The OverView5 CGI interface is shipped by default with HP Openview Node Manager. HP Openview Node Manager can be compromised due to an unchecked buffer. By sending a specially crafted GET request consisting of 136 bytes to the web services (default port 80) through the Overview5 CGI interface, the SNMP service will crash. Successful exploitation, depending on the data entered, will allow the execution of arbitrary code.
A vulnerability exists in the software implemented for automated domain administration in Alabanza. Modification, deletion, and addition of domains and MX and CNAME records associated with Alabanza hosts and resellers does not require valid authentication and can be conducted by any remote user. Access to the Control Panel which handles administrative controls for domains associated with Alabanza does not require a username and password if specially crafted URLs are requested.
A buffer overflow vulnerability exists in the popular mail client Pine 4.21 (and possibly earlier versions), relating to the function which regularly checks for incoming email. Standard e-mail message headers contain a field that holds the name and address of the sender. It typically appears, and is displayed by Pine, like this: From: username <user@host>. Pine does not check the length of the username value when copying it into a memory buffer of predefined length. As a result, if a large "From" value is sent in the email header, it can corrupt "internal" memory when the offending function is called and the oversized buffer is copied onto the stack. An attacker can overwrite the return address of the function on the stack with a value that points back into the buffer, to which the function would then return. Arbitrary machine instructions placed on the stack would then be executed. The real concern here is that this requires no user interaction to exploit: a target need only be using a vulnerable version of Pine. The overflow occurs when the user receives new email.
By submitting a specific URL to the web server ("http://hosts.any/doc/packages/"), any user from any host may obtain a list of packages installed on a S.u.S.E 6.3 or 6.4 system. This problem is due to a configuration in the Apache httpd.conf supplied with S.u.S.E that permits anyone to request documents from this webroot subdirectory. The end result is that attackers will know what packages the victim has installed, which can assist in executing more complicated attacks.
Depending on the data entered, CiscoSecure ACS for Windows NT can be made to crash or arbitrary code execution can be made possible if an unusually long packet is sent to port 2002. If the application were to crash due to an oversized packet, the CSadmin Module would automatically restart after one minute in versions 2.3x and higher. Existing sessions would re-establish although they would need to be authenticated again. In prior versions, a restart is required in order to regain normal functionality.
NetcPlus BrowseGate 2.80 will crash as the result of an invalid read error if character strings of 8 KB are inserted into GET request arguments through port 80.
When a program executes under Microsoft Windows, it may require additional code stored in DLL library files. These files are dynamically located at run time, and loaded if necessary. A weakness exists in the algorithm used to locate these files. The search algorithm used to locate DLL files specifies that the current working directory is checked before the System folders. If a trojaned DLL can be inserted into the system in an arbitrary location, and a predictable executable is called with that location as its current working directory, the trojaned DLL may be loaded and executed. This may occur when a data file is accessed through the 'Run' function, or double-clicked in Windows Explorer. This has been reported to occur with the 'riched20.dll' and 'msi.dll' DLL files and some Microsoft Office applications, including WordPad. This behavior has also been reported for files loaded from UNC shares, or directly from FTP servers.
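The search-order weakness above can be modelled in a few lines. The following is an added example, not code from the advisory or from Microsoft: it uses a simplified model of the documented DLL search order (the 16-bit system directory and PATH are left out, and SafeDllSearchMode is represented only by moving the current directory after the system directories), and the directory paths and file inventories are constructed for illustration. It shows how a DLL planted next to a data file on a share wins under the legacy order, and how a defender can list which files in a working directory shadow system DLL names.

```python
# Constructed inventory of which files live in which directory (not a real system).
APP_DIR = r"C:\Program Files\Windows NT\Accessories"   # where wordpad.exe lives (assumed)
CWD = r"\\fileserver\public"                           # UNC share holding the data file
SYSTEM_DIR = r"C:\WINNT\System32"
WINDOWS_DIR = r"C:\WINNT"

PRESENT = {
    APP_DIR: {"wordpad.exe"},
    CWD: {"report.rtf", "riched20.dll"},               # planted DLL beside the document
    SYSTEM_DIR: {"riched20.dll", "msi.dll", "kernel32.dll"},
    WINDOWS_DIR: {"win.ini"},
}


def legacy_search_order(app_dir, cwd, system_dir, windows_dir):
    """Legacy order: the current working directory is searched before the system folders."""
    return [app_dir, cwd, system_dir, windows_dir]


def safe_search_order(app_dir, cwd, system_dir, windows_dir):
    """SafeDllSearchMode (simplified): the current directory drops below the system folders."""
    return [app_dir, system_dir, windows_dir, cwd]


def resolve_dll(name, order, present=PRESENT):
    """Return the first directory in `order` that contains `name` (case-insensitive), or None."""
    lname = name.lower()
    for directory in order:
        if lname in {f.lower() for f in present.get(directory, ())}:
            return directory
    return None


def shadowing_dlls(cwd_files, system_files):
    """Defender check: DLL names in a working directory that collide with system DLL names."""
    system_names = {f.lower() for f in system_files if f.lower().endswith(".dll")}
    return sorted(f for f in cwd_files if f.lower() in system_names)


if __name__ == "__main__":
    legacy = legacy_search_order(APP_DIR, CWD, SYSTEM_DIR, WINDOWS_DIR)
    safe = safe_search_order(APP_DIR, CWD, SYSTEM_DIR, WINDOWS_DIR)
    print("legacy order loads riched20.dll from:", resolve_dll("riched20.dll", legacy))
    print("safe order loads riched20.dll from:  ", resolve_dll("riched20.dll", safe))
    print("files shadowing system DLLs on the share:", shadowing_dlls(PRESENT[CWD], PRESENT[SYSTEM_DIR]))
```

The same `shadowing_dlls` check can be pointed at a real directory listing (for example the output of `os.listdir` on a share) and at the names found in the system directory; any hit is a planted-DLL candidate worth examining before users open documents from that location.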
The Cisco PIX Firewall implements technology that reads the contents of packets passing through it for application-level filtering. In the case of SMTP, it can be configured so that only certain SMTP commands are allowed through. However, due to flaws in the exceptional condition handling of PIX, it is reportedly possible to evade the SMTP command restrictions by tricking the firewall into thinking the body of the message is being sent when it isn't. During communication with an SMTP server, if the 'DATA' command is sent before the required preceding information, such as 'RCPT TO', the SMTP server will return error 503, saying that RCPT was required. The firewall, however, thinks everything is all right and will let everything through until receiving '<CR><LF><CR><LF>.<CR><LF>'. It is then possible for the attacker to do whatever he wishes on the email server.
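The root cause above is a filter that switches into "message body" mode on the client's DATA verb alone, instead of on the server's 354 reply. The following is an added example, not Cisco code or code from the advisory: it compares a naive filter that trusts DATA with one that tracks the server reply, running both over a constructed SMTP session (the hostnames, addresses and reply texts are invented, and the set of verbs the filter is meant to block is an assumed policy). The reply-aware filter also serves as detection logic: any restricted verb it reports is a command that slipped past a DATA-trusting filter.

```python
import re

# Verbs the application-layer filter is configured to deny (assumed policy for this example).
BLOCKED_VERBS = {"VRFY", "EXPN"}

# Constructed session: ("C", line) is a client command, ("S", line) is the server reply.
# DATA is sent before RCPT TO, so the server answers 503 and stays in command mode.
EVASION_SESSION = [
    ("C", "HELO mail.example.test"),
    ("S", "250 mx.example.test"),
    ("C", "MAIL FROM:<alice@example.test>"),
    ("S", "250 2.1.0 Ok"),
    ("C", "DATA"),
    ("S", "503 5.5.1 Error: need RCPT command"),
    ("C", "VRFY postmaster"),
    ("S", "252 2.0.0 postmaster"),
    ("C", "EXPN staff"),
    ("S", "502 5.5.2 Error: command not implemented"),
    ("C", "QUIT"),
    ("S", "221 2.0.0 Bye"),
]

# Constructed well-formed session: the body happens to contain the word VRFY, which
# must not be treated as a command.
NORMAL_SESSION = [
    ("C", "HELO mail.example.test"),
    ("S", "250 mx.example.test"),
    ("C", "MAIL FROM:<alice@example.test>"),
    ("S", "250 2.1.0 Ok"),
    ("C", "RCPT TO:<bob@example.test>"),
    ("S", "250 2.1.5 Ok"),
    ("C", "DATA"),
    ("S", "354 End data with <CR><LF>.<CR><LF>"),
    ("C", "Subject: status"),
    ("C", ""),
    ("C", "VRFY is not a command here, it is body text."),
    ("C", "."),
    ("S", "250 2.0.0 Ok: queued"),
    ("C", "QUIT"),
    ("S", "221 2.0.0 Bye"),
]


def client_verb(line):
    """Upper-cased SMTP verb of a client line, or '' for a line with no verb."""
    m = re.match(r"\s*([A-Za-z]+)", line)
    return m.group(1).upper() if m else ""


def inspect(session, trust_data_verb):
    """Return the restricted verbs the filter would see as commands.

    trust_data_verb=True  : enter body mode as soon as the client sends DATA (the flawed behaviour).
    trust_data_verb=False : enter body mode only after the server's 354 reply.
    """
    in_body = False
    seen = []
    for who, line in session:
        if who == "S":
            if not trust_data_verb and line.startswith("354"):
                in_body = True
            continue
        if in_body:
            if line == ".":           # end of message body
                in_body = False
            continue                  # body text is never parsed as a command
        verb = client_verb(line)
        if verb in BLOCKED_VERBS:
            seen.append(verb)
        elif verb == "DATA" and trust_data_verb:
            in_body = True
    return seen


def naive_filter(session):
    return inspect(session, trust_data_verb=True)


def reply_aware_filter(session):
    return inspect(session, trust_data_verb=False)


if __name__ == "__main__":
    print("naive filter blocks:      ", naive_filter(EVASION_SESSION))
    print("reply-aware filter blocks:", reply_aware_filter(EVASION_SESSION))
    print("reply-aware on normal mail:", reply_aware_filter(NORMAL_SESSION))
```

The naive filter returns nothing for the evasion session because it treats everything after DATA as opaque body text; the reply-aware filter reports both restricted verbs. On the well-formed session both agree, and the word VRFY inside the body is correctly ignored.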
A utility integral to Tridia DoubleVision for SCO UnixWare 7.x has been found to be vulnerable to a buffer overflow attack. dvtermtype, which is setuid root, is run by a user at login time to tell DoubleVision what terminal translations to use. If a malicious user constructs a long termtype string and executes dvtermtype, dvtermtype will overflow its stack. This can lead to a root compromise.
Long commands (i.e., over 2048 bytes) sent to TYPSoft FTP Server can cause the server to hang, requiring a manual restart to restore the process. This is due to the fact that it uses the Delphi TSocket class, which doesn't handle exceptions very well.