The imapd login process is susceptible to a buffer overflow that crashes the service. An attacker can send a LOGIN command with two oversized arguments, the first 1200 characters and the second 1300 characters long, to the target machine on TCP port 143 (IMAP).
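The following is an added example, not code from the original entry or from any imapd implementation. It tokenizes IMAP command lines the way a network monitor or proxy would (tag, command, then atoms or double-quoted strings) and flags LOGIN commands whose arguments exceed a length threshold; the threshold of 256 bytes and the sample command lines are assumptions chosen for the illustration, and the third sample reproduces the 1200/1300-character shape described above.

```python
import re

# Matches "<tag> LOGIN <rest>"; IMAP commands are case-insensitive.
LOGIN_RE = re.compile(r'^(?P<tag>\S+)\s+LOGIN\s+(?P<rest>.*)$', re.IGNORECASE)

# Assumed threshold: far above any legitimate username/password, far below
# the 1200/1300-byte arguments that crash the vulnerable imapd.
MAX_ARG = 256


def imap_args(rest):
    """Split the argument part of an IMAP command into atoms and quoted strings.

    Handles space-separated atoms and double-quoted strings with backslash
    escapes; IMAP literals ({n}\r\n...) are out of scope for this example.
    """
    args, i, n = [], 0, len(rest)
    while i < n:
        if rest[i] == ' ':
            i += 1
        elif rest[i] == '"':
            j, buf = i + 1, []
            while j < n and rest[j] != '"':
                if rest[j] == '\\' and j + 1 < n:   # escaped quote or backslash
                    j += 1
                buf.append(rest[j])
                j += 1
            args.append(''.join(buf))
            i = j + 1                               # skip closing quote
        else:
            j = i
            while j < n and rest[j] != ' ':
                j += 1
            args.append(rest[i:j])
            i = j
    return args


def check_login(line, max_arg=MAX_ARG):
    """Return a finding dict for a LOGIN line, or None for any other command."""
    m = LOGIN_RE.match(line.rstrip('\r\n'))
    if not m:
        return None
    lengths = [len(a) for a in imap_args(m.group('rest'))]
    return {
        'tag': m.group('tag'),
        'arg_lengths': lengths,
        'suspicious': any(length > max_arg for length in lengths),
    }


def scan(lines, max_arg=MAX_ARG):
    """Return only the findings for LOGIN commands with an oversized argument."""
    findings = (check_login(line, max_arg) for line in lines)
    return [f for f in findings if f and f['suspicious']]


# Constructed sample traffic (not captured from a real server).
SAMPLE = [
    'a001 LOGIN alice secret',
    'a002 LOGIN "bob smith" "pa ss"',
    'a003 LOGIN ' + 'A' * 1200 + ' ' + 'B' * 1300,   # the crash shape from the entry
    'a004 SELECT INBOX',
]

if __name__ == '__main__':
    for f in scan(SAMPLE):
        print('tag %s: LOGIN argument lengths %s' % (f['tag'], f['arg_lengths']))
```

Only the third sample line is reported; quoted strings containing spaces are counted as single arguments so that a normal password with a space does not split into extra short tokens.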
IIS, and potentially other NT web servers, has a vulnerability that can allow arbitrary code to run as SYSTEM. It stems from the way the server calls an ISAPI extension's GetExtensionVersion() function the first time the extension is loaded: the call runs in the server's own SYSTEM context rather than as the requesting user. Any user able to place a CGI script in the web tree can therefore insert code that will run as SYSTEM during this window. To demonstrate it, use VC++ to create an ISAPI extension project named CRbExtension, replace GetExtensionVersion() and Default() with the code below, and compile it to something simple such as rb.dll. Place it on your web server and invoke it from your browser as http://your.machine.name/rb.dll? Note: if you are using IE 4.0, don't call this from the machine that is running the web server; otherwise, the next time you log in, IE will recall the last URL and you will reboot again.
Lsof is an open-file listing utility shipped with many Linux distributions. When installed setuid root or setgid kmem, it contains a buffer overflow that can let an ordinary user gain root privileges. The exploit fills the buffer with 'A' characters up to the saved return address, overwrites that address, and places NOPs followed by the shellcode immediately after the modified return address. The user must supply an offset between 373 and 505.
By establishing a null session with an NT host, an intruder can learn the name of the Administrator account even when it has been renamed. This is because even null sessions are added to the Everyone group for the duration of the connection, a design choice made so that hosts outside the domain could still use MS Networking's browser functions. One way to do this is with the Net Use command and an empty password, for example net use \\target\IPC$ "" /user:"".
VMware version 1.0.1 for Linux is vulnerable to a buffer overflow. Because VMware is installed with setuid-root binaries, a local user can exploit the flaw to execute arbitrary code as root.
Accelerated-X, also known as Accel-X, is a popular commercial X server from Xi Graphics. The servers are normally installed setuid root and contain multiple buffer overflow vulnerabilities, found in the handling of oversized command line arguments: the stack is overwritten and the X server's flow of execution is changed. Two of these vulnerabilities are known to involve the -query argument and the DISPLAY environment variable, neither of which is bounds-checked. Exploiting them yields a local root compromise.
Lotus Notes SMTP MTA can be used as a mail relay for spam or other unsolicited email. Connecting to the mail server (TCP port 25) and issuing a MAIL FROM command with an empty reverse-path (MAIL FROM:<>) may allow an unauthorized user to relay email through the server.
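The following is an added example, not code from the original entry or from Lotus Notes. It implements the relay check described above as an SMTP client exchange (HELO, MAIL FROM:<>, RCPT TO an external address, then RSET so nothing is delivered) and decides from the RCPT reply whether the server relayed. So that it runs offline, it also includes a constructed minimal SMTP responder on the other end of a socketpair; that responder, the domain names and the addresses are assumptions for the illustration and do not model Lotus Notes' real behaviour. Against a live server you would pass a connected TCP socket to relay_probe() instead.

```python
import socket
import threading

# Assumed names for the illustration.
LOCAL_DOMAIN = 'mail.example'            # domain the fake MTA accepts mail for
EXTERNAL_RCPT = 'victim@external.example'  # a recipient it should refuse to relay to


def _readline(f):
    return f.readline().decode('ascii', 'replace').rstrip('\r\n')


def smtp_cmd(f, line):
    """Send one SMTP command and return the numeric code of the (last) reply line."""
    f.write((line + '\r\n').encode('ascii'))
    f.flush()
    reply = _readline(f)
    while len(reply) >= 4 and reply[3] == '-':   # skip continuation lines (250-...)
        reply = _readline(f)
    return int(reply[:3])


def relay_probe(sock, helo='probe.example', rcpt=EXTERNAL_RCPT):
    """Return True if the server accepts a recipient it should not relay to
    when the envelope sender is the empty reverse-path MAIL FROM:<>."""
    f = sock.makefile('rwb')
    accepted = False
    try:
        if (int(_readline(f)[:3]) == 220
                and smtp_cmd(f, 'HELO ' + helo) == 250
                and smtp_cmd(f, 'MAIL FROM:<>') == 250):
            accepted = smtp_cmd(f, 'RCPT TO:<%s>' % rcpt) == 250
            smtp_cmd(f, 'RSET')      # abort the transaction; never send DATA
        smtp_cmd(f, 'QUIT')
    finally:
        f.close()
    return accepted


def fake_mta(sock, open_relay):
    """Constructed stand-in MTA: relays for anyone when open_relay is True,
    otherwise only accepts recipients in LOCAL_DOMAIN."""
    f = sock.makefile('rwb')

    def say(s):
        f.write((s + '\r\n').encode('ascii'))
        f.flush()

    say('220 %s ESMTP ready' % LOCAL_DOMAIN)
    while True:
        line = _readline(f)
        upper = line.upper()
        if not line:
            break
        if upper.startswith('HELO'):
            say('250 ' + LOCAL_DOMAIN)
        elif upper.startswith('MAIL FROM:'):
            say('250 OK')              # accepts the null sender, as any MTA must
        elif upper.startswith('RCPT TO:'):
            addr = line.split('<', 1)[1].split('>', 1)[0]
            local = addr.lower().endswith('@' + LOCAL_DOMAIN)
            say('250 OK' if local or open_relay else '550 relaying denied')
        elif upper.startswith('RSET'):
            say('250 OK')
        elif upper.startswith('QUIT'):
            say('221 bye')
            break
        else:
            say('500 unrecognized command')
    f.close()


def run_probe(open_relay, rcpt=EXTERNAL_RCPT):
    """Run relay_probe() against the fake MTA over an in-process socketpair."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_mta, args=(server, open_relay))
    t.start()
    try:
        return relay_probe(client, rcpt=rcpt)
    finally:
        t.join()
        client.close()
        server.close()


if __name__ == '__main__':
    print('open relay:', run_probe(open_relay=True))
    print('closed relay:', run_probe(open_relay=False))
```

The decision is made on the RCPT TO reply rather than on MAIL FROM: every MTA must accept the empty reverse-path (it is how bounces are sent), so the flaw is a server that then relays to a non-local recipient for that sender.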
Unauthenticated clients have access to CX.EXE and NLIST.EXE in the SYS:LOGIN directory of a NetWare 4.x server, and the default access at the root of the tree is Read. Using the various switches of CX.EXE and NLIST.EXE, anyone who can connect to the server can therefore read NDS tree information such as account names, group names and membership, and tree layout. By attaching to different servers and switching contexts, an intruder can map the NDS structure of the entire network.
Netscape's FastTrack server is vulnerable to a directory listing attack even when an index file is present in the directory. An attacker can telnet to the httpd port and type 'get /' to obtain a listing of the document root.
The XBase package that ships with SCO OpenServer 5.0.* is vulnerable to several buffer overflows in many of the XBase tools. The tools that are installed setuid root allow local users to gain superuser privileges, because they copy data into fixed-size buffers assuming the length will not be exceeded. A local user can therefore trivially execute arbitrary code as root (when the exploited binary is setuid root) and compromise the security of the entire system.