
Explore Vulnerabilities


Explore all Exploits:

BeOS Networking Process Denial of Service Vulnerability

The BeOS networking process can crash if certain malformed packets are transmitted to it. If the length field is set to a number less than the total length of the IP and protocol (TCP or UDP) headers alone, the process will halt and require a manual restart to regain normal functionality. For TCP, the combined TCP and IP header length is 40 bytes, and for UDP the combined UDP and IP header length is 28 bytes.

Bray Systems Linux Trustees Hangs with Long Paths

Bray Systems Linux Trustees is an access control program which manages user permissions similar to implementations of Netware. Requesting an unusually long file or directory path will cause the application to hang. Other processes may also be affected. In order to regain normal functionality, the user must reboot the machine. The exploit code creates a loop that creates a directory named 'aaaa' and then changes the current directory to 'aaaa'. This causes the application to hang.

Buffer Overflow in imwheel Package for Linux

A vulnerability exists in the 'imwheel' package for Linux. This package is known to be vulnerable to a buffer overrun in its handling of the HOME environment variable. By supplying a sufficiently long string containing machine-executable code, the imwheel program can be caused to run arbitrary commands as root. This is due to a setuid root Perl script named 'imwheel-solo' which invokes the imwheel program with effective UID 0.

Microsoft Clip Art Gallery

A vulnerability exists within the Microsoft Clip Art Gallery, where a remote user can crash the Clip Art application or possibly execute arbitrary code. Clip art can be downloaded from any website and incorporated into the local gallery. A particular file format called .CIL is used in order to transport new clip art files to users. The vulnerability is that a user may open a malformed .CIL file containing a long embedded field, downloaded from a malicious third-party website or received as an email attachment, regardless of its origin.

Command Injection in DNSTools

DNSTools versions 1.0.8 and 1.10 are vulnerable to command injection due to a lack of input validation. By manipulating the contents of certain POST variables, arbitrary code may be executed. This can be done by sending a GET request to the webserver or cgi-bin with a malicious payload. For example, sending a GET request with the payload `domain_name=";ls"` will cause a directory listing.

Trend Micro OfficeScan Denial of Service Vulnerabilities

Trend Micro OfficeScan is an antivirus software program which is deployable across an entire network. During the installation of the management software, the administrator is asked to choose between managing from a webserver or from a fileserver. If the webserver option is chosen, clients running OfficeScan are configured to listen on port 12345 in order to receive periodic database engine updates and other administrative commands from the OfficeScan manager.

There are several ways for an attacker to cause various denial of service conditions. Sending random data to port 12345 can cause tmlisten.exe to either consume 100% of the CPU cycles or cause a Visual C++ error and crash the machine. Furthermore, opening more than 5 simultaneous connections to port 12345 while sending random data will cause the service to stop responding to requests. The service will have to be stopped and restarted on each client machine. It has also been reported that it is possible to cause a denial of service condition by making a single malformed GET request to port 12345.

It is also possible for a local user to capture an administrative command by using a network sniffer. This command can then be modified and replayed against other clients to cause them to perform a variety of actions. Modifying the last two bytes of the request will change the client's response behaviour, including: 04: full uninstallation of the OfficeScan client, 06: launch a scan, 07: stop a scan.

The client makes requests to a few CGI programs on the server, which respond with configuration information. One of these CGIs is cgiRqCfg.exe, which provides configuration details for scan behaviour. If an attacker were to set up a webserver with the same IP address as the valid server, duplicate the valid server's OfficeScan file structure, and disable the valid server, it would be possible to perform a more subtle DoS by leaving the client installed but modifying the scan behaviour.

‘The Finger Server’ Remote Command Execution

The Finger Server is a Perl script for providing .plan-like functionality through a website. Due to insufficient input checking, it is possible for remote unauthenticated users to execute shell commands on the server, which will run with the privileges of the webserver. A request like `http://target/finger.cgi?action=archives&cmd=specific&filename=99.10.28.15.23.username.|<shell command>|` will cause the server to execute whatever command is specified.

APC Uninterruptible Power Supply Vulnerability

A vulnerability exists in the apcd package, as shipped in Debian GNU/Linux 2.1. By sending the apcd process a SIGUSR1, a file called upsstat will be created in /tmp. This file contains information about the status of the APC device. This file is not opened securely, however, and it is possible for an attacker to create a symlink with this name pointing to another place on the file system. This could, in turn, lead to a compromise of the root account.

CFCACHE

ColdFusion 4.x includes a tag called CFCACHE which improves server performance by caching the HTML output of processed CFM pages. When the CFCACHE tag is used in a CFM page, it creates temporary files which are placed in the same web-accessible directory as the CFM file itself. These files can be remotely accessed via an explicit URL: for any .cfm file, request the corresponding cfcache.map file.
