Non-administrative Imail and WS_FTP Server users can elevate their privileges to administrator by modifying a specific registry value. Once they have obtained administrative privileges, they can use the application interface locally to perform various actions like reading email, creating accounts, deleting accounts, etc.
This program causes programs which use stdio(3S) and have data buffer overflow conditions to overwrite stdio's iob[] array of FILE structures with malicious, buffered FILEs. Thus it is possible to get stdio to overwrite arbitrary places in memory; specifically, it overwrites a specific procedure linkage table entry with SPARC assembly code to execute a shell.
Internet Explorer 4.x's implementation of Cross-frame security can be bypassed by appending '%01' to an arbitrary URL. This allows for the execution of arbitrary code on the target host, leading to access to local files, window spoofing, and arbitrary code execution. A variation of this vulnerability also exists in Microsoft Internet Explorer 5.5, where the ASCII equivalents of '^A' or '' can be used instead.
The default ACL over the HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key "System" value includes an entry for Server Operators:Special. A malicious System Operator could place a reference to a trojan in this entry. This trojan would be executed under system privileges the next time the system is booted. As the trojan has been called by the system, the system account has privileges to execute code that would elevate the permission of a selected account to "administrator".
By using a workaround in Word or Excel, a user can bypass the application restrictions set by Zero Administration Kit (ZAK). The user can open the File:Open window, right-click on the background, select 'Browse', and open Windows Explorer. From there, the user can create a special directory in the temp folder and copy the executables of forbidden applications into it. These applications can then be executed, circumventing ZAK's policies.
The Smurf denial of service exploits the existence and forwarding of packets sent to IP broadcast addresses. The attacker creates an ICMP echo request packet with the source address set to an IP within the network to be attacked and the destination address set to the IP broadcast address of a network which will forward and respond to ICMP echo packets sent to broadcast. Each packet sent into the network being used to conduct the attack will be responded to by any machine which will respond to ICMP on the broadcast address. Therefore, a single packet can result in an overwhelming response count, all of which are directed to the network the attacker has forged as the source. This can result in significant bandwidth loss.
The Wwwcount CGI program is vulnerable to a buffer overflow in the QUERY_STRING environment variable. This allows remote attackers to execute arbitrary commands with the privileges of the Wwwcount program.
The Teardrop denial of service attack exploits a flaw inherent to multiple vendor TCP/IP stacks. This attack can be delivered by sending 2 or more specially fragmented IP datagrams, causing the TCP/IP stack to allocate unusually large resources to reassembling the packets. This can lead to system freezing or rebooting due to insufficient memory.
An implementation fault in the ToolTalk object database server allows a remote attacker to run arbitrary code as the superuser on hosts supporting the ToolTalk service. The affected program runs on many popular UNIX operating systems supporting CDE and some Open Windows installs. The ToolTalk service allows independently developed applications to communicate with each other by exchanging ToolTalk messages. Using ToolTalk, applications can create open protocols which allow different programs to be interchanged, and new programs to be plugged into the system with minimal reconfiguration. The ToolTalk database server (rpc.ttdbserverd) is an ONC RPC service which manages objects needed for the operation of the ToolTalk service. ToolTalk-enabled processes communicate with each other using RPC calls to this program, which runs on each ToolTalk-enabled host. This program is a standard component of the ToolTalk system, which ships as a standard component of many commercial Unix operating systems. The ToolTalk database server runs as root. Due to an implementation fault in rpc.ttdbserverd, it is possible for a malicious remote client to formulate an RPC message that will cause the server to overflow an automatic variable on the stack. By overwriting activation records stored on the stack, it is possible to force a transfer of control into arbitrary instructions provided by the attacker in the RPC message, and thus gain total control of the server process.