SecureRemote is the proprietary VPN infrastructure designed by Check Point Software, and included with some versions of Firewall-1. A problem with the package allows remote users to gain information about internal networks. Older versions of the package send network topology information to SecureRemote connections prior to authentication, allowing an information gathering attack.
A possible vulnerability exists in Apache that could cause directory contents to be disclosed when directory indexing is enabled, despite the presence of an 'index.html' file. The problem is likely the result of an error in the 'multiview' functionality provided as part of Apache's content negotiation support. Exploitation of this problem may lead to the disclosure of sensitive information to attackers.
This exploit is for the locale subsystem format strings bug in Solaris with noexec stack. It is tested in Solaris 2.6/7.0 and can be adjusted by changing the retloc offset. The exploit is written in C and uses ldd, sed, gcc, and systeminfo.h. It uses a fake frame to bypass the noexec stack and then executes a shell.
A local root vulnerability exists in the poppassd service shipped with Qpopper v4.0.x, allowing a local attacker to gain root access to the system. The exploit code 0x82-Local.Qp0ppa55d.c targets this vulnerability. It is written in C and uses the setreuid, setregid, setuid, and setgid functions to obtain root privileges.
KTVision is vulnerable to symbolic link attacks. It is possible for an attacker to anticipate the expected name of a KTVision config file. A local attacker can then create a symbolic link with the anticipated filename pointing to files on the system writable by ktvision (which is frequently suid root). This could allow an attacker to overwrite any file on the filesystem, completely undermining the security of the exploited system.
ttawebtop.cgi is a CGI script included with Tarantella (formerly SCO). It is a management tool designed to allow a user clicking a link to display and resume an application at any time. However, it does not sufficiently validate input, allowing a remote user to traverse the directory structure and view any file that is readable by the webserver process. This can be done by appending "../../../../../../../../../../../../../../../etc/passwd" to the URL.
Windows Index Server and Indexing Service contain an unchecked buffer in the 'idq.dll' ISAPI extension associated with each service. A maliciously crafted request could allow arbitrary code to run on the host in the Local System context. Note that Index Server and Indexing Service do not need to be running for an attacker to exploit this issue. Since 'idq.dll' is installed by default when IIS is installed, IIS is the only service that needs to be running.
This exploit uses a technique that overwrites the .dtors section of the /bin/su program with the address of the shellcode, so that the program executes it when main returns or exit() is called. The address of the .dtors section can be easily obtained with objdump -h filename. The shellcode is pushed in an env var with a lot of nops, and the size of the "piece" of stack that must be "eaten" is calculated with a loop. Tested on Red Hat 6.2, 6.1 and SuSE 6.2.
It is possible for local users to cause man to cache files in the system cache directory from outside of the configured manual page hierarchy search path. Combined with the behaviours of 'man' and 'mandb' or any other utilities which trust cache filenames, it may be possible to use this vulnerability to elevate privileges.
PowerScripts PlusMail Web Control Panel is a web-based administration suite for maintaining mailing lists, mail aliases, and web sites. It is reportedly possible to change the administrative username and password without knowing the current one, by passing the proper arguments to the plusmail script. After this has been accomplished, the web console allows a range of potentially destructive activities including changing e-mail aliases, mailing lists, editing web sites, and various other privileged tasks. This can be accomplished by submitting the argument "new_login" with the value "reset password" to the plusmail script (typically /cgi-bin/plusmail). Other arguments the script expects are "username", "password" and "password1", where username is the new login name, and password and password1 contain matching values for the new password.