There is a buffer overflow in the Internet Explorer Registration Wizard control (regwizc.dll). This control is marked 'Safe for Scripting'. Arbitrary commands may be executed if the control is run in a malicious manner.
This exploit allows an attacker to disclose passwords in Emesene, an instant messaging client. The script reads a file called 'users.dat' located in the '.config/emesene1.0' directory and prints out each email address and its corresponding password in clear text. This vulnerability can only be exploited if the user has enabled the 'remember password' feature.
There is a buffer overflow in the 4.71.0.10 version of the MSN Setup BBS ActiveX control (setupbbs.ocx). This ActiveX control is marked 'Safe for Scripting'. Arbitrary commands may be executed if the ActiveX control is run in a malicious manner.
A buffer overflow vulnerability in the GNOME shared libraries' handling of the 'espeaker' command line argument may allow local users to attack setuid binaries linked against these libraries and obtain root access.
The $header variable is not sanitized. When register_globals=on, an attacker can exploit this vulnerability with a simple PHP injection script.
Microsoft has made available fixes for the JET/ODBC and RDS vulnerabilities. These fixes implement specific registry key values to restrict 'malicious activity'. The security permissions on these registry keys are set to 'Everyone:Special Access'. Special Access, in these instances, includes 'Set Value'. This permission allows members of the Everyone group (Domain Users, Users, Guests, etc.) to modify the value of these keys, including the ability to disable the security features which may have been enabled by the administrator. Disabling the DataFactory HandlerInfo setting ('HandlerRequired DWORD=0') may open the host to exploitation via the MDAC RDS exploit as described in Bugtraq ID 529 (https://www.securityfocus.com/bid/529.html).
cfingerd is vulnerable to a local root (or nobody) buffer overflow. By setting a carefully designed GECOS field, it is possible to execute arbitrary code with root (or nobody) privileges.
The libtt.so shared library under certain versions of CDE handles a user-defined environment variable named TT_SESSION. The code which handles this variable does not place a restriction on its size, and at least one of the CDE programs which rely on this variable does not have sufficient bounds checking in place for it. This can result in a buffer overflow. The program in question is dtsession. Because dtsession runs setuid root and does not drop the root privilege (at least as tested on Solaris), the overflow can lead to local root compromise.
A local user can modify DCOM registry entries to escalate their privilege level. By editing the registry keys associated with DCOM server applications, they can change which services are started to handle specific events. By overwriting the service's EXE file and triggering the event, the user's code can run as SYSTEM.
A denial of service attack exists that affects FreeBSD, NetBSD, and OpenBSD, and potentially other operating systems based in some part on BSD. It is believed that all versions of these operating systems are vulnerable. The vulnerability is related to setting socket options that control the size of the send and receive buffers on a socketpair. By setting them to certain values and then performing a write of that same size, FreeBSD can be made to panic. NetBSD and OpenBSD do not panic, but network applications will stop responding.