A remote buffer overflow vulnerability in AIX's ftpd allows remote users to obtain root access. This exploit is crafted for one box and is unlikely to work on another box. It sets the buffer on the stack, with the first 4 bytes being 'CEL'. The buffer is set to $buf[0x14] = 0x10015228, $buf[0x18] = 0x1001038c, $buf[0x3c] = 0xd00406d4, and $buf[0x40] = '/bin/sh'. This allows the user to execute a command to obtain root access.
Cisco devices running classic IOS are reported to be prone to a denial of service vulnerability. The issue occurs when a vulnerable device receives and processes a UDP packet on port 514 (syslog). This results in a crash or hang that requires a reboot.
The 'download behavior' feature of Microsoft's Internet Explorer 5 may allow a malicious web site operator to read files on an IE5 client computer or on a computer that is in the client's 'Local Intranet' web content zone. IE5 introduced a new feature called DHTML Behaviors. DHTML Behaviors allow web developers to encapsulate methods, properties and events that can then be applied to HTML and XML elements. IE5 comes with a set of built-in DHTML behaviors. One of them is the '#default#download' behavior. This behavior defines a new JavaScript method called 'startDownload' that takes two parameters: the file to download and a function to call once the file has been downloaded. By default the 'startDownload' method checks that the file to be downloaded is in the same web content zone as the file calling the method. When both the file to be downloaded and the file executing the behavior are in the same security zone, the client will safely download the requested file and subsequently perform the specified function. A malicious web site owner may bypass this security restriction and force an IE5 client to both read and perform a follow-up action on the contents of a local file or of files in other security zones. This action may include sending the contents of the file back to the malicious web site operator.
A buffer overflow vulnerability in the '/usr/bin/mail' program's handling of the '-m' command line argument allows local users to obtain access to the 'mail' group. The exploit program is written in C and uses a shellcode to set the gid to 6 (mail). The exploit takes three arguments: offset, NOPS and BUFSIZE.
A vulnerability in the Linux kernel allows remote users to guess the initial sequence number of TCP sessions. This can be used to create spoofed TCP sessions, bypassing some types of IP-based access controls. The function 'secure_tcp_sequence_number' in the file 'drivers/char/random.c' at line 1684 is used to generate the initial sequence number. It uses the MD4 hash with a set of inputs to generate the new ISN.
There is a buffer overflow in the 1.0.0.1 version of the hhopen OLE control (hhopen.ocx) that ships with some versions of Internet Explorer. This control is marked 'Safe for Scripting'. Arbitrary commands may be executed if the OLE control is run in a malicious manner. HHOPEN: This control is a little more difficult to exploit, as the RET address is in the middle of the string, and once again there is no easy way to RET to our code, so I have RET'd to ExitProcess directly instead. In this case, OpenHelp is the vulnerable method, and the exploit is possible when the method is called with a valid help file and a long Help Section.
There is a buffer overflow in the 1.3.188 version of the Adobe Acrobat ActiveX control (pdf.ocx) that ships with Acrobat Viewer 4.0. This ActiveX control is marked 'Safe for Scripting' within Internet Explorer 4.X. Arbitrary commands may be executed if the ActiveX control is run in a malicious manner. This control from Adobe Acrobat can be exploited through the setview method, and because ESP points to the address after the RET address, we can place arbitrary code at this point and JMP to it by RET'ing to a JMP ESP, in this case one found in Shell32. The code simply executes CALC.EXE then calls ExitProcess to terminate the host without it crashing.
A vulnerability in the Diva LAN ISDN Modem allows remote malicious users to lock up the modem by sending a GET request of the form 'login.html?password=<very long string>' to the Diva HTTP port.
A local buffer overflow in the handling of the HOME environment variable by the rlserver and rnavc binaries that are part of the Knox Software Arkeia backup application allows local users to obtain root access.
A vulnerability in SSH's creation of the authentication agent UNIX domain socket allows local users to create a UNIX domain socket with an arbitrary file name on the system. SSH follows symbolic links while creating the socket as root, thus allowing any local user with ssh access to create a socket with an arbitrary file name on the system.