Exploit world!

Master Index for ALL Exploits

Compiled by Fyodor fyodor@insecure.org
on Thu Jan 13 21:41:31 UTC 2000


3com/USR Total Control Chassis termserver problem
Description:The IP filtering on these servers doesn't appear to work for dial-in connections. Thus a user can dial in, get a "host:" prompt without authentication, and then type in any hostname on the Internet (or intranet) to connect to. System logs incorrectly say that the connection was denied.
Author:Jason Downs <downsj@DOWNSJ.COM>
Compromise:Unauthorized access to Internet/Intranet through the terminal server
Vulnerable Systems:Those running the Total Control (tm) NETServer Card V.34/ISDN with Frame Relay V3.7.24, perhaps other versions.
Date:11 May 1998
Exploit & full info:Available here


Bay networks unpassworded "User" account
Description:Unless the sysadmins change it (they should!), Bay Networks access node/wellfleet routers have a "User" account for ftp/telnet access with no password. The Manager account also ships w/o a password, but that is more likely to be changed.
Author:Marty Rigaletto <marty@SLACK.NET>
Compromise:Read valuable configuration information, edit routing tables, etc.
Vulnerable Systems:Networks using Bay Networks access node/wellfleet routers that haven't changed the default passwords.
Date:10 May 1998
Notes:Many products come w/o passwords with the assumption that they will be changed. This isn't really Bay Networks' fault, although perhaps the "User" account isn't documented well enough.
Exploit & full info:Available here


AIX rmail hole
Description:IFS attack; apparently AIX rmail uses system().
Author:Unknown
Compromise:gid mail
Vulnerable Systems:AIX 3.2, perhaps earlier
Date:10 May 1998 (it is actually much older)
Notes:Thanks to the person who submitted this to me!
Exploit & full info:Available here


Motorola Cablerouter hole
Description:Motorola CableRouters listen on port 1024 regardless of IP access restrictions for some reason. This hole in combination with the default login:cablecom pass:router can lead to easy unauthorized access.
Author:January <january@SPY.NET>
Compromise:unauthorized administrator access
Vulnerable Systems:Motorola CableRouters, especially those where the admin left the default passwords in place (always a horrible idea).
Date:10 May 1998
Notes:Cablemodem users must connect from the Internet interface, not from the interface on their side of the router. Also Motorola wrote me to say this has been fixed. They claim that all customers have upgraded to newer software.
Exploit & full info:Available here


Overflow in Vixie crontab
Description:standard overflow
Author:Dave G. wrote the exploit
Compromise: root (local)
Vulnerable Systems:Some RedHat distributions, a German distribution DLD 5.2, etc. Anyone running a vulnerable version of Vixie crontab.
Date:10 May 1998 (actually it is an older problem)
Exploit & full info:Available here


Overflows in Minicom
Description:The terminal emulation modem program minicom has a number of blatant overflows.
Author:Tiago F P Rodrigues <11108496@LIS.ULUSIADA.PT>
Compromise:group uucp on some Linux distros (such as RedHat), but if installed from source with default makefile then it allows root access (local)
Vulnerable Systems:Most Linux boxes ship with minicom. Version 1.81 and presumably earlier are vulnerable.
Date:9 May 1998
Exploit & full info:Available here


NCSA httpd buffer overflow
Description:Standard overflow in client request string
Author:Renos <renosm@YAHOO.COM>
Compromise:You can probably run arbitrary commands on the web server machine, it is trivial to crash the server
Vulnerable Systems:Those running NCSA's httpd v1.4 for Windows. Probably earlier versions too.
Date:8 May 1998
Exploit & full info:Available here


Poor BSDI squid permissions
Description:On BSDI, squid configuration files are owned by "www", which is the same UID that user CGIs run as. Thus a user could change start-squid to start a root shell, for example.
Author:"Jonathan A. Zdziarski" <jonz@NETRAIL.NET>
Compromise:user WWW privs -> root
Vulnerable Systems:BSDI 3.1, perhaps other squid installs
Date:7 May 1998
Exploit & full info:Available here


dip 3.3.7o overflow
Description:Standard overflow (in the -l option processing).
Author:Goran Gajic <ggajic@AFRODITA.RCUB.BG.AC.YU>
Compromise: root (local)
Vulnerable Systems:Slackware Linux 3.4, presumably any other system using dip-3.3.7o or earlier suid root.
Date:5 May 1998
Notes:I've included a couple of standard exploits and one that works against systems utilizing Solar Designer's excellent non-executable-stack patch.
Exploit & full info:Available here


Backdoor passwords in 3com switches,routers,smart hubs.
Description:Numerous 3com products apparently have secret backdoors in case the administrator "forgets the password". Yeah, there is a good idea. BIOS vendors have the annoying habit of making passwords useless the same way, but at least there the attacker needs physical access. With 3com the attacker can telnet over to your network from bis.bg in Sofiya, Bulgaria and reconfigure your routers!
Author:Eric Monti <monti@MAIL.NETURAL.COM> and others
Compromise:Intruders can reconfigure and basically take over your switches
Vulnerable Systems:Many 3com products have various backdoors including: LanPlex/Corebuilder switches, 3Com LANplex 2500 , CellPlex 7000
Date:5 May 1998
Notes:Another post I appended notes that admin passwords and SNMP keys are available via the "public" SNMP community by default.
Exploit & full info:Available here


Many holes in the Netmanager Chameleon tool suite
Description:Mostly standard overflows, but there are lots of them. Virtually every product that comes in the suite seems exploitable.
Author:arager@MCGRAW-HILL.COM
Compromise:remote attackers can likely obtain root/administrator privileges on the machines running Chameleon daemons. The clients also have serious security holes.
Vulnerable Systems:These holes are in the Windows versions, although I would be very careful about running something like their Unix Z-mail product.
Date:4 May 1998
Exploit & full info:Available here


Xaw and Xterm vulnerabilities
Description:There are a number of vulnerabilities in the X11R6 xterm(1) and Xaw(3c) libraries. Most of them are overflows.
Author:Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz> and the exploit was written by alcuin
Compromise: root (local)
Vulnerable Systems:Those running Xterm or X apps linked to vulnerable Xaw. Virtually all versions of X are vulnerable to the *Keymap hole and the others are mostly X11R6 specific (which virtually everyone uses anyway). Thus it is likely that many Solaris, Linux, HP/UX, and perhaps IRIX and AIX boxes are vulnerable.
Date:4 May 1998
Notes:I have also included an exploit sent to me by "M.C.Mar" <emsi@it.com.pl>. This exploit works against Xaw and neXtaw even WITH Solar Designer's non-executable stack patch applied. Check it out!
Exploit & full info:Available here


Overflow in lynx processing of mailto: URLs
Description:A mailto: URL with a long email address causes lynx 2.8 to crash and can cause it to execute arbitrary code.
Author:Michal Zalewski <lcamtuf@boss.staszic.waw.pl>
Compromise:remote pages can cause commands to be executed on the lynx user's machine. This can also be used to break out of restricted lynx shells.
Vulnerable Systems:Those running lynx 2.8 and probably earlier.
Date:3 May 1998
Exploit & full info:Available here


ID games Backdoor in quake
Description:ID software blatantly put a backdoor in Quake 1/2 and QuakeWorld including both the Linux/Solaris Quake2. RCON commands sent from the subnet 192.246.40.0/24 and containing the password "tms" are automatically executed on the server without being logged.
Author:Mark Zielinski <markz@repsec.com>
Compromise: root (remote)
Vulnerable Systems:Those running Quake 1, QuakeWorld, Quake 2, Quake 2 Linux and Quake 2 Solaris, all versions. Thus many Windows and UNIX boxes are affected
Date:1 May 1998
Notes:Quake was always a horrible security hole, but I never thought Id would stoop to introducing an intentional backdoor to allow them access to systems running Quake. I am surprised this didn't get more publicity.
Exploit & full info:Available here


Overflow in kppp -c option
Description:Standard overflow
Author:"|[TDP]|" <tdp@psynet.net>
Compromise: root (local)
Vulnerable Systems:Those running kppp version < 1.1.3 suid root. This comes with the KDE system (which is pretty neat -- www.kde.org) and runs on Solaris, Linux, IRIX, and HP/UX
Date:29 April 1998
Notes:The hole was fixed a while prior to this posting so the (then) current version was not vulnerable.
Exploit & full info:Available here


Horrendous suidexec hole
Description:Debian Linux apparently distributes a program called suidexec as part of the suidmanager package. This program is trivially exploitable to run any program on the system as root.
Author:Thomas Roessler <roessler@GUUG.DE>
Compromise: root (local)
Vulnerable Systems:Debian Linux 2.0 (probably won't be in the final 2.0 Hamm release).
Date:28 April 1998
Exploit & full info:Available here


Yet ANOTHER hole in the HP/UX Glance program
Description:Standard symlink-following TMPFILE stupidity
Author:"J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
Compromise: root (local)
Vulnerable Systems:HP/UX 10.20, perhaps other versions.
Date:27 April 1998
Exploit & full info:Available here


cxhextris overflow
Description:Standard overflow
Author:Chris Evans <chris@FERRET.LMH.OX.AC.UK>
Compromise:Local users can obtain uid=games privileges! This allows them to cause chaos by changing the high score table or trojaning various games, etc.
Vulnerable Systems:At least RedHat Linux 5.0
Date:25 April 1998
Exploit & full info:Available here


Livewire "source" problem
Description:It is often possible in sites using Livewire to download the actual application rather than individual pages generated by it. If the page is http://www.blah.com/foo/ try downloading http://www.blah.com/foo.web instead.
Author:Daragh Malone <daragh_malone@ACCURIS.IE>
Compromise:Obtain the livewire application rather than the pages it generates. These may have passwords and other sensitive info stored in them.
Vulnerable Systems:Those running Livewire, in particular DEC UNIX 4.0D running Netscape Enterprise Server 3.0.
Date:24 April 1998
Exploit & full info:Available here


Many, many, many security holes in the Microsoft Frontpage extensions
Description:There are many horrible security holes in the Microsoft Frontpage extensions. For example, you can list all files in directories on FP enabled sites, you can download password files on many of them, and a lot of FP sites even let you UPLOAD your own password files (!).
Author:pedward@WEBCOM.COM
Compromise:Break into user accounts on a web server (remote)
Vulnerable Systems:Those running the Frontpage server extensions. Some of the vulnerabilities are UNIX only while others also work against Windows NT sites.
Date:23 April 1998
Exploit & full info:Available here


Overflows in Solaris ufsdump and ufsrestore binaries
Description:Standard buffer overflow (in the device name passed as an argument)
Author:Seth McGann <smm@WPI.EDU>
Compromise:Get UID of tty (local)
Vulnerable Systems:Solaris 2.6/SPARC, opinions differed on whether 2.6/X86 is vulnerable.
Date:23 April 1998
Exploit & full info:Available here


OpenBSD (and others) lprm overflow
Description:There is a subtle overflow in the pointer arithmetic in copying a command string to a buffer.
Author:Niall Smart <rotel@indigo.ie>
Compromise: root (local)
Vulnerable Systems:OpenBSD 2.2 and earlier, some versions of FreeBSD, NetBSD
Date:23 April 1998
Notes:This is an excellent description of the problem. Also congratulations go to Niall Smart for finding this bug in the heavily audited OpenBSD codebase.
Exploit & full info:Available here


qcam overflows
Description:several qcam apps as well as libqcam seem to have rather obvious security holes when installed setuid root.
Author:bst@INAME.COM
Compromise: root (local)
Vulnerable Systems:Those running qcam, sqcam, xqcam, or SANE-0.67. Mostly Linux boxes, perhaps BSD.
Date:20 April 1998
Exploit & full info:Available here


lprm Linux/BSD/Solaris Overflow
Description:The lprm program on some machines has a standard overflow in the name you feed it to remove a job from a remote printer
Author:Chris Evans <chris@FERRET.LMH.OX.AC.UK> posted this problem to BugTraq; it turns out that the OpenBSD folks (probably Theo De Raadt) fixed the problem in 1996.
Compromise: root (local)
Vulnerable Systems:RedHat Linux 4.2 and 5.0, Solaris 2.6. Some *BSD variants are vulnerable, but most fixed it 6 months to two years prior to this notice.
Date:18 April 1998
Exploit & full info:Available here


Nestea "Off By One" attack
Description:A popular attack against Linux boxes
Author:John McDonald <jmcdonal@UNF.EDU>
Compromise:Stupid remote DOS attack
Vulnerable Systems:Linux 2.0.33 and earlier, PalmOS, HP Jet Direct printer cards, some 3COM routers, Magnum 5000 Ethernet switch, Some Windows boxes, perhaps others
Date:17 April 1998
Notes:I have appended the original Linux code, a BSD port, an improved Linux version, and a few other messages on the topic.
Exploit & full info:Available here


Overflow in Microsoft Netmeeting
Description:Standard overflow
Author:DilDog <dildog@L0PHT.COM>
Compromise:remotely execute arbitrary commands on the machine of a Windows/Netmeeting user (the user must click on your Netmeeting .conf file)
Vulnerable Systems:Windows boxes running Micro$oft Netmeeting V. 2.1
Date:16 April 1998
Notes:For a lot more information on this exploit, including a short windows overflow tutorial, see http://www.cultdeadcow.com/cDc_files/cDc-351/ .
Exploit & full info:Available here


MGE UPS serious security holes
Description:Standard security holes are plentiful in the MGE UPS software
Author:Ryan Murray <rmurray@PC-42839.BC.ROGERS.WAVE.CA>
Compromise: root (local)
Vulnerable Systems:Those running vulnerable versions of MGE UPS software. It apparently runs on Solaris, AIX, SCO, etc.
Date:12 April 1998
Exploit & full info:Available here


Major holes in IRIX IPX tools
Description:Sigh, IRIX was trivial to root before, but now thanks to their IPX tools it is even easier. We are talking blatant system() calls here! The story in this message is rather pathetic.
Author:Fabrice Planchon <fabrice@MATH.PRINCETON.EDU>
Compromise: root (local)
Vulnerable Systems:IRIX 6.3, perhaps earlier versions.
Date:8 April 1998
Exploit & full info:Available here


Overflows in various Macintosh mail clients.
Description:Standard overflows.
Author:Chris Wedgwood <chris@CYBERNET.CO.NZ>
Compromise:DOS attack at least, there is at least a possibility of remote code execution (I've never seen this done on a Mac though).
Vulnerable Systems:Macintosh boxes running Stalker Internet Mail Server V.1.6 or AppleShare IP Mail Server 5.0.3 SMTP Server
Date:8 April 1998
Exploit & full info:Available here


Multiple Vulnerabilities in BIND named
Description:There are a number of security holes in some BIND 4.9 and 8 releases. One is a remote-root exploit that works if fake-iquery is enabled; the other two are DOS attacks.
Author:Unknown
Compromise: root (remote)
Vulnerable Systems:Those running BIND 8 prior to 8.1.2 or BIND 4.9 prior to 4.9.7.
Date:8 April 1998
Exploit & full info:Available here


BSDI tcpmux DOS
Description:Apparently BSDI 2.0,2.1,3.0,and 3.1 servers with tcpmux enabled can be crashed with a fast portscanner.
Author:Mark Schaefer <marks@SHELL.FLINET.COM>
Compromise:DOS attack
Vulnerable Systems:BSDI 2.0, 2.1, 3.0, and 3.1 with tcpmux enabled and without patch M310-009
Date:7 April 1998
Notes:Note the portscanner he used -- my nmap.
Exploit & full info:Available here


TTCP spoofing problem
Description:Apparently TTCP allows commands to be executed before the full 3-way handshake has been completed. This means an attacker can set up a malicious connection without the trouble of TCP sequence prediction.
Author:Vasim Valejev <vasim@DIASPRO.COM>
Compromise:Exploit trust relationships, avoid logging, all the other benefits that come with "classical" TCP sequencing attacks.
Vulnerable Systems:Those implementing T/TCP (rfc1644). Perhaps FreeBSD allows this attack?
Date:7 April 1998
Exploit & full info:Available here


Yet another SGI pfdispaly CGI hole
Description:As has been demonstrated many times, SGI CANNOT write secure CGI scripts. Nor can they write secure setuid programs. They fixed the last pfdisplay.cgi hole, but the new version is still quite buggy -- as this post demonstrates.
Author:"J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
Compromise:run arbitrary commands remotely as the UID running the webserver
Vulnerable Systems:SGI IRIX 6.2 using the performer_tools CGIs.
Date:7 April 1998
Notes:I honestly believe default SGI security is as bad as default Windows NT security. That is sad.
Exploit & full info:Available here


ICQ Spoofer
Description:The ICQ protocol is poorly designed and leads to a number of problems. Included in this message is an ICQ spoofer in C, a Perl version, and an ICQ flooder. A sniffer is also included.
Author:Seth McGann <smm@WPI.EDU> and others
Compromise:Harass ICQ users to no end :).
Vulnerable Systems:People running ICQ, mostly windows users. There is probably a Mac client too.
Date:6 April 1998
Notes:All the code is somewhat jumbled together -- I'm sure you can figure it out.
Exploit & full info:Available here


RedHat 5 metamail hole
Description:Many mail clients, MTAs, etc. are poorly written and can interpret mail in ways that lead to security holes. One of the bugs in this message demonstrates a way to execute arbitrary commands by sending mail to a RedHat 5 user. The bug is in metamail script processing of MIME messages.
Author:Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
Compromise:potential root (remote). The victim must read the mail with Pine (or something else that calls metamail).
Vulnerable Systems:RedHat 5, other linux boxes with vulnerable metamail script.
Date:5 April 1998
Exploit & full info:Available here


Eudora 3.0 and 4.0 DOS
Description:Eudora will crash if it tries to receive an email with an attachment that has a filename of at least 233 characters.
Author:whiz <whizpig@TIR.COM>
Compromise:Stupid DOS attack
Vulnerable Systems:Windows users running Eudora Pro 4.0 or 3.0
Date:29 March 1998
Exploit & full info:Available here


Another WinGate hole -- this time with the LogFile service
Description:The WinGate Logfile service basically puts up a web server on port 8010 giving full read access to the victim's hard drive(!)
Author:HKirk <hkirk@tech-point.com>
Compromise:Remote read access to a Wingate user's hard drive
Vulnerable Systems:Windows users who run Wingate. This program is a huge security hole, a much better (cheaper, more secure, more robust, better performing) solution is to install a Linux gateway with IP masquerading.
Date:29 March 1998
Exploit & full info:Available here


Majordomo tmpfile bug
Description:Standard tmpfile problem
Author:Karl G - NOC Admin <ovrneith@tqgnet.com>
Compromise:Any user on a system running majordomo can append arbitrary data to any file owned by the majordomo account.
Vulnerable Systems:Those running majordomo. This runs on a ton of systems (Solaris, Linux, IRIX, etc.).
Date:26 March 1998
Exploit & full info:Available here


Overflows in the MesaGL OpenGL implementation
Description:There are many overflows in this library, one of which can be used to compromise xlock in some cases
Author:bjorn smedman <bs@ODEN.SE>
Compromise: root (local)
Vulnerable Systems:This exploit is for FreeBSD 2.2.5, although other OSes that use MesaGL are likely to be vulnerable.
Date:24 March 1998
Exploit & full info:Available here


dot bug in MS Personal Web Server
Description:IIS 3.0 had a bug which allowed ASP source to be downloaded by appending a . to the filename. That was eventually fixed by MS but they didn't fix the same hole in their Personal Web Server.
Author:Lynn Kyle <lynn@RAINC.COM>
Compromise:Read ASP file source, could contain passwords, etc.
Vulnerable Systems:Those running vulnerable version of MS Personal Web Server
Date:22 March 1998
Exploit & full info:Available here


Linux Mailhandler overflow
Description:The Mailhandler (mh) version 6.8.4-5 has an overflow relating to the SIGNATURE environment variable. I think RedHat 5, among other distributions, is vulnerable.
Author:Catalin Mitrofan <md@LSPVS.SOROSIS.RO>
Compromise: root (local)
Vulnerable Systems:Those running mh version 6.8.4-5 suid.
Date:21 March 1998
Exploit & full info:Available here


Another MSIE 4.0 overflow
Description:Standard overflow, this one can almost certainly be exploited by a malicious page to run arbitrary code on a user's system.
Author:Georgi Guninski <guninski@hotmail.com>
Compromise:Run arbitrary code on the machines of Windows users connecting to your web page.
Vulnerable Systems:Windows 95/NT running MSIE 4.0. Perhaps even the Solaris version is vulnerable, though I've never seen anyone run it.
Date:20 March 1998
Exploit & full info:Available here


Win95 "save password" nonsense
Description:Win95 offers dialup users the option to save their RAS credentials by checking a box when dialing in. Security minded folks generally decline. However, Microsoft saves the password anyway!
Author:Aleph One <aleph1@DFW.NET>
Compromise:Obtain cleartext passwords for dialup accounts. On NT you can sometimes retrieve the lanman and NT hashes (which you can then run a cracker on).
Vulnerable Systems:Windows95, NT.
Date:20 March 1998
Notes:In some cases information on the last SEVERAL logins is stored without permission (!)
Exploit & full info:Available here


Irix pfdispaly CGI hole
Description:Standard read-any-file CGI exploit using '..' in the requested path.
Author:"J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
Compromise:Read any file (remotely) that user nobody (or whatever web server runs as) can read.
Vulnerable Systems:IRIX 6.2 with performer_tools.sw.webtools (Performer API Search Tool 2.2) installed, check for /var/www/cgi-bin/pfdispaly.cgi.
Date:17 March 1998
Exploit & full info:Available here


LinCity and Conquest Game overflows
Description:Typical buffer overflows
Author:bst@INAME.COM
Compromise: root (local)
Vulnerable Systems:Those running vulnerable versions of LinCity or Conquest setuid (dumb!). This is mostly Linux boxes.
Date:16 March 1998
Exploit & full info:Available here


Ascend Router Insecurities
Description:There is a flaw in the Ascend router OS which allows the machines to be crashed by certain malformed UDP probe packets. Also the routers have a default SNMP "write" community which allows attackers to download the entire Ascend configuration file.
Author:"Secure Networks Inc." <sni@SECURENETWORKS.COM>
Compromise:Download sensitive ascend configuration information (passwords, etc.) plus a remote DOS attack to take out the router.
Vulnerable Systems:Ascend Pipeline and MAX routers including OS release 5.0Ap42 (MAX) and 5.0A (Pipeline).
Date:16 March 1998
Notes:Whee! We've got C exploit, CAPE exploit, IPsend exploit, and a Perl exploit!
Exploit & full info:Available here


Even more IE 4 bugs
Description:Three bugs which range in severity from crashing Internet Explorer to crashing all of Windows. These can be put on malicious web pages to take out IE users.
Author:Aleph One <aleph1@DFW.NET>
Compromise:Stupid DOS attack
Vulnerable Systems:Win95/WinNT running Internet Explorer 4.01 (perhaps earlier)
Date:16 March 1998
Exploit & full info:Available here


Insecure scripts that come with RedHat 5.0 (and other OS's)
Description:The scripts named in this message have standard insecure tmpfile bugs. If someone can predict when these will be run (like if they are in cron) then they can generally overwrite files of the person running the command (could be root).
Author:Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
Compromise:Potential for root compromise
Vulnerable Systems:Specifically this list is for RedHat 5 although many other Linux systems and probably some *BSD systems are vulnerable.
Date:14 March 1998
Exploit & full info:Available here


MDaemon/SLMail Mail server overflows
Description:Most Windows servers in general seem to have horrific security. Here is info on overflows in the MDaemon SMTP/POP server and the Seattle Labs server. Many Macintosh servers also have these problems, and even UNIX isn't always immune to poor coding.
Author:Alvaro Martinez Echevarria <alvaro-bugtraq@LANDER.ES>
Compromise:Crash the server, perhaps arbitrary code could be executed.
Vulnerable Systems:Windows boxes running a vulnerable version of MDaemon, Seattle Labs SLMail, and several other crappy Windows servers.
Date:11 March 1998
Exploit & full info:Available here


Solaris 2.6 printd tmpfile problem
Description:Standard insecure tmpfile hole
Author:Silicosis <sili@l0pht.com>
Compromise:unprivileged users can overwrite and create system files and print files they shouldn't be able to read.
Vulnerable Systems:Solaris 2.6
Date:11 March 1998
Exploit & full info:Available here


Another TMPfile problem in updatedb script
Description:updatedb creates a tmp file in /tmp, moves it to /var/lib/locatedb, then chowns it to root. The race condition is clear.
Author:Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
Compromise: root (local)
Vulnerable Systems:RedHat 5.0, perhaps other systems such as FreeBSD using updatedb.
Date:6 March 1998
Exploit & full info:Available here


info2www CGI hole
Description:Another dumb CGI blindly using the (magical) perl open()
Author:Niall Smart <njs3@DOC.IC.AC.UK>
Compromise:execute arbitrary commands as web server's UID (remote)
Vulnerable Systems:Those running a vulnerable version of the info2www CGI
Date:3 March 1998
Exploit & full info:Available here


X11Amp playlist bug
Description:When installed SUID root (as suggested in the README), X11Amp creates ~/.x11amp insecurely with root privs. Oops! There are very likely to be many more security bugs in X11Amp. The performance hit of making it suid is probably not worth the security risk (IMHO).
Author:viinikala <kala@DRAGON.CZ>
Compromise: root (local)
Vulnerable Systems:Those running a vulnerable version of X11Amp (.65 and prior) suid. Mostly Linux boxes.
Date:28 February 1998
Exploit & full info:Available here


updatedb on Redhat
Description:RedHat Linux updatedb/sort insecure tmpfiles
Author:viinikala <kala@DRAGON.CZ>
Compromise:become user 'nobody' via updatedb (or root on a really old distro of RedHat) (local)
Vulnerable Systems:Redhat Linux (presumably 5.0) is very vulnerable due to updatedb calling sort regularly, many other systems (such as Solaris) have an insecure sort. Also FreeBSD 2.2.2 is apparently vulnerable to the same updatedb problem.
Date:28 February 1998
Notes:Dave Goldsmith may have found this first, although I cannot currently access his website for more info.
Exploit & full info:Available here


4.4BSD mmap() vulnerability
Description:A 4.4BSD problem allows a read-only descriptor to a char device to be mmap()ed in RW mode. This can allow group kmem to become root and root to lower the system secure-level.
Author:Theo de Raadt and Chuck Cranor
Compromise:User kmem-> root ->modify secure-level->delete audit trail and load evil kernel mods.
Vulnerable Systems:OpenBSD 2.2 and below, FreeBSD 2.2.5 and below, BSDI 3.0 and NetBSD.
Date:26 February 1998
Notes:This is an excellent advisory, I wish other groups and people would use a full-disclosure, detailed, and well organized format like this.
Exploit & full info:Available here


ZIP disk password recovery
Description:ZIP disk passwords provide very little security. Here is a way to bypass their silly little "passwords". If you wish to secure your data, ENCRYPT IT!
Author:<mentzy@ath.forthnet.gr>
Compromise:Full access to password-protected Iomega ZIP disks.
Vulnerable Systems:People relying on the password protect feature of the ZIP drive.
Date:26 February 1998
Exploit & full info:Available here


Various gaping security holes in QuakeII (and Quake I and QuakeWorld and Quake Client).
Description:These games by ID software are absolutely riddled with glaring security holes and no one should even CONSIDER running them (or any other game for that matter) on a machine that is supposed to be secure. I have stuffed a bunch of quake exploits in this one section although there is one Quake II server hole I will treat separately later.
Author:kevingeo@CRUZIO.COM and others
Compromise: root (remote)
Vulnerable Systems:Those running pretty much any version of quake by id software, the client or server. Quake runs on many Linux boxes as well as Win95/NT.
Date:25 February 1998
Exploit & full info:Available here


Squid access control problem
Description:The squid http proxy allows an administrator to specify banned sites. Unfortunately, users can get around this by using URL hex escapes or specifying an IP address.
Author:"Vitaly V. Fedrushkov" <willy@CSU.AC.RU> and Mauro Lacy <mauro@INTER-SOFT.COM>
Compromise:Bypass some squid access restrictions.
Vulnerable Systems:Those relying on squid access restrictions to keep students, employees, etc. from undesirable sites.
Date:23 February 1998
Exploit & full info:Available here


Solaris /usr/dt/bin/dtappgather symlink problem.
Description:Standard symlink problem allows arbitrary files to be chowned to the attacker's UID.
Author:Mastoras <mastoras@PAPARI.HACK.GR>
Compromise: root (local)
Vulnerable Systems:Solaris 2.5, 2.5.1 running CDE version 1.0.2 with suid /usr/dt/bin/dtappgather
Date:23 February 1998
Exploit & full info:Available here


Foolproof stores cleartext passwords in memory
Description:Foolproof security can be completely subverted by using a memory dumper/editor and finding the password sitting there in plaintext right after the string FOOLPROO. Of course, I have never seen a system that CAN secure Win95. The true solution is to upgrade to a decent OS that doesn't allow unprivileged users full access to the disk/memory/etc. I humbly suggest Linux, FreeBSD, OpenBSD, or Solaris.
Author:Mark M Marko <john__wayne@JUNO.COM>
Compromise:Break into Win95 machines protected by Foolproof.
Vulnerable Systems:Anyone relying on Foolproof for security on systems where users can manage to execute arbitrary commands (very difficult to prevent).
Date:21 February 1998
Exploit & full info:Available here


Named Pipe attack
Description:This is not really an "exploit" per se, but just a note about the possibility of exploiting programs that open files insecurely. The usual attack is something like 'ln -s /etc/passwd /tmp/prog.lock'. Solar Designer's excellent symlink kernel patch stops most of that nonsense. Here the attack uses named pipes to modify the data in the file and feed it back to the app.
Author:Michał Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
Compromise:Exploit potential for some insecure file opens and reads (such as gcc 2.7.2)
Vulnerable Systems:general UNIX feature
Date:20 February 1998
Exploit & full info:Available here


Radius spaces-in-password DOS attack.
Description:A number of Radius implementations will crash if the right number of spaces are appended to a username.
Author:"Phillip R. Jaenke" <prj@NLS.NET>
Compromise:Stupid DOS attack
Vulnerable Systems:Several UNIX and NT radius implementations including Livingston 1.16 to 2.01, RadiusNT v2.x, and merit radius 2.4.23C
Date:20 February 1998
Exploit & full info:Available here


NT Login DOS
Description:Uh-Oh! NT isn't correctly checking its input. By sending an SMB logon request with an incorrect data length field you can blue screen the NT box.
Author:"Secure Networks Inc." <sni@SECURENETWORKS.COM>
Compromise:Yet another NT DOS attack
Vulnerable Systems:Windows NT 4.0 up to and including Service Pack 3
Date:14 February 1998
Notes:It shouldn't be hard to write a quick exploit for this. Any volunteers? Just hack SAMBA login request code and experiment with different data lengths. If you do write one, please mail it to me (fyodor@insecure.org).
Exploit & full info:Available here


Wingate telnet redirection
Description:A somewhat common technique for attackers is to install "telnet redirectors" on a system they have compromised. This allows them to telnet to the redirector and then telnet out from there anonymously, masking their true point of origin. These attackers no longer need to bother with penetrating systems, as Wingate includes anonymous telnet redirection as a feature enabled by default! Just telnet to port 1080 or 23 and then telnet right back out to wreak havoc on the internet. And don't worry, it doesn't (by default) log anything! <sigh>
Author:Alans other account <alanb@MANAWATU.GEN.NZ>
Compromise:Intruders can mask their true point of origin by going through Wingate
Vulnerable Systems:Windows boxes running Wingate
Date:11 February 1998
Notes:Many thanks to Dairo Bel <dairo@akrata.org> for translating his Spanish article on Wingate and sending it in! Also note that you can use nmap, a network portscanner I wrote, to locate hosts on your network that are running Wingate.
Exploit & full info:Available here


Windows share passwords are right there in the registry and poorly encrypted
Description:Share encryption is by a simple XOR and the passwords are stored in registry entries such as SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\Parm1enc .
Author:a42n8k9@redrose.net
Compromise:With local access to a windoze box you can determine the read-only and full access passwords to the file system/printer/etc. Also these passwords might be the same as for more important access (i.e. to company servers).
Vulnerable Systems:Windoze 95, NT
Date:9 February 1998
Exploit & full info:Available here


Poor authentication used with NT domain controllers for authenticating SMB requests.
Description:There are a number of problems with the way NT implements authentication of clients accessing an smb fileshare.
Author:Paul Ashton <paul@ARGO.DEMON.CO.UK>
Compromise:Learn a user's password, and cause other mischief
Vulnerable Systems:Windows NT 4.0 and 3.51
Date:6 February 1998
Notes:This probably won't be fixed anytime soon.
Exploit & full info:Available here


NT port binding insecurity
Description:UNIX does not allow normal users to bind ports < 1024. NT apparently has no such concept of privileged ports. It even allows users to bind ports in use by the system and sniff or redirect data from them!!!
Author:Weld Pond <weld@L0PHT.COM>
Compromise:Obtain passwords, sniff information, change information before passing it to the real server, spoof UNIX r-services, etc.
Vulnerable Systems:Windows NT 3.51, 4.0
Date:6 February 1998
Notes:Appended to this message is an SMB redirector which allows local unprivileged users to redirect SMB traffic to a remote server so that the local server doesn't even see it. This obviously has quite severe implications.
Exploit & full info:Available here


Poor device permissions on Redhat 4.0/5.0
Description:Lax device perms on RedHat boxes allow unprivileged users to do nasty things such as peeking at the contents of a floppy in your drive or DOS attacks against the system.
Author:Smart List user <slist@cyber.com.au>
Compromise:Local users can read floppy device, be annoying
Vulnerable Systems:RedHat Linux 4.0 and 5.0
Date:4 February 1998
Exploit & full info:Available here


X11R6.3 Xkeyboard hole
Description:X11R6.3 based Xservers with the XKEYBOARD extension that are setuid can be exploited with the -xkbdir option
Author:Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz>
Compromise: root (local)
Vulnerable Systems:Those systems running a setuid X11R6.3-based Xserver with XKEYBOARD extension (R6.1 is also probably affected). The XFree86 servers that come with many Linux and *BSD distributions are a good example of this.
Date:3 February 1998
Exploit & full info:Available here


Coredump hole in imapd and ipop3d in slackware 3.4
Description:When fed an unknown username, imapd and ipop3d will dump core in Slackware 3.4. /etc/shadow can be found in the core file.
Author:Peter van Dijk <peter@ATTIC.VUURWERK.NL>
Compromise:Learn the contents of /etc/shadow (which would allow you to crack the passwords and break into other accounts)
Vulnerable Systems:Slackware Linux 3.4 and the imapd in 3.3, possibly others
Date:2 February 1998
Exploit & full info:Available here


Defeating Solar Designer's Non-executable Stack Patch
Description:A very interesting paper on defeating non-executable stack patches. It goes through the steps needed to exploit the XServer <LONGDISPLAY> hole in Linux even with a non-execute patch.
Author:Rafal Wojtczuk <nergal@ICM.EDU.PL>
Compromise: root (local)
Vulnerable Systems:This just shows (as Solar Designer is well aware) that in some cases the non-executable stack patch can be subverted via sneaky techniques.
Date:30 January 1998
Notes:Solar Designer's response is in the addendum.
Exploit & full info:Available here


Obtaining Domain Admins access on a LAN
Description:There are problems with the NT domain authentication protocol which allow anyone on a Domain to gain Domain access
Author:Paul Ashton <paul@ARGO.DEMON.CO.UK>
Compromise:Gain Domain Admin Access
Vulnerable Systems:NT 4.0
Date:28 January 1998
Exploit & full info:Available here


Htmlscript file access bug
Description:Another stupid .. bug.
Author:Dennis Moore <rainking@FEEDING.FRENZY.COM>
Compromise:read any file the web server can read on the remote system.
Vulnerable Systems:Those running htmlscript (distributed by www.htmlscript.com)
Date:26 January 1998
Exploit & full info:Available here


Quake2 shared library nonsense
Description:Heh, quake2 is suid root and loads shared libraries from the working directory. This exploit overloads _init.
Author:kevingeo@CRUZIO.COM
Compromise: root (local)
Vulnerable Systems:Those running a vulnerable version of QuakeII
Date:26 January 1998
Exploit & full info:Available here


Microsoft private key recovery
Description:There are a number of flaws in the way Microsoft stores private keys.
Author:Peter Gutmann, pgut001@cs.auckland.ac.nz
Compromise:Obtain a user's private keys, which can allow you to intercept their email, digitally sign contracts and agreements (in their name), etc.
Vulnerable Systems:Windoze NT and Win95
Date:25 January 1998
Notes:This paper is from Peter Gutmann's web site and can be found at: <http://www.cs.auckland.ac.nz/~pgut001/pubs/breakms.txt>
Exploit & full info:Available here


OpenBSD mkfifo DOS attack
Description:You can run the *BSD kernel out of non-pageable memory by making a fifo (via mkfifo) and forking a bunch of processes trying to cat it.
Author:Jason Downs <downsj@DOWNSJ.COM>
Compromise:Crash the system (stupid DOS attack)
Vulnerable Systems:OpenBSD, presumably NetBSD, FreeBSD, BSDI
Date:25 January 1998
Exploit & full info:Available here


Buffer overflow in the Yapp Conferencing System Version 2.2
Description:standard overflow
Author:satan <satan@FREENET.NETHER.NET>
Compromise:Run arbitrary commands as the uid yapp is running under (often 'yapp').
Vulnerable Systems:This exploit is for x86/Linux . Any other platform running Yapp should be vulnerable.
Date:20 January 1998
Exploit & full info:Available here


Lotus Domino database security problems
Description:Databases under this system do not correctly inherit ACLs, plus some default database ACLs are set to allow unrestricted access to all web users(!). Thus users can manipulate the files remotely.
Author:mattw <mattw@L0PHT.COM>
Compromise:manipulate server configuration files remotely
Vulnerable Systems:Those running vulnerable versions of Lotus Domino
Date:20 January 1998
Exploit & full info:Available here


ssh-agent RSA authentication problem
Description:SSH doesn't check permissions on credential files enough so that users can trick ssh into using the credentials of other users.
Author:"Secure Networks Inc." <sni@SECURENETWORKS.COM>
Compromise:Trick ssh into using the credentials of another user when you login to a remote server.
Vulnerable Systems:Those running ssh (setuid) on multiple-user systems where RSA authentication is being used.
Date:20 January 1998
Exploit & full info:Available here


Mail Handler 6.8.4 overflow
Description:standard overflow
Author:Cesar Tascon Alvarez <tascon@enete.gui.uva.es>
Compromise: root (local)
Vulnerable Systems:Those running Mail Handler 6.8.4 (and presumably earlier versions). Redhat 5.0 is affected.
Date:19 January 1998
Exploit & full info:Available here


Exploit for the gcc tempfile issue
Description:gcc 2.7.2.x (and earlier as far as I know) creates temporary files in /tmp which will follow symlinks and allows you to clobber the files of the person running gcc
Author:Michał Zalewski <lcamtuf@boss.staszic.waw.pl>
Compromise:Overwrite files owned by the user running gcc (possibly root )
Vulnerable Systems:Those running gcc 2.7.2.x; this includes most Linux and *BSD boxes. Many admins of Solaris boxes have also added gcc. This problem is finally fixed in gcc 2.8.0
Date:16 January 1998
Notes:This has been mentioned before on Bugtraq but this is the first actual exploit I've seen.
Exploit & full info:Available here


Overflow in MS PWS
Description:typical buffer overflow
Author:Gurney Halleck <gurneyh@ix.netcom.com>
Compromise:Crash the personal web server (it may also be possible to execute arbitrary code remotely)
Vulnerable Systems:Those running MS Personal Web Server (pws32/2.0.2.1112), it is apparently packaged with FrontPage 97.
Date:15 January 1998
Exploit & full info:Available here


DOS against realvideoserver by Progressive Networks
Description:Another DOS attack
Author:Rootshell
Compromise:remotely crash Progressive Networks Real Video Server
Vulnerable Systems:those running Progressive Networks Real Video Server. This includes the Linux version and the NT version
Date:15 January 1998
Exploit & full info:Available here


mk: URL overflow in Internet Explorer 4.0
Description:Another Internet Explorer overflow, this time in the mk: URL type
Author:DilDog <dildog@L0PHT.COM>
Compromise:run arbitrary code on the machines of IE users who visit your page
Vulnerable Systems:Microsoft Internet Explorer 4.0 and 4.01, Outlook Express, Windows Explorer (it is an explorer library problem)
Date:14 January 1998
Exploit & full info:Available here


inode count integer overflow in Linux kernel
Description:Member i_count in struct inode of the Linux kernel is an unsigned short, which can be overflowed by mapping one file more than 65535 times.
Author:<Jan.Kotas@acm.org>
Compromise: root (local)
Vulnerable Systems:Linux, probably versions up to 2.0.31 (or so)
Date:14 January 1998
Exploit & full info:Available here


DOS attack on backoffice viewcode.asp
Description:You can leave a host running backoffice in a state of not accepting connections by using http://server.com/whetever/viewcode.asp?source=/////////////////<lots more slashes>///
Author:Anonymous
Compromise:DOS attack against web server
Vulnerable Systems:Those running Microsoft Backoffice with viewcode.asp available
Date:14 January 1998
Exploit & full info:Available here


Xserver overflow in the display command-line argument
Description:typical overflow, although this one affects a lot of people.
Author:Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz>
Compromise: root (local)
Vulnerable Systems:X11R6 (possibly X11R5) based X servers. This includes XFree86. The servers have to be suid, of course (some systems use XDM and have a non-suid server)
Date:13 January 1998
Exploit & full info:Available here


Buffer overflow in the 'deliver' mail delivery program
Description:standard overflow
Author:"KSR[T]" <ksrt@DEC.NET>
Compromise: root (local)
Vulnerable Systems:Slackware 2.x, Debian 1.3.1, possibly other Linux distributions. Basically anything running deliver version 2.0.12 and below.
Date:12 January 1998
Exploit & full info:Available here


Sendmail 8.8.8 HELO problem
Description:By specifying a very long hostname in the HELO command at the beginning of SMTP negotiation, you can cause your real hostname and IP to not be displayed in the Received: header field. This leaves potential for mischief by mail forgers and (unfortunately) spammers.
Author:Michał Zalewski <lcamtuf@boss.staszic.waw.pl>
Compromise:Send forged mail without your IP appearing in the message headers.
Vulnerable Systems:Those running Sendmail 8.8.8 and probably earlier.
Date:12 January 1998
Exploit & full info:Available here


A problem in Amanda backup software V. 2.3.0.4
Description:According to this advisory (which I haven't verified), attackers can remotely access backed up data on an index server. Also attackers with local access to a machine being backed up can access any other machine or any partition being backed up.
Author:joey@CORINNE.CPIO.ORG
Compromise:unauthorized access to index servers and partition data
Vulnerable Systems:Those running Amanda version 2.3.0.4 (probably earlier as well).
Date:10 January 1998
Exploit & full info:Available here


Buffer overflow in the cidentd authlie file
Description:typical overflow
Author:Jackal <jackal@HACK.GR>
Compromise:run arbitrary code as the UID running cidentd (probably user nobody) (local)
Vulnerable Systems:Those running cidentd with ~/.authlie enabled
Date:10 January 1998
Exploit & full info:Available here


Microsoft FrontPage server extensions file permissions problems
Description:Abhorrent permissions are required for some files related to the Microsoft FrontPage server extensions. For example _vti_pvt is a 775 directory which contains mode 664 service.pwd that contains the crypt()ed passwords for users.
Author:Dave Pifke <dave@VICTIM.COM>
Compromise:Not only can local users find out (or sometimes change) the passwords used for web accounts, but determining these passwords may lead to compromise of more important accounts that may use the same passwords.
Vulnerable Systems:Those running Microsoft FrontPage server extensions 3.0.2.1117 under UNIX
Date:9 January 1998
Exploit & full info:Available here


routed trace file exploit
Description:routed has the ability to have trace mode turned on remotely using any arbitrary filename. Thus you can append stuff to arbitrary files remotely.
Author:Rootshell
Compromise:You should be able to leverage this to root remote access.
Vulnerable Systems:Redhat linux; IRIX 5.2-5.3-6.2 is vulnerable, NetBSD 1.2 is vulnerable.
Date:8 January 1998
Exploit & full info:Available here


NT/Win95 8.3 webserver exploit
Description:By default, when a file like "verylongname.html" is created, Windows also creates an 8.3 equivalent ("verylo~1.htm" for example). Unfortunately, when people use Win* webservers to restrict access to long directories and files, the webservers often don't check access on the 8.3 equivalents. So people can grab stuff using the 8.3 names.
Author:Marc Slemko <marcs@ZNEP.COM>
Compromise:Obtain restricted files from NT/Win95 web servers
Vulnerable Systems:IIS 4.0, Netscape Enterprise 3.0x, probably others. Probably ftp servers and so forth too.
Date:8 January 1998
Exploit & full info:Available here


Netware NFS compromise
Description:A flaw in the way NetWare-NFS mode 1 and 2 maps the "Read Only" flag to UNIX allows a root compromise on systems which mount user-writable volumes exported via NetWare NFS
Author:"Andrew J. Anderson" <andrew@DB.ERAU.EDU>
Compromise: root (local)
Vulnerable Systems:Those mounting user-writable volumes exported via NetWare NFS
Date:8 January 1998
Exploit & full info:Available here


Screen cloaking 'feature'
Description:Versions of the popular program 'screen' allow users to cloak themselves out of wtmp/utmp and appear to not be logged on.
Author:Taz <taz@webmaster.com>
Compromise:Cloak yourself from finger/wtmp/utmp etc. using screen
Vulnerable Systems:Those running screen 3.7.4 and probably earlier, maybe later
Date:7 January 1998
Notes:I consider it a good thing when people send me bugs. Also, note that you can effect the same sort of thing as this by running 'xterm -ut' and then logging off
Exploit & full info:Available here


Holes in Apache prior to 1.2.5
Description:The fine folks who work on the Apache web server team kindly advised us of these holes in older versions of Apache. They are fixed in 1.2.5. The most important are probably the cfg_getline() overflow, which allows local users to run arbitrary commands with the UID of the webserver, and the '//////////' hole, which allows people to remotely effect a DOS attack on a server by giving a URL with more than 7500 forward slashes in the filename.
Author:Marc Slemko <marcs@ZNEP.COM>
Compromise:local users can run arbitrary commands with the UID of the webserver, remote DOS attack (slows the server to a crawl)
Vulnerable Systems:Those running Apache versions prior to 1.2.5
Date:6 January 1998
Exploit & full info:Available here


The "Bonk" NT/Win95 fragmentation attack
Description:In an attack that is basically the reverse of the teardrop attack, Windows machines that are patched for teardrop can be crashed.
Author:bendi
Compromise:crash Windoze machines remotely
Vulnerable Systems:Windows 95, Windows NT
Date:5 January 1998
Exploit & full info:Available here


ccdconfig sgid kmem BSD exploit
Description:ccdconfig is sgid kmem and can be exploited to read /dev/mem . It shouldn't be too tough to leverage this into root access.
Author:Niall Smart <rotel@INDIGO.IE>
Compromise: root (local)
Vulnerable Systems:NetBSD, FreeBSD, older versions of OpenBSD
Date:31 December 1997
Exploit & full info:Available here


AIX mount vulnerability
Description:AIX mount has a serious problem that allows people to mount any filesystem on top of any writeable space.
Author:"S. Ryan Quick" <ryan@PHAEDO.COM>
Compromise:Mount filesystems on top of any writeable space (this could allow you to clobber files, among other things).
Vulnerable Systems:AIX 4.1.3, 4.1.4, 4.2.0, 4.2.1
Date:28 December 1997
Exploit & full info:Available here


DOS attack on XTACACS servers
Description:You can crash these servers by sending ICMP unreachable messages to them.
Author:Coaxial Karma <c_karma@HOTMAIL.COM>
Compromise:remotely crash vulnerable XTACACS servers.
Vulnerable Systems:some XTACACS servers
Date:23 December 1997
Exploit & full info:Available here


Vsyslog overflow in Linux libc 5.4.38
Description:Standard overflow (although it is pretty sad to see these things in syslog ...)
Author:Posted by Solar Designer <solar@FALSE.COM>
Compromise: root (local)
Vulnerable Systems:Slackware 3.1, Redhat 4.2, possibly other Linux boxes
Date:21 December 1997
Exploit & full info:Available here


MIRC worm bug
Description:There is a bug in MIRC (a Windoze IRC client) which allows people to send an arbitrary script.irc to MIRC users. This allows arbitrary MIRC scripting commands to be interpreted.
Author:Unknown
Compromise:Windows IRC users can be harassed and their files can be snatched and/or deleted.
Vulnerable Systems:Windows versions running MIRC prior to 5.3
Date:18 December 1997
Exploit & full info:Available here


Overflow in Livingston RADIUS 1.16 and derived code
Description:There is a buffer overflow in the handling of buffers related to inverse IP lookup in RADIUS 1.16 and derived code (including Ascend RADIUS)
Author:"Secure Networks Inc." <sni@SECURENETWORKS.COM>
Compromise: root (remote)
Vulnerable Systems:Those running RADIUS server software derived from Livingston RADIUS 1.x
Date:17 December 1997
Exploit & full info:Available here


EWS (Excite for Web Servers) CGI hole
Description:A classic CGI mistake: EWS launches a shell with query results. They change spaces to $ and somehow think this solves the problem ;)
Author:Marc Merlin <marc_merlin@MAGIC.METAWIRE.COM>
Compromise:run arbitrary commands as the processid that runs the webserver (remote)
Vulnerable Systems:Those running EWS 1.1 on both UNIX and NT
Date:17 December 1997
Exploit & full info:Available here


WordPerfect 7 filepermission problems
Description:Apparently WordPerfect 7 has serious problems with regard to permissions on the files it creates in users directories. It will also follow symlinks when creating them.
Author:Hans Petter Bieker <hanspb@PERSBRATEN.VGS.NO>
Compromise:break into a user's account or clobber their files (user could potentially be root )
Vulnerable Systems:Linux boxes running WordPerfect 7 (possibly other *NIXes)
Date:15 December 1997
Exploit & full info:Available here


ICQ so-called protocol
Description:The ICQ protocol is ridiculously simplistic and is riddled with security holes. So is the ICQ software. So ICQ users can be spoofed, have their machine crashed, or have evil haxxors run arbitrary code on their boxes. Geez, these poor users might as well run Internet Explorer!
Author:Alan Cox <alan@CYMRU.NET>
Compromise:Spoof, Crash, or exploit the buffer overflow to run arbitrary code
Vulnerable Systems:Mostly Windows boxes where the user is running ICQ
Date:14 December 1997
Exploit & full info:Available here


Sun ^D DOS attack
Description:By connecting to the telnet port of a Solaris 2.5.1 box, sending some bogus telnet negotiation option and then flooding the channel with ^D, you can (temporarily) slow the machine to a near halt.
Author:Jason Zapman II <zapman@CC.GATECH.EDU>
Compromise:remote DOS attack
Vulnerable Systems:Solaris 2.5.1, 2.6
Date:13 December 1997
Notes:I appended a better version after the first (the second forks extra processes to increase the flood). I also appended an NT port.
Exploit & full info:Available here


gethostbyname() overflow in glibc
Description:Overflow in glibc gethostbyname() allows overflows in ping, rsh, traceroute, etc.
Author:Wilton Wong - ListMail <listmail@NOVA.BLACKSTAR.NET>
Compromise: root (local)
Vulnerable Systems:Redhat 5, presumably others with glibc (GNU HURD?)
Date:13 December 1997
Exploit & full info:Available here


Cisco password overflow
Description:Cisco 76x routers reboot when you telnet to them and feed a very long password.
Author:Laslo Orto <Laslo@CPOL.COM>
Compromise:Reboot the Cisco router
Vulnerable Systems:Cisco 76x series of routers.
Date:11 December 1997
Exploit & full info:Available here


Firewall1 smtpd open access vulnerability
Description:By default, Firewall-1 allows anyone to obtain confidential operation and statistical info from its SNMP daemon.
Author:"Secure Networks Inc." <sni@SECURENETWORKS.COM>
Compromise:The information could help an attacker bypass the firewall as well as giving private network statistical information.
Vulnerable Systems:Those running a vulnerable version of Checkpoint Firewall-1
Date:9 December 1997
Exploit & full info:Available here


Dillon crontab 2.2 overflow
Description:standard overflow
Author:"KSR[T]" <ksrt@DEC.NET>
Compromise: root (local)
Vulnerable Systems:Slackware Linux 3.4, other systems that run dillon crontab / crond ( dcron 2.2 )
Date:9 December 1997
Exploit & full info:Available here


mIRC crash via new socket feature
Description:A problem with the way mIRC handles bound sockets allows mean people to crash the mIRC clients of poor, defenseless Windows users.
Author:Derek Reynolds <startnet@NATION.ORG>
Compromise:Crash an mIRC user and make their Windows run even slower than usual
Vulnerable Systems:Those running mIRC 5.3 under Windows
Date:7 December 1997
Exploit & full info:Available here


Overflow in cgiwrap-3.5 and 3.6beta1
Description:Standard overflow
Author:Duncan Simpson <dps@IO.STARGATE.CO.UK>
Compromise:Run arbitrary commands with the UID of the webserver process owner
Vulnerable Systems:Those running vulnerable versions of cgiwrap
Date:7 December 1997
Exploit & full info:Available here


Xscreensaver problem
Description:Apparently if you type more than 80 characters into an xscreensaver password window it will die and you will gain access to the desktop. Also note that with XFree86 you can often use CNTRL-SHIFT-BACKSPACE to simply kill the server (and whatever X program is locking it).
Author:Kim San Su <shanx@comp67.snu.ac.kr>
Compromise:Bypass xscreensaver password security
Vulnerable Systems:Those where people run a vulnerable version of xscreensaver to lock their X-Windows sessions.
Date:2 December 1997
Exploit & full info:Available here


Long filesystem paths
Description:One thing you can do to be highly annoying is create very long directory paths. These cause *major* problems to many system utilities. This post provides useful one-liners for the purpose.
Author:Zack Weinberg <zack@RABI.PHYS.COLUMBIA.EDU>
Compromise:Annoying DOS
Vulnerable Systems:Those that allow very long directory paths. I just created one 10002 directories deep on my Linux box (I stopped it, it could have gone further). Fortunately Microsoft OS users don't have this problem due to small filesystem depth restrictions ;)
Date:2 December 1997
Exploit & full info:Available here


Sendmail file-as-username problem
Description:A quirk in Sendmail that could potentially be exploited is that usernames like '/etc/passwd' get written into the file of the same name when mail is received for them. This could be a problem on systems where users can specify their username without sysadmin intervention.
Author:Duck Vader <tiepilot@THEPOND.THEPOND.ML.ORG>
Compromise:Could potentially lead to root access
Vulnerable Systems:Mostly just BBSes or whatever systems allow users to specify a username and then create an /etc/passwd entry for them.
Date:2 December 1997
Exploit & full info:Available here


BSD Termcap overflow
Description:This program creates a malicious termcap file which can cede root access.
Author:Bug originally discovered by Theo de Raadt <deraadt@CVS.OPENBSD.ORG>; exploit written by Joseph_K on 22-Oct-1997
Compromise:Theoretically this may allow you to become root remotely. You can definitely become root locally.
Vulnerable Systems:BSDI, probably FreeBSD/NetBSD/OpenBSD prior to October 1997
Date:1 December 1997
Exploit & full info:Available here


Xyplex terminal login problems
Description:Apparently you can get into some Xyplex terminals by entering ^Z or '?' at the login prompt.
Author:Aleksandr Pilosov <apilos01@UTOPIA.POLY.EDU>
Compromise:Obtain unauthorized access to Xyplex terminals.
Vulnerable Systems:Xyplex terminals
Date:1 December 1997
Notes:Another problem with these terminals, this time with regard to their interaction with scripts is in the addendum.
Exploit & full info:Available here


Solaris 2.5.1 automound hole
Description:standard popen() hole
Author:Anonymous
Compromise: root (local)
Vulnerable Systems:Solaris 2.5.1 without patch 10465[45] applied
Date:26 November 1997
Exploit & full info:Available here


Common XDM and CDE insecurity
Description:Many implementations of these allow any host XDMCP connection access. This can allow people to effectively login remotely even if they are denied telnet (etc.) access through the /etc/hosts.deny of TCP wrappers. Also failed attempts are often not logged, so this is useful for brute force password guessing.
Author:Eric Augustus <augustus@stic.net>
Compromise:Brute force password guessing, bypassing tcp wrappers
Vulnerable Systems:Those running vulnerable implementations of XDM or CDE and those with poor access configuration files.
Date:26 November 1997
Exploit & full info:Available here


NT RAS Point to Point Tunneling Protocol hole
Description:You can crash NT boxes running RAS PPTP by sending a pptp start session request with an invalid packet length specified in the header.
Author:Kevin Wormington <kworm@SOFNET.COM>
Compromise:crash NT machines remotely
Vulnerable Systems:Windows NT 4.0 with RAS PPTP running
Date:26 November 1997
Exploit & full info:Available here


Solaris Statd exploit
Description:Solaris 2.5.1 x86 remote overflow for statd. There is apparently an earlier patch which doesn't fix the problem.
Author:Anonymous
Compromise: root (remote)
Vulnerable Systems:Solaris 2.5.1 x86 is what this exploit is written for. According to a later CERT advisory, vulnerable systems include Digital UNIX (4.0 through 4.0c), AIX 3.2 and 4.1, Solaris 2.5, 2.51 and SunOS 4.1.* for both X86 and SPARC
Date:24 November 1997
Exploit & full info:Available here


XFree86 (and apparently other X11R6 XC/TOG derived servers) -config insecurity
Description:XFree86 is setuid root in many cases and takes a -config option to use a different config file. Unfortunately it doesn't check permissions on this file so you can (for example) read the first line of /etc/shadow (printed in the warning message)
Author:plaguez <dube0866@eurobretagne.fr>
Compromise:Read files that you shouldn't have permissions for
Vulnerable Systems:Those with a suid root XFree86 X server as well as some other X servers. This affects many Linux (and probably FreeBSD/OpenBSD) boxes.
Date:21 November 1997
Exploit & full info:Available here


The LAND attack (IP DOS)
Description:Sending a packet to a machine with the source host/port the same as the destination host/port crashes a lot of boxes.
Author:m3lt <meltman@LAGGED.NET>
Compromise:Remote DOS attack (reboots many systems)
Vulnerable Systems:Windows95, Windows NT 4.0, WfWG 3.11, FreeBSD
Date:20 November 1997
Exploit & full info:Available here


Symlink problems with fstab and advfsd in OSF1
Description:These programs create /tmp files that will follow symlinks and clobber system files
Author:Efrain Torres Mejia <etorres@POLLUX.JAVERIANA.EDU.CO>
Compromise: root (local)
Vulnerable Systems:Digital Unix OSF1 V4.0
Date:18 November 1997
Exploit & full info:Available here


Kernel Buffer Overflow in the ISDN subsystem
Description:When dialing, the old Linux ISDN drivers copied everything after ATD into a 40 char stack buffer (!).
Author:Andi Kleen <ak@muc.de>
Compromise: root (local)
Vulnerable Systems:Linux 2.0.31, perhaps earlier.
Date:16 November 1997
Exploit & full info:Available here


Core file problem with Digital Unix 4.0
Description:With dbx you can cause suid root programs to core dump and clobber system files
Author:John McDonald <jmcdonal@osprey.unf.edu>
Compromise: root (local)
Vulnerable Systems:Digital Unix 4.0 and 4.0B
Date:16 November 1997
Notes:I wish more people would send me their exploits like John did ... this way I'm less likely to miss them.
Exploit & full info:Available here


Terminal hijacking via pppd
Description:pppd offers read/write access to any tty. This allows a man in the middle attack for trojan terminals as well as other mischief. Also it allows users to freely dial out with the modem (often not a good idea).
Author:David Neil <theoe@EUROPA.COM>
Compromise:Hijack terminals, dial arbitrary numbers with the modem, other mischief.
Vulnerable Systems:Those running pppd. Many Linux boxes, perhaps some BSD, Solaris.
Date:15 November 1997
Exploit & full info:Available here


Linux and Windows IP fragmentation (Teardrop) bug
Description:Win* and Linux deal with overlapping IP fragments in an incorrect manner which allows the systems to be crashed remotely.
Author:Apparently datagram in flip.c
Compromise:Remote DOS attack
Vulnerable Systems:Windows NT 4.0, Win95 , Linux up to 2.0.32
Date:15 November 1997
Notes:I also included a program called "syndrop" which is a modified version of teardrop (exploits an M$ SYN sequence bug).
Exploit & full info:Available here


Redhat 4.2 X11 /tmp/.X11-unix permissions problem
Description:Any local user can destroy X service by moving (or deleting) the UNIX domain socket redhat puts in /tmp/.X11-unix/X0 . Redhat apparently forgot the sticky bit. I think this works in Redhat 4.0 too.
Author:Carlo Wood <carlo@RUNAWAY.XS4ALL.NL>
Compromise:Screw up X (local)
Vulnerable Systems:Those running the Redhat 4.2 and 4.0 Linux distributions.
Date:14 November 1997
Exploit & full info:Available here


Overflow in suidperl 5.003
Description:Overflow (via sprintf()) in the mess() function in suidperl
Author:Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz>
Compromise: root (local)
Vulnerable Systems:Those running suid-perl 5.003; this includes many Linux, *BSD, Solaris and UNIX boxes in general.
Date:13 November 1997
Exploit & full info:Available here


Digital Unix xterm overflow
Description:Patch kit 5 includes a replacement xterm which can be forced to dump core and clobber system files. A buffer overflow may also exist.
Author:Tom Leffingwell <tom@sba.miami.edu>
Compromise: root (local)
Vulnerable Systems:Digital Unix 4.0B *with* patch kit 5
Date:12 November 1997
Exploit & full info:Available here


Slackware lizards suid-root problem
Description:The lizards game is NOT intended to be suid root, but Slackware 3.4 installs it that way anyway. Since the game runs things like system("clear"), a local user can put a trojan "clear" first in PATH and have it executed as root.
Author:SUID <suid@BOMBER.STEALTH.COM.AU>
Compromise: root (local)
Vulnerable Systems:Linux boxes using the Slackware 3.4 (earlier?) distributions.
Date:12 November 1997
Exploit & full info:Available here


Security Dynamics FTP server core problem
Description:It is possible to make this server dump core while logging in via ftp. The core file clobbers whatever it lands on and also contains crypt(3)ed passwords.
Author:sp00n <sp00n@COUPLER.300BAUD.COM>
Compromise: root (local)
Vulnerable Systems:Solaris 2.5 running Security Dynamics' FTP server (Version 2.2) perhaps other versions.
Date:12 November 1997
Exploit & full info:Available here


Core bug in the Security Dynamics ftp server
Description:typical core file bug
Author:sp00n <sp00n@COUPLER.300BAUD.COM>
Compromise: root (local)
Vulnerable Systems:Those running the Security Dynamics FTP server (Version 2.2). This is available at least for solaris boxes.
Date:12 November 1997
Exploit & full info:Available here


Cybercash 2.1.2 insecurities
Description:A number of insecurities in Cybercash
Author:Megan Alexander <malexander@COMMANDCOM.COM>
Compromise:Get credit card numbers, plaintext password registry settings, tons of fun stuff!
Vulnerable Systems:Windows95 and NT systems running Cybercash 2.1.2 or Verifone vPOS
Date:11 November 1997
Exploit & full info:Available here


Cisco password decryption
Description:Cisco IOS passwords stored with "service password-encryption" (shown as "password 7" in the config) are only obfuscated with a fixed XOR key and can be trivially decrypted. This isn't really the fault of Cisco as such, since the router itself needs to recover the plaintext; "enable secret" passwords are MD5 hashed and are not affected.
Author:Jared Mauch <jared@puck.nether.net>
Compromise:Obtain extra access to Cisco routers
Vulnerable Systems:Cisco routers
Date:11 November 1997
Exploit & full info:Available here
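
A decoder for those type 7 strings, as an added example in Python (not the code from the original post). The key string is the fixed constant IOS uses; the format is a two-digit decimal seed followed by hex bytes, each XORed with the key byte at (seed + position). The sample config and the values in it are constructed, not taken from a real device.

```python
import re

# The fixed XOR key Cisco IOS uses for type 7 obfuscation.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decrypt(encoded):
    """Decode a 'password 7' string: 2-digit decimal seed, then hex bytes XORed with XLAT."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"not a type 7 string: {encoded!r}")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encrypt(plain, seed=0):
    """Inverse of type7_decrypt; IOS picks a seed in 0..15 itself."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    body = bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(plain.encode("ascii")))
    return f"{seed:02d}{body.hex().upper()}"


# Lines that carry a type 7 value. 'enable secret 5 ...' is an MD5 hash and is
# deliberately not matched: it cannot be recovered this way.
TYPE7_LINE = re.compile(r"\b(?:password|key)\s+7\s+([0-9A-Fa-f]{4,})\b")


def harvest(config_text):
    """Decode every type 7 value in an IOS config, in order of appearance."""
    return [type7_decrypt(m.group(1)) for m in TYPE7_LINE.finditer(config_text)]


# Constructed sample config, not from a real device.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$XXXX$notrecoverablebyxor
username admin password 7 060506324F41
line vty 0 4
 password 7 0214544E1F031D
"""

if __name__ == "__main__":
    for secret in harvest(SAMPLE_CONFIG):
        print(secret)
```

The practical point for anyone reviewing a saved config: every "password 7" line is plaintext to whoever can read the file, so configs need the same handling as a password file, and accounts that matter should use "enable secret" rather than "enable password".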


Exchange & Outlook client extensions problem
Description:Anyone can register "extensions" to Exchange Client or Outlook which cause evil things to happen for various events. Typical idiotic Microsoft bug.
Author:Martin Stanek <stanek@DCS.FMPH.UNIBA.SK>
Compromise:Steal mail, cause users to run malicious code, etc.
Vulnerable Systems:Microsoft systems where multiple users run Outlook or Exchange client
Date:9 November 1997
Exploit & full info:Available here


Security hole in iCat Carbo Server 3.0
Description:Another pathetic hole, this one allows people to view any file on the web server (which the web server process owner can view)
Author:Mikael Johansson <Mikael.Johansson@ABC.SE>
Compromise:View files on remote web servers, maybe even filch credit card numbers!
Vulnerable Systems:Those running iCat Carbo Server (ISAPI, Release) Version 3.0.0
Date:8 November 1997
Exploit & full info:Available here


BRU (Backup and Recovery Utility) poor permissions
Description:This commercial UNIX backup program creates the /usr/local/lib/bru directory mode 777 (world-writable). The directory apparently contains sources, and anything root later builds or runs from there can be replaced by any local user. Enough said.
Author:Kyle Amon <amonk@GNUTEC.COM>
Compromise: root (local)
Vulnerable Systems:Any system running a vulnerable version of BRU (there is a Linux version, probably also Solaris and other *NIX).
Date:8 November 1997
Exploit & full info:Available here


Intel "f00f" Pentium bug
Description:A bug in the Intel Pentium (and Pentium MMX) chips allows a user-mode process to hang the machine by executing the invalid instruction encoding 0xf00fc7c8 (a lock-prefixed cmpxchg8b with a register operand). The CPU locks up while raising the invalid-opcode fault, so no OS privilege check gets a chance to stop it.
Author:Sent through an anonymous remailer
Compromise:Users who can run code on the system can totally freeze the system
Vulnerable Systems:Those running on a Pentium, including versions of Linux, DOS, WinNT, Win95, Solaris x86, etc.
Date:8 November 1997
Exploit & full info:Available here


Attachments to Office files not encrypted
Description:Not only is the "encryption" used for Microsoft Office applications hopelessly weak, but attachments are not encrypted at all.
Author:lustiger@att.com
Compromise:Read attachments to "encrypted" Office documents without having to spend 30 seconds decrypting them.
Vulnerable Systems:Microsoft Office 95 and 97
Date:7 November 1997
Exploit & full info:Available here


Kerberos $KRBTKFILE hole
Description:the rsh, rcp, and rlogin included in the kth-krb4 Kerberos package will blindly use any ticketfile given in $KRBTKFILE, even if it is owned by another user and unreadable by the current user!
Author:Mattias Amnefelt <mattiasa@stacken.kth.se> finally gave real information on the bug (thanks are due to him!). I don't know who discovered it originally.
Compromise:Use other people's ticket files (which are often stored in /tmp; just find one and set $KRBTKFILE appropriately).
Vulnerable Systems:Those running Kerberos kth-krb4.
Date:6 November 1997
Exploit & full info:Available here


Kerberos KRBTKFILE ticketfile vulnerability
Description:Suid root programs in the Kerberos 4 suite don't check permissions on $KRBTKFILE before using it for authentication.
Author:Mattias Amnefelt <mattiasa@stacken.kth.se>
Compromise:Spoof Kerberos authentication
Vulnerable Systems:Those running Kerberos 4 with rsh,rcp, or rlogin suid-root .
Date:6 November 1997
Exploit & full info:Available here
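
The check that both of the KRBTKFILE entries above say is missing, as an added example in Python (not code from kth-krb4 or from the original posts). A suid-root program that honours $KRBTKFILE has to verify that the file belongs to the real uid before trusting it; the example opens the file with O_NOFOLLOW and then checks ownership and mode with fstat() on the descriptor it actually opened, so the file cannot be swapped between the check and the use. demo() builds constructed ticket files in a temporary directory to show which ones pass.

```python
import os
import stat
import tempfile


def open_ticket_file(path, uid=None):
    """Open a Kerberos 4 ticket file only if it really belongs to the calling user.

    `uid` defaults to the real uid (os.getuid()), never the effective one,
    which is what matters inside a suid-root program. The file must be a
    regular file reached without following a symlink, owned by `uid`, and
    not group/world accessible. Returns an open fd; raises OSError otherwise.
    """
    uid = os.getuid() if uid is None else uid
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)   # symlink -> ELOOP on Linux/BSD
    fd = os.open(path, flags)
    try:
        st = os.fstat(fd)                                  # inspect what we opened, not the path
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != uid:
            raise PermissionError(f"{path}: owned by uid {st.st_uid}, not {uid}")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is group/world accessible")
    except BaseException:
        os.close(fd)
        raise
    return fd


def ticket_usable(path, uid=None):
    """Convenience wrapper: True if open_ticket_file() accepts the file."""
    try:
        os.close(open_ticket_file(path, uid))
        return True
    except OSError:
        return False


def demo():
    """Create constructed ticket files in a temp dir and report which pass the check."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "tkt_good")
        loose = os.path.join(d, "tkt_loose")
        link = os.path.join(d, "tkt_link")
        for p, mode in ((good, 0o600), (loose, 0o644)):
            with open(p, "w") as fh:
                fh.write("constructed ticket contents\n")
            os.chmod(p, mode)
        os.symlink(good, link)
        return {
            "own_0600": ticket_usable(good),
            "own_0644": ticket_usable(loose),
            "symlink_to_own": ticket_usable(link),
            "other_users_0600": ticket_usable(good, uid=os.getuid() + 1),
        }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18} {'accepted' if ok else 'rejected'}")
```

An lstat()-then-open() sequence would make the same decisions on a quiet system but can be raced by replacing the path between the two calls; checking the descriptor is what closes that window.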


ftp mget vulnerability
Description:If the nlist caused by a mget returns a file like /etc/passwd , most ftp clients seem to (try to) overwrite/create it without signaling anything wrong. You can also use files with names like "|sh" to execute arbitrary commands.
Author:I don't recall who found it first; in the appended post af@c4c.com gives an example of the bug using Linux Slackware
Compromise:Malicious ftp servers can compromise clients that use mget to download files
Vulnerable Systems:ftp clients on Linux, AIX, HP/UX, Solaris 2.6, and probably many other systems
Date:3 November 1997 was when this example was posted (the bug was found a while back)
Exploit & full info:Available here
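
What a client should do with the names a server returns before mget writes to them, as an added example in Python (not the code of any of the ftp clients the post names). It refuses exactly the cases the post describes, absolute paths such as /etc/passwd and names beginning with "|" that older clients hand to popen(), plus ".." components, leading "-" and control characters, and reports each refusal instead of silently writing. The NLST response it is run over is constructed.

```python
import os


class UnsafeRemoteName(ValueError):
    """A server-supplied filename the client must not use as-is."""


def local_name_for(remote_entry, dest_dir="."):
    """Validate one NLST entry before mget writes to it; return the normalised local name.

    Rejected: absolute paths, '..' components, a leading '|' (popen() command
    convention), a leading '-' (could be taken for an option by a helper
    program), backslashes, and control characters (terminal escape tricks).
    A final containment check guarantees the result stays under dest_dir.
    """
    name = remote_entry
    if not name or name != name.strip() or any(ord(c) < 0x20 or c == "\x7f" for c in name):
        raise UnsafeRemoteName(f"empty, padded or control characters: {remote_entry!r}")
    if name[0] in "|-":
        raise UnsafeRemoteName(f"pipe/option prefix: {remote_entry!r}")
    if name.startswith("/") or "\\" in name:
        raise UnsafeRemoteName(f"absolute path: {remote_entry!r}")
    if any(part == ".." for part in name.split("/")):
        raise UnsafeRemoteName(f"parent-directory traversal: {remote_entry!r}")
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise UnsafeRemoteName(f"escapes {dest_dir}: {remote_entry!r}")
    return os.path.normpath(name)


def mget_plan(listing, dest_dir="."):
    """Split an NLST response into names to fetch and (name, reason) pairs to refuse."""
    accept, refuse = [], []
    for entry in listing:
        try:
            accept.append(local_name_for(entry, dest_dir))
        except UnsafeRemoteName as why:
            refuse.append((entry, str(why)))
    return accept, refuse


# Constructed NLST response from a hostile server (not captured traffic).
HOSTILE_LISTING = [
    "README",
    "data/2019.log",
    "/etc/passwd",
    "|sh",
    "../.rhosts",
    "-rf",
    "ok\x1b[2Jhidden",
]

if __name__ == "__main__":
    accept, refuse = mget_plan(HOSTILE_LISTING)
    print("fetch:", accept)
    for entry, reason in refuse:
        print("refuse:", reason)
```

The containment check at the end is the one that matters if the filtering rules are ever loosened: whatever else is allowed through, the file the client writes must resolve to a path under the directory the user asked for.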


Micro$oft Internet Explorer 4 res:// overflow bug
Description:There is a standard buffer overflow in Microsoft's parsing of the new res:// URL protocol.
Author:DilDog <dildog@L0PHT.COM>
Compromise:Execute arbitrary code on the machines of Windows users who connect to your web pages.
Vulnerable Systems:Windows 95 boxes running IE 4.0
Date:1 November 1997
Exploit & full info:Available here


Security holes in Metamail
Description:Some metamail scripts (such as sun-audio-file) call inappropriate helper apps (like uudecode) which allow things like overwriting files on the system.
Author:Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
Compromise:Obtain access to the account running metamail.
Vulnerable Systems:Those running vulnerable versions of metamail (often Elm users). Redhat linux 4.x uses metamail in some cases.
Date:24 October 1997
Exploit & full info:Available here


BSD color_xterm xlib overflow
Description:Standard buffer overflow, I believe the root of this is in the X libraries
Author:Ladislav Bukvicka <Ladislav.Bukvicka@EUNET.CZ>
Compromise: root (local)
Vulnerable Systems:Many systems vulnerable, but this particular exploit is for BSD
Date:23 October 1997 is when this exploit was published, but the hole is well known.
Exploit & full info:Available here


BSDI exploit for color_xterm and kterm
Description:standard overflow
Author:Ladislav Bukvicka <Ladislav.Bukvicka@EUNET.CZ>
Compromise: root (local)
Vulnerable Systems:BSDI 2.1
Date:23 October 1997
Exploit & full info:Available here


AIX xdat overflow
Description:Typical buffer overflow, this time with $TZ in AIX's xdat program
Author:Unknown
Compromise: root (local)
Vulnerable Systems:AIX 4.1, 4.2
Date:22 October 1997
Exploit & full info:Available here


Gather all mailing list members through SMTP expn command
Description:Majordomo lists are usually plain sendmail aliases that :include: the subscriber file, so if the MTA still honours the SMTP EXPN command, "EXPN listname" returns every subscriber even when you have disabled commands like "who" in your majordomo (or other listserv) software. The fix is in the MTA, not majordomo: disable EXPN (in sendmail, PrivacyOptions=noexpn or goaway).
Author:"Christopher M. Conway" <cmconwa@SANDIA.GOV>
Compromise:unauthorized people can obtain subscriber lists.
Vulnerable Systems:Those running majordomo in a vulnerable fashion
Date:22 October 1997
Exploit & full info:Available here
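
The exchange itself, as an added example in Python (not code from the original post). expn() drives HELO/EXPN/QUIT over any pair of readline/writeline callables and parses multi-line 250 replies ("250-" continues, "250 " ends); expn_over_tcp() binds it to a real socket, and fake_sendmail() is a constructed transcript so the exchange can be run offline against a server that allows EXPN and one that refuses it. Host names and addresses are made up.

```python
import socket


def read_reply(readline):
    """Read one SMTP reply. 'NNN-text' lines continue it; 'NNN text' ends it."""
    lines = []
    while True:
        raw = readline()
        if not raw:
            raise ConnectionError("server closed the connection mid-reply")
        line = raw.rstrip("\r\n")
        code = int(line[:3])
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":
            return code, lines


def expn(readline, writeline, target, helo="probe.example.net"):
    """Run HELO/EXPN/QUIT; return (code, lines). With 250, each line is one expanded recipient."""
    code, _ = read_reply(readline)                      # banner
    if code != 220:
        return code, []
    writeline(f"HELO {helo}")
    read_reply(readline)
    writeline(f"EXPN {target}")
    code, lines = read_reply(readline)
    writeline("QUIT")
    read_reply(readline)
    return code, lines


def expn_over_tcp(host, target, port=25, timeout=10):
    """Same exchange over a real TCP connection (not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("r", encoding="latin-1", newline="\r\n")

        def writeline(cmd):
            sock.sendall((cmd + "\r\n").encode("latin-1"))

        return expn(rfile.readline, writeline, target)


def fake_sendmail(members, allow_expn=True):
    """Constructed transcript of a late-1990s sendmail where the list is an alias."""
    pending = ["220 mx.example.net ESMTP Sendmail 8.8.5 ready\r\n"]

    def readline():
        return pending.pop(0) if pending else ""

    def writeline(cmd):
        verb = cmd.split(None, 1)[0].upper()
        if verb == "HELO":
            pending.append("250 mx.example.net Hello probe, pleased to meet you\r\n")
        elif verb == "EXPN":
            if not allow_expn:
                pending.append("502 Sorry, we do not allow this operation\r\n")
            else:
                pending.extend(f"250-{m}\r\n" for m in members[:-1])
                pending.append(f"250 {members[-1]}\r\n")
        elif verb == "QUIT":
            pending.append("221 mx.example.net closing connection\r\n")

    return readline, writeline


MEMBERS = ["<alice@one.example>", "<bob@two.example>", "<carol@three.example>"]

if __name__ == "__main__":
    for allow in (True, False):
        rl, wl = fake_sendmail(MEMBERS, allow_expn=allow)
        print(expn(rl, wl, "somelist"))
```

Running expn_over_tcp() against your own MTA with a list name is the quickest way to find out whether the restriction you put in majordomo actually protects anything.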


in.telnetd tgetent buffer overflow
Description:By specifying an alternate terminal capability database with huge entries, you can overflow programs (like telnet, possibly xterm in some cases) which call tgetent() expecting a reasonable-length buffer.
Author:Secure Networks, INC
Compromise:In some cases, root (remote)
Vulnerable Systems:BSD/OS v2.1,Theo de R