Windows NT 4.0 can crash due to winlogon.exe's inability to process specially malformed remote registry requests. Rebooting the machine would be required in order to regain normal functionality.
The Linux kernel implements POSIX "capabilities" as an additional form of privilege control, allowing finer-grained control over what privileged processes can do. However, a process's capability sets are inherited across fork() and exec(), so a parent that modifies its capabilities carries the change into the programs it executes. An attacker can exploit this by clearing all capabilities and then executing a setuid root program that attempts to drop privileges before executing dangerous code: the program runs as root but without CAP_SETUID, so its setuid() call fails, and a program that does not check the return value continues running as root. This can lead to a complete compromise of the system.
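The defensive side of the bug above, as an added example that is not code from the advisory or from any affected program: a privilege drop that fails closed and re-reads its credentials, next to the unchecked pattern the attack relies on. The `setuid_without_cap` stand-in is hypothetical; it simulates setuid() in a process that has lost CAP_SETUID, since the real call cannot be made to fail on demand from an unprivileged test.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Added example, not code from the advisory. The bug above leaves a
 * setuid-root program running with uid 0 but without CAP_SETUID, so its
 * setuid() call fails with EPERM; a program that discards that result keeps
 * root while believing it has dropped it. */

/* Vulnerable pattern: the result of setuid() is thrown away. */
static void drop_privileges_unchecked(uid_t uid)
{
    (void)setuid(uid);   /* if this fails we are still root and carry on */
}

/* setuid() is passed as a function pointer so the failing case can be
 * exercised deterministically. */
typedef int (*setuid_fn)(uid_t);

/* Hardened pattern: fail closed, then re-read the credentials instead of
 * trusting the return value alone. Returns 0 only when the process really
 * runs as 'uid'. */
static int drop_privileges_with(setuid_fn set_uid, uid_t uid)
{
    if (set_uid(uid) != 0)
        return -1;                       /* EPERM: still privileged */
    if (getuid() != uid || geteuid() != uid)
        return -1;                       /* "succeeded" but changed nothing */
    return 0;
}

static int drop_privileges(uid_t uid)
{
    return drop_privileges_with(setuid, uid);
}

/* Hypothetical stand-in for setuid() in a process that has lost CAP_SETUID
 * the way the advisory describes. */
static int setuid_without_cap(uid_t uid)
{
    (void)uid;
    return -1;
}

int main(void)
{
    uid_t me = getuid();

    /* Real setuid(): setting our own uid always succeeds. */
    printf("checked drop to own uid: %s\n",
           drop_privileges(me) == 0 ? "ok" : "FAILED");

    /* Simulated loss of CAP_SETUID: the checked version refuses to go on;
     * the unchecked version would silently continue as root. */
    if (drop_privileges_with(setuid_without_cap, me) != 0)
        fprintf(stderr, "privilege drop failed; refusing to run untrusted code\n");
    drop_privileges_unchecked(me);
    return 0;
}
```

The credential re-check matters beyond this bug: it also catches a setuid() that returns 0 but only changed the effective uid, which is why the saved uid should be checked as well on platforms that expose it (getresuid on Linux).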
This proof-of-concept exploit demonstrates a remote buffer overflow vulnerability in sipXtapi. It sends a crafted SIP INVITE packet to the target host whose oversized CSeq field overflows a fixed-size buffer. The exploit is written in Perl and uses the IO::Socket module. The payload is a sequence of 'A' characters (0x41), so the saved return address (EIP) is overwritten with 0x41414141, which demonstrates control of execution flow rather than running a real payload.
If VT control characters are displayed in an xterm, the terminal interprets them, and they can be used to mount a denial of service attack against the client (and even the host running the client). This vulnerability allows remote users to crash an administrator's xterm or consume all available memory. The control characters can be injected into the xterm through various means: rogue FTP servers, rogue banner messages from FTP, telnet and MUD daemons, spoofed syslog messages, and web server or FTP server logs that are viewed in the terminal.
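One mitigation for the injection paths listed above, as an added example rather than anything from the advisory: a filter that makes control bytes inert before untrusted text (a banner, a syslog line, a log entry) reaches the terminal, rendering them in cat -v style caret notation so the operator still sees what was sent. The sample banner is constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the advisory. Input is treated as raw bytes;
 * UTF-8 text would need decoding first, because continuation bytes share
 * the 0x80-0x9f range with the C1 control set. */

/* Returns the number of bytes written (excluding the NUL), or -1 if out is
 * too small. */
static int sanitize_for_terminal(const char *in, size_t inlen, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = (unsigned char)in[i];
        char rep[4];
        size_t n;
        if (c == '\n' || c == '\t') {            /* keep harmless layout */
            rep[0] = (char)c; n = 1;
        } else if (c < 0x20) {                   /* C0 controls: ESC -> ^[, BEL -> ^G */
            rep[0] = '^'; rep[1] = (char)(c ^ 0x40); n = 2;
        } else if (c == 0x7f) {
            rep[0] = '^'; rep[1] = '?'; n = 2;
        } else if (c >= 0x80 && c <= 0x9f) {     /* C1 controls: 0x9b (CSI) -> M-^[ */
            rep[0] = 'M'; rep[1] = '-'; rep[2] = '^'; rep[3] = (char)((c - 0x80) ^ 0x40); n = 4;
        } else {
            rep[0] = (char)c; n = 1;
        }
        if (o + n >= outlen)
            return -1;
        memcpy(out + o, rep, n);
        o += n;
    }
    out[o] = '\0';
    return (int)o;
}

/* Sanitize a NUL-terminated string and compare with the expected rendering. */
static int sanitizes_to(const char *in, const char *expected)
{
    char buf[512];
    return sanitize_for_terminal(in, strlen(in), buf, sizeof buf) >= 0
        && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed hostile banner: clears the screen, rings the bell, and
     * uses an 8-bit CSI to reposition the cursor. */
    const char banner[] = "220 ftp ready\x1b[2J\x07" "\x9b" "1;1H";
    char clean[512];
    if (sanitize_for_terminal(banner, sizeof banner - 1, clean, sizeof clean) >= 0)
        printf("%s\n", clean);   /* 220 ftp ready^[[2J^GM-^[1;1H */
    return 0;
}
```

Escaping rather than stripping is deliberate: a stripped sequence hides the attempt, while `^[[2J` in a log viewer tells the operator exactly what the remote side tried to do.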
There is a buffer overflow vulnerability in the server daemon of NetWin's DMail mail-server solution for Unix and NT servers. It could allow remote attackers to execute arbitrary commands as root or cause a denial of service. The overflow occurs when an oversized argument is sent to the ETRN command: if more than 260 characters are sent, the stack is corrupted and the mail server crashes.
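The sipXtapi CSeq overflow and the DMail ETRN overflow above have the same shape: an attacker-controlled field of unbounded length is copied into a fixed-size stack buffer. The following is an added example, not code from either product, showing that shape beside its bounded replacement; `FIELD_MAX` is a hypothetical buffer size, and the INVITE and ETRN inputs are constructed the way the PoC builds them (a run of 'A' bytes).

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Added example, not either project's code. FIELD_MAX stands in for the
 * fixed stack buffers in sipXtapi and DMail. */
#define FIELD_MAX 256

/* Vulnerable shape: the field value is copied with no regard to the size
 * of the destination. A 300-byte run of 'A' (0x41) overwrites the saved
 * return address with 0x41414141. Never call this with untrusted input. */
static void copy_field_unchecked(const char *value, char out[FIELD_MAX])
{
    strcpy(out, value);
}

/* Hardened shape: the value ends at end-of-line, the copy is bounded, and
 * an oversized value is rejected rather than silently truncated.
 * Returns the value length, or -1 if it does not fit. */
static int copy_field_checked(const char *value, char *out, size_t outlen)
{
    size_t n = strcspn(value, "\r\n");
    if (n >= outlen)
        return -1;
    memcpy(out, value, n);
    out[n] = '\0';
    return (int)n;
}

/* Locate a header ("CSeq:" in a SIP message) or a command ("ETRN" on an
 * SMTP line) and return a pointer to its argument, or NULL. */
static const char *find_field(const char *msg, const char *name)
{
    size_t len = strlen(name);
    const char *p = msg;
    while (p && *p) {
        if (strncasecmp(p, name, len) == 0 && (p[len] == ':' || p[len] == ' ')) {
            p += len + 1;
            while (*p == ' ')
                p++;
            return p;
        }
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return NULL;
}

static int extract_field(const char *msg, const char *name, char *out, size_t outlen)
{
    const char *value = find_field(msg, name);
    return value ? copy_field_checked(value, out, outlen) : -1;
}

/* Build a message the way the PoC does ('len' bytes of 'A' as the
 * argument) and run it through the checked extractor. 'head' is the
 * constructed message up to and including the field's separator. */
static int probe(const char *head, const char *name, size_t len)
{
    char msg[1024];
    char out[FIELD_MAX];
    size_t hl = strlen(head);
    if (hl + len + 3 > sizeof msg)
        return -2;
    memcpy(msg, head, hl);
    memset(msg + hl, 'A', len);
    memcpy(msg + hl + len, "\r\n", 3);
    return extract_field(msg, name, out, sizeof out);
}

int main(void)
{
    static const char *invite = "INVITE sip:user@example.invalid SIP/2.0\r\nCSeq: ";
    char out[FIELD_MAX];

    copy_field_unchecked("1 INVITE", out);   /* safe only because the input is short */
    printf("CSeq of 8 bytes:   %d\n", probe(invite, "CSeq", 8));
    printf("CSeq of 300 bytes: %d\n", probe(invite, "CSeq", 300));
    printf("ETRN of 300 bytes: %d\n", probe("ETRN ", "ETRN", 300));
    return 0;
}
```

Rejecting rather than truncating is the safer default for protocol fields: a silently truncated CSeq or ETRN argument can still be parsed as something the sender never intended.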
Windows 95, 98, NT and 2000 suffer from a number of related buffer overflows that can result in a crash if a filename with an extension longer than 128 characters is accessed. Although arbitrary code could be executed this way, it would have to be composed of valid filename character values only. File extensions of this size cannot be created through Explorer in Windows 95, 98 or NT, but a batch file executed from the command interpreter can create them in a manner similar to the example in Securax advisory SA-02, linked to in the credit section. In Windows 2000, long extensions can be created with Explorer. The file displays properly, but if a cut-and-paste operation is attempted Explorer crashes and EIP is overwritten, making arbitrary code executable at the security level of the user.
Sending a malformed URL request to the JetAdmin Web Interface Server on port 8000 causes the server services to stop responding, requiring a service restart for normal functionality.
A remote user can gain read and write access on a target machine running Carello shopping cart software. By creating a duplicate of a known file in a known directory on the target host through add.exe in /scripts/Carello, the user can generate a duplicate file with a "1" appended to the filename. The remote user can then perform an HTTP request of the newly created duplicate file and view its contents. This vulnerability requires the anonymous internet account to have write access to the relevant directories.
By requesting a specially formed URL that includes "../" sequences, a remote user can gain read access to files outside the web-published directory (any file the web server's account can read).
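A request-path check that stops this, as an added example and not the affected server's code. It goes a little beyond the advisory's literal "../": it percent-decodes once (so `%2e%2e` is caught), treats backslash as a separator, and rejects `%00`, and the probe URLs are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the server's own code. Lexically normalizes a request
 * path and rejects anything that would climb above the web root. */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Writes the normalized path (always starting with '/', no trailing '/')
 * to out. Returns 1 if the path stays inside the root, 0 otherwise. */
static int normalize_request_path(const char *url, char *out, size_t outlen)
{
    char dec[1024];
    size_t d = 0;

    /* 1. percent-decode once, stopping at the query string */
    for (const char *p = url; *p && *p != '?'; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {
            int h = hexval((unsigned char)p[1]);
            int l = h < 0 ? -1 : hexval((unsigned char)p[2]);
            if (l < 0) return 0;               /* malformed escape */
            c = h * 16 + l;
            p += 2;
        }
        if (c == 0) return 0;                  /* %00 truncation */
        if (c == '\\') c = '/';                /* Windows servers accept both */
        if (d + 1 >= sizeof dec) return 0;
        dec[d++] = (char)c;
    }

    /* 2. resolve "." and ".." against a stack of segment offsets */
    size_t seg_start[128];
    int depth = 0;
    size_t o = 0, i = 0;
    if (outlen < 2) return 0;
    out[o++] = '/';
    while (i < d) {
        while (i < d && dec[i] == '/') i++;
        size_t s = i;
        while (i < d && dec[i] != '/') i++;
        size_t n = i - s;
        if (n == 0) break;
        if (n == 1 && dec[s] == '.') continue;
        if (n == 2 && dec[s] == '.' && dec[s + 1] == '.') {
            if (depth == 0) return 0;           /* would leave the web root */
            o = seg_start[--depth];
            continue;
        }
        if (depth == 128 || o + n + 2 > outlen) return 0;
        seg_start[depth++] = o;
        memcpy(out + o, dec + s, n);
        o += n;
        out[o++] = '/';
    }
    if (o > 1) o--;                            /* drop trailing '/' */
    out[o] = '\0';
    return 1;
}

static int path_is_safe(const char *url)
{
    char buf[1024];
    return normalize_request_path(url, buf, sizeof buf);
}

static int normalizes_to(const char *url, const char *expected)
{
    char buf[1024];
    return normalize_request_path(url, buf, sizeof buf) && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed probe URLs, benign and hostile. */
    const char *probes[] = {
        "/index.html", "/../etc/passwd", "/images/../../etc/passwd",
        "/a/b/../c/./d.html?x=1", "/%2e%2e/%2e%2e/etc/passwd", "/docs/..\\..\\boot.ini",
    };
    for (size_t k = 0; k < sizeof probes / sizeof probes[0]; k++) {
        char buf[1024];
        int ok = normalize_request_path(probes[k], buf, sizeof buf);
        printf("%-32s -> %s\n", probes[k], ok ? buf : "REJECTED");
    }
    return 0;
}
```

This is a lexical check only; the server should still open the result relative to the document root and decide separately how to treat symbolic links under it.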
Various shopping cart applications use hidden form fields in the HTML source with preset parameters that carry product information. If a remote user saves the web page for a particular item to their machine, they can edit the HTML source and alter the product's parameters, then submit the modified page to the shopping cart application, which trusts the values it receives. In some circumstances the same thing can be done from any regular browser's address bar by passing the altered parameters directly in the URL.