Explore Vulnerabilities

Explore all Exploits:

BB4 Big Brother Directory Traversal Vulnerability

Versions 1.4H and prior of BB4 Big Brother are susceptible to a directory traversal vulnerability which would allow a remote user to view the contents of any directory or file on the system. Executing a GET request for: http://target/cgi-bin/bb-hostsvc.sh?HOSTSVC=/../../directory will display the contents of the specified directory.

Cisco Secure PIX Firewall Connection Reset Vulnerability

A connection through a Cisco Secure PIX Firewall can be reset by a third party if the source and destination IP addresses and ports of the connection can be determined or inferred. This can be accomplished by sending a forged TCP Reset (RST) packet to the firewall, containing the same source and destination addresses and ports (in the TCP packet header) as the connection to be disrupted. The attacker would have to possess detailed knowledge of the connection table in the firewall (which is used to track outgoing connections and disallow any connections from the external network that were not initiated by an internal machine) or be able to otherwise determine the required IP address and port information to exploit this.

Buffer Overflow in Savant Web Server

A buffer overflow exists in the Savant Web Server. It is possible to exploit this overflow by sending an unusually long GET request to the server. The overflow occurs when the server receives too many headers in the GET request. The results of the attack look something like "SAVANT caused an invalid page fault in module KERNEL32.DLL at 015f:bff87eb5".

Guild Ftpd Path Traversal

Guild Ftpd is vulnerable to a path traversal attack, which allows an attacker to access files outside of the FTP root directory. This is possible due to the difference in the error messages that are returned when a file is requested. If the file exists, the error message "Download failed" is returned, and if the file does not exist, the error message "Access denied" is returned.

Poll It CGI Application Vulnerability

Poll It is a Perl CGI application used to create and maintain opinion polls on websites. The program relies on a number of internal variables. These variables can be overwritten by any remote user by specifying the new value as a variable in the GET request. This is due to the fact that Poll It overwrites variables to user-supplied values after it sets them to the internally-specified defaults. This can lead to unauthorized file reads, as well as potentially other compromises.

Razor Configuration Management Program Password Vulnerability

The Razor Configuration Management program stores passwords in an insecure manner. A local attacker can obtain the Razor passwords, and either seize control of the software and relevant databases or use those passwords to access other users' accounts on the network.

LocalWEB Buffer Overflow Attack

LocalWEB is a freeware HTTP server for the Windows family of operating systems. Certain versions of this software are vulnerable to a remotely exploitable buffer overflow attack. This attack can be instrumented by sending the web server (via port 80) a malformed URL. The net result is a denial of service; however, a remotely exploitable buffer overflow leading to a system compromise has not been ruled out.

Check Point Firewall-1 SMTP Security Server Denial of Service Vulnerability

The Check Point Firewall-1 SMTP Security Server in Firewall-1 4.0 and 4.1 on Windows NT is vulnerable to a simple network-based attack which can increase the firewall's CPU utilization to 100%. Sending a stream of binary zeros (or other invalid SMTP commands) to the SMTP port on the firewall raises the target system's load to 100% while the load on the attacker's machine remains relatively low. According to Check Point Software this only disables mail relay while allowing other firewall operations to continue normally. This can easily be reproduced from a Linux system using netcat with an input of /dev/zero, with a command such as 'nc firewall 25 < /dev/zero'.

Windows 2000 Denial of Service Vulnerability

Sending a stream of binary zeros to any one of a number of Windows 2000 ports can cause 100% CPU utilization. The ports that were found vulnerable include TCP ports 7, 9, 21, 23, 7778 and UDP ports 53, 67, 68, 135, 137, 500, 1812, 1813, 2535, 3456. This can easily be reproduced from a Linux system using netcat with an input of /dev/zero, with a command such as 'nc target.host 7 < /dev/zero' for the TCP variant or 'nc -u target.host 53 < /dev/zero' for the UDP variant.