CamShot Remote Buffer Overflow Vulnerability

CamShot is a Windows 95/98/2000/NT web server that serves up web pages containing time-stamped images captured from a video camera. Certain trial versions of this software contain a possibly exploitable remote buffer overflow by way of an overly long user-supplied 'Authorization' password. An example of this is GET / HTTP/1.1<enter>Authorization: Basic ['a'x325]<enter><enter>

Sambar Server Search.dll Vulnerability

The Sambar Server is vulnerable to a directory traversal attack due to a vulnerability in the search.dll file. An attacker can pass a malformed query parameter to the search.dll file to view the contents of the Sambar Server, such as mail folders. All that is needed is a malformed query parameter parsed to the search.dll file, such as http://server-running-sambar.com/search.dll?search?query=%00&logic=AND or http://server-running-sambar.com/search.dll?search?query=/&logic=AND.

NTLM Authentication Vulnerability in Microsoft Windows 2000 Telnet Client

By default, the telnet client (telnet.exe) shipped with Microsoft Windows 2000 utilizes Windows NT Challenge/Response (NTLM) as an authentication method. When establishing a connection to a host, the telnet client will attempt authentication via NTLM, regardless of whether the host is a Windows telnet server. There is a possibility that the NTLM challenge/response authentication session could be monitored and subsequently cracked, which could lead to the disclosure of sensitive information such as usernames, passwords, domains, etc. The NTLM challenge/response protocol is known to be susceptible to brute-force cracking, as demonstrated in the tool 'L0phtcrack'. Forcing a telnet session on a remote target is a trivial task because products such as Microsoft Internet Explorer, Outlook (Express), Netscape Navigator, etc. will automatically open URLs with a 'telnet://' prefix in the default telnet client (which is normally telnet.exe).

Buffer Overflow in WinSMTP Mail Daemon

A number of unchecked buffers exist in the SMTP and POP3 components of Jack De Winter's WinSMTP mail daemon which could lead to denial of service attacks or arbitrary code execution, depending on the data entered. Sending a HELO command consisting of approximately 170 bytes or a USER command consisting of approximately 370 bytes will result in a Windows general protection fault error.

Misconfiguration in mod_perl shipped with Mandrake Linux 6.1 through 7.1

The default configuration files for versions of mod_perl shipped with Mandrake Linux 6.1 through 7.1 contain a misconfiguration that can be a security concern in some situations. The /perl directory is part of the webserver's root tree (the subdirectory tree from which files are accessible on the webserver) that is used to store perl scripts. In the configuration file for mod_perl, the apache perl interpreter module, the directory is permitted to be 'indexed', meaning that the webserver will display the contents of the directory if the directory itself is requested. The result is that an attacker can see what files are in /perl. While this bug does not affect how the webserver interprets the files in that directory (e.g., it will still execute them), knowing what is there to be executed can allow for more targeted and intelligent attacks against scripts listed there that are known to be vulnerable.

WebTV for Windows Remote Denial of Service Vulnerability

If a remote user sends a UDP packet to any port in the 22701 - 22705 range to a system running WebTV for Windows, the system may crash entirely or at the least the program will stop responding. As well, sending a UDP packet to port 22703 specifically has been known to cause automatic reboots.

YaBB.pl Path Traversal Vulnerability

YaBB.pl, a web-based bulletin board script, stores board postings in numbered text files. The numbered file name is specified in the call to YaBB.pl in the variable num=<file>. Before retrieving the file, YaBB will append a .txt extension to <file>. Due to input validation problems in YaBB, relative paths can be specified in <file>. This includes ../ style paths. Additionally, <file> does not need to be numerical, and the .txt extension can be avoided by appending %00 to <file>. By exploiting these problems in a single request, a malicious user can view any file that the webserver has access to.

tmpwatch Denial of Service Vulnerability

Any user with write access to /tmp or /var/tmp can induce tmpwatch to cause Red Hat (and other systems running tmpwatch from cron) to stop responding, and possibly require a hard reboot. This is accomplished by creating a directory tree many (i.e., ~6000) nodes deep in /tmp. For each level of the directory tree in /tmp, tmpwatch will fork() a new copy of itself.

Check Point Session Agent Brute Force Attack

A vulnerability exists in all versions of the Check Point Session Agent, part of Firewall-1. Session Agent works in such a way that the firewall will establish a connection back to the client machine. Upon doing so, it will prompt for a username, and if the username exists, a password. Upon failure, it will reprompt indefinitely. This allows for a simple brute force attack against the username and password.

Firewall-1 Session Agent Vulnerability

A vulnerability exists in the 'Session Agent' portion of Firewall-1, from Check Point. This vulnerability appears to affect all versions of the session agent prior to the one shipped in FW-1 4.1. The session agent listens on a Windows 9x or NT box for connections from the firewall, requesting user authentication for connections. This information is all transmitted in cleartext, and is unauthenticated. This means it can be sniffed. In addition, the agent accepts connections from any host. Any person who can connect to the session agent can impersonate the Firewall-1 module, and request username and password information. If supplied, this can result in the compromise of that username and password.
