Requesting an invalid database file from a web server implementing Gossamer Threads DBMan scripts will return a CGI error message containing environmental variables to a remote user without any authorization. The parameters displayed include the local document root path, server administrator account name, web server software, platform, etc.
A vulnerability exists in the pam_console PAM module, included as part of any Linux system running PAM. pam_console exists to own certain devices to users logging in to the console of a Linux machine. It is designed to allow only console users to utilize things such as sound devices. It will chown devices to users upon logging in, and chown them back to being owned by root upon logout. However, as certain devices do not have a 'hangup' mechanism, like a tty device, it is possible for a local user to continue to monitor activity on certain devices after logging out. This could allow an malicious user to sniff other users console sessions, and potentially obtain the root password if the root user logs in, or a user su's to root. They could also surreptitiously execute commands as the user on the console.
A remote user is able to expend all of the available resources of the webserver by using a specially-devised request to the CGI. This request causes a fork, which will then consume the processor time and memory of the server.
Passing a path to a non-existent file to the shtml.exe or shtml.dll (depending on platform) program will display an error message stating that the file cannot be found accompanied by the full local path to the web root.
By sending a packet to a machine running the Alpha or SPARC versions of NetBSD, with an unaligned IP timestamp option, it is possible to cause the kernel to perform an unaligned memory access, causing a panic and resulting in the machine rebooting.
DNews News Server is a CGI application that gives access to a user's NNTP server over the web. There are many unchecked buffers in the program, some of which can be exploited directly from any browser. Supplying an overly long value for the 'group', 'cmd' and 'utag' variables, and possibly others, will overwrite their respective buffers. In this manner, arbitrary code can be executed on the remote target.
Alladin Knowledge Systems eToken is a USB smartcard-like device used for authentication, file integrity, and encryption. Access to the eToken device itself and entering the PIN number encoded in the eToken will grant authorization to a local user. The PIN number can be reset to the default value with the use of standard device programmers. This can be done by physically opening the eToken device (which can be done without leaving any trace or evidence of tampering) and copying the default PIN value to the location used to store either the user PIN or administrator PIN in the serial EEPROM.
A vulnerability exists in the DNS decode capabilities provided as part of the tcpdump sniffer, from LBL, as well as other sniffers, including Ethereal, by Gerald Combs. These sniffers will attempt to decode DNS request and queries. However, due to the DNS name compression scheme, it is possible to create a DNS packet such that tcpdump will be caught in an infinite loop, while trying to decompress. This will prevent the sniffer from displaying further packets. If tcpdump is being used as some part of and intrusion detection system, this could allow an intruder to evade this system.
A vulnerability exists in the DNS decode capabilities provided as part of the tcpdump sniffer, from LBL, as well as other sniffers, including Ethereal, by Gerald Combs. These sniffers will attempt to decode DNS request and queries. However, due to the DNS name compression scheme, it is possible to create a DNS packet such that tcpdump will be caught in an infinite loop, while trying to decompress. This will prevent the sniffer from displaying further packets. If tcpdump is being used as some part of and intrusion detection system, this could allow an intruder to evade this system.
UltraBoard 1.6 (and possibly all 1.x versions) is vulnerable to a directory traversal attack that will allow any remote browser to download any file that the webserver has read access to. On Windows instalations, the file must reside on the same logical drive as the webroot. In all cases, the filename and relative path from the webroot must be known to the attacker. This is accomplished through a combination of the '../' string and the usage of a null byte (x00) in the variables passed to the UltraBoard CGI.
Services By CQR