By embedding the npdnupdater2.dll plugin inside an HTML page, it is possible to trigger a buffer overflow vulnerability through the 'SRC' parameter. This can lead to remote code execution.
The SMB service within Windows 95/98 allocates 0x400*4 bytes to store file handles. Therefore, a file handle returned to a client will be in the range 0 - 1023. When SMB commands such as SMBfindclose are sent to the service specifying a specially crafted handle outside that range, the sharing service will attempt to access an illegal memory address. Successful exploitation of this vulnerability will cause a buffer overflow in the sharing service and will likely crash it.
A vulnerability exists in all versions of the Check Point Session Agent, part of Firewall-1. Session Agent works in such a way that the firewall will establish a connection back to the client machine. Upon doing so, it will prompt for a username, and if the username exists, a password. Upon failure, it will reprompt indefinitely. This allows for a simple brute force attack against the username and password.
The Still Image Service in Windows 2000 contains an unchecked buffer which could enable a user to run commands at the privilege level of the service (LocalSystem by default). The unchecked buffer lies in one of the methods by which inter-process messages are handled in Windows 2000, so the same vulnerability may be present in other services as well.
This is a kernel vulnerability in Nvidia drivers. The vulnerable code allows an attacker to read and write arbitrary physical memory addresses. The vulnerability is triggered through a function that requires 16-byte-aligned input. By exploiting this vulnerability, an attacker can gain unauthorized access to the system and execute arbitrary code.
The vulnerability allows attackers to upload arbitrary files by abusing the file upload functionality of the Joomla joomgalaxy component. By uploading a specially crafted file, an attacker can execute arbitrary code on the target system.
The 'screen' utility in versions 3.9.5 and prior has multiple format string vulnerabilities that can be exploited by local users to elevate their privileges. If 'screen' is setuid root, an attacker can alter the contents of the variable storing the user id.
An attacker can control the output of the message retrieval functions that get fed to the printf(3) family of functions, allowing them to execute arbitrary code as a privileged user (root) using almost any SUID program on vulnerable systems. On some operating systems, the problem can also be exploited remotely using the environment variable passing options in telnetd.
The locale subsystem in many UNIX operating systems contains a format string vulnerability. By manipulating the custom messages database, an attacker can control the output of the message retrieval functions and execute arbitrary code as a privileged user. This vulnerability can be exploited locally or remotely, but remote exploitation requires the ability to place a suitable messages database on the target host.
The vulnerability allows a remote attacker or a local low-privileged user account to inject and execute their own SQL commands against the affected application's DBMS without user interaction. The vulnerabilities are located in the mypage.do and rca.jsp module(s), in the vulnerable parameters bound to them, selectedpageid and resourceid. Successful exploitation of the vulnerability results in compromise of the DBMS and the application.