July 2002 Advisories & Exploits


July 11 2002

Caldera CSSA-2002-SCO.28 - Several local & remote bugs were discovered in the rpc.ttdbserverd program that allow an attacker to overwrite memory in the program as well as force the program to create and delete arbitrary files on the system.

Conectiva CLA-2002:507 - A remote attacker who is able to send malicious DNS responses to vulnerable machines could potentially execute arbitrary code with the privileges of the application making use of the vulnerable resolver library.

HEWLETT-PACKARD #0197 - Apache Rev 3 - a remotely exploitable vulnerability in handling of large data chunks in Apache-based web servers on HP9000 Servers running HP-UX release 11.00, 11.04, and 11.11.

Lil'HTTP Server pbcgi.cgi - the pbcgi.cgi script is vulnerable to cross-site scripting attacks

Microsoft SQL Server 7/2000 - setup.iss is not properly removed after installation or after applying service packs, and the file contains account user names and passwords

Microsoft SQL Server 2000 - BULK INSERT query contains a remotely exploitable buffer overrun vulnerability that can be exploited by an attacker to run arbitrary code

Popcorn <=1.20 - multiple remote exploits exist

SunPS iRunbook 2.5.2 - directory traversal vulnerability allows any file or folder on the server to be read.


July 10 2002

Apache Tomcat v4.0.3 - Cross Site Scripting

Carello 1.3 - remote file execution

CERT CA-2002-20 - multiple vulnerabilities in CDE ToolTalk

Cisco VPN3000 - The Cisco VPN3000 gateway lets remote client dictate which maximum MTU to use when sending back ESP frames, regardless of the transmitting capabilities of the physical medium. This could lead to a denial of service attack.

Fluid Dynamics -

GoAhead Web Server v2.1 - directory traversal + cross site scripting may allow files to be read from server

HEWLETT-PACKARD #0198 - RFC-Netbios panics when it receives a malformed UDP packet on port 139 on HP 9000 Servers running HP-UX releases 11.00 and 11.11.

HEWLETT-PACKARD #0184 - Vulnerabilities in SNMP request and trap handling can lead to possible denial-of-service, service interruptions, or unauthorized access. This affects these products:

HP 9000 Series 700/800 running HP-UX releases 10.X and 11.X
HP Procurve switches
HP TopTools Remote Control Card
JetDirect Firmware
MC/ServiceGuard, EMS HA Monitors
Solaris running OpenView or NNM
Windows/NT running OpenView or NNM

Internet Explorer/Outlook Express - cross domain scripting can lead to elevating privileges, arbitrary command execution, local file reading, stealing arbitrary cookies.

NAI PGP Desktop Security 7.0.4 - by sending a carefully crafted email, the message decoding functionality can be manipulated to overwrite various heap structures pertinent to the PGP plug-in and execute arbitrary code.

NAI PGP Personal Security 7.0.3 - by sending a carefully crafted email, the message decoding functionality can be manipulated to overwrite various heap structures pertinent to the PGP plug-in and execute arbitrary code.

NAI PGP Freeware 7.0.3 - by sending a carefully crafted email, the message decoding functionality can be manipulated to overwrite various heap structures pertinent to the PGP plug-in and execute arbitrary code.

Sharp Zaurus SL-5000D & SL-5500 - two vulnerabilities allow remote filesystem access and the screen to be locked

Tooltalk (multiple vendors) - several vulnerabilities exist that can lead to remote and local compromise of the privileged root account on the vulnerable system


July 9 2002

Badblue 1.7.3 - vulnerability still unpatched

iPlanet Web Server 6.0 SP2 - a flaw in its search function allows remote viewing of any file on the server.

iPlanet Web Server 4.1 SP9 - a flaw in its search function allows remote viewing of any file on the server.

iPlanet - search buffer overflow

Netscape Enterprise Server 3.6 - a flaw in its search function allows remote viewing of any file on the server.

Shambala Server 4.5 - DoS exploit for previously discussed issues

SPARC/solaris 8 - kcms_configure -o -S command line buffer overflow proof of concept (POC)

SuSE-SA:2002:025 - multiple squid vulnerabilities

SuSE-SA:2002:026 - buffer overflow in dig, host, and nslookup utilities

Watchguard Firebox firmware v5.x.x - A malicious user can crash the Dynamic VPN Configuration Protocol service (DVCP) by sending a malformed packet to the listener service on TCP port 4110.


July 8 2002

artswrapper - local root exploit - proof of concept (POC) code included

BadBlue <1.7.3 - cross site scripting

BadBlue <1.7.3 - Denial of service

Bea Weblogic Performance Pack - a denial of service condition exists when the performance pack is installed: a malicious user can crash the Bea Weblogic Server.

HEWLETT-PACKARD #019 - A remotely exploitable vulnerability in handling of large data chunks in Apache-based web servers on HP9000 Servers running HP-UX release 11.00, 11.04, and 11.11.

Lil'HTTP Server Urlcount.cgi - insufficient input sanitization of the CGI's saved data could allow an attacker with access to the CGI to submit a maliciously designed request and then send a targeted visitor to view the counter report.


July 7 2002

KeyFocus Web Server 1.0.2 - an attacker can see all hidden (non-HTML-linked) files and directories on the server if the requested URL contains a %00 after a directory name.


July 6 2002

MacOS 10.0.X/10.1.X - a remote attacker can impersonate the software updates site and possibly install software not issued by Apple. Exploiting this vulnerability can lead to root compromise on affected systems.


July 5 2002

Conectiva CLA-2002:506 - An attacker can exploit some of these vulnerabilities to execute arbitrary code remotely as the user running squid (which in Conectiva Linux is "proxy" or "nobody"), cause a Denial-of-Service (DoS) in the server or inject/get invalid data in/from the network.

Winamp 2.80a - is remotely exploitable and can execute arbitrary code on the victim machine - Proof Of Concept (POC) included

XiRCON v.10B4 - sending a large message will crash the irc client, creating a denial of service.


July 4 2002

Conectiva CLA-2002:505 - fixes various vulnerabilities in ethereal

Mandrake MDKSA-2002:041 - multiple Linux kernel vulnerabilities

Mandrake MDKSA-2002:042 - in the LPRng default configuration, the lpd daemon accepts job submissions from any remote host

OpenPKG-SA-2002.006 - DNS resolver libraries may allow a remote attacker to create a Denial of Service condition or execute arbitrary commands.

UnBodyGuard - Bouncer (POC)

Worldspan for Windows 4.1 Gateway - Invalid packets sent to gateway crash system


July 3 2002

AnalogX SimpleServer 1.16 - Proof-of-concept

Argosoft Mail Server Plus/Pro Webmail <= 1.8.1.5 - reverse directory traversal

MyWebServer <1.02 - A buffer overflow allows remote execution of arbitrary code with daemon privileges.

nn <=6.6.3 - the newsreader insecurely uses server input in a format string to print error messages on the client's terminal

OpenSSH <3.4 - kbd-interactive buffer overflow allows a local user to execute arbitrary commands as the user which the OpenSSH daemon is running as prior to authentication (normally root).

Redhat RHSA-2002:051-16 - multiple squid vulnerabilities

SQUID-2002:3 - multiple

SunPCi II - VNC weak authentication scheme vulnerability allows remote attackers to gain access to the system

Unreal Tournament - an attacker can flood other hosts, creating a denial of service


July 2 2002

Debian DSA-135-1 - specially crafted .htaccess files allow arbitrary code execution as the web server user, DoS attacks, and taking control of Apache child processes.

EnGarde ESA-20020702-016 - remote OpenSSH vulnerabilities

EnGarde ESA-20020702-017 - off-by-one in mod_ssl's configuration directive handling may allow an attacker to create a denial of service or execute arbitrary commands.

Cisco Secure ACS - Unix Acme.server Information disclosure

CommuniGatePro <= 4.0b4 - allows directory listing

Conectiva CLA-2002-504 - An off-by-one buffer overflow vulnerability exists in the code which handles entries in .htaccess files in mod_ssl <= 2.8.9 allowing an attacker to cause a denial of service or even execute arbitrary commands.

Inktomi Traffic Server - a long command line argument creates a buffer overflow that can be exploited locally to gain root access.

Mandrake MDKSA-2002:040-1 - An input validation error exists in the OpenSSH server between versions 2.3.1 and 3.3 that can result in an integer overflow and privilege escalation. This error is found in the PAMAuthenticationViaKbdInt code in versions 2.3.1 to 3.3, and in the ChallengeResponseAuthentication code in versions 2.9.9 to 3.3.

Noguska Nola 1.1.1 - it is possible to upload PHP code with certain file extensions (such as .php4, .phtml, .html, etc.) using any of the upload fields in the application.

PHPAuction - allows anyone to create admin account

SuSE-SA:2002:024 - openssh updates

VeriSign Japanese - allows a malicious site owner to create a false authenticity seal for his site without it actually being issued by VeriSign.


July 1 2002

Caldera CSSA-2002-SCO.31 - UnixWare 7.1.1, Open UNIX 8.0.0: Apache web server chunk handling / mod_ssl off-by-one error

Caldera CSSA-2002-SCO.32 - OpenServer 5.0.5, OpenServer 5.0.6: Apache web server chunk handling / mod_ssl off-by-one error

Blackboard 5 - contains multiple input validation errors exploitable via cross-site scripting

efstool - a buffer overflow in efstool can allow an attacker to execute arbitrary commands and possibly take control of the system

FS-070102-23-AXPR - buffer overflow exists in AnalogX's Proxy software that allows remote execution of arbitrary code with the privileges of the Proxy daemon.

HEWLETT-PACKARD #00196 - Internal data can be modified, causing rpcd or dced to crash and resulting in a denial of service, on HP 9000 Series 700/800 running HP-UX 11.11 only with PHSS_25710 or PHSS_26394 and PHSS_26396.

HEWLETT-PACKARD #0197 - Apache Rev 3 - a remotely exploitable vulnerability in handling of large data chunks in Apache-based web servers on HP9000 Servers running HP-UX release 11.00, 11.04, and 11.11.

ircii-pana-1.0c19.tar.gz - a trojaned version has been found for download at ftp.bitchx.com

KPMG-2002026-Jrun - It is possible for a malicious user to trick the Jrun web server into disclosing source code

KPMG-2002027-Watchguard - A malicious user with access to the internal network interface would not need to know the username to log on to the FTP service, and could attempt to brute-force the password and thus gain access to configure the firewall.

KPMG-2002028-Sitespring - A malicious user with access to the Sitespring database engine port can crash both the runtime database engine and the Sitespring web service.

OmniHTTPd v2.09 - a problem in handling long HTTP version strings causes a denial of service.

OpenBSD - OpenSSH revision 4

ptl-2002-03 Betsie<=1.5.11 - A Cross-site Scripting vulnerability exists in the application

Remote OpenSSH exploit for 2.9.9-3.3 - signature


Copyright © 1998 - 2004 RHP Studios
All Rights Reserved!
Report errors to webmaster@rhpstudios.com
Last Updated on July 24, 2004 @ 11:45 hrs EST