The Windows 98 and Windows 2000 TCP/IP stacks were not built to reliably tolerate malformed IGMP headers. When one is received, the stack will sometimes fail with unpredictable results ranging from a Blue Screen to instantaneous reboot.
WinGate stores encrypted passwords in the registry, in a subkey where Everyone has Read access by default. The encryption scheme is weak, so anyone who can read the subkey can recover and decrypt them. The exploit code provided is a C program that takes an encrypted password as an argument and decrypts it.
In 4.4BSD derivatives, there are four secure levels that provide added filesystem security. Part of the secure levels is the system of file flags, which includes the immutable and append-only flags. In secure level 0, these flags are irrelevant. The vulnerability lies in an inherent flaw in secure level 1: the file flags are honoured, but unmounted partitions/devices can still be freely written to and modified by root. Stealth has written a tool which allows an intruder who has already gained root to bypass secure level 1 by writing directly to the device and clearing the file flags. The tool also sets the CLEAN flag in the filesystem, which fools the system into thinking the modified device is clean, avoiding detection at bootup.
By connecting to port 2080 on a system running Qbik WinGate 3.0 and sending 2000 characters, all WinGate services will crash.
This exploit is a Lite version for DLE <= 4.1. It obtains a user's password hash by exploiting a SQL injection vulnerability. The exploit defines the user ID and then attempts to retrieve the password hash of the user with that ID. It then defines the table prefix and checks whether the site is vulnerable, and finally uses a blind function to extract the user's password hash.
The WinGate log service is configured by default to only allow connections from 127.0.0.1, but can be set to allow connections from anywhere. Either way, a vulnerability allows any file to be read through the log service port over an HTTP connection. There are various ways of exploiting this.
NT and Win9x:
http://www.server.com:8010/c:/
http://www.server.com:8010//
Win9x only:
http://www.server.com:8010/..../
IMail's whois server can be crashed due to an unchecked buffer. An attacker can send a string of 1000 characters to port 43 of the target machine to exploit this vulnerability.
IMail Web Server is vulnerable to a denial of service attack when a long URL is requested. The server will crash when a URL of 3000 characters or more is requested.
The IMail LDAP service has an unchecked buffer, resulting in a classic buffer overflow vulnerability. An attacker can exploit this vulnerability by telnetting to the target machine on port 389 and sending a string of 2375 characters followed by the letter 'Y' twice. This causes the LDAP service to consume 90% of the system resources, rendering the system unusable.
The IMail IMonitor service can be crashed by exploiting a buffer overflow vulnerability: telnet to the target machine on port 8181 and send a string of 2045 characters.