Explore Vulnerabilities

Explore all Exploits:

ProFTPD Remote Buffer Overflow Vulnerability

The vulnerability in ProFTPD versions 1.2pre1, 1.2pre3, and 1.2pre3 is a remotely exploitable buffer overflow. It is caused by a sprintf() function in the log_xfer() routine in src/log.c. The vulnerability in ProFTPD version 1.2pre4 is a mkdir overflow, where the name of the created path cannot exceed 255 characters. ProFTPD version 1.2pre6 limits the command buffer size to 512 characters in src/main.c and modifies the fix from version 1.2pre4.

IBM Windows NT GINA Replacement Authentication Bypass Vulnerability

A user can add any group to the Local Administrators group on Windows NT hosts running IBM's GINA replacement. By creating a specific Registry key under HKLM\System\CurrentControlSet\Services\IBMNeTNT, non-administrators can modify the GroupMapping key to include a group name that will be added to the Administrators group upon the next reboot.

Vixie cron local buffer overflow vulnerability

The version of Vixie cron that ships with Red Hat versions 4.2, 5.2 and 6.0 is vulnerable to a local buffer overflow attack. By using the MAILTO environment variable, a buffer in the cron_popen() function can be overflowed, allowing an attacker to execute arbitrary code. The Vixie cron daemon is installed setuid root by default, allowing for a local root compromise.

SuSE Linux in.identd Remote Denial of Service Vulnerability

The in.identd daemon in SuSE Linux is vulnerable to a remote denial of service attack. By sending a large number of ident requests in a short period of time, an attacker can force the target machine to start multiple daemons, eventually causing the machine to run out of memory and halt.

Remote Code Execution in Windows 95 and 98 with IE4 and specific versions of IE5

Windows 95 and 98 systems running IE4 or specific versions of IE5 (5.00.2314.1003 and 5.00.2314.1003IC) are susceptible to a remote vulnerability that allows the execution of arbitrary code on a target that views a malicious web page. This vulnerability is due to a combination of two different weaknesses.

First, the Windows 95 and 98 telnet.exe is vulnerable to a buffer overflow condition. While preparing the Connect Failed message box, there is an unchecked input buffer of 255 characters, and sending more than that will overwrite the heap.

Second, IE5 will start an instance of telnet.exe if passed any of the following URL types: rlogin:, telnet: or tn3270:. Earlier versions of IE5 allowed only two parameters to be passed in these URLs, but the most recent ones, listed above, will allow any number of parameters to be passed, up to a total of approximately 460 bytes. This is enough for an attacker to create a URL that will start an instance of telnet on the client machine and pass it the overrun code he or she wants executed. The exploit runs when the telnet window is closed.

Unchecked Buffer in Dialer.exe

Dialer.exe has an unchecked buffer in the part of the program that reads dialer entries from %systemroot%\dialer.ini. A specially formed entry could cause arbitrary code to be run on the machine. By default, the %systemroot% folder is world-writeable. Dialer.ini is Dialer runs in the security context of the user, so an attacker would have to have a higher-authority user dial the entry to gain any escalated privileges.

Microsoft Excel Remote Code Execution Proof Of Concept

Microsoft Excel is prone to a remote code execution issue which may be triggered when a malformed Excel document is opened. The issue is due to an error in Excel while handling malformed URL strings. There may be other ways to trigger this vulnerability. Successful exploitation could allow an attacker to execute arbitrary code with the privileges of the user running Excel. Code execution is dependent upon certain factors including the overflow condition, the MS Excel version, and the host OS and SP. If you cannot get it to work, attach it to the debugger, check the stack layout, and the rest is up to your imagination. Compile with MS VC++ or g++; it will generate the Excel file. Clicking the link in the file binds the shell: C:\nc localhost 4444.

SGI Array Services Remote Root Compromise

The SGI Array Services daemon (arrayd) in Irix systems is vulnerable to remote root compromises. The default configuration for authorization allows requests from anywhere to be accepted, leading to remote code execution with root privileges. An attacker can exploit this vulnerability by sending a specially crafted request to the arrayd service.