

Description: Systems with the Simple TCP/IP Services installed will respond to broadcast UDP datagrams sent to the subnet broadcast address. You could presumably use this to attack someone else (by using your target's source address in the broadcast) or take down the NT network by having the source be port 19 of the same broadcast address.
Author: Unknown
Compromise: stupid DOS attack
Vulnerable Systems: Micro$oft NT with the Simple TCP/IP services installed. M$ has a post-SP3 fix available.
Date: 23 July 1997
Exploit & full info: Available here

Description: Expect is frequently used to automate login sessions, and it is possible to spy on the information transferred through it (often passwords).
Author: Austin Schutz <tex@COLLEGENET.COM>
Compromise: Gather authentication information passed by expect.
Vulnerable Systems: Those running expect 5.14, probably older and newer versions too.
Date: 22 July 1997
Exploit & full info: Available here

Description: Standard buffer overflow
Author: "Bryan P. Self" <bryan@SCOTT.NET> (BeastMaster V)
Compromise: gid or egid system -> root
Vulnerable Systems: AIX 4.x (at least 4.2). PowerPC platform.
Date: 21 July 1997
Exploit & full info: Available here

Description: standard overflow
Author: Well known vulnerability, but "Bryan P. Self" <bryan@SCOTT.NET> posted the exploit for it.
Compromise: root (local)
Vulnerable Systems: AIX 4.x PowerPC architecture
Date: 21 July 1997
Exploit & full info: Available here

Description: Standard buffer overflow.
Author: djb@koobera.math.uic.edu (D. J. Bernstein)
Compromise: root (local)
Vulnerable Systems: Anything running exim 1.62 (probably earlier). This exploit is for BSD/OS
Date: 21 July 1997
Exploit & full info: Available here

Description: standard overflow, AIX 4.2/PPC ping
Author: "Bryan P. Self" <bryan@SCOTT.NET>
Compromise: root (local)
Vulnerable Systems: Systems?: AIX 4.2, exploit for PPC platform
Date: 21 July 1997
Exploit & full info: Available here

Description: If you spoof a PING packet FROM your target and TO the subnet-wide broadcast address of another network, you can flood your target with all the ICMP echo replies from the hosts on the broadcast subnet.
Author: Edward Henigin <ed@texas.net>
Compromise: Stupid DOS attack
Vulnerable Systems: everybody (minimized if your provider filters out ICMP upstream, which causes major problems of its own).
Date: 19 July 1997
Notes: In the addendum you'll find Tfreak's original "smurf" code for exploiting this, as well as Jimbo Bahooli's port to *BSD. I also put a UDP version by T. Freak in the addendum. Also, my program nmap will locate these evil addresses on your network with the ping (-P) scan
Exploit & full info: Available here

Description: Error handling code in ld.so has a buffer overflow problem. This exploit uses LD_PRELOAD to get by various problems with other methods.
Author: Was originally a KSR[T] Advisory (#2), exploit written by Dan McGuirk <mcguirk@INDIRECT.COM>
Compromise: root (local)
Vulnerable Systems: Linux boxes running ld-linux.so.1.9.2. Various people have suggested that the solaris /usr/lib/libdl.so may have a similar vulnerability. If anyone has any info on this, please mail me.
Date: 19 July 1997
Notes: I've put another exploit in the addendum
Exploit & full info: Available here

Description: You can view the source of .jhtml files by appending a '.' or '\' to their name. ie http://target.com/authenticate.jhtml. .
Author: Brian Krahmer <brian@KRAHMER.COM>
Compromise: View the source code of .jhtml files which in some cases should be secret
Vulnerable Systems: Those running vulnerable versions of JavaWebServer for win32
Date: 16 July 1997
Exploit & full info: Available here

Description: A hole very similar to the standard phf hole allows people to execute arbitrary commands through the campus cgi.
Author: Francisco Torres <ftorres@CASTOR.JAVERIANA.EDU.CO>
Compromise: Execute arbitrary commands remotely as the owner of the cgi-running process (commonly nobody or daemon).
Vulnerable Systems: Those running a vulnerable version of the campus cgi. Version 1.2 is vulnerable. It may be distributed with the NCSA server.
Date: 15 July 1997
Exploit & full info: Available here

Description: The Lanman password hash is used by NT for authenticating users locally and over the network (MS service packs are now out that allow a different method in both cases). L0phtcrack can brute-force these hashes (taken from network logs or programs like pwdump) and recover the plaintext password. l0phtcrack 1.5 also breaks the new NT style password hashes.
Author: Mudge <mudge@l0pht.com>
Compromise: Compromise account passwords (remotely if you can sniff a server challenge).
Vulnerable Systems: NT 4.0, 3.51. I believe NT4 Service Pack 3 SYSKEY fix will defeat pwdump style utilities. MS also has a fix out to disable Lanman authentication over the network, but this breaks compatibility w/W95 and 3.11.
Date: 12 July 1997
Notes: First comes a very interesting message from mudge about M$ "authentication", then comes the readme file for l0phtcrack 1.5. Next comes the source distribution in uuencoded form. You can get executables at their webpage, www.l0pht.com.
Exploit & full info: Available here

Description: Standard overflows
Author: Cristian SCHIPOR (skipo@SUNDY.CS.PUB.RO)
Compromise: root (local)
Vulnerable Systems: Solaris 2.X, including 2.4 and 2.5
Date: 12 July 1997
Notes: I somehow missed this in my collection, thanks to the fellow (who wishes to be anonymous) who reminded me of this beauty!
Exploit & full info: Available here

Description: Webgais takes a query string, and quotes it in the perl code. But you can just close the quotes yourself, as it doesn't strip them from your query!
Author: Razvan Dragomirescu <drazvan@KAPPA.RO>
Compromise: run arbitrary commands remotely as the owner of the cgi running process.
Vulnerable Systems: Anything running a vulnerable version of WebGais
Date: 10 July 1997
Notes: Remember to change the email address in the exploit!
Exploit & full info: Available here

Description: A flaw in the NT fragment reassembly algorithm allows you to smuggle packets to NT boxes through packet-filtering firewalls. You "hide" the TCP header in an offset IP fragment and just neglect to send the first (zero offset) packet. NT (Pre-SP3) will still happily reassemble your packet, placing the fragment with the lowest-offset at the front.
Author: Thomas Lopatic
Compromise: Talk to NT boxes behind packet-filtering firewalls
Vulnerable Systems: NT 4.0 w/o SP3 installed, and probably 3.51
Date: 10 July 1997
Notes: I *LOVE* this advisory. Fully detailed ... includes source code so I don't have to spend 5 hours reproducing this. Thanks Thomas!
Exploit & full info: Available here

Description: Standard environmental variable buffer overflows
Author: Nicolas Dubee <dube0866@EUROBRETAGNE.FR>
Compromise: root (local)
Vulnerable Systems: Those running X11 and xview 3.2p1.4, all older 3.x verified, probably earlier ones vulnerable.
Date: 10 July 1997
Exploit & full info: Available here

Description: This idiotic library redefines snprintf() and vsnprintf() to ignore the length parameter! Thus any programs which use *nprintf() for bounds checking and link to libdb.so can be subverted! Sendmail may very well be vulnerable.
Author: Thomas Roessler <roessler@guug.de>
Compromise: subvert programs which use libdb.so
Vulnerable Systems: Linux programs using libdb.so.1.85.4, as well as other versions.
Date: 8 July 1997
Exploit & full info: Available here

Description: Willy has created SunOS 4.x buffer overflow code, and gives the appended example, which overflows the X libraries.
Author: Willy TARREAU <tarreau@AEMIAIF.LIP6.FR>
Compromise: root (local)
Vulnerable Systems: SunOS 4.x for this particular exploit. Many other systems are vulnerable (see my other pages on the topic).
Date: 8 July 1997
Notes: This is in uuencoded form. Be sure to copy & paste, don't save as a file because it has html codez in it.
Exploit & full info: Available here

Description: You can create trojan directories in all lowercase, which will in some cases be accessed before the Mixed case directories and files NT likes to create.
Author: Paul Ashton <paul@ARGO.DEMON.CO.UK>
Compromise: This has the potential to cause an administrator level compromise.
Vulnerable Systems: Windoze NT 4.0
Date: 4 July 1997
Notes: Paul Ashton also suggested the idea of creating a trojan parallel help directory, with hard links to all the original Help files, except one could call a special DLL to compromise NT. Also note that the POSIX subsystem doesn't need to be installed. You can create files of the same name but different case by calling the Win32 function CreateFile() with the FILE_FLAG_POSIX_SEMANTICS flag specified (also noted by Paul Ashton).
Exploit & full info: Available here

Description:websendmail, a cgi-bin that comes with WEBgais, doesn't
make
any real attempts to check its input in some cases. Thus you can
execute
arbitrary commands.
Author:Razvan Dragomirescu <drazvan@kappa.ro>
Compromise:Run arbitrary commands as the user who owns the webserver
cgi
proccess. (remote)
Vulnerable Systems:Any runnning an unpatched version of websendmail in
their cgi directory.
Date:4 July 1997
Exploit & full info:Available here
Description:Someone posted this executable to several newsgroups. It
allows any normal user to join the administrator group! Woop! M$ tried
to
fix the bug, but, not surprisingly, their hotfix didn't help.
Author:Konstantin Sobolev
Compromise:Become administrator on a NT box
Vulnerable Systems:NT 4.0, I think service pack 3 must be installed.
Date:4 July 1997
Notes:First I give the source to the program, then the source to the
program which works even after the hotfix. Then I give the uuencoded
getadmin.zip which was posted to the newsgroups.
Exploit & full info:Available here
Description:Standard overflow. Is this the same as the earlier ones?
They
did lpr -C <overflow-code>, while this just does lpr <overflow code>. Well, I'll include it in case they are different.
Author: a42n8k9 <a42n8k9@REDROSE.NET>
Compromise: root (local)
Vulnerable Systems: Linux 2.0.0, BSD 4.4 is also vulnerable, although you obviously need a new exploit.
Date: 4 July 1997
Exploit & full info: Available here

Description: Glimpse HTTP, a web interface to the Glimpse search program, doesn't adequately check its input for evil characters. By tricking it to open a pipe instead of a file, you can remotely execute arbitrary commands on the server.
Author: Razvan Dragomirescu <drazvan@kappa.ro>
Compromise: Execute arbitrary commands on a server running Glimpse HTTP (remote).
Vulnerable Systems: Anything running a vulnerable and unmodified version of Glimpse HTTP. Runs on most systems.
Date: 2 July 1997
Notes: Razvan Dragomirescu claims that he is getting "angry" at all the idiots who send him passwd files by not modifying his example exploit. But *I* wouldn't mind! So I've modified the exploit to use my address instead of his. DON'T FORGET TO CHANGE IT!
Exploit & full info: Available here

Description: You can overflow the third argument to the SERVER irc command, and crash IRC servers. With all the lamer wannabe hackers on IRC, I would hope this is already fixed on all servers of any consequence.
Author: Aaron Campbell <aaron@UG.CS.DAL.CA> wrote the exploit
Compromise: Stupid DOS attack
Vulnerable Systems: Those running ircd2.8.21 and probably older versions.
Date: 2 July 1997
Exploit & full info: Available here

Description: Standard overflow ...
Author: Gerald Britton <gbritton@NIH.GOV>
Compromise: root, but only if smbmount is suid root (it isn't suid at all in Redhat Linux).
Vulnerable Systems: Linux systems that use default source distributions, probably other linux distributions.
Date: 27 June 1997
Exploit & full info: Available here

Description: Because it has no notion of an established connection, allowing connections often requires two rules to specify the allowed source and destination ports. But allowing data back from, say, port 25 to allow outgoing mail also allows a malicious attacker to come in from a source port of 25, even though you never initiated a connection with that host.
Author: Russ <Russ.Cooper@RC.ON.CA>
Compromise: Bypass silly NT packet filters (when will people learn not to use NT as a firewall????)
Vulnerable Systems: Windows NT running the Routing and RAS Service (Steelhead)
Date: 26 June 1997
Exploit & full info: Available here

Description: dxterm, which is suid root, allows the user to specify a file to log output to. Unfortunately it will follow a hardlink to append your stuff to files you shouldn't be able to write to.
Author: Trevor Schroeder <tschroed@CHEETAH.WSC.EDU>
Compromise: root (local)
Vulnerable Systems: Ultrix 4.4, probably 4.5
Date: 26 June 1997
Exploit & full info: Available here

Description: The Ascend MAX 40000 software (4.x up to at least 5.0Ap8) has a bug which allows any user to request any IP address they want.
Author: Joe Shaw <jshaw@INSYNC.NET>
Compromise: Use of an unauthorized IP address.
Vulnerable Systems: Ascend MAX 4000 series with at least 4.x and 5.0Ap13 versions.
Date: 26 June 1997
Exploit & full info: Available here

Description: You can reboot solaris boxes with ping -sv -i 127.0.0.1 224.0.0.1
Author: Adam Caldwell <adam@ATL.ENI.NET>
Compromise: Stupid DOS attack, plus you need to be a local user.
Vulnerable Systems: Apparently all versions of Solaris up to (but not including) 2.6
Date: 26 June 1997
Exploit & full info: Available here

Description: A bug in the procfs filesystem code allows people to modify the (privileged) init process and reduce the system securelevel.
Author: Alex Nash, exploit by Tim Newsham
Compromise: Lower the security level kernel variable, allowing to bypass certain restrictions, like the filesystem immutable flag.
Vulnerable Systems: 4.4BSD including OpenBSD 2.0 and 2.1, FreeBSD, NetBSD, probably BSDI.
Date: 24 June 1997
Notes: If only all security advisories contained exploit code, the world would be a safer place!
Exploit & full info: Available here

Description: Apparently a remote buffer overflow of imapd for linux. I think this is sort of old, and many other systems are affected.
Author: Akylonius (aky@galeb.etf.bg.ac.yu)
Compromise: root (local)
Vulnerable Systems: The exploit is for Linux, but I believe that many systems using older IMAP daemons are vulnerable.
Date: 24 June 1997 was when this was posted, but I think this is much older
Exploit & full info: Available here

Description: Majordomo 1.94.1 allows you to disable the 'lists' command, but people can still obtain it by 'unsubscribe * jdoe@fairy.net' and getting an unsubscribe failure for every list.
Author: The Spectre <spectre@NAC.NET>
Compromise: obtain unauthorised data from majordomo list server.
Vulnerable Systems: Anything running unpatched majordomo 1.94.1, possibly other versions.
Date: 23 June 1997
Exploit & full info: Available here

Description: It is possible to obtain an interactive shell via special LYNXDOWNLOAD URLs. This is a big security hole for sites that use lynx "guest accounts" and other public services.
Author: Unknown
Compromise: run unauthorized arbitrary commands
Vulnerable Systems: Sites trying to keep visitors captive in a lynx session.
Date: 23 June 1997
Exploit & full info: Available here

Description: If you send a specially formatted URL of about 8K to IIS, you can crash the server
Author: Todd Fast (loser) found the bug, and Andrea Arcangeli <arcangeli@mbox.queen.it> ported the exploit to gcc.
Compromise: Stupid DOS attack
Vulnerable Systems: Anything running unpatched M$ IIS, mostly just NT.
Date: 21 June 1997
Notes: The exploit is appended to the "advisory" cruft. Don't check his website, these details and the code have been removed.
Exploit & full info: Available here

Description: This has been very well known for a long time, it even had a CERT advisory quite a while ago. Yet Willy seems to have just found it. Here is the code he sent.
Author: Willy TARREAU <tarreau@AEMIAIF.IBP.FR>
Compromise: Stupid DOS attack
Vulnerable Systems: Netware, Most UNIX variants with shitty admins who don't properly close these trivial UDP services.
Date: 21 June 1997 was when this message was sent, but it is really an *OLD* bug.
Exploit & full info: Available here

Description: Standard pathetic suid-for-svgalib-totally-insecure application overflow.
Author: Nicolas Dubee <dube0866@EUROBRETAGNE.FR>
Compromise: root (local)
Vulnerable Systems: Mostly old versions of Linux. Possibly current Slackware. Anything with B-DASH v0.31
Date: 21 June 1997 was when he posted his OLD exploit, ignore the date in the header, it is bogus.
Exploit & full info: Available here

Description: BSDI 3.0 apparently allows you to cause a core dump and the core file will overwrite what you symlink it to.
Author: Stacey Son <sson@ISERVER.COM> and Ariel Biener <ariel@FIREBALL.TAU.AC.IL>
Compromise: root (local)
Vulnerable Systems: BSDI 3.0, other versions don't seem to be affected.
Date: 20 June 1997
Exploit & full info: Available here

Description: In an apparent attempt to prevent breakins through the common handler cgi technique, IRIX changed the code. They now check the end of a string for a pipe (trying to make sure perl opens the file as a plain file), but you can still get away with putting tabs after the pipe, to hide it.
Author: Razvan Dragomirescu <drazvan@kappa.ro>
Compromise: remotely run commands through this pathetic CGI
Vulnerable Systems: IRIX 6.3 and 6.4, the older versions are vulnerable to an even easier version of the same problem.
Date: 19 June 1997
Exploit & full info: Available here

Description: zgv, which is setuid r00t on many systems, takes untrusted environmental information ($HOME) and copies it into an automatic character buffer, thus allowing a standard buffer overflow.
Author: ksrt <ksrt@DEC.NET> sent the advisory, beastmaster wrote the exploit code
Compromise: root (local)
Vulnerable Systems: Linux, Redhat 3.0.3 - 4.1, anything else running zgv setuid root
Date: 19 June 1997
Notes: Note that the exploit is appended to the advisory.
Exploit & full info: Available here

Description: Standard buffer overflow stuff, although this may not be exploitable.
Author: PLaGuEZ <root@MEAT.PLAGUEZ.ORG>
Compromise: Possibly just a DOS attack, unless you can make an exploit out of it.
Vulnerable Systems: Systems running unpatched versions of listserv.
Date: 19 June 1997
Notes: This is NOT the L-Soft "listserv" program, instead it is a significantly less popular (and less powerful) listserv program available on sunsite.
Exploit & full info: Available here

Description: BSDI 3.0 apparently allows any program to overwrite/create files through a core dump link.
Author: Nir Soffer <scorpios@CS.HUJI.AC.IL>
Compromise: Definitely DOS, possibly become r00t
Vulnerable Systems: BSDI 3.0
Date: 19 June 1997
Notes: Several people mentioned that he was wrong about overwriting files. If the mode is 0600, you CAN overwrite them. This includes a lot of files you might want to overwrite ;).
Exploit & full info: Available here

Description: You can swipe control of a root owned socket descriptor from user-owned inetd processes like rshd.
Author: Alan Cox (alan@LXORGUK.UKUU.ORG.UK)
Compromise: control of a root owned socket
Vulnerable Systems: Solaris 2.5.1, probably earlier versions. I hear that 2.6 is fixed. Sun doesn't seem interested in fixing this, for some reason.
Date: 19 June 1997 was the date of this post, although Alan has been complaining about the bug for ages.
Notes: You may have to change your interface to le0, hme0, or whatever to make it work.
Exploit & full info: Available here

Description: This perl prog, which is part of MajorCool, which is apparently related to the Majordomo listserver software, has a standard symlink problem.
Author: Benjamin J Stassart <dszd0g@DASB.FHDA.EDU>
Compromise: corrupt files writeable by the user/group mj_key_cache runs as (usually through cron). This user is usually majordom.
Vulnerable Systems: Anything running MajorCool 1.0.3 or below with mj_key_cache cron'd
Date: 18 June 1997
Exploit & full info: Available here

Description: seyon, which is setgid uucp on RedHat 4 at least, calls system(xterm) if it can't find seyon-emu. The exploit is obvious, 'nuff said
Author: Shawn Hillis <shillis@CLCSMAIL.KSC.NASA.GOV>
Compromise: root on some systems, like IRIX. Otherwise join the UUCP group, or whatever seyon is setgid to.
Vulnerable Systems: Redhat Linux 4.0, Irix 6.3, anything else with vulnerable version of seyon installed
Date: 17 June 1997
Notes: system(xterm) from a setuid root prog? Is this really 1997???
Exploit & full info: Available here

Description: A hole in the handling of the INPUT TYPE="FILE" tag allows a malicious website operator to download your files (if the filename is known). This apparently works on all platforms, and with Netscape up to Netscape Communicator.
Author: "Paul T. Kooros" <kooros@TITAN.SRRB.NOAA.GOV>
Compromise: Steal people's ***!
Vulnerable Systems: Clients running Netscape Communicator 4.0 and earlier, as well as netscape navigator 3.* and probably earlier. This includes the Windoze, Macintosh, and UNIX platforms.
Date: 16 June 1997
Notes: This is a great advisory! Show your thanks by buying his JavaScript book! I would if JavaScript wasn't such a lame language ;).
Exploit & full info: Available here

Description: Shotgun 1.1b, an svgalib based Linux file manager, apparently has "more than 10 buffer overflows".
Author: PLaGuEZ <dube0866@EUROBRETAGNE.FR>
Compromise: root (local)
Vulnerable Systems: Linux, apparently anything running shotgun, although I suspect that is almost exclusively linux.
Date: 16 June 1997 (Ignore his fucked up date)
Exploit & full info: Available here

Description: another prog that uses a perl open() with untrusted filenames, allowing the pipe symbol to be used to create a pipe instead. I think this is a serious problem with perl which should be fixed (perl is supposed to make programming securely EASIER than C does.)
Author: Razvan Dragomirescu <drazvan@kappa.ro>
Compromise: Run arbitrary commands as the owner of the httpd process
Vulnerable Systems: IRIX 6.2, the later versions try to fix this, but without success (see the other handler entry). It also works on 5.3
Date: 15 June 1997
Exploit & full info: Available here

server
Description: You can poison DNS cache by returning a bogus IP as a CNAME for a real server.
Author: Johannes Erdfelt outlined this type of attack originally.
Compromise: Subvert DNS
Vulnerable Systems: Almost all current DNS servers, including bind 8.1 and M$ DNS
Date: 14 June 1997 (It was actually discovered in April, apparently)
Exploit & full info: Available here

Description: sshd and rshd leak usernames. A lot of sites security-conscious enough to run sshd probably don't want username validation to be this easy
Author: Christophe Kalt <kalt@STEALTH.NET> and David Holland
Compromise: Test validity of suspected system usernames
Vulnerable Systems: Linux, NetBSD, Digital UNIX 4.0, all from rshd, as well as any systems running a vulnerable version of sshd. Remember to use the VERBOSE (-v) flag if you try to exploit sshd.
Date: 13 June 1997
Notes: The syntax quoted at the bottom is not correct, you need to give an actual command (like ls) for the rsh problem to be demonstrated.
Exploit & full info: Available here

Description: qmail lets you send messages to an unlimited number of people, so you can actually run the system out of swap space by feeding recipients until it crashes.
Author: wietse@wzv.win.tue.nl (Wietse Venema)
Compromise: Stupid DOS attack
Vulnerable Systems: Systems running unpatched qmail. This includes a lot of Linux boxes as well as many other systems.
Date: 12 June 1997
Exploit & full info: Available here

Description: A denial of service (DOS) attack against QMAIL, which doesn't set a maximum limit on command length.
Author: wietse@wzv.win.tue.nl (Wietse Venema)
Compromise: Stupid DOS attack.
Vulnerable Systems: Systems running unpatched qmail. This includes a lot of Linux boxes as well as many other systems.
Date: 12 June 1997
Exploit & full info: Available here

Description: Micro$oft tried to obfuscate the NT password storage method, but it has been broken and this program allows you to reset any user's password. Administrator might be a good example.
Author: pnordahl@eunet.no
Compromise: Administrator, if you have physical access.
Vulnerable Systems: NT 4.0 (probably earlier) without service pack 3 syskey enabled.
Date: 11 June 1997
Notes: A uuencoded copy of the source distribution is attached below. His web site also offers disk images.
Exploit & full info: Available here

Description: Apparently sending a flood of characters to port 53 (DNS) will crash the server. The MS advisory even gives advice for the lamers on how to do this.
Author: Unknown
Compromise: stupid DOS attack
Vulnerable Systems: NT 4.0 without the postSP3 hotfix. Service Pack 4 will probably fix this.
Date: 10 June 1997
Exploit & full info: Available here

Description: Typical environmental variable overflow.
Author: Georgi Guninski <guninski@hotmail.com>
Compromise: root (local)
Vulnerable Systems: AIX 4.2, probably other versions
Date: 10 June 1997
Exploit & full info: Available here

Description: If you give test-cgi an argument which includes a *, you can get a directory listing from the SERVER_PROTOCOL field. In other words, it is another pathetic cgi.
Author: Jason Uhlenkott <jasonuhl@usa.net>
Compromise: remotely obtain directory listings
Vulnerable Systems: Systems running Apache/1.2b2, probably earlier versions, many systems that have test-cgi installed.
Date: 6 June 1997
Exploit & full info: Available here

Description: rpcbind for solaris, which belongs on UDP port 111, is also found on a UDP port above 32770. Thus many packet filters aren't effective.
Author: Oliver Friedrichs <oliver@silence.secnet.com> (Secure Networks Inc.)
Compromise: Access rpcbind, even from sites that filter it at their firewall or packet filter.
Vulnerable Systems: Unpatched Solaris 2.X up to 2.5.1
Date: 4 June 1997
Notes: Apparently rpcbind also listens on high solaris *TCP* ports sometimes. I've included a hacked rpcinfo client below the secnet advisory.
Exploit & full info: Available here

Description: Simple trojan. Use /ctcp <target_nick> jupe <command> to exploit.
Author: raf@licj.soroscj.ro
Compromise: Remotely *** with a Atlantis IRC script user
Vulnerable Systems: Anyone running the AtlantiS script v1.2, other versions are also affected, though the author notes that v1.1 is clean.
Date: 31 May 1997
Notes: This trojan was *NOT* inserted by the author, so don't flame Deathnite. Some lamer put it in. I haven't seen any evidence that the post author is correct about other versions being vulnerable
Exploit & full info: Available here

registry.
Description: Bill Stout notes several locations in the W95 registry where user's passwords are stored in plain text.
Author: Bill Stout <stoutb@pios.com>
Compromise: Find out a user's W95 password (which is often also their password on real machines)
Vulnerable Systems: Microsoft Windoze 95
Date: 30 May 1997
Exploit & full info: Available here

Description: There is a security hole in the GetDatabase function of the X11 libraries, which appears to be present in every distribution of X11. The attached exploit is for Solaris xterm, note that you will only get a shell with your own uid if xterm is not suid
Author: David Hedley <hedley@CS.BRIS.AC.UK>
Compromise: root (local)
Vulnerable Systems: many systems are vulnerable, including Linux and *BSD. This particular exploit is for Solaris 2.5.1 xterm
Date: 28 May 1997
Exploit & full info: Available here

Description: two more buffer overflows for IRIX, this time in xterm and printers.
Author: David Hedley <hedley@CS.BRIS.AC.UK>
Compromise: root (local)
Vulnerable Systems: IRIX 5.x, 6.x
Date: 27 May 1997
Notes: Note that David Hedley thinks the xterm problem is more general. He was able to overflow xlockmore on a FreeBSD machine. The xterm exploit post is right after the printers post below.
Exploit & full info: Available here

Description: This overflow of /usr/sbin/iwsh is specifically tailored for IRIX 5.3. It is also possible to write a similar overflow for 6.x.
Author: David Hedley <hedley@CS.BRIS.AC.UK>
Compromise: root (local)
Vulnerable Systems: IRIX 5.3 (6.x would work with another exploit)
Date: 27 May 1997
Exploit & full info: Available here

/usr/sbin/xwsh, and /usr/sbin/monpanel.
Description: As he mentions, there must be some bad IRIX library which is causing all of these IRIX progs to overflow. Anyway, this is a standard overflow which works on all of the above.
Author: "Patrick J. Paulus" <pjp@STEPAHEAD.NET> posted the exploit which was a _very_ slightly modified version of David Hedley's code posted earlier.
Compromise: root (local)
Vulnerable Systems: IRIX 5.3, probably 6.x
Date: 27 May 1997
Notes: Someone reported to me that he couldn't get these to work. Has anyone used them successfully?
Exploit & full info: Available here

Description: Overflow in /bin/login on IRIX 5.3-6.4
Author: David Hedley <hedley@CS.BRIS.AC.UK>
Compromise: root (local)
Vulnerable Systems: IRIX 5.3 through 6.4
Date: 26 May 1997
Exploit & full info: Available here

Description: standard IRIX overflow, in /usr/lib/desktop/permissions
Author: David Hedley <hedley@CS.BRIS.AC.UK>
Compromise: Gain egid sys
Vulnerable Systems: IRIX 6.2, 5.x is probably vulnerable, but needs a rewritten exploit due to stack position.
Date: 26 May 1997
Exploit & full info: Available here

Description: standard overflow
Author: Georgi Guninski <guninski@hotmail.com>
Compromise: root (local)
Vulnerable Systems: AIX 4.2 tested on a RS/6000 box. All 4.x, 3.x probably affected.
Date: 26 May 1997
Exploit & full info: Available here

Description: Apparently, the "anonymous friend" who sent exploit code to Yuri may have swiped it from the polish group LsD. Anyway, they sent in 3 more exploits which are very similar (actually almost exactly the same) as those Yuri's polish friend sent.
Author: Sent from a hacked account by LsD, Last Stage of Delirium
Compromise: root (local)
Vulnerable Systems: IRIX, presumably up to 6.3
Date: 25 May 1997
Exploit & full info: Available here

Description: With cfingerd 1.2.2 (and probably earlier), a "feature" lets you get all the usernames on a system with finger search.*@host . Even after that was fixed, you can do it with search.**@host . Also, the author even admits that there are probably buffer overflows in there because sprintf() is used instead of snprintf().
Author: Rodrigo Barbosa <rodrigob@MORCEGO.LINKWAY.COM.BR> mentioned the search.*@ , and "Edward S. Marshall" <emarshal@COMMON.NET> mentioned search.**@
Compromise: Remotely obtain all the usernames on a system.
Vulnerable Systems: Systems running all versions of cfingerd. The author says he won't fix the problem.
Date: 24 May 1997
Notes: Three relevant messages are appended below.
Exploit & full info: Available here

Description: PMDF 5.1-7 sendmail (NO relation to standard sendmail) has a debugging mode that can be entered by setting environmental variable PMDF_SENDMAIL_DEBUG. This then allows a standard symlink vulnerability in which you can put arbitrary binary data into the pmdf owned file of your choosing.
Author: Jonathan Rozes <jrozes@GUMBO.TCS.TUFTS.EDU>
Compromise: quash files owned by user pmdf with arbitrary data.
Vulnerable Systems: Digital Unix 4.0B reported by the author. Probably any systems running PMDF sendmail
Date: 23 May 1997
Exploit & full info: Available here

Description: By default, At Ease will automate the login process to AppleShare servers, and store the login and password in clear text in the At Ease Preference file. You can usually read this file trivially by exploiting applications (like netscape file:// URLs).
Author: Paul Melson <melson@SCNC.HOLT.K12.MI.US>
Compromise: Unauthorised access to an AppleShare fileserver.
Vulnerable Systems: Macintoshes, running At Ease and using the Auto Login "feature".
Date: 21 May 1997
Exploit & full info: Available here

Description: Standard buffer overflow. Possibly in the X library.
Author: Georgi Guninski <guninski@hotmail.com> (and who says all hotmail users are idiots?)
Compromise: root (local)
Vulnerable Systems: AIX 4.2, possibly others. Exploit for a RS/6000 box.
Date: 20 May 1997
Exploit & full info: Available here

Description: Sparcstations running 4.1.4 (probably other versions too) crash when users read /dev/tcx0 with something like 'cat'. Note that this is a VERY general problem. There are a lot of devices on many systems that will crash if you do weird things to them. Especially cat'ing binary files to them. I am not going to write up a page on each.
Author: Dixon Ly <dly@BAYNETWORKS.COM> mentioned this particular problem.
Compromise: DOS attack, obviously annoy people. You could also do more devious things, taking down the machine so you can IP spoof "from" it without it sending those damn RST's!
Vulnerable Systems: Sparc 5,10,20,etc. running SunOS 4.1.4 probably other versions.
Date: 19 May 1997
Exploit & full info: Available here

Description: The solaris ps (both /usr/bin and /usr/ucb) and chkey programs are insecure, and it is possible to exploit them via a rather complicated data buffer overrun. This overrun is probably present in many other programs.
Author: Joe Zbiciak <jzbiciak@DALDD.SC.TI.COM> wrote the ps exploit. Adam Morrison <adam@MATH.TAU.AC.IL> provided a lot of information and mentioned that chkey was also vulnerable. Adam also posted a cool stdio overflow program which will get its own entry.
Compromise: root (local)
Vulnerable Systems: Solaris 2.5.1, 2.5.0, possibly earlier versions.
Date: 19 May 1997
Notes: There were a bunch of interesting postings on this topic which help to exploit the vulnerability. I've included the best ones below.
Exploit & full info: Available here

Description: This isn't an exploit per se, (although, as mentioned in another exploit, it works for chkey and ps). Now you can exploit these overruns when you find them yourself!
Author: adam@math.tau.ac.il (Adam Morrison), Joe Zbiciak <jzbiciak@DALDD.SC.TI.COM> also contributed a useful script for finding the proc_link value for an overflow.
Compromise: root (local)
Vulnerable Systems: This program works for Solaris on SPARC. Other OSes are vulnerable to similar overflows, although this program obviously won't work.
Date: 19 May 1997
Notes: I've included Adam Morrison's original post as well as Joe Zbiciak's supplementary script below.
Exploit & full info: Available here

Description: For X sessions, IRIX (I think up to 6.3) by default gives global access (ie xhost +). Duh. Of course this fits in very well with their default non-passworded guest account and their security-filled default crontab (see those other exploit entries for more information).
Author: Well known, but Matt Harrigan <matth@CONNECTNET.COM> posted interesting comments on exploiting the hole to someone who mentioned the problem.
Compromise: Take over an X session
Vulnerable Systems: IRIX, up to 6.3 I believe, using default IRIX X access permissions.
Date: 19 May 1997
Exploit & full info: Available here

permissions of unix domain sockets.
Description: Solaris (including SunOS) and old (4.3 and earlier) versions of BSD don't honor permissions on the filesystem representations of unix domain sockets. A lot of programmers might not realize that anyone can send data to their programs by writing to the "file".
Author: Thamer Al-Herbish <shadows@whitefang.com> posted this to bugtraq, but it was somewhat well known.
Compromise: write malicious data to unsuspecting applications
Vulnerable Systems: Solaris 2.5 and earlier (not sure about 2.5.1). Version 2.6 will supposedly not be vulnerable.
Date: 17 May 1997
Exploit & full info: Available here

Description: IRIX has serious problems with some of their CGI's and other WWW programs like handler. Yuri explores these and exposes a lot of problems.
Author: Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise: Become owner of httpd process, read files that are "protected" by .htaccess.
Vulnerable Systems: Irix 6.2
Date: 16 May 1997
Notes: Woo! I'm glad to see Yuri isn't out of the scene like I was afraid he was.
Exploit & full info: Available here

Description: You can enter a backdoor 'debug' mode in these routers by sending a bunch of cntrl-d characters to the device.
Author: Brent Huston <bhuston@NETWALK.COM>
Compromise: Change the router setup, this would obviously be bad ;)
Vulnerable Systems: Ascom Timeplex Routers
Date: 15 May 1997
Exploit & full info: Available here

Description: Apparently, all IRIX systems come by default with an unpassworded guest account. Almost as stupid as HP/UX's statically passworded uid 0 sam_exec accounts.
Author: well known, but Mike Neuman <mcn@RIPOSTE.ENGARDE.COM> mentioned it on bugtraq
Compromise: remotely obtain local user privileges.
Vulnerable Systems: IRIX, apparently all versions up to 6.3
Date: 15 May 1997
Exploit & full info: Available here

Description: overflow in libXt from XFree86 allows exploitation of suid *xterm s.
Author: Ming Zhang <mzhang@softcom.net> useful info also contributed by Marcin Bohosiewicz <marcus@venus.wis.pk.edu.pl>
Compromise: root (local)
Vulnerable Systems: Systems running XFree86-3.2-9, probably lower who have suid cxterm, mxterm, xterm, etc. Includes RedHat 4.0, Slackware 3.1 and 3.2
Date: 14 May 1997
Notes: I have appended useful info from Marcin Bohosiewicz <marcus@venus.wis.pk.edu.pl>
Exploit & full info: Available here

Description: Typical symlink problem
Author: David Hyams <nhyamd@ASCOM.CH>
Compromise: Wipe SAM data to arbitrary files, I don't know what happens with existing files. If you can clobber existing files, you can obviously become root.
Vulnerable Systems: HP/UX 10.X
Date: 14 May 1997
Exploit & full info: Available here

Description: Buffer overflow with environmental variable TERM
Author: Wojciech Swieboda <wojtek@AJAX.UMCS.LUBLIN.PL>
Compromise: GID mail
Vulnerable Systems: Many linux boxes, anything else with vulnerable ELM 2.3, 2.4
Date: 13 May 1997
Exploit & full info: Available here

Description: the IRIX program /usr/lib/sa/sadc is sgid sys and writes to /tmp/sa.adrfl, even if that is a symlink.
Author: Well known, but Jaechul Choe <poison@COSMOS.KAIST.AC.KR> posted this warning that IRIX is still vulnerable.
Compromise: GID sys
Vulnerable Systems: IRIX 5.3, 6.2
Date: 9 May 1997
Exploit & full info: Available here

Description: Just do a standard symlink to /tmp/socks5.pid and connect() to port 1080.
Author: Trevor Schroeder <tschroed@CHEETAH.WSC.EDU>
Compromise: obtain access of the owner of the socks daemon (probably nobody or daemon).
Vulnerable Systems: Systems running Socks5 beta-0.17.2 from NEC and probably earlier versions.
Date: 9 May 1997
Exploit & full info: Available here

Description: IRIX's addnetpr program has a symlink race condition that allows the clobbering of arbitrary files.
Author: Jaechul Choe <poison@COSMOS.KAIST.AC.KR>
Compromise: cause addnetpr to write to arbitrary files. It is unclear whether it appends to or overwrites already existing files. Could probably lead to root access.
Vulnerable Systems: IRIX 5.3, 6.2
Date: 9 May 1997
Exploit & full info: Available here

Description: Windows NT will completely crash if you send Out of Band (MSG_OOB) data to its port 139. Win95 will blue screen and network connectivity is usually lost, applications may crash. Win 3.11 with the M$ TCP/IP stack crashes too. Other ports like MS DNS may also be affected.
Author: myst <myst@LIGHT-HOUSE.NET>
Compromise: Stupid DOS attack, but it can be humorous.
Vulnerable Systems: WinNT 4.0, 3.51, Win95, WFWG 3.11
Date: 9 May 1997
Notes: I'm also appending the perl exploit code and the visual basic code. The M$ FIX in service pack 3 and the Hotfix does NOT work! You just have to change the code a bit, or use the Macintosh exploit. Change the TCP Urgent pointer if you want to exploit the post-servicepack 3 condition from a UNIX box.
Exploit & full info: Available here

Description: rmail is setgid mail and apparently does a system() involving the contents of untrusted user environmental variable LOGNAME. Duh.
Author: Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise: Group mail, the uses of this are obvious
Vulnerable Systems: IRIX, 5.3, 6.2, possibly 6.3
Date: 7 May 1997
Notes: Too bad Yuri Volobuev is retiring. There wouldn't be an IRIX section without him. Good job Yuri!
Exploit & full info: Available here

Description:inpview is part of a video conferencing package. Wow, in
1997
we've got a system() without absolute path vulnerability. Haven't seen
something that pathetic in a while, except for the M$ OOB problem.
Author:Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise:root (local)
Vulnerable Systems:IRIX, presumably 5.3, 6.2, and 6.3
Date:7 May 1997
Exploit & full info:Available here
Description:Stupid cgi
Author:Grant Kaufmann <grant@CAPE.INTEKOM.COM>
Compromise:remotely execute arbitrary commands as httpd process owner
(usually nobody or daemon)
Vulnerable Systems:IRIX 6.2, 6.3
Date:7 May 1997
Exploit & full info:Available here
Description:standard symlink problem.
Author:Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise:root (local)
Vulnerable Systems:IRIX, presumably 5.3, 6.2, 6.3
Date:7 May 1997
Exploit & full info:Available here
Description:IRIX's default crontab contains some bad stuff. Like find
that
execs rm. Check the bugtrac archives for ways to leverage this to
delete
anything from the filesystem.
Author:Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise:Delete any files on the (probably root) filesystem. You
should
be able to leverage root access from this.
Vulnerable Systems:IRIX, probably 5.3, 6.2, and 6.3
Date:7 May 1997
Exploit & full info:Available here
Description:I have made a lot of these into their own pages, but I
didn't
include the more obscure ones, and I didn't have a good place to
include
his IRIX bashing. So I'm putting the whole post here.
Author:Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise:root (local)
Vulnerable Systems:IRIX 5.3, 6.2, 6.3
Date:7 May 1997
Exploit & full info:Available here
Description:the KDE desktop apparently uses network TCP sockets for
process comunication instead of AF_UNIX domain sockets. The TCP
sockets
have no authentication, so you can send malicious commands to the port
for
copying files, etc.
Author:Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
Compromise:Subvert the user running KDE
Vulnerable Systems:Anything running unpatched KDE
Date:5 May 1997
Exploit & full info:Available here
Description:Some people "logout" of their NT boxes and leave, but NT
sometimes fails due to hung processes and give the option to abort the
logout.
Author:Peter da Silva <peter@BAILEYNM.COM>
Compromise:Take over someone's local console login
Vulnerable Systems:Windows NT 3.51, 4.0 and I believe Win95 is
vulnerable
Date:3 May 1997
Notes:Not too big of a deal, but it should still be fixed
Exploit & full info:Available here
Description:A typical symlink-to-.rhosts exploit
Author:Chris Sheldon (csh@viewgraphics.com)
Compromise:root (local)
Vulnerable Systems:Solaris 2.51, possibly others
Date:3 May 1997
Exploit & full info:Available here
Description:You can bypass password authorization by adding extra
forward
slashes in the URL. ie: http://www.server.com//secret.html.
Author:Peter Lord <plord@perrin.demon.co.uk>
Compromise:Unauthorized viewing of passworded html files
Vulnerable Systems:Systems running CERN httpd, apparently up to their
last
version.
Date:30 April 1997
Exploit & full info:Available here
Description:Buffer overflow in Perl, already discussed in another
entry.
These are FreeBSD exploits for perl4.036, and 5.00X
Author:Deliver <deliver@FREE.POLBOX.PL> wrote the exploits
Compromise:root (local)
Vulnerable Systems:FreeBSD with vulnerable perl (Version <= 5.003)
installed.
Date:21 April 1997
Exploit & full info:Available here
Description:Through an NT Domain Controller, you can get a full list
of
usernames on other servers by failing a logon and then examining the
target with Explorer.
Author:webroot <webroot@WEBROOT.COM> (Steve Thomas)
Compromise:List usernames of remote server including full names,
descriptions, and group memberships.
Vulnerable Systems:NT 4.0, probably 3.51 too.
Date:19 April 1997
Exploit & full info:Available here
Description:Another hole in sperl, this time a buffer overflow.
Author:Willy Tarreau (tarreau@aemiaif.ibp.fr)
Compromise:root (local)
Vulnerable Systems:Systems with Sperl 5.003, this exploit is for Linux x86.
Date:17 April 1997
Notes:I have appended the uuencoded exploit src&bin after this post. Debian is vulnerable if you use offset of 1169 instead of those tried by the exploit, according to David Luyer (luyer@ucs.uwa.edu.au)
Exploit & full info:Available here
Description:First of all, this rather pathetic cgi allows anyone to trivially read any file on the system which is readable by the owner of the httpd process (usually nobody or daemon). It also has a buffer overflow.
Author:Shamanski <jshaman@M-NET.ARBORNET.ORG> posted the read-any-file exploit. The SNI advisory is by David Sacerdote
Compromise:read files and execute code as the httpd process owner (remote)
Vulnerable Systems:Those with php.cgi 2.0beta10 or earlier, distributed with NCAA httpd, possibly others.
Date:16 April 1997
Exploit & full info:Available here
Description:A common problem with many OS's is that you can cause ftpd (or other network services) to crash and find remnants of the shadowed password file in the resultant corefile. wu-ftpd was patched, but is apparently still broken.
Author:Vadim Kolontsov <vadim@tversu.ac.ru>
Compromise:read crypt(8)ed passwords, which could lead to root (local)
Vulnerable Systems:Systems running wu-ftpd v2.1, 2.2, 3.0, possibly others.
Date:13 April 1997
Exploit & full info:Available here
Description:The above mentioned distribution fails to prevent devices on mounted drives, even if the nodev option is specified.
Author:Bradley M Keryan <keryan@andrew.cmu.edu>
Compromise:root with a little work (local)
Vulnerable Systems:Redhat 4.1, anyone who uses
amd-920824upl102-6.i386.rpm, possibly other distributions
Date:7 April 1997
Exploit & full info:Available here
Description:If you have an account on a NT box, you are by default allowed to mount any drive r/w by mounting \\server\c$ (replace 'c' with the drive letter).
Author:Well known, but this post was by Yiorgos Adamopoulos
<Y.Adamopoulos@noc.ntua.gr>
Compromise:Mount any NT drive r/w (local)
Vulnerable Systems:NT 4.0 with no service packs, 3.51?
Date:7 April 1997
Exploit & full info:Available here
Description:Standard buffer overflow, filter is sometimes setgid mail.
Author:Mikhail Iakovlev <miakovle@SN.NO>. Sploit by "Dmitry E. Kim"
<jason@REDLINE.RU>
Compromise:group mail (local)
Vulnerable Systems:Systems with vulnerable /usr/bin/filter setgid mail. Includes Slackware 3.1, possibly 3.0
Date:6 April 1997
Exploit & full info:Available here
Description:Netware 4.1 puts a special version of perl on TCP port 8002.
Author:Axel Dunkel <ad@Dunkel.de>
Compromise:access, read, modify or delete any file on Netware 4.1 or
Intranetware systems
Vulnerable Systems:Novell Netware 4.1, Intranetware
Date:5 April 1997
Exploit & full info:Available here
Description:Standard buffer overflow, using LC_MESSAGES
Author:Georgi Guninski (guninski@linux2.vmei.acad.bg)
Compromise:root (local)
Vulnerable Systems:AIX 4.2, possibly 4.1 and more
Date:3 April 1997
Exploit & full info:Available here
Description:You can often break out of a Xlock session from the console with <CTRL><ALT><Backspace>. You can also do <CTRL><ALT><F1> and then ^C (sometimes ^Z works better) to get to a shell.
Author:Roman Garcia <nykros@sol.info.unlp.edu.ar>
Compromise:Obtain interactive shell as the user who used 'startx' to start an X session
Vulnerable Systems:XFree86 sessions started with startx from a shell,
rather than with XDM
Date:1 April 1997
Exploit & full info:Available here
Description:You can crash an NT box (possibly W95 too) by sending a very long username in a Winpopup message. This is easy to do from UNIX with 'smbclient -U LOTSandLOTSofcrap -M host'.
Author:Well known.
Compromise:Crash Windows boxes
Vulnerable Systems:Windows NT 4.0 and earlier, fixed in NT 4.0 Service
pack 3. Win95 may be vulnerable.
Date:April 1997
Exploit & full info:Available here
Description:Internet Explorer running on NT will attempt to authenticate using your (hashed) password to anyone who asks! Worse, it doesn't even tell you that it is doing this. Even if you have a very strong password, a man-in-the-middle attack is possible. The server can request a challenge from another server, and then feed it back to you for encryption!
Author:Paul Ashton <paul@argo.demon.co.uk>
Compromise:WWW servers can obtain authentication information (username and Lanman password hash) from clients who connect using Internet Explorer from an NT box.
Vulnerable Systems:NT 4.0, probably 3.51
Date:April 1997 or so
Notes:See Paul Ashton's demonstration at http://www.efsl.com/security/ntie/ . Also note that this isn't fixed as of 7/27/97. Will it ever be?
Exploit & full info:Available here
Description:Inetd clos()es its sockets sometimes which (if they are unprivileged) allows a user to just swipe them to put up a trojan service or whatever. Note that users can generally cause inetd to close the port by connecting over and over rapidly to make inetd think there is a loop.
Author:Marc Slemko (marcs@znep.com) posted this, it might have originally been discovered by someone else and I don't have the original post.
Compromise:Steal unprivileged services from INETD
Vulnerable Systems:Linux, possibly others
Date:28 March 1997
Exploit & full info:Available here
Description:Elm, which is often setgid mail, has a buffer overflow with the NLSPATH variable. This is NOT the same as the libc NLSPATH bug.
Author:"Dmitry E. Kim" <jason@REDLINE.RU>
Compromise:GID mail (local)
Vulnerable Systems:Linux with vulnerable setGID mail ELM
Date:26 March 1997
Notes:Joining group mail *CAN* be very helpful to hackers, some linux boxes allow you to write to mail spool and read other people's mail if you achieve this. Also, if anyone has a working exploit please mail it this way, I don't feel like writing & testing right now.
Exploit & full info:Available here
Description:Win95 is that it will connect to SMB servers and try the user's plaintext password first. You can also direct this through a web page with a link like file://\\server/hackmicrosoft/sploit.gif. You also have to inform it of your name (can be done through SAMBA's nmbd utility).
Author:Steve Birnbaum (sbirn@security.org.il)
Compromise:Grab Win95 Passwords (remote)
Vulnerable Systems:Win95, Internet Explorer to a slight degree
Date:25 March 1997
Exploit & full info:Available here
Description:Linux tftpd doesn't check correctly for requests beginning with ../
Author:Alex Belits (abelits@phobos.illtel.denver.co.us)
Compromise:Access directories beyond permissions REMOTELY
Vulnerable Systems:Idiots on Linux running tftpd
Date:23 March 1997
Exploit & full info:Available here
Description:Buffer overflow in find_media() in /bin/fdformat
Author:Cristian Schipor (skipo@Math.PUB.Ro)
Compromise:root (local)
Vulnerable Systems:Solaris 2.4, 2.5
Date:23 March 1997
Exploit & full info:Available here
Description:Jeremy Allison has successfully de-obfuscated the NT LANMAN and md4 hashes from the registry. This has many useful implications, including allowing us to hack the real password, or use the hash to login via SAMBA. To make things even better, the "encryption" has a LOT of problems.
Author:Jeremy Allison <jra@cygnus.com>
Compromise:Grab NT password hashes, which can then be cracked. You must be administrator or at least have the loser run your trojan.
Vulnerable Systems:Windows NT 4.0 and 3.51 at least
Date:22 March 1997
Notes:The README for follows, and afterwards I have included the code. Also there are a lot of crackers available. Try NTCrack. Or you can get l0phtcrack, try www.l0pht.com
Exploit & full info:Available here
Description:A hard-link vulnerability
Author:C0WZ1LL4@NETSPACE.ORG
Compromise:root (local)
Vulnerable Systems:SOME systems running sendmail 8.8.[34] possibly 8.8.5 in some situations.
Date:22 March 1997
Notes:This doesn't always work, it depends among other things on if they have POSTMASTER or MAIL_DAEMON defined in /etc/aliases. Remember if /var is on another partition, ln to a file in /var ... there are plenty to choose from ;)
Exploit & full info:Available here
Description:Buffer overflow in SuperProbe, which should NOT be suid root!
Author:Solar Designer
Compromise:root (local)
Vulnerable Systems:Linux with vulnerable SuperProbe SUID root
Date:21 March 1997 (I could have sworn it was known before this)
Exploit & full info:Available here
Description:Microsoft CANNOT seem to handle dots at all in their programs, after fixing the name.asp. bug, the great guys at the l0pht found that their "fix" introduced another '.' bug. This time using the hex representation.
Author:Weld Pond <weld@l0pht.com>
Compromise:Remotely obtain .asp, .ht, .id, .PL files etc.
Vulnerable Systems:Those running vulnerable M$ IIS 3.0 web server
Date:21 March 1997
Exploit & full info:Available here
Description:Overflow in message <TITLE>. Trivial DOS attack, probably
could be exploited for remote access.
Author:Karl Koscher <mrsaturn@TEENCITY.ORG>
Compromise:DOS attack with strong possibility of remotely running
arbitrary code.
Vulnerable Systems:People running AOL's Instant Messenger V.1.7.466 or before
Date:20 March 1997
Exploit & full info:Available here
Description:Win95 will automatically try to authenticate the logged in user to an SMB server. Thus (through a web page, in this example), you can direct people to the server and then grab their username and "encrypted" LANMAN password.
Author:Aaron Spangler <pokee@MAXWELL.EE.WASHINGTON.EDU>
Compromise:Obtain LANMAN hashed passwords (remote)
Vulnerable Systems:Win95, WinNT 3.51 & 4.0
Date:14 March 1997
Exploit & full info:Available here
Description:This hole allows someone to attack THOUSANDS of news servers at once by inserting special characters into post headers. This has been widely exploited.
Author:Been known for a while
Compromise:You can REMOTELY execute arbitrary commands under UID of news server.
Vulnerable Systems:Systems running versions of INND prior to and including 1.5, some sites with later versions are vulnerable if they forgot to delete some scripts in the new installation
Date:Was widely exploited in March 1997
Notes:Here are some examples of exploit postings
Exploit & full info:Available here
Description:SCO OpenSERVER 5 apparently doesn't prompt users for their
expired password before making them change it. Duh.
Author:ultima@CORINNE.MAC.EDU
Compromise:root (local)
Vulnerable Systems:SCO OpenSERVER5
Date:22 February 1997 (could be pretty old)
Exploit & full info:Available here
Description:This is an example of how to crash War FTPD 1.65 for Win 95/NT, you can do similar things with ServU and most other ftpd's I have seen.
Author:Well known, but here is a post to Bugtraq from rootshell
Compromise:crash the Windows ftpd
Vulnerable Systems:Those running Windows ftp servers
Date:4 February 1997
Notes:I have appended a serv-U crasher. Note that this may be the fault of Windows and not Serv-U.
Exploit & full info:Available here
Description:6 security holes in our favorite web browser (NOT), all in one neat package
Author:Assorted, mentioned in package
Compromise:Run commands as the user running IE, NT idiots often run as
ADMINISTRATOR.
Vulnerable Systems:Systems running Internet Explorer, the vicinity of 3.0. Microsoft Win95/NT mostly.
Date:February 1997 might be a good average
Notes:How many admins would respond to an email message promising "wet hot sex!" or something else enticing at a certain URL? Except for indiscriminate attacks, this would take a little social engineering. The appended UUencoded version probably looks funny in your web browser. Just "save as".
Exploit & full info:Available here
Description:standard system() call/path hole
Author:Yuri Volobuev <volobuev@t1.chem.umn.edu>
Compromise:root (local)
Vulnerable Systems:IRIX with vulnerable Netprint
Date:4 January 1997
Exploit & full info:Available here
Description:standard tempfile vulnerability in setuid root xdm on UNIX
Ware systems with X, possibly others.
Author:Angel Ortiz <angelo@tawny.ssd.hcsc.com>
Compromise:root (local)
Vulnerable Systems:Systems with vulnerable xdm setuid (at least some
UNIXware systems)
Date:2 January 1997
Notes:See addendum.
Exploit & full info:Available here
Description:This one is pathetic. The user can configure a soundserver in .doomrc, and this program that the user chose, runs as root!
Author:Joe Zbiciak <im14u2c@cegt201.bradley.edu>
Compromise:root (local)
Vulnerable Systems:Linux running an insecure version of doom setuid root.
Date:17 December 1996
Exploit & full info:Available here
Description:Doom calls insecure shell scripts as root, leading to easy
root compromise.
Author:Bo (bo@ebony.iaehv.nl)
Compromise:root (local)
Vulnerable Systems:Linux, including Slackware 3.0. Possibly other
distributions.
Date:14 December 1996
Notes:If anyone runs suid root GAMES on a system they want secure, they DESERVE to be hacked! I've appended the obvious exploit to the end of this.
Exploit & full info:Available here
Description:Standard buffer overflow in modstat, which is distributed with many BSD variants (although apparently not BSDI).
Author:Mudge <mudge@l0pht.com>
Compromise:root (local)
Vulnerable Systems:Windows versions running MIRC prior to 5.3
Date:9 December 1996
Exploit & full info:Available here
Description:system() call vulnerability in the dataman program (cdman is a symlink to it) in IRIX
Author:Yuri Volobuev (volobuev@t1.chem.umn.edu)
Compromise:root
Vulnerable Systems:Windows95 and NT systems running Cybercash 2.1.2 or
Verifone vPOS
Date:9 December 1996
Exploit & full info:Available here
Description:Solaris 2.4's /usr/vmsys/bin/chkperm creates $VMSYS/.facerc in a laughably insecure fashion.
Author:Duncan Simpson <dps@IO.STARGATE.CO.UK>
Compromise:bin, which trivially leads to root (local)
Vulnerable Systems:Solaris 2.4, NOT 2.5 or 2.5.1, the author is apparently wrong about this.
Date:5 December 1996
Exploit & full info:Available here
Description:suid_exec, a program apparently distributed with ksh, has a number of security holes, including trusting the user's $SHELL variable.
Author:Yuri Volobuev (volobuev@t1.chem.umn.edu)
Compromise:root (local)
Vulnerable Systems:Irix 5.3 and 6.2, possibly AIX and others.
Date:2 December 1996
Exploit & full info:Available here
Description:Standard buffer overflow
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise:root (local)
Vulnerable Systems:HP/UX with vulnerable chfn (probably 9.x, 10.x)
Date:December 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here
Description:/var/rfindd/fsdump handles lock files poorly, which can lead to root access.
Author:Yuri Volobuev (volobuev@t1.chem.umn.edu)
Compromise:root (local)
Vulnerable Systems:Irix 5.3 and some 6.2 systems (its apparently optional in 6.2)
Date:28 November 1996
Notes:There is a better exploit at the addendum
Exploit & full info:Available here
Description:/usr/etc/LicenseManager handles log files poorly, which can lead to root access.
Author:Yuri Volobuev (volobuev@t1.chem.umn.edu)
Compromise:root (local)
Vulnerable Systems:Irix 5.3 and 6.2 systems (possibly other Irix
systems)
Date:22 November 1996
Exploit & full info:Available here
Description:/usr/bin/X11/cdplayer is setuid on IRIX and is very insecure in file/directory creation, which can lead to root access.
Author:Yuri Volobuev (volobuev@t1.chem.umn.edu)
Compromise:root
Vulnerable Systems:at least Irix 5.3 and 6.2
Date:21 November 1996
Exploit & full info:Available here
Description:gcc 2.7.2.x (and earlier as far as I know) creates temporary files in /tmp which will follow symlinks and allows you to clobber the files of the person running gcc
Author:Jeremy Elson (jelson@helix.nih.gov)
Compromise:Overwrite files owned by the user running gcc (possibly root)
Vulnerable Systems:Solaris 2.5 and 2.5.1
Date:18 November 1996
Notes:See addendum
Exploit & full info:Available here
Description:In Digital Unix, /usr/tcb/bin/dxchpwd creates log files in a very insecure manner.
Author:Eric Augustus (augustus@mail.stic.net)
Compromise:root (local)
Vulnerable Systems:at least Digital Unix v3.x with c2 security package
installed
Date:17 November 1996
Exploit & full info:Available here
Description:smtpd, part of the sendmail distribution, can be tricked into executing arbitrary programs as root after receiving a hang-up signal.
Author:Leshka Zakharoff (leshka@leshka.chuvashia.su)
Compromise:root (local)
Vulnerable Systems:systems running Sendmail versions 8.7-8.8.2
Date:16 November 1996
Exploit & full info:Available here
Description:A number of internal HP/UX RemWatch binaries, including checkcore, rwiDCOM, and showdisk are vulnerable. Several exploits included
Author:SOD (sod@command.com.inter.net)
Compromise:root (local)
Vulnerable Systems:HP/UX with vulnerable RemWatch binaries, probably 9.x, 10.x
Date:6 November 1996 and earlier
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here
Description:Standard buffer overflow
Author:Dog Catcher
Compromise:root (local)
Vulnerable Systems:HP/UX with vulnerable fpkg2swpk, probably just 10.x
Date:November 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here
Description:Standard buffer overflow
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise:root (local)
Vulnerable Systems:HP/UX with vulnerable [cm]stm, probably 9.x 10.x
Date:November 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here
Description:pathetic daemon
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise:root or whatever remwatch runs as (remote!)
Vulnerable Systems:HP/UX with vulnerable Remote Watch running, probably 9.x, maybe 10.x
Date:November 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here
Description:The "systour" packaged shipped with IRIX contains numerous
security holes.
Author:Tung-Hui Hu (hhui@STARDOT.NET)
Compromise:root (local)
Vulnerable Systems:At least Irix 5.3 and 6.2 with systour installed
Date:30 October 1996
Exploit & full info:Available here
Description:A standard buffer overflow exists in Berkeley derived lpr
Author:Vadim Kolontsov (vadim@tversu.ac.ru) wrote the exploits at least
Compromise:root (local)
Vulnerable Systems:Systems with vulnerable lpr setuid (many Linux and BSD distributions)
Date:25 October 1996
Exploit & full info:Available here
Description:gazillions of machines can be crashed by sending IP packets that exceed the maximum legal length (65535 octets)
Author:The page included was created by Malachi Kenney. The programs have attribution.
Compromise:Stupid DOS
Vulnerable Systems:I have heard that NT and 95 can actually lock up hard from the programs below. Also, early 2.0.x Linux, Solaris x86, and Macintosh systems are often vulnerable.
Date:21 October 1996 was when this page came up.
Notes:The Ping O' Death page is included first, then comes BSD source code, then comes a version of the above which is modified to compile on Linux 2.X. I also appended jolt.c, which IP spoofs to. Woop!
Exploit & full info:Available here
Description:/usr/bin/solstice is setgid bin and gives this privilege away freely.
Author:Unknown (it was known before the attached post)
Compromise:group bin, which leads quickly to root (local)
Vulnerable Systems:Systems with vulnerable /usr/bin/solstice (Solaris 2.5, 2.5.1)
Date:18 October 1996 (known prior to this)
Notes:See addendum.
Exploit & full info:Available here
Description:standard symlink/core vulnerability
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise:root (local)
Vulnerable Systems:HP/UX with vulnerable ppl, probably 9.x 10.x
Date:15 October 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here
Description:Solaris ftpd (as well as others) can be made to core dump and divulge shadowed passwords
Author:Unknown
Compromise:Can obtain crypt()ed root password
Vulnerable Systems:Solaris (at least 2.5) and others including wu.ftpd. If enclosed doesn't work, try killing the process yourself.
Date:15 October 1996
Notes:See addendum
Exploit & full info:Available here
Description:see exploit.
Author:Marin Purgar - PMC (pmc@asgard.hr) wrote this exploit
Compromise:root
Vulnerable Systems:Unpatched Linux 1.2.* systems (possibly some 1.3.x)
Date:11 October 1996
Exploit & full info:Available here
Description:Standard symlink hole
Author:"Salty"
Compromise:root (local)
Vulnerable Systems:HP/UX with vulnerable swinstall, mostly 10.x, some 9.x
Date:6 October 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here
Description:Standard buffer overflow
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise:root (local)
Vulnerable Systems:Those running O'reilly's webserver, website. Mostly
Windoze NT and W95 boxes. Some versions of 1.1 and 2.0beta have this
vulnerability.
Date:October 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here
Description:Standard /tmp symlink vulnerability
Author:Dog Catcher
Compromise:root on a potentially very cool system! (local)
Vulnerable Systems:many phone network operators use OpenCall SCP
Date:October 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here
Description:Some versions of Win/Win95/WinNT seem to allow people to bypass screensaver password "security" with control-alt-delete and control-ESC
Author:Common knowledge
Compromise:Take over "passworded" winbloze machines (local)
Vulnerable Systems:Some Win95 and WinNT boxes
Date:October 1996
Exploit & full info:Available here
Description:symlink bug due to poor error file creation
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise:root (local)
Vulnerable Systems:HP/UX with vulnerable /usr/perf/bin/glance, probably just 9.x
Date:October 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here
Description:ppl insecurely creates log files in world writeable directory, I'm sure you can see where this is headed.
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise:root (local)
Vulnerable Systems:HP/UX with vulnerable ppl, 9.x 10.x
Date:October 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here
Description:standard /tmp symlink race condition with HP/UX SAM
Author:John W. Jacobi (jjacobi@nova.umuc.edu)
Compromise:root (local)
Vulnerable Systems:HP/UX with vulnerable SAM, at least HP-UX 9.04 & 9.05 on 9000/700 & 9000/800
Date:25 September 1996
Notes:for more HP bugs see the SOD HP Bug of the Week page
Exploit & full info:Available here
Description:A quirk in Sendmail that could potentially be exploited is that usernames like '/etc/passwd' get written into the file of the same name when mail is received for them. This could be a problem on systems where users can specify their username without sysadmin intervention.
Author:mudge@l0pht.com found this hole in a l0pht advisory. This exploit for FreeBSD written by Alexey Zakharov (leshka@chci.chuvashia.su)
Compromise:root (local)
Vulnerable Systems:Any systems using Sendmail ~8.6.12, possibly up to 8.75 that allow user-specified /etc/passwd gecos fields (ie through chfn(1)). This exploit will work for FreeBSD
Date:23 September 1996
Notes:The original L0pht Security Advisory is in addendum
Exploit & full info:Available here
Description:The Xt library has a number of buffer overflow vulnerabilities which can be exploited on the suid root programs linked to it.
Author:"b0z0 bra1n"
Compromise:root (local)
Vulnerable Systems:This exploit will work for FreeBSD and with tweaking other x86 operating systems (eg linux). Most systems running any version of X11 prior to Aug '96 are vulnerable
Date:24 August 1996
Exploit & full info:Available here
Description:A standard buffer overflow exists in Linux and *BSD umount
Author:bloodmask (bloodmask@mymail.com) claims to have found the
vulnerability. Paulo Jorge Alves Oliveira (pjao@dux.isec.pt) wrote the
freebsd/linux exploits included first.
Compromise:root (local)
Vulnerable Systems:Systems with vulnerable umount setuid (many Linux and BSD distributions)
Date:13 August 1996
Notes:If mount is fixed, try ncpmount/ncpumount and possibly wuftpd.
Another mount exploit is in addendum.
Exploit & full info:Available here
Description:SOD HP/UX rdist exploit
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise:root (local)
Vulnerable Systems:HP/UX with vulnerable rdist, probably 9.x 10.x
Date:10 August 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here
Description:Hehe, the good folks at SGI apparently tried to avoid the
system() call security problems, by an execve("/sbin/sh", "sh", "-c",
"command..."). Ha!
Author:Mike Neuman <mcn@RIPOSTE.ENGARDE.COM>
Compromise:root (local)
Vulnerable Systems:IRIX 6.2
Date:Mike reported it on 6 August 1996, but they apparently didn't get
around to fixing it.
Exploit & full info:Available here
Description:IRIX 5.3 chost apparently fails to drop privileges sufficiently when an invalid root password is entered
Author:Grant Kaufmann (gkaufman@cs.uct.ac.za)
Compromise:root (local)
Vulnerable Systems:IRIX 5.3 with vulnerable chost.
Date:6 August 1996
Notes:The SGI patch may not always plug the hole!
Exploit & full info:Available here
Description:Solaris 2.4 prior to kernel jumbo patch 35 in many circumstances allows setgid programs to dump core which is especially bad since Solaris has WAY too many group-writable files.
Author:Jungseok Roh <beren@cosmos.kaist.ac.kr>
Compromise:It is easy to overwrite files writeable by group bin, which
leads quickly to root access (local)
Vulnerable Systems:Solaris 2.4 prior to kernel jumbo patch -35
Date:3 August 1996
Exploit & full info:Available here
Description:Standard insecure tempfile creation, symlink to /.rhosts
exploit
Author:Jungseok Roh (beren@cosmos.kaist.ac.kr) posted the kcms_* stuff, Leif Hedstrom (leif@netscape.com) posted that admintool had the same problem.
Compromise:root (local)
Vulnerable Systems:Solaris 2.5.[01]
Date:26 July 1996
Exploit & full info:Available here
Description:ANOTHER stupid MS '..' bug, this time in their web server.
Author:possibly Thomas Lopatic (lopatic@dbs.informatik.uni-muenchen.de)
Compromise:Gain unauthorized access to files outside the public html directories.
Vulnerable Systems:Systems running a vulnerable IIS http server, mostly Windows NT boxes.
Date:26 July 1996
Exploit & full info:Available here
Description:It is suid and contains a command to write to file, which it does w/o dropping privileges. Brilliant.
Author:Brian Mitchell (brian@saturn.net)
Compromise:root (local)
Vulnerable Systems:Tested on DG/UX 5.4r3.10
Date:23 July 1996
Exploit & full info:Available here
Description:sliplogin does system() as root w/o clearing environment, so you can do things like set IFS='/'.
Author:David Holland <dholland@hcs.HARVARD.EDU>
Compromise:root (local)
Vulnerable Systems:Any with sliplogin older than 2.1.0, mostly linux systems (many BSD distributions have the program, but it apparently can't be exploited to another error).
Date:16 July 1996
Exploit & full info:Available here
Description:Another vulnerability in rdist, standard buffer overflow
Author:found in [8lgm]-Advisory-26.UNIX.rdist.20-3-1996, *BSD exploit
written by Brian Mitchell (brian@saturn.net)
Compromise:root (local)
Vulnerable Systems:Solaris 2.x, Sunos 4.*, some *BSD systems. Included
exploit only for *BSD.
Date:10 July 1996
Exploit & full info:Available here
Description:Another '..' bug, this time by Novell
Author:TTT Group <ttt@broder.com>
Compromise:read any file on server
Vulnerable Systems:systems running vulnerable versions of Novell's httpd
Date:3 July 1996
Exploit & full info:Available here
Description:Standard /tmp symlink exploit
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise:root (local)
Vulnerable Systems:HP/UX with vulnerable , probably 9.x 10.x
Date:June 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here
Description:On systems that support saved set-user-IDs, perl isn't thorough enough in giving up its root privileges.
Author:Jon Lewis (jlewis@inorganic5.fdt.net) wrote this basic exploit,
though it has been modified. It is unclear who found the hole.
Compromise:root (local)
Vulnerable Systems:Systems that support saved set-user-IDs and
set-group-IDs and have suid_perl 5.001 (and possibly below) installed.
Many linux and *BSD boxes.
Date:June 1996
Exploit & full info:Available here
Description:abracadabra.{bat,cmd} are insecure CGIs
Author:www.omna.com
Compromise:Execute arbitrary commands on the remote IIS Server
Vulnerable Systems:Microsoft IIS http server v.1.0, 2.0b
Date:June 1996
Exploit & full info:Available here
Description:shelling from a xrw telnet session cedes EUID 0
Author:Ess Jay
Compromise:root (local)
Vulnerable Systems:HP/UX with vulnerable xrw, probably 9.x 10.x
Date:23 May 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here
Description:Some of the test-cgi scripts distributed with some http
servers are buggy
Author:Mudge <mudge@l0pht.com>
Compromise:remotely obtain directory listings
Vulnerable Systems:systems with vulnerable test-cgi (many web servers)
Date:April 1996
Notes:If this exact exploit doesn't work, try slightly modified query
strings.
Exploit & full info:Available here
Description:A lot of idiots with PC web servers put perl.exe in their
cgi-bin directory.
Author:tchrist@perl.com wrote this exploit
Compromise:Execute arbitrary perl code on a PC (remote)
Vulnerable Systems:Mostly PC web servers. Wherever anyone is stupid enough to leave perl.exe in cgi-bin dir
Date:28 March 1996
Notes:You can find vulnerable sites via altavista. More information on this program available at http://www.perl.com/perl/news/latro-announce.html
Exploit & full info:Available here
Description:Solaris /bin/eject takes a device name (floppy, etc) for
argv[2] which can be overflowed via standard techniques.
Author:Cristian SCHIPOR (skipo@SUNDY.CS.PUB.RO)
Compromise:root (local)
Vulnerable Systems:Unpatched Solaris 2.4, 2.5
Date:13 March 1996
Exploit & full info:Available here
Description:sdtcm_convert is kind enough to watch the permissions of your calendar file and if you change them it will change them back ... even following symlinks ;)
Author:Cristian SCHIPOR (skipo@SUNDY.CS.PUB.RO)
Compromise:root (local)
Vulnerable Systems:Solaris at least 2.5.1
Date:22 February 1996
Exploit & full info:Available here
Description:Microsoft really has a problem with clients that send "."
don't they? Well here again they let people download asp source by
appending a '.' to the url
Author:Mark Joseph Edwards (mark@NTSHOP.NET)
Compromise:Read raw unprocessed asp files which may contain privileged
information (remote)
Vulnerable Systems:Systems running M$ IIS web server
Date:20 February 1996
Exploit & full info:Available here
Description:A 4.4BSD problem allows a read-only descriptor to a char device to be mmap()ed in RW mode. This can allow group kmem to become root and root to lower the system secure-level.
Author:Theo de Raadt and Chuck Cranor
Compromise:User kmem-> root ->modify secure-level->delete audit trail and load evil kernel mods.
Vulnerable Systems:OpenBSD 2.2 and below, FreeBSD 2.2.5 and below, BSDI 3.0 and NetBSD.
Date:17 February 1996 for this posting
Exploit & full info:Available here
Description:Older versions of Apache httpd would blindly follow symlinks and overwrite files with its /tmp/apache_status file.
Author:Dean Gaudet (dgaudet@ARCTIC.ORG)
Compromise:root (local)
Vulnerable Systems:systems running Apache httpd v1.1.3 or lower on some architectures
Date:16 February 1996
Exploit & full info:Available here
Description:Standard Buffer overflow in libc, neat shellcode though
Author:solar@IDEAL.RU posted exploit, libc had already been fixed
Compromise:root (local)
Vulnerable Systems:Linux with libc around or before 5.3.12, 5.4.7 not
vulnerable. SOME versions of Redhat 4.0 are vulnerable
Date:14 February 1996
Exploit & full info:Available here
Description:Another NLSPATH exploit, this time for sudo.bin
Author:_Phantom_ <vali@lhab.soroscj.ro>
Compromise:root (local)
Vulnerable Systems:Linux with libc around or before 5.3.12, 5.4.7, and
sudo.bin installed (Slackware 3.1 and 3.0 maybe?)
Date:13 February 1996 was when we started seeing this class of
exploits
Notes:I wish more people would email me exploits like _Phantom_ did!
He
has also sent in a bunch of other NLSPATH sploits. If the system
doesn't
have this particular binary, pick another suid program and just change
the
execl
Exploit & full info:Available here
Description:The nissetup.sh program for setting up NIS+ databases
leaves
insecure permissions on the password table. This allows you to, for
example, use nistbladm to change your UID!
Author:Well known
Compromise:root (local)
Vulnerable Systems:Unpatched Solaris 2.5.1 systems (possibly earlier
versions of Solaris).
Date:10 February 1996
Notes:Here is an anonymous posting reminding us of the problem. Also,
Casper *** (casper@HOLLAND.SUN.COM) mentioned that just installing the
Solaris patch doesn't fix the problem. You need to manually reset the
bad
permissions. How many people do you think forgot to do that?
Exploit & full info:Available here
Description:standard buffer overflow in gethostbyname
Author:Georgi Guninski (guninski@technologica.bg)
Compromise:root (local)
Vulnerable Systems:AIX systems on PowerPC with vulnerable
gethostbyname().
AIX 4.1, possibly 3.x, 4.x.
Date:13 January 1996
Exploit & full info: Available here

Description: A BUNCH of pathetic security holes in AUTOSOFT/RTS (an inventory control system).
Author: Brian Mitchell <brian@saturn.net>
Compromise: root (local)
Vulnerable Systems: Any running unfixed vulnerable versions of AUTOSOFT/RTS
Date: 9 January 1996
Exploit & full info: Available here

Description: standard dumb tmpfile creation vulnerability in csetup
Author: Discovered by Jay (srinivas@t2.chem.umn.edu)
Compromise: root (local)
Vulnerable Systems: IRIX with vulnerable suid csetup
Date: 6 January 1996
Exploit & full info: Available here

Description: Cool. Win95/NT Buffer overflows with WebSite v1.1e for Windows NT and '95.
Author: solar@ideal.ru
Compromise: Run arbitrary commands remotely.
Vulnerable Systems: Systems running WebSite v1.1e for Windows NT and '95.
Date: 6 January 1996
Exploit & full info: Available here

Description: A "feature" of most telnetd programs is that they will pass environment variables (like TERM, DISPLAY, etc) for you. Unfortunately this can be a problem if someone passes LD_PRELOAD and causes /bin/login to load trojan libraries!
Author: Well known, squidge (squidge@onyx.infonexus.com) wrote this, but I doubt you can reach him. Isn't he in jail now?
Compromise: root REMOTELY!
Vulnerable Systems: Older Linux boxes, I think SunOS systems, probably others.
Date: January 1996 maybe? Quite old but lives forever like phf.
Notes: Appended is a uuencoded version of squidge's telnetd_ex.tar.gz
Exploit & full info: Available here

Description: A VERY well known character escaping vulnerability in some phf cgi scripts.
Author: Unknown
Compromise: Generally 'nobody' or 'daemon', but sometimes root. Whatever httpd is running. (REMOTE)
Vulnerable Systems: Many old web server distributions came with phf installed
Date: January 1996 or something like that.
Notes: Since some systems have vulnerable bash, you can also try http://host.com/cgi-bin/phf?Qalias=%ff/bin/cat%20/etc/passwd. Also see addendum for a fake phf script to fool would-be crackers. After that I've put a phf exploit with a little more obfuscation.
Exploit & full info: Available here

Description: The libresolv+ library can give out too much information and possibly crash the system
Author: Possibly Jared Mauch (jared@puck.nether.net)
Compromise: users can read first line of any file (ie /etc/shadow) and they can possibly crash the system.
Vulnerable Systems: Many Linux distributions.
Date: 1996
Exploit & full info: Available here

Description: In a particularly dumb move, HP/UX's remote administration program, SAM, adds a user 'sam_exec' with UID 0 and a standard password.
Author: bogus technician (bogus@command.com.inter.net) (apparently it is SOD again) was the first to find the 10.x password.
Compromise: root (local)
Vulnerable Systems: HP/UX 9.x, 10.x where SAM has been used
Date: 1996
Notes: See the SOD HP Bug of the Week page
Exploit & full info: Available here

Description: xwcreate and xwdestroy let you delete any file on system!
Author: Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: delete any file on system, this can lead to root if you take out /etc/passwd, but BE CAREFUL! (local)
Vulnerable Systems: HP/UX with vulnerable xwcreate/xwdestroy 9.x and possibly 10.x
Date: Unknown
Notes: See the SOD HP Bug of the Week page
Exploit & full info: Available here

Description: trojan in path vulnerability in subnetconfig
Author: Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems: HP/UX with vulnerable netconfig, possibly just 9.0
Date: OLD
Notes: See the SOD HP Bug of the Week page
Exploit & full info: Available here

Description: Lilo offers a lot of ways to get root by people who have physical access to the machine. This should be obvious, as these are advertised features of lilo. If someone has physical access, they can get in somehow anyway. But these make it easy to do inconspicuously.
Author: These are quite well known, though BeastMaster V apparently wrote the textfile.
Compromise: root (local)
Vulnerable Systems: Linux systems running lilo which allow physical access to untrusted users (really dumb!).
Date: Old (very), but still applicable to many systems, as it is a feature and thus hasn't been "patched".
Notes: BeastMaster doesn't mention that you can also boot with "linux single" to get a root single-user-mode shell on many linux boxes. I've added another post about lilo "vulnerabilities" in the addendum section.
Exploit & full info: Available here

Description: A couple more old glance vulnerabilities
Author: Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems: HP/UX with vulnerable glance, maybe 9.x or 10.x
Date: Unknown
Notes: See the SOD HP Bug of the Week page
Exploit & full info: Available here