The dvwssr.dll included with the FrontPage 98 extensions for IIS and shipped as part of the NT Option Pack has a remotely exploitable buffer overflow. This attack will result in the service no longer accepting connections and may allow for remote code execution on the vulnerable host. The exploit code sends a GET request with a string of 5000 'a's to the dvwssr.dll file.
Two DLLs (dvwssr.dll and mtd2lv.dll) included with the FrontPage 98 extensions for IIS and shipped as part of the NT Option Pack include an obfuscation string that manipulates the name of requested files. Knowing this string and the obfuscation algorithm allows anyone with web authoring privileges on the target host to download any .asp or .asa source on the system (including files outside the web root, through usage of the '../' string). This includes users with web authoring rights to only one of several virtual hosts on a system, so one company could potentially gain access to the source of another company's website if both are hosted on the same physical machine.
BizDB is a web database integration product using Perl CGI scripts. One of the scripts, bizdb-search.cgi, passes a variable's contents to an unchecked open() call and can therefore be made to execute commands at the privilege level of the web server. The variable is dbname, and if it is passed a semicolon followed by shell commands, they will be executed. This cannot be exploited from a browser, as the software checks for a referrer field in the HTTP request. A valid referrer field can, however, be created and sent programmatically or via a network utility like netcat. The following netcat session will cause a copy of the output of the ls command to be mailed to attacker@attacker-host.
A remote user on the local network is capable of retrieving any known file from a machine running AVM KEN! by appending ../ to a URL utilizing port 3128 to escape the regular web file structure, and appending the remaining path onto the request. A denial of service attack could also be launched against AVM KEN! by sending random characters to port 3128. A restart would be required in order to regain normal functionality.
Web+ is an e-commerce server designed to run under a web server, to provide web storefronts. The various scripts that are required to do this are specified to the webpsvr daemon via a 'script' variable passed to the webplus CGI. This CGI can be passed a path to any file via the script variable, resulting in arbitrary files being displayed to the browser. This vulnerability is limited to files that are known to the user and that the webpsvr daemon has read access to.
A direct system call containing invalid parameters through int 0x25 will cause BeOS to crash. A reboot of the machine is required in order to regain normal functionality.
CRYPTOCard CRYPTOAdmin is a network authentication application for use with the Palm OS platform. CRYPTOAdmin generates a .pdb file which contains the username, PIN number, serial number, and key in encrypted or plaintext format. The PIN number can be retrieved due to the software's usage of a fixed 4-byte value in key generation. With access to the .pdb file and PIN number, a user is capable of duplicating the token onto another Palm device effectively gaining access to the network as the compromised user.
Bray Systems Linux Trustees is an access control program which manages user permissions similarly to implementations of NetWare. Requesting an unusually long file or directory path will cause the application to hang. Other processes may also be affected. In order to regain normal functionality, the user must reboot the machine. The exploit code creates a loop that creates a directory named 'aaaa' and then changes the current directory to 'aaaa'. This causes the application to hang.
Symantec pcAnywhere is shipped by default with a weak encryption scheme that is used to encrypt username and password transmission. Therefore, usernames and passwords can be retrieved by anyone sniffing the network between the host computer running pcAnywhere and the NT domain controller. Users of pcAnywhere can be authenticated with their NT domain username and password. In this case, the weakly encrypted authentication would be transmitted domain wide.
SalesLogix eViewer is a web application integrated with the SalesLogix 2000 package. eViewer will not perform authorization on administrative commands if they are requested directly in the URL. Therefore, the URL http://target/scripts/slxweb.dll/admin?command=shutdown will cause the slxweb.dll process to shutdown. Although the slxweb.dll process will restart once a new query or session is issued, continually requesting the URL above will cause a denial of service.
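A defender-side check covering several of the entries above (the oversized request to dvwssr.dll, the '../' traversal used against AVM KEN! and the webplus script variable, and the eViewer admin command requested directly in the URL): this is an added example written for this page, not code from any of the vendors or advisories. The log lines, the request paths and the 1024-byte length threshold are constructed; only the file names and the slxweb.dll/admin?command= form come from the text.

```python
import re
from urllib.parse import unquote

# Constructed common-log-format lines (not from the original page); paths are illustrative.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2000:10:00:00 +0000] "GET /example/dvwssr.dll?' + "a" * 5000 + ' HTTP/1.0" 500 0',
    '10.0.0.6 - - [01/Jan/2000:10:00:01 +0000] "GET /cgi-bin/webplus?script=../../../etc/passwd HTTP/1.0" 200 812',
    '10.0.0.7 - - [01/Jan/2000:10:00:02 +0000] "GET /scripts/slxweb.dll/admin?command=shutdown HTTP/1.0" 200 0',
    '10.0.0.8 - - [01/Jan/2000:10:00:03 +0000] "GET /index.html HTTP/1.0" 200 1024',
]

# client, method, request path, status code
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
LONG_REQUEST = 1024  # constructed threshold for an oversized dvwssr.dll request


def classify(path):
    """Return detection labels for one request path (URL-decoded once, case-folded)."""
    decoded = unquote(path).lower()
    file_part = decoded.split("?", 1)[0]
    findings = []
    if file_part.endswith("dvwssr.dll") and len(path) > LONG_REQUEST:
        findings.append("dvwssr.dll oversized request (possible buffer overflow)")
    if "../" in decoded or "..\\" in decoded:
        findings.append("directory traversal sequence in request")
    if "slxweb.dll/admin" in file_part and "command=" in decoded:
        findings.append("eViewer admin command requested directly")
    return findings


def scan(lines):
    """Parse CLF lines and return (client, finding) pairs for every flagged request."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        client, _method, path, _status = m.groups()
        for finding in classify(path):
            hits.append((client, finding))
    return hits


if __name__ == "__main__":
    for client, finding in scan(SAMPLE_LOG):
        print(f"{client}: {finding}")
```

Because the path is decoded before matching, percent-encoded traversal such as `..%2F` is caught as well as the literal form.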