
Explore Vulnerabilities


Explore all Exploits:

Microsoft Windows NT RAS Service Buffer Overflow

The RAS Service in Microsoft Windows NT contains multiple buffer overflows that allow local users to execute arbitrary code and gain elevated privileges. The RAS API function RasGetDialParams does not perform any bounds checking, leading to an exploitable buffer overflow. The RASMAN.EXE component, which is run in the security context of the LocalSystem account, uses the RasGetDialParams function to read in data from the phonebook (rasphone.pbk) when dialing out. If a phone number in the phonebook entry is over 299 bytes in length, it can overwrite the process's saved return address, allowing an attacker to execute arbitrary code.

Lax permission in Windows NT help file folder and buffer overflow in Help utility

The Windows NT Help utility has a buffer overflow vulnerability when parsing .cnt files with long heading strings. This vulnerability allows a malicious user to create a custom .cnt file with executable code in an entry string, which can grant them Administrator privileges when viewed by an unsuspecting user. The vulnerability is not limited by the permissions of the help file directory as the Help utility will search for a .cnt file first in its execution directory before looking in the help file directory.

Outlook Express POP Mail Download Halting Vulnerability

A vulnerability in Outlook Express allows a malicious message sent to the user's mailbox to halt POP mail download. The vulnerability occurs when a line containing two dots falls at a packet boundary, causing Outlook Express to interpret the second dot as the end-of-message (EOM) marker. Outlook Express then switches back to POP3 command mode and interprets the rest of the message as a POP3 response, leading to an error message or a hung session.

Nuked Klan SP CMS v4.5 – SQL injection Vulnerability

A SQL injection vulnerability and a misconfiguration were found in the Nuked Klan SP v4.5 content management system. The vulnerability allows a remote attacker or a local low-privileged user account to inject and execute their own SQL commands against the application's DBMS without user interaction. Successful exploitation results in compromise of the DBMS and the application. The flaw lies in a misconfigured ereg() regular-expression check applied when processing requests that carry the eid variable.

bitweaver <= v1.3 'tmpImagePath' attachment mod_mime exploit

This exploit allows an attacker to upload arbitrary files to the server by exploiting a vulnerability in the 'tmpImagePath' parameter of the BitArticle.php file in bitweaver version 1.3 and earlier. By uploading a specially crafted file, an attacker can execute arbitrary commands on the server.

Privilege Escalation in Imail and WS_FTP Server

Non-administrative Imail and WS_FTP Server users can elevate their privileges to administrator by modifying a specific registry value. Once they have obtained administrative privileges, they can use the application interface locally to perform various actions like reading email, creating accounts, deleting accounts, etc.

Buffer Overflow in chkey program

This exploit targets programs that use stdio(3S) and contain a data buffer overflow: the overflow is used to overwrite stdio's iob[] array of FILE structures with malicious, attacker-prepared buffered FILEs. stdio can thereby be made to overwrite arbitrary locations in memory; specifically, it overwrites a procedure linkage table (PLT) entry with SPARC assembly code that executes a shell.

Vulnerability in Internet Explorer 4.x and 5.5

Internet Explorer 4.x's implementation of cross-frame security can be bypassed by appending '%01' to an arbitrary URL. This allows access to local files, window spoofing, and arbitrary code execution on the target host. A variation of this vulnerability also exists in Microsoft Internet Explorer 5.5, where the ASCII equivalents '^A' or '&#01' can be used instead.

Default ACL Over Winlogon Key Privilege Escalation

The default ACL on the "System" value of the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key includes an entry for Server Operators:Special. A malicious System Operator could place a reference to a trojan in this entry. The trojan would be executed under system privileges the next time the system is booted. Because the trojan is invoked by the system, the system account has the privileges needed to execute code that elevates the permissions of a selected account to "administrator".
