
Explore Vulnerabilities


Explore all Exploits:

InfoSearch Package Remote Command Execution Vulnerability

The InfoSearch package converts man pages and other documentation into HTML web content. The search form uses infosrch.cgi which does not properly parse user input in the 'fname' variable, allowing commands to be executed at the webserver privilege level by remote web users.

Command Injection Vulnerability in DNSTools

DNSTools versions 1.0.8 and 1.10 are vulnerable to command injection due to a lack of input validation. By manipulating the contents of certain POST variables, arbitrary code may be executed. This can be done by sending a GET request to the webserver or cgi-bin with a malicious payload. For example, sending a GET request with the payload domain_name=";ls" will cause a directory listing.

Dosemu Vulnerability

A vulnerability exists in the configuration of Dosemu, the DOS emulator, as shipped with Corel Linux 1.0. Dosemu documentation cautions that the system.com binary should not be made available to users, as it implements the system() libc call. Users can use this command to execute commands as root, and obtain elevated access to the system.

Axis StorPoint CD and Axis StorPoint CD/T Authentication Bypass Vulnerability

Axis StorPoint CD and Axis StorPoint CD/T are CD-ROM servers (actual hardware units) sold by Axis Communications. Both of these appliances support remote management via SNMP (MIB-II and a private enterprise MIB) as well as from the web via a system-supplied webserver. In the web-based administration, users can completely bypass authentication (username and password) by using a specific URL. The actual login page is located at http://server/config/html/cnf_gi.htm. However, by requesting http://server/cd/../config/html/cnf_gi.htm, a user sidesteps the login page and gains administrative access to the appliance.

Buffer Overflow in Netscape Enterprise Server 3.6

A buffer overflow vulnerability exists in Netscape Enterprise Server 3.6 when a GET request containing more than 4080 characters is sent to the server. This causes the httpd.exe process to crash, resulting in a Dr. Watson error. This can be exploited to execute arbitrary code remotely.

EZShopper Remote Compromise

EZShopper is a Perl-based e-commerce software package offered by Alex Heiphetz Group, Inc. It is possible to remotely compromise a host due to a lack of checks on user input passed directly to the open() call. This vulnerability exists in two scripts shipped with EZShopper, loadpage.cgi and search.cgi. In the first vulnerability, the variable passed to open() is called 'file' and is submitted to a script called loadpage.cgi. There are no checks on 'file', meaning that if '../' sequences precede an arbitrary filename/path in the file variable, those '../' paths will be followed and the arbitrary file anywhere on the filesystem will be displayed (provided that the uid of the webserver has access to it). If pipes are included in the variable, arbitrary commands can be executed on the target host, possibly giving the attacker remote access with the uid of the webserver (usually 'nobody'). The second vulnerability is identical in nature to the first but is in the 'search.cgi' script. In search.cgi, no checks are made on the user input variables 'template' and 'database' (passed to open()). As a result, it is possible to view files or execute commands on the host through search.cgi as well.

Trend Micro OfficeScan Denial of Service Vulnerability

Trend Micro OfficeScan is an antivirus software program which is deployable across an entire network. During the installation of the management software, the administrator is asked to choose between managing from a webserver or from a fileserver. If the webserver option is chosen, clients running OfficeScan are configured to listen on port 12345 in order to receive periodic database engine updates and other administrative commands from the OfficeScan manager. There are several ways for an attacker to cause various denial of service conditions. Sending random data to port 12345 can cause tmlisten.exe to either consume 100% of the CPU cycles or raise a Visual C++ error and crash the machine. Furthermore, opening more than 5 simultaneous connections to port 12345 while sending random data will cause the service to stop responding to requests; the service will then have to be stopped and restarted on each client machine. It has also been reported that it is possible to cause a denial of service condition by making a single malformed GET request to port 12345. It is also possible for a local user to capture an administrative command by using a network sniffer. This command can then be modified and replayed against other clients to cause them to perform a variety of actions. Modifying the last two bytes of the request will change the client's response behaviour, including: 04: full uninstallation of the OfficeScan client, 06: launch a scan, 07: stop a scan. The client makes requests to a few CGI programs on the server, which respond with configuration information. One of these CGIs is cgiRqCfg.exe, which provides configuration details for scan behaviour. If an attacker were to set up a webserver with the same IP address as the valid server, duplicate the valid server's OfficeScan file structure, and disable the valid server, it would be possible to perform a more subtle DoS by leaving the client installed but modifying the scan behaviour.

RedHat 4.0/4.1/4.2/5.0/5.1/5.2/6.0/6.2,RedHat man 1.5,Turbolinux man 1.5,Turbolinux 3.5/4.2/4.4 man Buffer Overrun Vulnerability

A buffer overflow exists in the implementation of the 'man' program shipped with RedHat Linux and other Linux vendors' distributions. By carefully crafting a long buffer of machine-executable code and placing it in the MANPAGER environment variable, it becomes possible for a would-be attacker to gain egid man. Using attacks previously outlined by Pawel Wilk, and available in the reference portion of the credit section, it is possible for an attacker to alter manpages such that code will be executed. Upon looking up an altered manpage, code will be executed with the privileges of the person running man. If this person is the root user, root privileges can be obtained.

RedHat man 1.5,Turbolinux man 1.5,Turbolinux 3.5/4.2/4.4 man Buffer Overrun Vulnerability

A buffer overflow exists in the implementation of the 'man' program shipped with RedHat Linux and other Linux vendors' distributions. By carefully crafting a long buffer of machine-executable code and placing it in the MANPAGER environment variable, it becomes possible for a would-be attacker to gain egid man. Using attacks previously outlined by Pawel Wilk, and available in the reference portion of the credit section, it is possible for an attacker to alter manpages such that code will be executed. Upon looking up an altered manpage, code will be executed with the privileges of the person running man. If this person is the root user, root privileges can be obtained.

Nortel/Bay Networks Nautica Marlin Router Vulnerability

A vulnerability exists in the Nortel/Bay Networks Nautica Marlin router product. Sending a 0-byte UDP packet to port 161 (SNMP) on one of these routers will cause it to crash. This attack can be trivially performed using Nmap or another UDP port scanner.
