Explore Vulnerabilities
APCD Vulnerability

A vulnerability exists in the apcd package, as shipped in Debian GNU/Linux 2.1. By sending the apcd process a SIGUSR1, a file will be created in /tmp called upsstat. This file contains information about the status of the APC device. This file is not opened securely, however, and it is possible for an attacker to create a symlink with this name to another place on the file system. This could, in turn, lead to a compromise of the root account.

McAfee VirusScan 4.0, Network Associates VirusScan for Windows NT 4.0.2/4.0.3 a, Symantec Norton AntiVirus 2000 Recycle Bin Exclusion Vulnerability

Many commercial virus scanners for Windows platforms exclude the Recycled folder on the hard drive from their scans. The Recycled folder is where Win9x operating systems keep files that have been deleted via the GUI but not purged from the Recycle Bin. Files of any nature can be manually placed in the Recycled folder. Therefore, it is possible for any user or program to put code into that folder that will never be subject to virus scans. Although WinNT makes use of a folder called 'Recycler' for similar purposes, many virus scanners for NT still have the 'Recycled' folder listed in the exclusions. This exploit will install a 'decoy' executable to the desktop, and install a file (winsetup.dll) containing an eicar.com virus signature into the Recycled folder. The hostile code is originally XORed with 25 to get it past active detection, but is then restored to its regular executable state after being placed into the recycled folder.

Firewall-1 HTML Script Tag Bypass Vulnerability

Firewall-1 includes the ability to alter script tags in HTML pages before passing them to the client's browser. In version 3, this function can be bypassed by adding an extra opening angle bracket. The tag will be left unmodified, and the browser will be able to execute the contained script. Hostile script could lead to a remote compromise of the client system.

Index Server 2.0 Directory Traversal Vulnerability

Index Server 2.0 is a utility included in the NT 4.0 Option Pack. When combined with IIS, Index Server and Indexing Services include the ability to view web search results in their original context. It will generate an HTML page showing the query terms in a short excerpt of the surrounding text for each page returned, along with a link to that page. This is known as 'Hit Highlighting'. To do this, it supports the .htw filetype, which is handled by the webhits.dll ISAPI application. This DLL allows the use of the '../' directory traversal string in the selection of a template file. This allows remote, unauthenticated viewing of any file on the system whose location is known to the attacker.

Remotely Exploitable Buffer-Overflow Vulnerability in Qualcomm’s ‘qpopper’ Daemon

A remotely exploitable buffer-overflow vulnerability affects Qualcomm's 'qpopper' daemon. This issue allows users already in possession of a username and password for a POP account to compromise the server running the qpopper daemon. The problem lies in the code that handles the 'LIST' command available to logged-in users. By providing an overly long argument, an attacker may cause a buffer to overflow. As a result, the attacker can gain access with the user ID (UID) of the user whose account is being used for the attack and with the group ID (GID) mail.

Vpopmail (vchkpw) Remote Buffer Overflow Vulnerability

Certain versions of this software are vulnerable to a remote buffer overflow attack in the password authentication of vpopmail. An attacker can exploit this vulnerability by sending a maliciously crafted string to the vulnerable server, resulting in arbitrary code execution.

BSD /proc File System Vulnerability

Certain BSD-derived operating systems use an implementation of the /proc filesystem which is vulnerable to attack by malicious local users. A successful attack gives the user root access to the host. The proc filesystem was originally designed to allow easy access to information about processes (hence the name); its typical benefit is quicker access to process memory and therefore more streamlined operations. As noted above, certain implementations have a serious vulnerability. In short, users may manipulate processes on systems which use /proc to gain root privileges.

Denial of Service in Nosque Workshop’s MsgCore SMTP Server

There is a denial of service condition in Nosque Workshop's MsgCore SMTP server. The problem lies in memory used to store server input not being deallocated and eventually being exhausted, causing the target NT host to freeze and require a reboot. If an SMTP client (or a user sending input manually) sends multiple sequences of 'HELO / MAIL FROM / RCPT TO / DATA' in a single connection, the memory allocated to store all of those values will not be freed, and the target will stop functioning once memory runs out.

Corel Update Utility Local PATH Vulnerability

The binary 'get_it', which is stored in /usr/X11R6/bin, is installed setuid root by default on all Corel LinuxOS systems. get_it relies on PATH being valid when it calls 'cp' (without the full path), making it possible to spawn an arbitrary program (called 'cp') with inherited root privileges by changing the first searched path to one in which a malicious cp lies. This can lead to immediate local root compromise.

Multiple vulnerabilities in lpd

Multiple vulnerabilities have been discovered in lpd, shipped with various Linux and Unix distributions. It has been reported that lpd fails to properly authenticate hostnames. This could allow an unauthenticated user to gain access to lpd services by supplying a spoofed hostname. It is also possible for a local user to pass arguments to sendmail, through the vulnerable print daemon. This could allow an unauthorized user to execute commands with elevated privileges. By exploiting multiple vulnerabilities in lpd, it may be possible for a remote attacker to gain root privileges on a target server.
