The ComStock product, based on the RedHat 5.1 distribution, has numerous vulnerabilities including weak or nonexistent passwords and easily guessable accounts. The machines can be compromised using well-known passwords and RedHat 5.1 exploits.
A buffer overflow vulnerability exists in the direct client-to-client (DCC) chat implementation of IrcII version 4.4-7 and possibly previous versions. This vulnerability allows an attacker to execute arbitrary code on a client attempting to initiate a DCC chat, potentially leading to a remote compromise with the privileges of the user running the ircII client.
Due to an inherent fault within the Microsoft Windows 9x/NT/2000 operating systems, local and remote users have the capability of crashing the system by simply requesting any permutation of a path and filename referring to a reserved DOS device name in the manner of \device\device. The following is an incomplete list of device names that have been known to render a system unstable: CON, NUL, AUX, PRN, CLOCK$, COMx, LPT1, and CONFIG$. Exploiting this vulnerability can be done in a number of ways. Local users are able to crash the operating system by attempting to open a file of \device\device, e.g. within Microsoft Word, the Run dialog box, or at a command prompt. It is possible to remotely crash a Windows 9x/NT/2000 machine as well. This bug is exploitable remotely via any service that involves the remote user specifying paths on the target, i.e. FTP or web services, NetBIOS shares, etc. Malicious webmasters may exploit this vulnerability by creating a link that will invoke devices locally on the web user's machine. In addition, many archiving programs will allow special devices to be called out of context. Some archivers have been known to drop device name files to an unspecified location on the disk. The majority of virus scanners are not affected by this issue. The host must be restarted to regain normal functionality. Some FTP servers running on a patched version of Windows 98 are still reported to be vulnerable. It has been reported that aspects of this issue may still be exploitable via Internet Explorer on patched versions of Microsoft Windows operating systems. There are conflicting reports, however, regarding which versions of Windows and Internet Explorer are affected. Versions named in these reports: IE6, Windows ME, Windows 2000 SP4.
The registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup specifies the shared startup folder for all users on a system. This key is set to be writeable by any authenticated user. Therefore, any user could specify a folder containing a shortcut to a program of their choice, which will be run any time a user logs in, at the privilege level of that user. An example of this exploit is demonstrated by creating a batch file that adds a new user and adds them to the Administrators group on a Domain Controller. This batch file is placed in the folder c:\hack\startup and the registry value is set to 'c:\hack\startup'. The next time an administrator logs on to that machine, the 'attacker' account will be created and added to the Administrators group on the PDC of the domain.
The ht://dig web content search engine for Unix platforms allows for file inclusion from configuration files. An attacker can specify any file for inclusion into a variable, leading to arbitrary file inclusion vulnerabilities.
This script creates a crafted WAV file which leads the application to crash (DoS).
This is a DLL, which gets injected into the server exe. The engine strips bytes >127, '%', and '\' before it overflows, so you will need encoded shellcode and an EIP which doesn't contain any of these characters.
By passing a command line option, an attacker can execute arbitrary commands with group 'kmem' privileges in the ascpu and asmon ports to FreeBSD.
The Windows Autorun feature allows an executable and an icon to be specified for any removable media. However, it can also be abused on fixed and networked drives. Any user with write access to the root of a logical drive can install an executable and specify it in an autorun.inf file. When the drive is accessed later, the code will run with the privileges of the logged-in user, potentially enabling privilege escalation attacks.
The ARCserve agent in SCO Unixware 7 has a vulnerability that allows any user on the system to replace files created by the asagent program in /tmp with symlinks. This can be exploited to create files anywhere on the filesystem owned by root. The contents of the new file are stored in /usr/CYEagent/agent.cfg, which is world writable.