IRIS from eEye Digital Security is a protocol analyzer geared towards network management. Certain versions of this software are vulnerable to a remotely triggered buffer overflow attack. The attack is carried out by a malicious user launching multiple UDP sessions to random ports on the machine on which IRIS is installed and running. The net result of this buffer overflow is that the product ceases to function and may drive system resources to 100% before exiting. It is possible that this overflow (a heap overflow according to the attached advisory) could result in a system compromise.
It is possible for a remote user to add an author to the author index (author.file) in GWScripts News Publisher, a web news publisher. This can be done by sending the following raw HTTP request using any arbitrary username and password:

POST /cgi-bin/news/news.cgi?addAuthor HTTP/1.0
Connection: close
User-Agent: user/browser
Host: target
Referer: http://target/cgi-bin/news/news.cgi
Content-type: application/x-www-form-urlencoded
Content-length: 71

author=<username>&apassword=<password>&email=<email address>&name=<username>&password=<password>
Certain versions of IMail do not perform proper access validation, resulting in users being able to attach files resident on the server. The net result is that users may attach files on the server to which they should have no access. This access is limited to the privileges of the account the server runs as, typically SYSTEM.
Kerberos is a cryptographic authentication protocol that allows users of a network to access services without transmitting cleartext passwords. A common implementation of the protocol includes a login service which is vulnerable to an attack that involves spoofing responses from the Key Distribution Center (KDC). The login service authenticates a user by first requesting a ticket granting ticket (TGT) from the authentication server. If the TGT can be decrypted using the password supplied by the user, the login service attempts to verify the identity of the KDC by making a request, with the received TGT, for a service ticket for itself. The service ticket returned by the KDC is encrypted with a secret shared between the KDC and the service host. If the service ticket cannot be verified with the service's secret key, it is assumed that the KDC is not authentic. If the login service has not been registered as a principal with the KDC, or the service's secret key has not been installed on the host, the login service will proceed without verifying that the TGT was returned by the authentic KDC. In these circumstances it is possible to log into the server illicitly if an attacker can spoof responses from the Key Distribution Center.
A vulnerability exists in a portion of the mgetty package, by Gert Doering. By exploiting a flaw in the faxrunq and faxrunqd programs, it is possible for local users to create arbitrary files and alter arbitrary files on the filesystem. This in turn can lead to local root compromise. The faxrunq and faxrunqd programs follow symbolic links. By creating a symbolic link named .last_run in /var/spool/fax/outgoing and running the faxrunqd or faxrunq program, arbitrary files can be created. Existing files will have their contents overwritten.
A number of unchecked buffers exist in Robotex Viking Server. This enables a malicious user to either crash the application or execute arbitrary code, depending on the data supplied. The following requests will crash Viking Server:

GET [x11765] HTTP/1.1<enter><enter>

GET / HTTP/1.1<enter>
Unless-Modified-Since: [x14765]<enter><enter>

GET / HTTP/1.1<enter>
If-Range: [x14765]<enter><enter>

GET / HTTP/1.1<enter>
If-Modified-Since: [x14765]<enter><enter>
Regardless of privilege level, any remote user can modify the administrative password for CGI Script Centers' Subscribe Me Lite. This would grant the user full administrative privileges, which include the addition or removal of users from mailing lists.
Pragma Systems TelnetServer 2000 is vulnerable to a Denial of Service attack when more than 1000 NULL characters are sent to its rexec port, 512. This can be carried out by an anonymous attacker from anywhere on the Internet.
Regardless of privilege level, any remote user can modify the administrative password for CGI Script Centers' Account Manager. To accomplish this, a user would access the following URL with a POST request: http://target/cgibin/amadmin.pl?setpasswd. This would grant the user full administrative privileges, which include the capability of granting and revoking user access to secured areas of the target website.