
Explore Vulnerabilities


CrossWind CyberScheduler Buffer Overflow Vulnerability

CrossWind CyberScheduler is a scheduling and calendaring package. It consists of two distinct parts: a set of CGI scripts on a web server and a set of daemons (or services) on a database server. One of the CyberScheduler daemons, 'websyncd' (websyncd.exe on Windows NT), contains an exploitable buffer overflow in its timezone string parser. A timezone string is passed to websyncd by the websync.cgi CGI program (websync.exe on NT) through the tzs form variable. Because websyncd runs as root, a stack overflow allows arbitrary code execution as root. The overflow occurs before any logon credentials are verified by websync.cgi, so unprivileged remote users can exploit this vulnerability.

Denial of Service Vulnerability in Oracle 8

An attacker connecting to port 1526 and sending invalid input will cause the 'TNSLSNR80.EXE' process to consume all available system resources, causing the server to stop responding. A Perl script is provided which can be used to crash Oracle 8.0 on Windows NT 4.0 (Sp6).

Buffer Overflow in innfeed Utility

The innfeed utility, part of ISC InterNetNews, has an exploitable buffer overflow in its command-line parser. Specifically, innfeed will overflow if an overly long -c option is passed to it. A local attacker in the 'news' group could use this overflow to execute arbitrary code with an effective userid of news, which could constitute an elevation in privileges and the ability to alter news-owned binaries that could be run by root. Exploits are available against x86 Linux builds of innfeed.

Samba Server r00t exploit

A problem in the Samba package could make it possible to deny service to legitimate users. Due to the insecure creation of files in the /tmp file system, it is possible for a user to create a symbolic link to other files owned by privileged users in the system, such as system device files, and write data to the files.

Netscape SmartDownload Buffer Overflow Vulnerability

Netscape SmartDownload, a download manager add-on for popular web browsers, is vulnerable to a buffer overflow. The library 'sdph20.dll' used by SmartDownload contains a URL parser function that will overflow when a user visits or is redirected to a URL longer than 271 characters. This overflow, if successfully exploited, allows execution of arbitrary code by an attacker with the privilege level of the currently logged-in user. Under Windows 95/98/Me, this means administrative privileges.

Solaris mailx -F Option Buffer Overflow

A problem with the handling of a long string of characters by the -F option makes it possible for a local user to gain elevated privileges. Due to the insufficient handling of input by the -F option of mailx, a buffer overflow at 1150 characters makes it possible to overwrite variables on the stack, including the return address.

Default Operation Performed to Open a Filetype

Due to a flaw in the interpretation of CLSIDs when appended to a filename, it is possible to specify a different default action for a given file than would normally be used. As a result, seemingly harmless files (.txt, .jpg, etc.) may be opened in a nonstandard, attacker-specified manner. For example, a program ('evil.exe') could be renamed 'evil.jpg.{CLSID_of_executables}', and when opened by the target user, this file will be executed instead of being opened by their default .jpg viewer.

Solaris -F Option Buffer Overflow Vulnerability

Due to the insufficient handling of input by the -F option of mailx, a buffer overflow at 1150 characters makes it possible to overwrite variables on the stack, including the return address, allowing a local user to gain elevated privileges.

Denial of Service in GoAhead Web Server

A problem with the GoAhead Web Server makes it possible to deny service to legitimate users of the software package. By accessing the web server and issuing a request for the /aux directory, the web server ceases functioning. The process has to be manually restarted to resume normal operation.