Traceroute Vulnerability

When traceroute is executed with the arguments "-g x -g x", the function savestr() is called twice. savestr() does what strdup() does without a malloc() call per string: it copies the string into a block of pre-allocated memory and returns a pointer into that block. It is used when parsing the hostname or dotted-quad IP address given to the -g parameter. After the first -g is parsed and savestr() is called, the pointer to the block used by savestr() is released with free(). When the next gateway parameter (-g) is interpreted, savestr() is called again and the user-supplied argument is written into the block that has already been freed. As in the first instance, free() is then called on the pointer to where the data begins inside the old, freed buffer. Because free() does not find a valid malloc header before the pointer it is passed, traceroute crashes. What makes this possibly exploitable is that the region of memory the pointer refers to is user-controlled and can be written with (somewhat) arbitrary data before free() is called. An attacker may be able to construct a malicious malloc() header and carefully place it in the first savestr() buffer, so that it is there when free() looks for it after the second savestr(). What complicates exploitation are the functions involved with savestr(), inet_addr() and gethostbyname(), which limit the kind of data that can be put into the buffer (the header would need to be binary). If pulled off, however, it may be possible to overwrite arbitrary locations in the heap (such as a function pointer) with arbitrary data.
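The savestr()/free() interaction described above, modelled in C as an added example (this is not the traceroute source): savestr() hands out slices of one malloc'd 1024-byte block, a small allocation tracker stands in for the malloc header check that the real free() performs, and the second -g produces the interior-pointer free the entry describes, while a single -g does not. The strdup-style variant is this example's own fix for illustration, not the upstream patch. The gateway addresses are constructed inputs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A small allocation tracker stands in for the header check a real free()
 * performs, so bad frees are counted instead of crashing the program. */
#define TRACK_MAX 16
static void *live_blocks[TRACK_MAX];
static int n_live;

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p != NULL && n_live < TRACK_MAX) live_blocks[n_live++] = p;
    return p;
}

static int tracked_is_live(const void *p) {
    for (int i = 0; i < n_live; i++)
        if (live_blocks[i] == p) return 1;
    return 0;
}

/* 0 for a valid free (p is the base of a live block); 1 for an interior
 * pointer or an already-freed block, where no valid malloc header precedes
 * p and the real free() misbehaves. Invalid frees are not performed. */
static int tracked_free(void *p) {
    for (int i = 0; i < n_live; i++) {
        if (live_blocks[i] == p) {
            free(p);
            live_blocks[i] = live_blocks[--n_live];
            return 0;
        }
    }
    return 1;
}

/* savestr() as described above: one malloc() of a 1024-byte block, handed
 * out slice by slice. Only the first slice starts at the malloc'd address. */
static char *block_base, *strptr;
static size_t strsize;
static int uaf_writes;   /* copies into a block that has already been freed */

static char *savestr(const char *str) {
    size_t size = strlen(str) + 1;
    if (size > strsize) {
        strsize = size > 1024 ? size : 1024;
        block_base = strptr = tracked_malloc(strsize);
        if (strptr == NULL) return NULL;
    }
    char *p = strptr;
    if (tracked_is_live(block_base)) memcpy(p, str, size);
    else uaf_writes++;   /* the real savestr() writes into freed memory here */
    strptr += size;
    strsize -= size;
    return p;
}

static void reset_model(void) {
    n_live = 0; block_base = strptr = NULL; strsize = 0; uaf_writes = 0;
}

struct parse_result { int invalid_frees; int uaf_writes; };

/* -g handling as the entry describes: save the argument with savestr(),
 * use it (inet_addr()/gethostbyname() would run on gw), then free() it. */
struct parse_result parse_gateways_vulnerable(int argc, const char **argv) {
    struct parse_result r = {0, 0};
    reset_model();
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-g") == 0 && i + 1 < argc) {
            char *gw = savestr(argv[++i]);
            r.invalid_frees += tracked_free(gw);
        }
    }
    r.uaf_writes = uaf_writes;
    return r;
}

/* Hardened variant (this example's fix, not the vendor's): every gateway
 * string gets its own allocation, so each free() matches one malloc(). */
struct parse_result parse_gateways_fixed(int argc, const char **argv) {
    struct parse_result r = {0, 0};
    reset_model();
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-g") == 0 && i + 1 < argc) {
            size_t size = strlen(argv[++i]) + 1;
            char *gw = tracked_malloc(size);
            if (gw != NULL) memcpy(gw, argv[i], size);
            r.invalid_frees += tracked_free(gw);
        }
    }
    r.uaf_writes = uaf_writes;
    return r;
}

int main(void) {
    /* Constructed command line: the "-g x -g x" shape from the entry. */
    const char *argv[] = {"traceroute", "-g", "10.0.0.1", "-g", "10.0.0.2", "target"};
    struct parse_result v = parse_gateways_vulnerable(6, argv);
    struct parse_result f = parse_gateways_fixed(6, argv);
    printf("savestr model: %d invalid free(s), %d write(s) into a freed block\n",
           v.invalid_frees, v.uaf_writes);
    printf("strdup-style:  %d invalid free(s), %d write(s) into a freed block\n",
           f.invalid_frees, f.uaf_writes);
    return 0;
}
```

With one -g the first free() lands on the block base and succeeds, which is why the crash needs two gateways: the second savestr() returns a pointer nine bytes into the already-freed block, and that is the pointer with no malloc header in front of it.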

Smartwin Technology CyberOffice Shopping Cart Directory Traversal Vulnerability

CyberOffice Shopping Cart 2.0 is vulnerable to a directory traversal attack that allows an attacker to gain read access to the _private directory on a website running the application. The _private directory is world readable and contains a Microsoft Access database which stores confidential client details such as customer orders and unencrypted credit card information. An attacker need only request 'http://target/_private/shopping_cart.mdb' with a browser to retrieve it.

CyberOffice Shopping Cart Arbitrary Price Modification

CyberOffice Shopping Cart is vulnerable to an arbitrary price modification attack. Unit prices are carried in the order form itself, so by saving the order form locally, editing the price values, and resubmitting the form to the target server, an attacker can set unit item prices to any arbitrary value.
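The failure behind this entry is a server that prices an order from a field the client sent back. The following is an added example, not CyberOffice code, written in C to match the other examples on this page: a constructed form body with the price field edited to one cent is totalled once by trusting the form and once by ignoring the submitted price and looking the SKU up in a server-side catalog. The catalog, SKUs and form fields are all assumptions for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed server-side price list (cents) standing in for the shop's catalog. */
struct item { const char *sku; long price_cents; };
static const struct item catalog[] = { {"SKU-100", 1999}, {"SKU-200", 4500} };

static long catalog_price(const char *sku) {
    for (size_t i = 0; i < sizeof catalog / sizeof catalog[0]; i++)
        if (strcmp(catalog[i].sku, sku) == 0) return catalog[i].price_cents;
    return -1;  /* unknown SKU */
}

/* Copy the value of field `name` out of an "a=b&c=d" form body. Returns 0 if
 * the field is absent or too long. (No percent-decoding; the constructed
 * inputs below contain none.) */
static int form_get(const char *body, const char *name, char *out, size_t outlen) {
    size_t nlen = strlen(name);
    const char *p = body;
    while (p != NULL && *p != '\0') {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            size_t vlen = strcspn(v, "&");
            if (vlen >= outlen) return 0;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = strchr(p, '&');
        if (p != NULL) p++;
    }
    return 0;
}

/* Vulnerable: multiplies the quantity by the price field that came back with
 * the form, which is exactly what the attack above relies on. */
long order_total_vulnerable(const char *body) {
    char qty[16], price[16];
    if (!form_get(body, "qty", qty, sizeof qty) ||
        !form_get(body, "price", price, sizeof price)) return -1;
    return strtol(qty, NULL, 10) * strtol(price, NULL, 10);
}

/* Hardened: the submitted price is ignored entirely. The unit price comes
 * from the catalog keyed by SKU, and the quantity must be a whole number in
 * a sane range. Returns -1 for anything it cannot price. */
long order_total_fixed(const char *body) {
    char sku[32], qty[16], *end;
    if (!form_get(body, "item", sku, sizeof sku) ||
        !form_get(body, "qty", qty, sizeof qty)) return -1;
    long unit = catalog_price(sku);
    long n = strtol(qty, &end, 10);
    if (unit < 0 || end == qty || *end != '\0' || n < 1 || n > 1000) return -1;
    return unit * n;
}

int main(void) {
    /* Constructed resubmission: price edited from 1999 cents to 1 cent. */
    const char *body = "item=SKU-100&qty=2&price=1";
    printf("trusting the form: %ld cents\n", order_total_vulnerable(body));
    printf("catalog lookup:    %ld cents\n", order_total_fixed(body));
    return 0;
}
```

The price field can stay in the form for display; what matters is that nothing on the server reads it back.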

Web+ Remote Command Execution Vulnerability

Web+ is a development language for creating web-based client/server applications. In Linux versions of the product, an example script installed with Web+ (Web+Ping) fails to correctly filter shell metacharacters. As a result, parameters passed to this script may contain shell commands, allowing an attacker to remotely execute commands or read any file accessible to the Web+ user. To exploit this, place a '|' after the parameter you wish to provide to ping, followed by the command you wish to execute. For example, by entering '127.0.0.1 | cat /etc/passwd' in the host destination box, an attacker is presented with the contents of the /etc/passwd file.
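The two shapes of a ping wrapper, as an added example in C (not the Web+Ping script, whose source is not shown here): the vulnerable form splices the host parameter into a command line that a shell will interpret, so the '|' from the entry turns one command into a pipeline; the hardened form allowlists the characters a hostname or dotted quad can contain and passes the value to execvp() as a single argv element, so no shell ever parses it. The "ping -c 3" command line and the 253-character limit are this example's assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable shape: the host parameter is spliced into a command line that a
 * shell will interpret (system()/popen()). Fills out with the line that would
 * run; with "127.0.0.1 | cat /etc/passwd" the shell sees a pipeline and runs
 * cat with the privileges of the Web+ user. */
int build_ping_command_vulnerable(const char *host, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "ping -c 3 %s", host);
    return n >= 0 && (size_t)n < outlen;
}

/* Allowlist check: only the characters a hostname or dotted quad can contain,
 * and no leading '-' so the value cannot be mistaken for a ping option. */
int host_is_safe(const char *host) {
    size_t len = strlen(host);
    if (len == 0 || len > 253 || host[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        char c = host[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '-' || c == '.';
        if (!ok) return 0;
    }
    return 1;
}

/* Hardened shape: the validated host becomes one argv element for execvp(),
 * so '|', ';' or backticks would reach ping as literal bytes (and are
 * rejected above anyway). Returns 0 and leaves argv alone if host is rejected. */
int build_ping_argv_safe(const char *host, const char *argv[5]) {
    if (!host_is_safe(host)) return 0;
    argv[0] = "ping"; argv[1] = "-c"; argv[2] = "3"; argv[3] = host; argv[4] = NULL;
    return 1;
}

/* Runs ping without a shell. Returns ping's exit status, or -1 if the host
 * was rejected or the child could not be started. */
int run_ping_safe(const char *host) {
    const char *argv[5];
    if (!build_ping_argv_safe(host, argv)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv) {
    /* Default input is the constructed payload from the entry above. */
    const char *host = argc > 1 ? argv[1] : "127.0.0.1 | cat /etc/passwd";
    char line[256];
    if (build_ping_command_vulnerable(host, line, sizeof line))
        printf("a shell would run: %s\n", line);
    printf("host_is_safe: %d\n", host_is_safe(host));
    return 0;
}
```

Escaping metacharacters is the weaker fix: the list of characters a shell treats specially is long and shell-dependent, whereas an allowlist plus execvp() removes the shell from the path altogether.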

Talentsoft Web+ Source Code Disclosure Vulnerability

Talentsoft Web+ is a web application server that can be integrated with various web technologies. Web+ can be made to display the source code of WML files residing on an NTFS partition by appending certain data to the name of a known WML file. This vulnerability is also known to work if the scripts directory is set to the web root, which enables the disclosure of other script source code (e.g. ASP files). Successful exploitation may reveal source code, table names, usernames, passwords, and other confidential data.

Talentsoft Web+ Internal IP Disclosure Vulnerability

Talentsoft Web+ is a web application server that can be integrated with various web technologies. A vulnerability exists in one of the CGI applications implemented by Web+. It is possible for a remote user to retrieve the internal IP address of a Web+ host running behind NAT by requesting a specially crafted URL containing the 'about' argument.

SCO Unixware 7 scohelp Search CGI Format String Vulnerability

The default SCO Unixware 7 installation includes scohelp, an HTTP server that listens on port 457/tcp and provides access to manual pages and other documentation files. The search CGI script provided for that purpose has a format string vulnerability that could allow a remote attacker to execute arbitrary code on the vulnerable machine with the privileges of user 'nobody'. This can be triggered by sending a request with the following URI: http://target:457/search97cgi/vtopic?Action=FilterSearch&filter=&queryText=%25x. This elicits an Internal error response from the server, which shows that the server is using the decoded queryText value (%x) as a format string. By supplying a carefully built value for the queryText argument, an attacker can change the program flow and execute arbitrary code.
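The request above carries %25x, which the server percent-decodes to %x before the value reaches a printf-style call. As an added example in C (not the scohelp CGI, whose source is not shown here), the following decodes queryText out of the entry's URI, counts the printf conversions in the result, and shows the hardened error path where the user value is a "%s" argument rather than the format itself. The error message text is an assumption.

```c
#include <stdio.h>
#include <string.h>

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode one URI component: "%25x" becomes "%x". Stops at '&'.
 * Returns 0 on a truncated or malformed escape or if out is too small. */
int url_decode(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (; *in != '\0' && *in != '&'; in++) {
        char c = *in;
        if (c == '%') {
            int hi = hexval(in[1]);
            int lo = in[1] != '\0' ? hexval(in[2]) : -1;
            if (hi < 0 || lo < 0) return 0;
            c = (char)(hi * 16 + lo);
            in += 2;
        } else if (c == '+') {
            c = ' ';
        }
        if (o + 1 >= outlen) return 0;
        out[o++] = c;
    }
    out[o] = '\0';
    return 1;
}

/* Number of printf conversions in user data ("%%" is a literal percent).
 * Any non-zero count means the string must never be used as a format. */
int count_format_directives(const char *s) {
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') s++; else n++;
    }
    return n;
}

/* Pull the decoded queryText value out of a request URI. Returns 0 if absent. */
int get_query_text(const char *uri, char *out, size_t outlen) {
    const char *v = strstr(uri, "queryText=");
    if (v == NULL) return 0;
    return url_decode(v + strlen("queryText="), out, outlen);
}

/* Vulnerable shape of the error path (deliberately not compiled here):
 *     snprintf(msg, sizeof msg, query_text);   // user data IS the format
 * so "%x" prints a stack word and "%n" writes to memory.
 * Hardened: the value is always an argument, never the format string. */
int format_error_safe(const char *query_text, char *msg, size_t msglen) {
    int n = snprintf(msg, msglen, "Internal error: no match for '%s'", query_text);
    return n >= 0 && (size_t)n < msglen;
}

/* Decode and classify one request: the number of conversions that would
 * fire if queryText were handed to printf as the format. */
int classify_request(const char *uri) {
    char query[256];
    if (!get_query_text(uri, query, sizeof query)) return 0;
    return count_format_directives(query);
}

int main(void) {
    /* The URI from the entry above. */
    const char *uri = "/search97cgi/vtopic?Action=FilterSearch&filter=&queryText=%25x";
    char query[256], msg[300];
    get_query_text(uri, query, sizeof query);
    printf("decoded queryText: %s (%d conversion(s))\n", query, classify_request(uri));
    if (format_error_safe(query, msg, sizeof msg))
        printf("safe error path:   %s\n", msg);
    return 0;
}
```

Seeing the raw string echoed back in the error page, rather than a hex value, is the quick check that the fix is in place.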

Palm OS Weak Encryption Vulnerability

Palm OS ships with a security feature that lets a user set password protection on various applications. The HotSync process allows a user to connect to a machine on the network through their Palm device, which requires the device to send the encoded password to the HotSync Manager or HotSync Network Server on the network. Because the encryption scheme is weak, the password block can be decrypted back to the plaintext ASCII password with an exploit tool. Physical access to the device is required in order to exploit this vulnerability. Successful exploitation yields unauthorized access to private data.

Microsoft Windows Media Player 7 OCX Control Handling Vulnerability

Due to a flaw in the way Microsoft Windows Media Player 7 handles OCX controls (ActiveX containers) embedded in RTF email messages, it is possible to crash RTF-enabled email clients such as Microsoft Outlook and Outlook Express. If a user of Outlook or Outlook Express receives an RTF email containing an embedded OCX control associated with Windows Media Player 7, the client crashes when the message is closed. Restarting the application is required to regain normal functionality, and deleting the offending email restores normal operation of the email client. Windows Media Player 7 itself is not affected in any way.
