Enterprise Server 3.6 SP2 with the SSL Handshake Patch applied is vulnerable to a buffer overflow attack when a GET request is sent with an Accept header of 2000 bytes or more. This can allow attackers to launch denial-of-service attacks and to execute arbitrary commands on the webserver.
The HTML STYLE command can be used to embed Javascript into Hotmail email messages. The STYLE tag circumvents current methods employed by Hotmail to disable Javascript from email messages. When viewed by a Microsoft IE 5.0 or Netscape Navigator 4.X browser, the Javascript in the email may execute various commands on the viewer's mailbox. The commands could take various actions on the user's inbox, including: reading email, deleting email, or prompting users to re-enter their password in a trojan application.
The BindView HackerShield product (originally Netect's HackerShield) creates an NT service account called NetectAgentAdmin$. This account is a member of the local administrators group on an NT host. The service account password is not machine specific, nor is it randomly generated. The password is fourteen characters long and includes non-printable ascii characters, therefore, password cracking tools like L0phtcrack may not be able to fully display the password. Using Paul Ashton's LSA secrets code against a Service Pack 3 machine with HackerShield installed, it is possible to recover the plaintext password for this account. As this password is the same for every HackerShield installation, an attacker could use this username / password combination to remotely access other NT hosts running the HackerShield product.
The ImportExportFavorites() method, used to import and export favorites to/from a file in IE5, can be made to write to any file on the system, in some cases from an email or remote webpage. This will create a file in the root of C: containing the user's favorites.
The Eyedog ActiveX control is marked 'safe for scripting' although it permits registry access and other information gathering methods to be used. It also contains a buffer overflow error. These weaknesses can be exploited remotely via a malicious webpage or email. With this control, MSInfoLoadFile is the offending method. There is no easy way to RET to our code, so instead, I have shown how to simply RET to ExitProcess directly. This will cause the host to terminate.
In several versions of Netscape Communicator, there is an unchecked buffer in the code that handles EMBED tags. The buffer is in the 'plugins page' option. This vulnerability can be exploited by a malicious webpage.
There are several buffer overflows in the setuid root components of the Mars Netware Emulator package. They allow for a local root compromise through the overflowing of buffers without bounds checking. It is to be assumed that all versions prior to and including 0.99 are vulnerable to these attacks.
INN versions 2.2 and earlier have a buffer overflow-related security condition in the inews program. inews is a program used to inject new postings into the news system. It is used by many news reading programs and scripts. The default installation is with inews setgid to the news group and world executable. It's possible that exploiting the buffer overflow could give the attacker news group privileges, which could possibly be extended to root access.
There is a remotely exploitable buffer overflow condition in the amd daemon under several operating systems. Amd is a daemon that automatically mounts filesystems whenever a file or directory within that filesystem is accessed. Filesystems are automatically unmounted when they appear to have become quiescent. The vulnerability is in the log functions of the daemon.
There is a remotely exploitable buffer overflow condition in the amd daemon under several operating systems. Amd is a daemon that automatically mounts filesystems whenever a file or directory within that filesystem is accessed. Filesystems are automatically unmounted when they appear to have become quiescent. The vulnerability is in the log functions of the daemon.
Services By CQR