Explore Vulnerabilities

Explore all Exploits:

Samba SWAT Authentication Bypass Vulnerability

Certain versions of the Samba suite ship with SWAT (Samba Web Administration Tool), a utility for remote administration of the Samba server that by default runs from inetd as root on TCP port 901. Affected versions of SWAT do not log a failed login attempt when the remote user supplies a valid username together with a wrong password. A remote attacker who knows an account name can therefore keep guessing its password indefinitely without being logged or locked out.

Samba SWAT CGI Logging Vulnerability

Samba ships with SWAT (Samba Web Administration Tool), a utility for remote administration of the Samba server that by default runs from inetd as root on TCP port 901. Certain versions allow a local user to gain root privileges through a symlink attack on SWAT's CGI logging facility, which is not enabled by default. When CGI logging is enabled, SWAT writes all traffic to the web service to /tmp/cgi.log. The log is not created with restrictive permissions and lives in a world-writable directory, so a local user can pre-create /tmp/cgi.log as a symbolic link to any other file on the system. The user then connects to the SWAT port (901 by default), and whatever they send is appended by the root-owned process to the target of the link, typically /etc/passwd.

Samba SWAT Symlink Vulnerability

A vulnerability in Samba SWAT allows local users to gain root privileges through SWAT's logging facility. SWAT logs all traffic to the web service to /tmp/cgi.log, a file that is created without restrictive permissions in a world-writable directory. A local user can create /tmp/cgi.log as a symbolic link to any other file on the system, such as /etc/passwd, and the root-owned SWAT process will then write the logged request data into that file.
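The two /tmp/cgi.log entries above describe the same failure mode: a privileged process opening a log by name in a world-writable directory, following whatever a local user has planted there. The following is an added example, not Samba code, that reproduces the clobber in a scratch directory (standing in for /tmp) and shows the hardened open a practitioner would use instead: refuse to follow symlinks, then verify on the open descriptor that the file is a regular file, owned by us, with a single link. The file names and the fake passwd line are constructed for the demo.

```python
import errno
import os
import stat
import tempfile

# Added example (not Samba's code). Paths below are assumptions chosen for
# the demo; a scratch directory stands in for /tmp and "passwd" for /etc/passwd.


def unsafe_append(path, data):
    """Mirror the flaw: open by name and follow whatever the path points at."""
    with open(path, "a") as f:  # follows a symlink planted by another user
        f.write(data)


def safe_append(path, data):
    """Refuse symlinks, then refuse anything that is not a regular file we own."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW, 0o600)
    try:
        st = os.fstat(fd)  # check the descriptor, not the path (no TOCTOU window)
        if (not stat.S_ISREG(st.st_mode)
                or st.st_uid != os.geteuid()
                or st.st_nlink != 1):  # a hard link to a target is another route in
            raise PermissionError(f"refusing to log to {path}: not a regular file we own")
        os.write(fd, data.encode())
    finally:
        os.close(fd)


def demo():
    """Plant a symlink where the log is expected and try both writers.

    Returns (target clobbered by unsafe_append?, safe_append refused?,
             safe_append works on a fresh regular file?)."""
    d = tempfile.mkdtemp()  # 0700 and not sticky, so fs.protected_symlinks
    target = os.path.join(d, "passwd")  # does not mask the flaw here
    link = os.path.join(d, "cgi.log")
    with open(target, "w") as f:
        f.write("root:x:0:0::/:/bin/sh\n")  # constructed sample content
    os.symlink(target, link)

    unsafe_append(link, "evil::0:0::/:/bin/sh\n")
    with open(target) as f:
        clobbered = "evil" in f.read()

    try:
        safe_append(link, "evil::0:0::/:/bin/sh\n")
        blocked = False
    except OSError as e:  # ELOOP on Linux, EMLINK on some BSDs, or our own refusal
        blocked = isinstance(e, PermissionError) or e.errno in (errno.ELOOP, errno.EMLINK)

    fresh = os.path.join(d, "fresh.log")
    safe_append(fresh, "GET / HTTP/1.0\n")
    with open(fresh) as f:
        fresh_ok = f.read() == "GET / HTTP/1.0\n"
    return clobbered, blocked, fresh_ok


if __name__ == "__main__":
    print(demo())
```

The descriptor checks matter as much as O_NOFOLLOW: O_NOFOLLOW only rejects a symlink at the final path component, so the ownership and link-count tests on the fstat result are what catch a pre-created regular file or a hard link. The real fix is to not log under /tmp at all, but a log in a private, root-owned directory should still be opened this way.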

Unify eWave ServletExec Denial of Service Vulnerability

Unify eWave ServletExec is vulnerable to a denial of service if a URL that invokes the ServletExec servlet itself through the /servlet path prefix is requested. The ServletExec engine then attempts to bind a server socket on port 80; if the web server is already listening there, the bind fails with java.net.BindException and the ServletExec engine stops serving requests.

Cross-site Scripting Vulnerability in Microsoft Indexing Services

A cross-site scripting vulnerability has been reported in Microsoft Indexing Services for Windows 2000/NT4 in its handling of the .htw extension. If a user inadvertently opens a hostile link in a browser or HTML-capable e-mail client, active content such as JavaScript may be executed in the context of the target site. For example, the following link, when processed by IIS, yields successful exploitation: http://target/null.htw?CiWebHitsFile=filename.htm&CiRestriction="<SCRIPT>Active Scripting</SCRIPT>" It is not necessary to specify a valid .htw file, because the virtual file null.htw is held in memory and the .htw extension is mapped by default to webhits.dll.
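The advisory gives the exploit URL but not how to confirm the condition or what the fix looks like. The following is an added example, not Microsoft code, that builds the probe URL from the advisory's parameters with a harmless marker in place of the script body, decides from a response body whether CiRestriction came back raw or HTML-encoded, and shows the encoding step webhits.dll should have applied. The response bodies are constructed, not captured from a server, and the marker string is an arbitrary choice.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Added example (not Microsoft's code). Marker and response bodies are constructed.
MARKER = "<SCRIPT>xsscheck</SCRIPT>"  # inert marker standing in for a real payload


def build_probe(target):
    """Same shape as the advisory's URL, with the marker URL-encoded as a query value."""
    return (f"http://{target}/null.htw?CiWebHitsFile=filename.htm"
            f"&CiRestriction={quote(MARKER, safe='')}")


def restriction_from_url(url):
    """Recover the CiRestriction value exactly as the server would decode it."""
    return parse_qs(urlsplit(url).query)["CiRestriction"][0]


def reflected_unencoded(body, marker=MARKER):
    """True when the marker is echoed byte-for-byte (the XSS condition);
    False when it is absent or came back HTML-encoded."""
    return marker in body


def render_safely(template, restriction):
    """What webhits should do: encode the user-supplied value before it hits HTML."""
    return template.replace("{restriction}", html.escape(restriction, quote=True))


# Constructed bodies: one from a server that echoes the value raw, one rendered safely.
VULN_BODY = "<p>Your query: <SCRIPT>xsscheck</SCRIPT> matched 0 documents</p>"
FIXED_BODY = render_safely("<p>Your query: {restriction} matched 0 documents</p>", MARKER)


if __name__ == "__main__":
    print(build_probe("target"))
    print("vulnerable:", reflected_unencoded(VULN_BODY))
    print("fixed:", reflected_unencoded(FIXED_BODY))
```

A raw substring match is deliberately strict: a server that echoes the value inside a quoted attribute with only angle brackets encoded would report False here even though other injection routes may remain, so treat a False from a live target as "this payload shape failed", not as "not vulnerable".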

FTP Serv-U Anti Brute-Force Bypass Vulnerability

FTP Serv-U is an Internet FTP server from CatSoft. It contains an anti-brute-force feature that does not reveal whether an account is valid and disconnects a user after three unsuccessful login attempts; reconnection is not permitted until a configured interval has passed. A remote user can bypass this function: once logged in, either anonymously or with a valid account, the user can issue further login attempts against other usernames and passwords from the same session without ever being disconnected. This could lead to the compromise of other user accounts on the FTP server.
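The SWAT authentication bypass entry and the Serv-U entry above are two instances of the same design error: the brute-force defence is keyed on the wrong condition. The following is an added example, not code from SWAT or Serv-U, that models both flaws in one login routine (a failure is logged only when the username is unknown, and failures are counted only while the session is unauthenticated) next to a hardened routine that logs and counts every failure regardless of session state. The user table, the limit of three, and the guess strings are constructed for the demo.

```python
from dataclasses import dataclass, field

# Added example (not SWAT or Serv-U code). USERS and MAX_FAILURES are constructed.
USERS = {"alice": "correct horse", "bob": "hunter2"}
MAX_FAILURES = 3


@dataclass
class Session:
    authenticated: bool = False
    failures: int = 0
    disconnected: bool = False
    log: list = field(default_factory=list)


def vulnerable_login(sess, user, password):
    """Reproduces both advisories' flaws in one place."""
    if sess.disconnected:
        return "disconnected"
    if user in USERS and USERS[user] == password:
        sess.authenticated = True
        return "ok"
    if user not in USERS:
        # flaw 1 (SWAT): only unknown usernames are logged, so a wrong
        # password for a real account leaves no trace
        sess.log.append(f"bad login for unknown user {user!r}")
    if not sess.authenticated:
        # flaw 2 (Serv-U): nothing is counted once the session is
        # authenticated, so the cut-off never fires for a logged-in guesser
        sess.failures += 1
        if sess.failures >= MAX_FAILURES:
            sess.disconnected = True
            return "disconnected"
    return "fail"


def hardened_login(sess, user, password):
    """Every failure is logged and counted whatever the session state, and the
    response does not distinguish an unknown user from a wrong password."""
    if sess.disconnected:
        return "disconnected"
    if USERS.get(user) == password:
        sess.authenticated = True
        return "ok"
    sess.log.append(f"bad login for {user!r}")
    sess.failures += 1
    if sess.failures >= MAX_FAILURES:
        sess.disconnected = True
        return "disconnected"
    return "fail"


def guess_after_login(login):
    """Serv-U case: log in validly, then fire ten wrong guesses at another account.
    Returns (failures logged, session cut off?, guesses that were merely 'fail')."""
    sess = Session()
    if login(sess, "bob", "hunter2") != "ok":
        raise RuntimeError("setup: a valid login should succeed")
    outcomes = [login(sess, "alice", f"guess{i}") for i in range(10)]
    return len(sess.log), sess.disconnected, outcomes.count("fail")


def silent_failures(login):
    """SWAT case: two wrong passwords for a real account, staying under the cut-off.
    Returns how many log entries were written."""
    sess = Session()
    for i in range(2):
        login(sess, "alice", f"guess{i}")
    return len(sess.log)


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_login), ("hardened", hardened_login)):
        print(name, guess_after_login(fn), silent_failures(fn))
```

With the vulnerable routine the logged-in guesser gets ten "fail" answers and the log stays empty; with the hardened one the third failure cuts the session and all three failures are on record. Counting per session is the minimum; a real server would also count per source address and per target account so that reconnecting does not reset the budget.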

Exim Mail Client Version 1.62 Local Root Buffer Overflow Vulnerability

A potential local root buffer overflow exists in Exim version 1.62 (Exim is a mail transfer agent, not a client). A buffer used when processing the filenames of message attachments can be overflowed by a maliciously formed filename. The excess data copied onto the stack can overwrite critical parts of the stack frame, such as the calling function's return address. If properly exploited, this can yield root privileges to the attacker.

HP-UX 11.00 crontab

A vulnerability in crontab on HP-UX 11.00 allows a user to read any file on the system. To create a crontab, a user runs 'crontab -e'. The command launches the vi editor on a temporary file created in /tmp and owned by the invoking user. While that file exists, its owner can spawn a shell from vi and replace the file with a symbolic link to any file on the system. After exiting the spawned shell and quitting vi, crontab (a setuid-root program) reads the linked file, fails to parse it, and returns its contents to the user's standard output in an error message.
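Two things go wrong in the crontab case: the privileged program trusts that the temporary file it handed to the editor is still the file it created, and its parse error echoes the offending line. The following is an added example, not HP-UX code, that simulates the shell-escape swap in a scratch directory and contrasts a naive re-read with one that refuses symlinks, checks the file's identity (device and inode) against what was recorded at creation, and reports parse errors by line number only. The fake shadow line, the file names and the tiny crontab grammar are constructed for the demo.

```python
import os
import stat
import tempfile

# Added example (not HP-UX's crontab). All paths and file contents are constructed.


def parse_crontab(text):
    """Minimal grammar: each non-comment line needs 5 time fields plus a command."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            raise ValueError(n)  # carry only the line number, never the line
        entries.append(fields)
    return entries


def install_naive(path):
    """The flaw: re-open by name (follows the user's symlink) and echo the bad line."""
    with open(path) as f:
        text = f.read()
    try:
        parse_crontab(text)
    except ValueError as e:
        bad = text.splitlines()[e.args[0] - 1]
        return f'error: "{bad}" is not a valid crontab line'  # leaks file contents
    return "installed"


def install_checked(path, expected_id):
    """Open without following symlinks, verify dev/inode on the descriptor,
    and keep error messages free of file contents."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:
        return "error: temp file was replaced; aborting"
    try:
        st = os.fstat(fd)
        if (st.st_dev, st.st_ino) != expected_id or not stat.S_ISREG(st.st_mode):
            return "error: temp file was replaced; aborting"
        text = os.read(fd, 1 << 20).decode()
    finally:
        os.close(fd)
    try:
        parse_crontab(text)
    except ValueError as e:
        return f"error: line {e.args[0]} is not a valid crontab line"
    return "installed"


def make_temp(dirpath, name):
    """Create the editor's temp file exclusively and record its identity."""
    p = os.path.join(dirpath, name)
    fd = os.open(p, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    st = os.fstat(fd)
    os.close(fd)
    return p, (st.st_dev, st.st_ino)


def simulate():
    """Returns (naive result after the swap, checked result after the swap,
    checked result on an honest but malformed file)."""
    d = tempfile.mkdtemp()
    secret = os.path.join(d, "shadow")  # stands in for a root-only file
    with open(secret, "w") as f:
        f.write("root:$1$constructedhash:0:0:99999:7:::\n")

    tmp, ident = make_temp(d, "crontab.tmp")
    os.remove(tmp)            # what the user does from the shell escape:
    os.symlink(secret, tmp)   # swap the temp file for a link to the secret

    honest, honest_id = make_temp(d, "crontab.honest")
    with open(honest, "w") as f:
        f.write("not a crontab\n")

    return install_naive(tmp), install_checked(tmp, ident), install_checked(honest, honest_id)


if __name__ == "__main__":
    for r in simulate():
        print(r)
```

Holding the original descriptor open across the editor session and fstat-ing it afterwards is simpler still, but editors commonly write a new file and rename it into place, so the re-open with an identity check is the pattern that survives that. The content-free error message is the second half of the fix: even with a correct open, a parser that quotes the bad line turns any readable-by-root file into an oracle.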

Buffer Overflow in Intel InBusiness eMail Station

When a client connects, the username submitted to the device with the USER command is not checked for length. By supplying a USER string of approximately 620 characters, a remote attacker can overflow the relevant buffer. The device halts in response and must be powered down and restarted. Beyond this denial of service, an attacker sufficiently familiar with the hardware architecture and firmware of the platform may be able to use the overflow to place malicious machine code on the stack, permitting interference with or modification of the device's software, interception of messages, or other compromise of the unit's normal function.
