Packet Storm new exploits for November, 2003.
RNN Guestbook version 1.2 has multiple vulnerabilities, ranging from remote command execution to full administrative access without authentication. Full descriptions and exploit code enclosed. (MD5: 98a752eda0e42dae02e16f317b81af46)
Remote exploit for a SQL injection vulnerability in viewtopic.php of phpBB version 2.0.6. A crafted query submitted through the search functionality exposes the MD5 password hash. A related vulnerability is referenced here. (MD5: 0754b26af27338e25b349e9041d28689)
Bugtraq Security Systems Security Advisory - Multiple vulnerabilities have been discovered in the Applied Watch Command Center IDS. Two exploits have been released to demonstrate these flaws. The first, appliedsnatch.c, allows a remote attacker to add a user to the console without authenticating to the system. The second, addrule.c, allows a remote attacker to add custom IDS alerts to all sensor nodes in a network, making benign traffic appear malicious and so burying the analysts watching the console in false positives (a denial of service against the humans rather than the hardware). (MD5: a0d71696e8ccf3834d85f4c6baa42746)
EPIC4 remote exploit that acts as an IRC server and makes use of a stack-based overflow in EPIC4 versions later than pre2.003. On success it yields a shell with the privileges of the user running the client that connected to the malicious server. (MD5: d75b0941421c1810583106423f646868)
My_eGallery versions below 3.1.1.g contain PHP files that do not sanitize all parameters passed to functions, allowing a remote attacker to execute arbitrary commands as the user ID the web server runs under. Vendor-supplied patch available here. (MD5: 60364157eaa053fedb0f4fd986a98e85)
The CommerceSQL shopping cart allows remote reading of arbitrary files via a directory traversal vulnerability in its index.cgi. (MD5: b43abc56c3104b46370ca73811988658)
The embedded web server in the Thomson TCM315 cable modem is vulnerable to a buffer overflow when handling an ordinary HTTP GET request. (MD5: 5a17b3f5332c2e8437aa225dc2841a71)
Security Corporation Security Advisory [SCSA-021]: vBPortal versions 2.0 alpha 8.1 and below allow a remote attacker to send anonymous mail via a vulnerability in its friend.php script. (MD5: 51198bef948a30a3927152acb48c8e3f)
webfs 1.7.x remote root exploit that makes use of a buffer overflow in User-Agent header handling and binds a shell to TCP port 26112. (MD5: b9b406a1de68f15e93c5a0044938ddfa)
A bug in the MSN Messenger client exposes a user's IP address due to improper parsing of the Ip-Address field in incoming requests. (MD5: 5d7053881beaf39ab594c60a0b0cd44c)
Remote exploit for mod_gzip versions 1.2.26.1a and below when running in debug mode. Yields a shell as the user ID of the web server. Tested against RedHat 8.0 and FreeBSD 4.7. (MD5: 20299636636f63dc45c73c692442d9d2)
OpenBSD v3.3 and below local root exploit, and v3.4 local denial of service, using a kernel stack overflow in the ibcs2 (iBCS2 binary compatibility) code. Patch available for v3.3 here. Also works against OpenBSD v2.x. (MD5: ccd4dcff6acad5955766d739f2551aff)
IA WebMail Server v3.1 and below (iaregdll.dll version 1.0.0.5) remote exploit written in Perl. Tested against Windows XP Home SP1 and Windows 2000 Pro SP4. The included shellcode downloads netcat and spawns a shell. (MD5: d2c5ec9e1b0e56417a1369edc4c038f3)
Rolis Guestbook version 1.0 is susceptible to PHP injection and cross site scripting attacks. (MD5: 2e7f7b1bf13faa2e9a6f5a50715033eb)
phpWebFileManager version 2.0.0 is susceptible to a directory traversal attack due to a lack of input validation. (MD5: 1972e31d4135891fa96c056c66ac386f)
NetServe version 1.0.7 suffers from a directory traversal vulnerability that allows a remote attacker to download any file outside of the web root. A remote attacker can use this to retrieve the config.dat file, which holds the login and password for the administrative account. Tested on Microsoft Windows XP and 2000. (MD5: 9eb1029ff44f80602acd4bef54d419dc)
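Three entries in this list (the CommerceSQL index.cgi, phpWebFileManager 2.0.0 and NetServe 1.0.7 items) are the same defect: a request path is joined onto the document root without first checking that the result still lies inside it. The C function below is an added example of the check those servers lacked; it is not code from any of those products, and the document root, request paths and buffer sizes are assumptions chosen for illustration. It percent-decodes the path, treats backslash as a separator as well as slash (NetServe was tested on Windows), resolves "." and ".." lexically, rejects embedded NUL bytes (which would otherwise truncate the path after the check), and refuses any path that would climb above the root.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_SEGMENTS 64

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode src into dst. Returns 0 on a malformed escape, on an
 * embedded NUL (a classic way to truncate a path after validation) or if
 * the result does not fit; 1 otherwise. */
static int url_decode(const char *src, char *dst, size_t dstsz)
{
    size_t o = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        int c = (unsigned char)src[i];
        if (c == '%') {
            int hi = hexval((unsigned char)src[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[i + 2]);
            if (hi < 0 || lo < 0) return 0;
            c = hi * 16 + lo;
            i += 2;
        }
        if (c == 0) return 0;
        if (o + 1 >= dstsz) return 0;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 1;
}

/* Join reqpath onto docroot (no trailing slash), resolving "." and ".."
 * lexically. Writes the confined absolute path into out and returns 1, or
 * returns 0 (out undefined) if the request would escape the document root,
 * is malformed, or does not fit. */
int resolve_under_docroot(const char *docroot, const char *reqpath,
                          char *out, size_t outsz)
{
    char decoded[1024];
    const char *segs[MAX_SEGMENTS];
    int depth = 0;
    char *save = NULL;

    if (!url_decode(reqpath, decoded, sizeof decoded)) return 0;

    /* Windows-style separators count as separators too. */
    for (char *p = decoded; *p; p++)
        if (*p == '\\') *p = '/';

    for (char *tok = strtok_r(decoded, "/", &save); tok;
         tok = strtok_r(NULL, "/", &save)) {
        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {
            if (depth == 0) return 0;          /* would climb above docroot */
            depth--;
            continue;
        }
        if (depth == MAX_SEGMENTS) return 0;
        segs[depth++] = tok;
    }

    int n = snprintf(out, outsz, "%s", docroot);
    if (n < 0 || (size_t)n >= outsz) return 0;
    size_t used = (size_t)n;
    for (int i = 0; i < depth; i++) {
        n = snprintf(out + used, outsz - used, "/%s", segs[i]);
        if (n < 0 || (size_t)n >= outsz - used) return 0;
        used += (size_t)n;
    }
    return 1;
}

int main(void)
{
    /* Constructed request paths: one legitimate, the rest in the traversal
     * shapes used against servers like those listed above. */
    const char *probes[] = { "/index.html", "/../../etc/passwd",
                             "..%2f..%2fconfig.dat", "\\..\\..\\boot.ini" };
    char out[512];
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-24s -> %s\n", probes[i],
               resolve_under_docroot("/var/www", probes[i], out, sizeof out)
                   ? out : "REJECTED");
    return 0;
}
```

The check is purely lexical, which is deliberate: it runs before any filesystem access, so a file under the root that is itself a symlink pointing outside still needs a realpath() check at open time if the server allows symlinks.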
pServ 2.0.x Beta web server remote exploit that makes use of a buffer overflow in its handling of the User-Agent HTTP header. (MD5: 8ff8a7c0a6c99ee99b37b46c84a0bbd6)
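The webfs 1.7.x and pServ 2.0.x entries are the same bug class: the server copies the User-Agent value into a fixed-size buffer with no length check, so an over-long header overwrites the stack (the TCM315 GET handling and the terminatorX and 0verkill environment-variable entries in this list have the same shape with a different input source). The C code below is an added example and is not code from webfs or pServ: it shows the unsafe copy pattern for contrast next to a bounded header extractor that refuses a value that would not fit, and exercises the bounded version on a constructed request. The 64-byte buffer size and the request text are assumptions chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp */

#define UA_BUF_SIZE 64

/* Vulnerable shape: a value of attacker-chosen length is copied into a
 * fixed buffer. Shown only for contrast; never called on untrusted input
 * in this example. */
void copy_header_unbounded(const char *value, char dst[UA_BUF_SIZE])
{
    strcpy(dst, value);   /* overflows dst once strlen(value) >= UA_BUF_SIZE */
}

/* Bounded replacement: find header `name` (case-insensitive) in a raw HTTP
 * request and copy its value into dst. Returns 1 on success, 0 if the header
 * is absent or the request is malformed, -1 if the value would not fit; the
 * caller should reject such a request rather than truncate and continue. */
int get_header_bounded(const char *req, const char *name, char *dst, size_t dstsz)
{
    size_t nlen = strlen(name);
    const char *line = strstr(req, "\r\n");          /* skip the request line */
    if (!line) return 0;
    line += 2;

    while (*line != '\0') {
        const char *eol = strstr(line, "\r\n");
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);
        if (linelen == 0) break;                      /* blank line ends headers */

        if (linelen > nlen && line[nlen] == ':' &&
            strncasecmp(line, name, nlen) == 0) {
            const char *v = line + nlen + 1;
            const char *vend = line + linelen;
            while (v < vend && (*v == ' ' || *v == '\t')) v++;
            size_t vlen = (size_t)(vend - v);
            if (vlen >= dstsz) return -1;             /* would overflow: refuse */
            memcpy(dst, v, vlen);
            dst[vlen] = '\0';
            return 1;
        }
        if (!eol) break;
        line = eol + 2;
    }
    return 0;
}

/* Build a request whose User-Agent is n bytes of 'A' (constructed input) and
 * report what the bounded extractor does with it. Returns -2 if the probe
 * itself would not fit in the local request buffer. */
int probe_user_agent_length(size_t n)
{
    char req[1024];
    char ua[UA_BUF_SIZE];
    const char *prefix = "GET / HTTP/1.0\r\nHost: example\r\nUser-Agent: ";
    size_t plen = strlen(prefix);
    if (plen + n + 5 > sizeof req) return -2;
    memcpy(req, prefix, plen);
    memset(req + plen, 'A', n);
    memcpy(req + plen + n, "\r\n\r\n", 5);          /* includes terminating NUL */
    return get_header_bounded(req, "User-Agent", ua, sizeof ua);
}

int main(void)
{
    printf("20-byte User-Agent:  %d\n", probe_user_agent_length(20));   /* 1  */
    printf("300-byte User-Agent: %d\n", probe_user_agent_length(300));  /* -1 */
    return 0;
}
```

The bounded version returns a distinct error for "too long" instead of silently truncating, because a server that truncates and continues still lets an attacker shape whatever follows the buffer in other ways; the right response to an over-long header from an unauthenticated client is to drop the request.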
FrontPage Server Extensions remote exploit that binds a shell on TCP port 9999 using the bug described in MS03-051. Tested on Windows 2000 Professional SP3 English version, fp30reg.dll version 4.0.2.5526. Bug discovered by Brett Moore. (MD5: 27078b058c1063db9695a706a4f68b1d)
Local root exploit for terminatorX version 3.81 and below that makes use of a vulnerability in its handling of the LADSPA_PATH environment variable. (MD5: e28d8512b7f0f40aa755ac0c05d43e14)
0verkill version 0.16 local proof of concept exploit that makes use of a stack overflow triggered when the HOME environment variable is read. (MD5: a2817a1ad499a35cdb5469a0b032ce00)
UnAce version 2.20 local proof of concept exploit. Original vulnerability discovery by MegaHz. Tested on Debian 3.0. (MD5: ee4378534a1ac7e7c6ff82037218678f)
UnAce version 2.20 local proof of concept exploit. Original vulnerability discovery by MegaHz. Brute-forcing option included. (MD5: 2b33f62481726d5a0a5ecbdf48ec57e1)
Six-step cache attack for Internet Explorer 6 SP1 (fully patched as of 10/30/2003) that combines several older unpatched and recently discovered vulnerabilities to execute code remotely when the victim views a web page or HTML email. More information available here. (MD5: 652bbe547dbd598468bd44680ceda980)
Remote denial of service exploit for MyServer 0.5. The malicious payload crashes the server with a runtime error. Tested on Windows XP Pro SP1 and Windows 2000 SP3. (MD5: 61fe983e637f9bb67381751df8664ae7)