An off-by-one error occurs in the channel code of some versions of OpenSSH. A malicious client may exploit this vulnerability by connecting to a vulnerable server. Valid credentials are believed to be required, since the exploitable condition reportedly occurs after successful authentication.
Multiple buffer overflow vulnerabilities have been reported in some versions of xtell. If long strings are received by the xtell client, stack memory will be overwritten. Exploitation of these vulnerabilities may result in arbitrary code being executed as the xtell daemon. Overflow conditions may be triggered by long strings returned by a malicious DNS server in response to the reverse lookup performed when a message is received, by the auth string returned by the ident server, or by directly sending an overly long message to the vulnerable user.
This exploit is based on sadminsparc. and sadminx86.c by Cheez Whiz. It is a buffer overflow exploit which allows an attacker to execute arbitrary code on the vulnerable system. It is a remote exploit which requires the attacker to send a malicious payload to the vulnerable system.
A format string vulnerability in the locale subsystem of UnixWare could lead to a user gaining elevated privileges. A local user could potentially supply maliciously crafted message catalogs through the LC_MESSAGES environment variable. This could allow a local user to load arbitrary message catalogs into setuid or setgid programs, and execute arbitrary code with setuid/setgid privileges.
A remotely exploitable buffer overflow condition has been discovered in mIRC. This issue is due to improper bounds checking of nicknames sent by the server. An excessively long nickname (200+ characters) is capable of overwriting stack variables. This may be exploited by a malicious server. This issue is also exploitable via a webpage that can instruct the client to launch and to make a connection to the malicious server.
EServ is a combination Mail, News, Web, FTP and Proxy Server for Microsoft Windows 9x/NT/2000 systems. It is possible to construct a web request which is capable of accessing the contents of password protected files/folders on the webserver, such as the admin folder, which contains the administrative interface. It should be noted that this vulnerability may only be exploited to access password-protected files in sub-folders of wwwroot. The following example will give the attacker access to the administrative interface: http://host/./admin/default.htm
VitalNet, part of Lucent's VitalSuite SP product family, contains a flaw in its cookie-based authentication mechanism. An attacker who successfully guesses a correct username can gain access to the server without needing a valid password. This is done by sending a specially crafted HTTP request to the server, such as http://<serverip>/cgi-bin/VsSetCookie.exe?vsuser=<user_name>.
This exploit is a theoretical exploit for the HP-UX ftpd vulnerability. It is not tested anywhere and needs tweaking. It contains HP-UX shellcode and a NOP sled. It also contains a buffer of size 1024 and a return address of 0xdeadbeef. It is used to send a PASS command containing the shellcode and NOP sled to the ftpd server.
A vulnerability exists in the way that AOL Instant Messenger (AIM) parses a game request with a TLV (type, length, value) type of 0x2711. This type of game request is prone to a buffer overflow which could allow a remote user to obtain the same privileges as the user who is currently logged on. There is currently no way for an AIM user to block this type of request.
When processing the location field in a NOTIFY directive, UPnP server process memory can be overwritten by data that originated in the packet. If the IP address, port and filename components are of excessive length, access violations will occur when the server attempts to dereference pointers overwritten with data from the packet.