Microsoft's Active Setup Control (asctrls.ocx), shipped with Internet Explorer 4 and later, contains a vulnerability discovered by Juan Carlos Garcia Cuartango <cuartango@teleline.es> and posted to BUGTRAQ (ID 775) in November 1999. The vulnerability allows almost any kind of compromise of client systems.
Through a combination of seemingly low-risk weaknesses in sendmail, a malicious local user can have an arbitrary program inherit (or "hijack") the file descriptor for the socket listening on (privileged) port 25. The first problem is how sendmail handles the failure of an accept() call. sendmail calls accept() to pick up an incoming connection on its listening TCP socket; when the three-way handshake does not complete (as happens with a half-open TCP "stealth scan"), accept() fails, and sendmail responds by closing all of its listening sockets and sleeping for 5 seconds. The second problem is that any user can start the sendmail daemon by passing the obscure -bD argument, which tells sendmail to run as a daemon but in the foreground; user privileges are not checked for this option. The third problem is how sendmail reacts to a HUP signal: it calls execve(argv[0], ...) to restart itself. Since argv[0] can be set to anything by whoever started the process, the "restarted" program can be an attacker's binary. The bigger problem is that the fourth file descriptor, which happens to be the listening TCP socket, is not closed before the execve(), so whatever program argv[0] names inherits the listening socket.
Etype's Eserv product is vulnerable to a directory traversal attack that lets an attacker read any file on the server's filesystem that the web server itself can access. The attack is carried out by requesting a URL containing "../" sequences, such as http://victim.com/../../../autoexec.bat.
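Rejecting traversal correctly means normalising the request path before joining it to the document root, not searching for the literal string "../". The following C function is an added example, not Eserv code. It goes beyond the page's plain "../" case by percent-decoding the path first (so an encoded %2e%2e%2f is caught), treating backslashes as separators, and refusing a %00 byte, which would otherwise truncate the path at the filesystem layer. The document root /srv/www and the request paths in main() are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Resolve a request path (the part of the URL after the host) against
 * docroot, writing the filesystem path into out (capacity outlen).
 * Returns 1 on success, 0 if the path is malformed or would escape docroot. */
int resolve_under_root(const char *docroot, const char *reqpath, char *out, size_t outlen)
{
    /* 1. Percent-decode into a scratch buffer, stopping at the query string. */
    size_t n = strlen(reqpath), j = 0;
    char *dec = malloc(n + 1);
    if (!dec) return 0;
    for (size_t i = 0; i < n && reqpath[i] != '?'; i++) {
        if (reqpath[i] == '%') {
            if (i + 2 >= n) { free(dec); return 0; }
            int hi = hexval(reqpath[i + 1]), lo = hexval(reqpath[i + 2]);
            if (hi < 0 || lo < 0) { free(dec); return 0; }
            dec[j++] = (char)(hi * 16 + lo);
            i += 2;
        } else {
            dec[j++] = reqpath[i];
        }
    }
    dec[j] = '\0';
    if (strlen(dec) != j) { free(dec); return 0; }   /* %00 smuggled a NUL: reject */

    /* 2. Walk the segments with a stack: "." is dropped, ".." pops, and
     *    popping an empty stack means the request tried to climb above root. */
    char **segs = malloc((j + 1) * sizeof *segs);
    if (!segs) { free(dec); return 0; }
    size_t depth = 0;
    char *p = dec;
    while (*p) {
        while (*p == '/' || *p == '\\') p++;        /* backslash counts as a separator */
        if (!*p) break;
        char *seg = p;
        while (*p && *p != '/' && *p != '\\') p++;
        if (*p) *p++ = '\0';
        if (strcmp(seg, ".") == 0) continue;
        if (strcmp(seg, "..") == 0) {
            if (depth == 0) { free(segs); free(dec); return 0; }   /* escape attempt */
            depth--;
            continue;
        }
        segs[depth++] = seg;
    }

    /* 3. Rebuild: docroot followed by the surviving segments. */
    int w = snprintf(out, outlen, "%s", docroot);
    if (w < 0 || (size_t)w >= outlen) { free(segs); free(dec); return 0; }
    for (size_t k = 0; k < depth; k++) {
        int m = snprintf(out + w, outlen - (size_t)w, "/%s", segs[k]);
        if (m < 0 || (size_t)m >= outlen - (size_t)w) { free(segs); free(dec); return 0; }
        w += m;
    }
    free(segs);
    free(dec);
    return 1;
}

int main(void)
{
    /* Constructed sample requests against an assumed document root. */
    const char *requests[] = {
        "/index.html",
        "/docs/../index.html?x=1",
        "/../../../autoexec.bat",
        "/%2e%2e/%2e%2e/autoexec.bat",
        "/docs/..\\..\\autoexec.bat",
        "/a%00/etc/passwd",
    };
    char out[512];
    for (size_t i = 0; i < sizeof requests / sizeof *requests; i++) {
        int ok = resolve_under_root("/srv/www", requests[i], out, sizeof out);
        printf("%-30s -> %s\n", requests[i], ok ? out : "REJECTED");
    }
    return 0;
}
```

The resolution is purely lexical: it guarantees the resulting string lies under docroot, but a symbolic link inside the document root can still point outside it, so a server should additionally realpath() the result (or open with O_NOFOLLOW) and re-check the prefix before serving the file.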
BFTelnet, a telnet server for Windows NT by Byte Fusion, crashes when it is given a user name of 3090 or more characters. A remote attacker can exploit this simply by sending such a user name at the login prompt.
If a web page calls window.open() with a target URL that redirects to a local (client-side) file, and script in the page then obtains a reference to the contents of the new window, the contents of that local file can be read and possibly manipulated or transmitted by other code in the page. The attacker must know the file's name and location, and it must be a file the browser is able to display.
Hylafax is a popular fax server package that runs on several UNIX operating systems. Some versions ship with a vulnerable helper program, 'faxalter', which is installed setuid uucp and contains a buffer overflow; exploiting it gives a malicious user uucp privileges. This matters because important programs such as Minicom (a popular modem terminal program) and cu(1) run as root yet belong to group uucp and are writable by that group, so an attacker holding uucp privileges could trojan them and escalate to root.
The aVirt Mail Server has a weakness in the code that handles the SMTP RCPT TO command. By supplying a path in the command instead of an email recipient, an attacker can cause the mail server to create a directory on the server's local filesystem: a directory named 'createdir' is created at the root of the filesystem, containing a single file. Testing indicates that this method cannot be used to overwrite existing folders.
Certain versions of IBM HomePagePrint, IBM's web page printing software, can be remotely exploited by a malicious web server. The problem is a buffer overflow in the code that handles the SRC attribute of IMG tags: if a page containing a specially constructed IMG SRC value is previewed or printed with IBM HomePagePrint, arbitrary code can be run on the client.
Certain versions of the BTD Zom-Mail server contain a buffer overflow that may be remotely exploitable. The problem is in the handling of attachment file names longer than 256 characters.
There is a buffer overflow in the MidiPlug that may allow arbitrary code to be executed on the local host. The overflow is triggered by an overly long value for the "Text" parameter of an EMBED tag in a web page; instructions embedded in that value may be executed when a user visits the malicious page.
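The three overflows above (the IMG SRC attribute, the attachment file name, the EMBED Text parameter) share one shape: a value whose length the remote party chooses is copied into a fixed-size field. The following C code is an added example, not code from any of these products. It takes the Zom-Mail report's 256 as the assumed field size and a MIME Content-Disposition filename parameter as the assumed carrier, and shows the unchecked copy beside a bounded extractor that rejects a name that would not fit, plus a probe that exercises the exact boundary (255 characters fit, 256 do not). The header lines are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 256   /* assumed size of the fixed field, per the Zom-Mail report */

/* Vulnerable pattern: the sender chooses the length, the field does not.
 * A name of 256 or more characters writes past the end of the array.
 * Kept only for contrast; never call it with untrusted input. */
void store_name_unsafe(char field[NAME_MAX_LEN], const char *name)
{
    strcpy(field, name);
}

/* Hardened extractor: pull the filename="..." parameter out of a
 * Content-Disposition header line into field, copying only if the name
 * fits together with its terminating NUL. Returns the name length, or -1
 * when the parameter is missing, unterminated, or too long. Reject the
 * message in that case rather than silently truncating the name, since a
 * truncated name may collide with another attachment's. */
long extract_filename(const char *header, char field[NAME_MAX_LEN])
{
    const char *p = strstr(header, "filename=\"");
    if (!p) return -1;
    p += strlen("filename=\"");
    const char *q = strchr(p, '"');
    if (!q) return -1;
    size_t len = (size_t)(q - p);
    if (len >= NAME_MAX_LEN) return -1;   /* 256 or more bytes would overflow the field */
    memcpy(field, p, len);
    field[len] = '\0';
    return (long)len;
}

/* Build a constructed header whose filename is n 'A' characters and run it
 * through extract_filename(), so main() and a test can probe the boundary. */
long probe_filename_length(size_t n)
{
    char hdr[600];
    char field[NAME_MAX_LEN];
    const char *prefix = "Content-Disposition: attachment; filename=\"";
    size_t base = strlen(prefix);
    if (n > sizeof hdr - base - 2) return -2;   /* the probe itself must not overflow */
    memcpy(hdr, prefix, base);
    memset(hdr + base, 'A', n);
    hdr[base + n] = '"';
    hdr[base + n + 1] = '\0';
    return extract_filename(hdr, field);
}

int main(void)
{
    char field[NAME_MAX_LEN];
    long n = extract_filename("Content-Disposition: attachment; filename=\"report.pdf\"", field);
    printf("short name: %ld (%s)\n", n, field);
    printf("255 chars: %ld\n", probe_filename_length(255));
    printf("256 chars: %ld\n", probe_filename_length(256));
    printf("300 chars: %ld\n", probe_filename_length(300));
    return 0;
}
```

The same discipline applies to the IMG SRC and EMBED Text cases: the parser, not the sender, decides how many bytes enter the field, and it does so by measuring the input against the destination size before copying, never by assuming a well-formed document.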