AKA Wunderbar Emporium
This module exploits a remote buffer overflow in ZENworks Configuration Management 10 SP2. The vulnerability exists in the Preboot service and can be triggered by sending a specially crafted packet with the opcode 0x06 (PROXY_CMD_CLEAR_WS) to port 998/TCP. The module has been successfully tested on Novell ZENworks Configuration Management 10 SP2 and Windows Server 2003 SP2 (DEP bypass).
This program exploits an overflow vulnerability in CProxy 3.3 SP2 HTTP Service, causing server shutdown.
Bugzilla is prone to a vulnerability which may allow remote users to execute arbitrary commands on the target webserver. When accepting a bug report, the script "process_bug.cgi" calls "./processmail" via a Perl system() call whose arguments include a number of parameters with values originating from user input via a web form. The script does not check these values for shell metacharacters before inserting them into the system() call. As a result, it is possible for an attacker to supply maliciously crafted input to form fields, which when submitted will cause arbitrary commands to be executed on the shell of the host running vulnerable versions of Bugzilla. Commands will be executed with the privileges of the webserver process.
Requesting a known filename with the extension replaced with .htr, preceded by approximately 230 '%20', from Microsoft IIS 4.0/5.0 will cause the server to retrieve the file and its contents. This is because the .htr file extension is mapped to the ISM.DLL ISAPI application, which redirects .htr file requests to ISM.DLL. ISM.DLL removes the extraneous '%20' and replaces .htr with the proper filename extension and reveals the source of the file. This vulnerability is similar to a more recently discovered variant, BugTraq ID 1488.
Users with existing access to the router can modify SNMP tables that they should not have access to. By entering command-line mode and setting SNMP community strings, users can bypass administrator limitations.
The Web Archive component of L-Soft Listserv contains an unchecked buffer that can be exploited by sending specially crafted requests to the Web Archive. This weakness will allow execution of arbitrary code by remote attackers.
By supplying a long buffer containing machine executable code in the DISPLAY environment variable, it is possible to execute arbitrary code with the permissions of the user running the binary. In the case of a setuid binary, it is possible to obtain the privileges of the user it is setuid to. This can lead to privilege escalation and potential local root compromise.
A buffer overrun has been discovered in the lp program, as included with Sun's Solaris 7 operating system. By passing well crafted, machine executable code of sufficient length to the -d option of lp, it becomes possible to execute arbitrary code as root.