
Explore Vulnerabilities


Explore all Exploits:

Ircd hybrid-6 Vulnerability

Ircd hybrid-6 (up to beta 58) has a vulnerability which can allow remote access to the IRC server (ircd). In most cases this attack results in the attacker gaining the privileges of the user 'irc'. The vulnerability is in the invite handling code (m_invite). In a channel with operators (ops) and modes +pi (paranoid + invite-only), a channel invitation is reported to all other operators. The buffer used to store the invitation notice can be overflowed by up to 15 bytes.

Linux Kernel 2.0.3x Blind TCP Spoofing Vulnerability

Certain Linux kernels in the 2.0.3x range are susceptible to blind TCP spoofing attacks due to the way that the kernel handles invalid ack sequence numbers, and the way it assigns IDs to outgoing IP datagrams. For this vulnerability to be effective, 3 conditions have to be met: the spoofed machine must be off the network or incapable of sending or receiving data properly, the target machine must not be communicating actively with any other machines at the time, and no packets between the attacker's machine and the target can be dropped during the attack. The attack is possible firstly because of how these kernels handle invalid ack_seq numbers. If a connection has not been established, a packet with an ack_seq too low will be ignored, and a packet with an ack_seq too high will be responded to with a reset packet. If a connection has been established, any invalid ack_seq is ignored. Whether or not a reply packet has been generated can be determined by sending ICMP echo requests, with the attacker's real IP address as the source. Linux assigns sequential IP IDs to all outgoing packets. Therefore, by sending an ICMP echo request probe between each spoofed packet, it is possible to determine how many packets were generated in reply to the spoof attempt. When a spoofed packet draws no reply, either its ack_seq was too low or the connection has been established. To determine which is true, another spoofed packet is sent, with a known-high ack_seq, followed by another ICMP probe. If the response to this probe has an ID incremented by two, then the known-high ack_seq resulted in a reset packet being sent, so the connection was not established.

Microsoft Commercial Internet System 2.0/2.5, IIS 4.0, Site Server Commerce Edition 3.0 alpha/3.0 i386 Malformed HTTP Request Header DoS

Microsoft IIS and all other products that use the IIS web engine have a vulnerability whereby a flood of specially formed HTTP request headers will make IIS consume all available memory on the server and then hang. IIS activity will be halted until the flood ceases or the service is stopped and restarted.

IRDP Router Discovery Protocol Vulnerability

The ICMP Router Discovery Protocol (IRDP) comes enabled by default on DHCP clients running Microsoft Windows95 (w/winsock2), Windows95b, Windows98, Windows98se, and Windows2000. By spoofing IRDP Router Advertisements, an attacker can remotely add default route entries on a remote system. The default route entry added by the attacker will be preferred over the default route obtained from the DHCP server. This results in higher susceptibility to denial of service, passive snooping and man-in-the-middle attacks.

Profiling Vulnerability in *BSD

Some *BSDs use a profil(2) system call that dates back to "version 6" Unix. This system call arranges for the kernel to sample the PC and increment an element of an array on every profile clock tick. The security issue stems from the fact that profiling is not turned off when a process execve(2)'s another program image. As the size and location of this array as well as the scale factor are under the program's control, it is possible to arrange for an arbitrary 16-bit program virtual address to be incremented on each profile clock tick. Although unlikely, it is theoretically possible that an attacker with local access and knowledge of the addresses used by privileged programs could construct an exploit. It may be that there are no candidate addresses that, when incremented, result in a security failure. However, as this can turn -1 into 0, and 0 into 1, and as security-related system calls and library functions often return either -1 or 0, this mechanism could turn system call returns of success into failure or failure into success if a program stores system call results into memory locations.

Recent Exploits: