If Index Server is enabled in Microsoft Internet Information Server 5.0, it is possible for a remote user to view the entire root directory structure and all sub-directories due to a flaw in the Web Distributed Authoring and Versioning (WebDAV) search implementation. Hidden directories, include files (*.inc), or other documents that would not normally be accessible through the regular website interface can be exposed through this exploit. Successful exploitation could lead to the discovery of certain files that may contain sensitive information such as usernames and passwords.
If a malicious website operator were to embed a specially crafted java object into a HTML document, it would be possible to execute arbitrary programs on a target host viewing the webpage through either Microsoft Internet Explorer or Outlook. The com.ms.activeX.ActiveXComponent java object inserted into an <APPLET> tag will allow the creation and scripting of arbitrary ActiveX objects even if they may present security hazards. Even if Outlook has had the 'security update' applied, it is still possible to circumvent the disabling of active script execution through the use of java. Execution of arbitrary programs could make it possible for the malicious website operator to gain rights equivalent to those of the current user.
This vulnerability is a new variation of the NT LPC Privilege Escalation Vulnerability reported on January 12, 2000 by Bindview. The patch released by Microsoft on January 12, 2000 does not address these new issues. A number of restrictions apply to this new variation of the spoofed LPC replies vulnerability. Only presently running processes can be impersonated and the LPC identifier must be specified. As well, in order to successfully exploit this vulnerability, the request must be conducted at the same time as when the LPC call was made. Successful exploitation could lead to privilege escalation on the local machine. These vulnerabilities can only be launched against a machine a user can interactively log onto, therefore remote exploitation is not possible.
The IRIX's /usr/lib/desktop/permissions tool is a suid and sgid root applications normally used by users to modify permissions of their files and files they are privileged for. A vulnerability in the permissions tool allows local malicious users to modify the permissions of any file on the system by running the tool against the file, changing the permissions, and clicking the 'Apply' button twice before the dialog box appears asking for a username and password.
The 'rpc.ypupdated' deamon is part of the Network Information Service (NIS) or Yellow Pages (YP). It allows clients to update NIS maps. A vulnerability in 'rpc.ypupdated' allows a malicious user to execute commands as root. After receiving a request to update the Yello Pages maps, 'ypupdated' executes a copy of the bource shell to run the 'make' command to recompute the maps whether the request for changes was sucessful or not. Because of bad input validation while executing 'make', an attacker can pass shell metacharacters to the shell and can execute commands.
The 'rpc.ypupdated' deamon is part of the Network Information Service (NIS) or Yellow Pages (YP). It allows clients to update NIS maps. A vulnerability in 'rpc.ypupdated' allows a malicious user to execute commands as root. After receiving a request to update the Yello Pages maps, 'ypupdated' executes a copy of the bource shell to run the 'make' command to recompute the maps whether the request for changes was sucessful or not. Because of bad input validation while executing 'make', an attacker can pass shell metacharacters to the shell and can execute commands.
LPC (Local Procedure Call) is a message-passing service that allows threads and processes to communicate with each other on a local machine. The underlying problem exists in the way NT's LPC ports implementation verifies the original source of the message. When a client attempts to connect to the server, the server will receive a new handle from NtAcceptConnectPort. Although, the server will not use the handle and will use the original handle it had received from the NtCreatePort call. It will utilize the PID (Process Identifier), TID (Thread Identifier), and MID (Message Identifier) as illustrated above. The MID of a LPC message is predictable and any process that knows the MID can use it. This opens up the possibility of a number of exploits such as Denial of Service, Session Hijacking, Eavesdropping, and Privilege Escalation.
A user definable environment variable (PWD, parent working directory) is passed as the only argument to a *printf() function within fstat. As a result, it is possible for a user to exec fstat with a value for the PWD variable that contains malicious format specifiers. These format specifiers could be layed out in the environment variable in a way that causes the *printf function interpreting them to overwrite certain bytes on the stack (like those that the return address of the function called is composed of) and manipulate the flow of execution.
LPC (Local Procedure Call) is a message-passing service that allows threads and processes to communicate with each other on a local machine as opposed to RPC (Remote Procedure Call) that takes place between different hosts. LPC allocates memory from a pool specifically for message-storage into what is known as the LPC Zone. If the LPC Zone allocated memory cannot handle the volume of messages received, then memory is transferred from the kernel to the LPC Zone. Under normal circumstances, the memory should be diverted back to the kernel from the LPC Zone once it is no longer in use. However, creating a specially malformed request can cause the memory to be withheld by the LPC Zone which could eventually utilize all of the kernel's memory resources if this action was repeated. Reboot of the system is required in order to regain normal functionality. This vulnerability can only be launched against a machine a user can interactively log onto, therefore remote exploitation is not possible.
A vulnerability exists in the 1.2.x releases of scp which, if properly exploited using a modified scp binary on the server end, can permit the remote server to spoof local pathnames and overwrite files belonging to the local user. As a proof of concept, I created trivial scp replacement (put it on remote machine in the place of original scp binary - usually in /usr/local/bin). It will try to exploit any file transfer, creating setuid /tmp/ScpIsBuggy file on client system.
Services By CQR