The POP server that is part of the NetcPlus SmartServer3 email server has an unchecked buffer that could allow an attacker to execute code on the server. If the USER command is followed by an argument of over 800 characters, the input buffer will be overflowed, and data from the argument will be passed to the system to be executed at the privilege level of the SmartServer program.
There is a buffer overflow in the username field when the username is between 200 and 500 characters. Although it may be possible to execute arbitrary code on the vulnerable server, current exploits only cause a denial of service on the remote machine.
There are several vulnerabilities in recent BIND packages (pre-8.2.2). The first is a buffer overflow condition that results from BIND improperly validating NXT records. The consequence of this being exploited is a remote root compromise (assuming that BIND is running as root, which is the default).
There is a buffer overflow in the HELO command of the SMTP gateway which ships as part of the VirusWall product. This buffer overflow could be used to launch arbitrary code on the vulnerable server. This issue was patched by InterScan; however, even with the patch it is possible to cause a DoS of the mail server software by sending between 4075 and 4090 characters.
Broker FTP server software is vulnerable to a denial of service attack if an unusually long user name is passed to the program. If the program is running as a service, the service will consume all available memory and crash the entire system.
IrfanView32, a freeware image viewer, has a problem in the handling of Adobe Photoshop generated JPEGs. If a .jpg file is opened for viewing that contains the Adobe Photoshop marker in the header (8BPS) followed by a long string, the program will crash. It is possible to insert code in the string for execution.
Seyon uses relative pathnames to spawn two other programs which it requires. It is possible to exploit this vulnerability to obtain the privileges which seyon runs with. It is installed (by default) setgid dialer on FreeBSD and root on Irix.
There is an overflowable buffer in the networking code for Windows 95 and 98 (all versions). The buffer is in the part of the code that handles filenames. By specifying an exceptionally long filename, an attacker can cause the machine to crash or execute arbitrary code. This vulnerability could be exploited remotely by including a hostile UNC or file:// URL in a web page or HTML email. The attack would occur when the page was loaded in a browser or the email was opened (including opening the email in a preview pane).