BNC's IRC Proxy is used as a gateway to an IRC server. A buffer stores a username which arguments the program's USER command. User-supplied input to this buffer is improperly checked for length. As a result, the excessive data copied onto the stack can overwrite critical parts of the stack frame such as the calling functions' return address. If properly exploited, this can yield root privilege to the attacker.
BNC's IRC Proxy is used as a gateway to an IRC server. A buffer stores a username which arguments the program's USER command. User-supplied input to this buffer is improperly checked for length. As a result, the excessive data copied onto the stack can overwrite critical parts of the stack frame such as the calling functions' return address. If properly exploited, this can yield root privilege to the attacker.
A Denial of Service exists in current implementations of BIND. The problem occurs in the Compressed Zone Transfer (ZXFR) functionality of BIND. A default installation of BIND does not support the transfer of compressed zone files. However, daemon that allows zone transfers and recursive queries will crash if queried for a compressed zone transfer that is not in the nameserver cache. This could result in a name resolution Denial of Service for all users and systems depending upon nameservers using the affected software.
YaBB (Yet Another Bulletin Board) is a popular perl-based bulletin board scripting package. search.pl, one of several perl scripts which comprise YaBB, fails to properly validate user input which arguments a call to open(). A malicious user could supply a string containing '/../'-type sequences and shell commands. As a result of search.pl's failure to reject this type of input, it is possible to traverse the script's normal working directories, and to execute arbitrary commands on the host with the privelege level of YaBB. This can lead to an anonymous internet user gaining shell access to the host. An attacker could easily create a malicious html form with a catsearch such as: ./../../../../../usr/bin/touch%20/tmp/foo|
The registrar service that ships with version 10.20 (possibly others) of HP's HP-UX operating system contains a vulnerability that may allow a local user to read any file on the hosts filesystem. The service (which listens on tcp port 1712) writes to a log file, /etc/opt/resmon/log/registrar.log. Default permissions on the /etc/opt/resmon/log directory allow users to overwrite the log file within it via 'mv', which is normally created and written to by root when connections are made to the service. After mv'ing an existing log file to another location, a malicious user can create a symbolic link to an arbitrary file they do not have read access to with the filename registrar.log in etc/opt/resmon/log. If any connections are made to the registrar service after this, the mode of the file pointed to will change to 0644 (world readable) and log data will be appended to it. In addition to disclosing to the user restricted information, this may lead to an elevation of privileges for the local attacker.
restore is a program for backup and recovery procedures, distributed with the RedHat Linux Operating System. A vulnerability exists that could allow a user elevated permissions. The problem occurs in the RSH environment variable. restore is dependent upon this environment variable for execution. It is possible to set this variable PATH to that of an executable, and then execute restore. This will result in the executable in the RSH environment variable being run with an EUID of 0. Exploitation of this vulnerability by a malicious user can result in root compromise.
When Microsoft IIS receives a valid request for an executable file, the filename is then passed onto the underlying operating system which executes the file. In the event that IIS receives a specially formed request for an executable file followed by operating system commands, IIS will proceed to process the entire string rather than rejecting it. Thus, a malicious user may perform system commands through cmd.exe under the context of the IUSR_machinename account which could possibly lead to privilege escalation, deletion, addition, and modification of files, or full compromise of the server.
The ASP ISAPI file parser does not properly execute certain malformed ASP files that contain scripts with the LANGUAGE parameter containing a buffer of over 2200 characters and have the RUNAT value set as 'server'. Depending on the data entered into the buffer, a denial of service attack could be launched or arbitrary code could be executed under the SYSTEM privilege level in the event that a malicious ASP file were locally executed on IIS.
An attacker can compose an email message with a carefully-formed string in the Reply-To: field which includes shell meta-characters, and send it to a victim/recipient. Upon receipt of this message, the recipient might normally see the dangerous text in the Reply-to field and delete the message without responding. However, the field can be formed in such a way that these extra characters are concealed. By including a series of ^H characters, the attacker can affect the text in the field as it is displayed on the recipient's screen. As a result, the victim has no visible indication that the message variables (eg, from and reply-to) are malformed. If the message elicits a response from the user, the contents of the reply-to field will be interpreted as a reference to a pre-existing file in /tmp, placed earlier by the attacker, which can contain arbitrary shell commands. This can grant the attacker an elevation of privileges, to that of his victim, and possibly root (if root replies to the dangerous email..).
ManTrap is a 'honeypot' intrusion detection system designed to lure attackers into it for analysis. The honeypot is implemented as a chroot'ed Solaris environment, designed to look and feel real to an attacker who gains access to it. It is possible for an attacker to guess that they are on a chrooted() ManTrap system by looking at the inode of the root directory (ls -id /). If it is high (usually within the 100000-200000 range), then the root directory is a chrooted() subset of a larger filesystem.
Services By CQR