The version of arp(8c) which shipped with SunOS 4.1.X could be used to dump system memory via the -f flag. This flag causes the named file to be read and multiple entries to be set in the ARP tables. However, because of poor permissions on /dev/kmem, a user can specify /dev/kmem as the file to be read and therefore obtain a dump of currently paged system memory. This could lead to a root compromise.
A malicious user can initiate a denial-of-service attack against a PCAnywhere32 server running TCP/IP networking by connecting to TCP port 5631 and sending a large amount of data when prompted with 'Please press <Enter>'. This causes the server to hang at 100% CPU utilization.
IBM's eNetwork Firewall for AIX contains a number of vulnerabilities in scripts which manipulate files insecurely. When the fwlsuser script is run it creates a temporary file called /tmp/fwlsuser.PID (where PID is the process ID of the running command). If this file has been created beforehand and is a link to any other file, the output generated by the fwlsuser script will overwrite the linked file.
Microsoft's JET database engine allows Visual Basic for Applications (VBA) code to be embedded in SQL string expressions, and the lack of metacharacter filtering in many web applications may allow remote users to execute commands on the system. Microsoft's IIS in particular executes ODBC commands in the context of the System account. This may allow remote attackers to supply VBA code to web-enabled applications that IIS will then execute as the System user. The most dangerous VBA command available to an attacker is shell(), which allows any command to be run on the system.
A vulnerability in the Compaq Management Agents and the Compaq Survey Utility (when running as an agent) allows remote malicious users to steal local files. All Compaq Server and Client Management Agents version 4.0 or later are vulnerable. All Compaq Survey Utility versions 2.0 or later are vulnerable. The web server in the agents fails to check whether requested files fall outside its document tree (an attacker uses ".." in the URL). Thus attackers can retrieve files on the same drive as the one on which the software resides if they know or can obtain the filename. The web server listens on port 2301. By default the only user accounts available in the agents are account "anonymous" (username "anonymous", no password), account "user" (username "user", password "public"), and account "administrator" (username "administrator", password "administrator"). Login is via the URL http://www.example.com:2301/cpqlogin.htm. Once an attacker has access to one such machine, they can locate other machines using Compaq's HTTP Auto-Discovery Device List at the URL http://www.example.com/cpqdev.htm. The web agent service also appears to be vulnerable to a denial of service: by sending it a request over 223 bytes long ("AAAA..."), the service will fail with an access violation.
A vulnerability in Computalynx's CMail allows remote malicious users to steal local files. The web server fails to check whether requested files fall outside its document tree (an attacker uses ".." in the URL). Thus attackers can retrieve files on the same drive as the one on which the software resides if they know or can obtain the filename. A number of buffer overflows in the processing of SMTP and POP commands also exist.
A vulnerability in Gordano's NTMail allows remote malicious users to steal local files. The web server fails to check whether requested files fall outside its document tree (an attacker uses ".." in the URL). Thus attackers can retrieve files on the same drive as the one on which the software resides if they know or can obtain the filename.
A vulnerability in ColdFusion allows pages encrypted with the CFCRYPT.EXE utility to be decrypted. A program that decrypts ColdFusion's encryption has been discovered. In effect this makes the source code of all such proprietary CFML applications available to anyone with access to their encrypted form.
A buffer overflow vulnerability in SmartDesk WebSuite 2.1 allows malicious remote users to crash the server, and may at worst allow them to execute arbitrary code. WebSuite 2.1 will crash when the requested filename is overly long. Tests showed that the filename length which crashed the server varied from 250 to over 2,000 bytes. On Windows 98, appending 150 to 1,000+ characters to the URL triggers the crash. On Windows NT, appending 250 to 2,000+ characters to the URL triggers it.
The server fails to close the socket created by a PASV command when multiple PASV commands are issued back to back. This can create a socket and memory shortage that is not remedied when the client disconnects from the server. Connecting to the server and issuing a "PORT a" command followed by several thousand carriage returns and newlines will cause the server to crash. There are multiple buffer overflows in all commands that take arguments; for example, LIST and CWD both crash the server if they are passed a string longer than 1500 characters. The USER command in conjunction with a password, each containing a string over 550 characters long, is vulnerable as well, which means an attacker does not need to log on to the server to exploit the vulnerability.