isdn4linux contains a format string vulnerability in the ipppd utility. In some installations, this utility is installed with setuid root privileges. Exploitation of this vulnerability could lead to a local attacker executing code with administrative privileges.
It is possible to remotely gain access to the identification string used for configuration of OEM access points manufactured by Orinoco through SNMP. By sending a custom-crafted SNMP query to a vulnerable access point, the access point will return system credentials, including the identification string. This identification string can be used as the administrative community string.
Falcon Webserver does not sufficiently sanitize HTML tags from error message output. In particular, attackers may inject HTML into 301 and 404 error pages. It is possible to create a malicious link to the server which will generate an error page with attacker-supplied HTML and script code when visited. Arbitrary HTML and script code will be executed by the web client of the user visiting the server, in the security context of the server.
The 602Pro LAN SUITE 2002 Telnet Proxy is reported to be prone to a denial of service condition. It is possible for proxy users to use the loopback interface to connect to localhost. If a large number of these connections are made concurrently, it is possible to cause a denial of service via resource exhaustion.
It is possible for an attacker to cause a buffer overflow condition on the vulnerable SQL server with a malformed login request. This may allow a remote attacker to execute arbitrary code as the SQL Server process.
A flaw has been reported in the handling of X.509 certificates by a number of products, including several web browsers. It may be possible for a malicious party to create certificates for arbitrary domains, which will be treated as trusted by the vulnerable browser. The flaw lies in the handling of intermediate certificate authorities. Normally, intermediate certificates should possess a Basic Constraints field which states the certificate may be used as a signing authority. Vulnerable products do not require the Basic Constraints field be properly defined. A malicious party with one valid certificate may sign a new certificate for an arbitrary domain. This may allow the attacker to spoof a sensitive domain, or to attempt a man-in-the-middle attack against encrypted communications.
Attackers with local access may exploit this vulnerability to elevate privileges if a window belonging to another process with higher privileges is present. A paper, entitled 'Win32 Message Vulnerabilities Redux' has been published by iDEFENSE that describes another Windows message that may be abused in a similar manner to WM_TIMER. Another proof-of-concept has been released by Brett Moore in a paper entitled 'Shattering SEH III' which demonstrates how Shatter attacks may be used against applications which make use of progress bar controls. Brett Moore has released a paper entitled 'Shattering By Example' which summarizes previous Shatter attacks, discusses new techniques and also provides an exploit which abuses Windows statusbars using WM_SETTEXT, SB_SETTEXT, SB_GETTEXTLENGTH, SB_SETPARTS and SB_GETPARTS messages.
The qmailadmin utility, developed by Inter7, is vulnerable to a buffer overflow condition. It is meant to run as a CGI program and is typically installed setuid (owned by root on some systems, regular users on others). qmailadmin fails to implement adequate bounds checking when processing an environment variable, resulting in a buffer overrun condition. It is likely that this can be exploited by malicious local users to elevate privileges.
When viewing the contents of a FTP site as web content from a ftp:// URL, the directory name is included in the HTML representation. It is not adequately sanitized before this occurs. An attacker may embed javascript as this value between opening and closing "<title>" tags in a FTP URL.
When viewing the contents of an FTP site as web content, the data within <title> tags is not sanitized. An attacker may embed javascript between open and closing <title> tags in a FTP URL.
Services By CQR
