A number of TCP/IP stacks are vulnerable to a 'loopback' (Land) condition, triggered by sending a TCP SYN packet whose source address and port have been spoofed to equal the destination address and port. When such a packet is received, the stack enters an infinite loop and the affected system hangs. This is known to affect Windows 95, Windows NT 4.0 up to SP3, Windows Server 2003, Windows XP SP2, Cisco IOS devices and Catalyst switches, and HP-UX up to 11.00.
Excite for Web Servers 1.1 (EWS) is a search engine suite for web servers running under Windows NT and UNIX. By default the file containing the administrative password, architext.conf, is world readable and world writable. This allows an attacker with local access to gain administrative privileges over EWS. This password is encrypted, but the attacker can bypass the normal login method and pass the encrypted password directly to the script responsible for authenticating the user - /cgi-bin/AT-generate.cgi. This can be done with the help of a simple HTML form or passed directly to the script as the 'ENCRYPTEDPASS' parameter. Since the file is also world writable, the attacker could make up an 'encrypted' password and overwrite the file with it, then submit the new encrypted password.
PerlCal is a CGI script written by Acme Software that provides web-based calendar sharing and related functions. A vulnerability in PerlCal allows a remote user to traverse the filesystem of the target host by supplying '../' sequences together with a relative path to a known resource, which may disclose the contents of sensitive files. What can be read depends on the privilege level of the user the web server runs as, typically 'nobody'. The disclosed information may aid further attacks against the host.
DataWizard WebXQ server is vulnerable to a directory traversal attack, which allows a remote user to obtain read access to directories and files outside the web root. This can be done by including '/../' sequences along with a known file or directory in requested URLs.
An attacker on the printer's local network (or, if no firewall is in place, any attacker) can reach the printer's administration interface, which is served by the built-in Tektronix PhaserLink web server. No password or other authentication is applied to this connection: arbitrary pages inside the administration interface can be reached simply by naming the desired page in a query string submitted to the PhaserLink web server. Using this method, an attacker can activate the printer's 'Emergency Power Off' feature, which can lead to improper cooling of the ink/crayon reservoir and potentially physically damage the device.
routed is a daemon used to dynamically update network routing tables. Certain operating systems (including IRIX 3.x up to 6.4 inclusive, Caldera OpenLinux 1.0 and 1.1) contain a routed version which allows attackers to write limited data to arbitrary files, with root privileges. routed communicates using the Routing Information Protocol (RIP - RFC1058, RFC1723). An obsolete command specified by this protocol is "traceon," which turns on certain debugging features and logs information to a file specified in the RIP packet. Attackers can construct packets (typically with spoofed source addresses) to turn on this feature and cause routed to append debugging information to the specified trace file. Although the information thus written is limited to the normal routed debugging output, the files specified could include /dev files and therefore this could lead to a number of damaging scenarios including memory and disk corruption, denial of service, etc.
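Both the spoofed-SYN condition described for TCP/IP stacks above and the obsolete RIP trace commands are visible from the IP and transport headers alone, so a stateless filter can catch them before they reach the vulnerable stack or daemon. The following Python script is an added example (not part of the original advisory text and not code from any of the affected vendors): it parses a raw IPv4 packet, flags a SYN whose source address and port equal its destination address and port, and flags UDP/520 datagrams whose RIP command byte is 3 (traceon) or 4 (traceoff), the values RFC 1058 marks as obsolete and to be ignored. The sample packets are constructed inline with zero checksums so that the script runs offline; the addresses and ports in them are made up.

```python
import socket
import struct

# RFC 1058 section 3.4 command values; 3 and 4 are the obsolete trace commands.
RIP_PORT = 520
RIP_COMMANDS = {1: "request", 2: "response", 3: "traceon", 4: "traceoff"}
TCP_SYN = 0x02


def parse_ipv4(raw):
    """Split a raw IPv4 packet (no link-layer header) into (proto, src, dst, payload)."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    fields = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ver_ihl, proto, src, dst = fields[0], fields[6], fields[8], fields[9]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("bad IPv4 header length")
    return proto, socket.inet_ntoa(src), socket.inet_ntoa(dst), raw[ihl:]


def inspect(raw):
    """Return a list of alert strings for one IPv4 packet (empty list = nothing seen)."""
    alerts = []
    proto, src, dst, payload = parse_ipv4(raw)
    if proto == 6 and len(payload) >= 20:                        # TCP
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", payload[:14])
        # Land: SYN set, and the 4-tuple folds back onto itself.
        if off_flags & TCP_SYN and src == dst and sport == dport:
            alerts.append(f"LAND: SYN with source == destination ({src}:{sport})")
    elif proto == 17 and len(payload) >= 8:                      # UDP
        sport, dport, _ulen, _csum = struct.unpack("!HHHH", payload[:8])
        if dport == RIP_PORT and len(payload) >= 12:
            command = payload[8]                                 # first byte of the RIP header
            if command in (3, 4):
                alerts.append(f"RIP {RIP_COMMANDS[command]} (obsolete command {command}) "
                              f"from {src}:{sport} to {dst}")
    return alerts


# --- constructed sample packets: checksums left zero, for parsing only, never for sending ---
def build_ipv4(proto, src, dst, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_tcp_syn(sport, dport):
    # data offset 5 words, SYN flag only, window 8192, checksum and urgent pointer zero
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | TCP_SYN, 8192, 0, 0)


def build_rip(command, version=1):
    body = struct.pack("!BBH", command, version, 0)              # command, version, must-be-zero
    return struct.pack("!HHHH", RIP_PORT, RIP_PORT, 8 + len(body), 0) + body


LAND_PACKET = build_ipv4(6, "10.0.0.5", "10.0.0.5", build_tcp_syn(139, 139))
NORMAL_SYN = build_ipv4(6, "10.0.0.9", "10.0.0.5", build_tcp_syn(40000, 139))
TRACEON_PACKET = build_ipv4(17, "10.0.0.7", "10.0.0.1", build_rip(3))
RIP_REQUEST = build_ipv4(17, "10.0.0.7", "10.0.0.1", build_rip(1))

if __name__ == "__main__":
    for name, pkt in [("land", LAND_PACKET), ("normal syn", NORMAL_SYN),
                      ("rip traceon", TRACEON_PACKET), ("rip request", RIP_REQUEST)]:
        print(f"{name:12} {inspect(pkt) or 'clean'}")
```

In a real deployment inspect() would be fed from a capture library rather than hand-built packets. Note that a RIP datagram carrying command 3 with a spoofed source address is indistinguishable on the wire from one sent by a legitimate neighbour, which is why the check keys on the command value rather than on the sender; the same applies to the Land packet, whose only tell is the folded-back address pair.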
The 'netprint' utility shipped with SGI IRIX is used to send print jobs to print spoolers on remote hosts and is installed setuid root by default. On the command line, 'netprint' accepts a -n option whose argument is a string naming the network type, and it uses this string to open a shared library. The string is not validated, so an attacker can cause 'netprint' to load a shared library of their choosing. Because 'netprint' is setuid root, code in an attacker-supplied library runs with superuser privileges. It has been reported that only 'lp' can execute 'netprint'. On many earlier versions of IRIX, 'lp' was a passwordless default account; if it has not been disabled, remote users can log in as 'lp' without a password and use this vulnerability to gain root access.
Raiden FTPD is susceptible to directory traversal attacks using multiple dots in submitted commands that specify file paths. If the request is properly composed, RaidenFTPD will serve files outside the intended root directory, potentially exposing private user data or information that could be used to further compromise the host.
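The three traversal issues above (PerlCal, DataWizard WebXQ and RaidenFTPD) share one root cause: the server joins a client-supplied path onto its root directory and honours every '..' in the result without checking that the final path still lies under that root. As an added example, not code from any of those products, the Python below shows the vulnerable resolution next to a hardened one. The document root, request strings and file names are assumptions chosen for illustration.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumed document root for these examples


def vulnerable_resolve(root, requested):
    """The pattern behind the advisories above: percent-decode the request,
    strip its leading '/', join it under the root and normalise.  normpath()
    honours every '..', and nothing checks that the result stayed under root."""
    decoded = unquote(requested).lstrip("/")
    return posixpath.normpath(posixpath.join(root, decoded))


def safe_resolve(root, requested):
    """Resolve the same way, then refuse any result that is not the root itself
    or strictly below it.  Rejects NUL bytes too, since a C file API would
    silently truncate the name there."""
    root = posixpath.normpath(root)
    prefix = root if root.endswith("/") else root + "/"
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise PermissionError(f"NUL byte in request path: {requested!r}")
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(prefix):
        raise PermissionError(f"path traversal blocked: {requested!r} -> {candidate}")
    return candidate


def is_blocked(root, requested):
    """True if safe_resolve() refuses the request; used to compare the two resolvers."""
    try:
        safe_resolve(root, requested)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # Constructed request strings in the shapes the advisories describe.
    for req in ["docs/index.html", "../../../etc/passwd", "/docs/../../etc/passwd",
                "%2e%2e/%2e%2e/%2e%2e/etc/passwd", ".../.../etc/passwd", "index.html%00.jpg"]:
        outcome = "BLOCKED" if is_blocked(WEB_ROOT, req) else "served"
        print(f"{req!r:36} naive -> {vulnerable_resolve(WEB_ROOT, req)!r:40} hardened -> {outcome}")
```

safe_resolve() works on strings with posixpath so the example runs without a filesystem; production code should resolve with os.path.realpath() (to follow symlinks) and compare against the realpath of the root, and must apply the check to the final path the file API will open. That last point matters for the multi-dot variant: '...' is an ordinary directory name to POSIX and stays inside the root here, but a server or platform that maps '...' to a parent reference must perform that mapping before, not after, the containment check.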
Microsoft Internet Information Server is vulnerable to a denial of service that affects versions 2.0, 3.0 and 4.0 of the server prior to Service Pack 4. The URL which triggers it has the form 'http://server/?anything=XXXXX'; note that no existing file need be requested. This is not a buffer overflow: a URL of a specific length (between 4 KB and 8 KB) must be sent, and anything longer or shorter will not affect the server.
PowerScripts PlusMail Web Control Panel is a web-based administration suite for maintaining mailing lists, mail aliases and web sites. It is reportedly possible to change the administrative username and password without knowing the current one by passing the proper arguments to the plusmail script (typically /cgi-bin/plusmail): submit the argument "new_login" with the value "reset password", together with the arguments "username", "password" and "password1", where username is the new login name and password and password1 both contain the new password. Once this has been done, the web console allows a range of potentially destructive activities, including changing e-mail aliases and mailing lists, editing web sites, and various other privileged tasks.