Two denial of service vulnerabilities exist in the Dragon Server package, versions 1.00 and 2.00, from Shadow Ops Software. By supplying large arguments to two different network services, it is possible to render those services inaccessible. Sending a USER command to the FTP server with a buffer of approximately 16,500 characters as its argument crashes the FTP service. Sending a buffer of approximately 16,500 characters to the telnet server in place of a user name likewise crashes that service. Both appear to be caused by insufficient bounds checking.
SimpleServer WWW 1.05 is vulnerable to a denial of service attack when a long URL is sent to port 80. This causes the service to stop responding and requires a restart of the server service to regain normal functionality.
A buffer overflow condition exists in splitvt 1.6.3 and earlier. Splitvt is distributed with several Linux distributions. An attacker can exploit this vulnerability to obtain root access. The exploit code is written in C and uses a NOP sled and static pointer to /bin/sh to execute the shellcode.
MailStudio 2000 is vulnerable to multiple attacks. A remote user can gain read access to all files located on the server by passing the "/.." string to a CGI, thereby compromising the confidentiality of other users' email and passwords, as well as other configuration and password files on the system. It is also possible to set a password for those system user accounts which do not have one in place (e.g. operator, gopher, etc.). There is also an input validation vulnerability in userreg.cgi. This CGI uses a shell to execute certain commands; any command placed directly after %0a in the arguments of the CGI will be executed as root on behalf of the remote user. userreg.cgi also has an unchecked buffer which could allow remote attackers to execute arbitrary code as root.
Mail view vulnerability: mailview.cgi?cmd=view&fldrname=inbox&select=1&html=../../../../../../etc/passwd
userreg.cgi vulnerability: userreg.cgi?cmd=insert&lang=eng&tnum=3&fld1=test999%0acat</var/spool/mail/login>>/etc/passwd
It appears to be possible to remotely crash winlogon.exe by sending a malformed request to access the registry of the remote host. As soon as the error box is acknowledged, the host reboots.
A buffer overflow exists in the 'restore' program, part of the dump 0.4b15-1 package distributed with Red Hat Linux 6.2. By supplying a long string containing machine-executable code at the prompt for a tape name, an attacker can execute arbitrary code with root privileges. The overflow lies in the tape.c source file: BUFSIZ is defined as 8192, so the fgets() call will attempt to copy up to 8192 bytes into a 1024-byte buffer.
Shiva Access Manager is vulnerable to a default configuration problem in its Solaris version (and possibly the NT version as well, though this is unconfirmed). When configuring the Access Manager for LDAP, it prompts for the root 'Distinguished Name' and password. It stores this information in a text file, $SHIVA_HOME_DIR/insnmgmt/shiva_access_manager/radtac.ini, that is owned by root and world-readable by default. This file also contains information such as the LDAP server's hostname and port. This information can be used to completely compromise the LDAP server.
The configuration file for snmpd is world-writable, which could allow any user on the system to view and/or alter the settings of the SNMP daemon. This in turn could be used to alter the configuration of the system, including, but not limited to, routing, addressing, ARP caches, the status of connections, and so on. It is also possible that this could be used to elevate access levels. Another vulnerability allows users to redirect the logging location of snmpd to an alternate location using symbolic links. The log file resides in a mode 777 directory, so any user can remove an existing file there. Used in conjunction with the ability to alter the configuration, this may also help leverage root access.
POSIX Capabilities have recently been implemented in the Linux kernel. These capabilities are an additional form of privilege control that enables finer-grained control over what privileged processes can do. By setting specific bits, the actions of privileged processes can be controlled. The problem is that capabilities are inherited across fork() and exec(), meaning that if capabilities are modified by a parent process, the modifications are carried over to its children. This can be exploited by setting all of the capabilities to zero in each of the three bitfields and then executing a setuid program that attempts to drop privileges before executing code that would be dangerous if run as root, as sendmail does. When sendmail attempts to drop privileges using setuid(getuid()), the call fails because the capabilities required to do so are absent from its bitfields. It continues executing with superuser privileges and can run a user's .forward file as root, leading to a complete compromise.
A vulnerability exists in BRU, the Backup and Restore Utility, from Enhanced Software Technologies. By setting the value of the BRUEXECLOG environment variable, an attacker can alter and create files on the filesystem. As BRU is installed setuid, these files are owned by root. This vulnerability can easily be used by local users to obtain root privileges.