Exploit world!

Master Index for ALL Exploits

Compiled by Fyodor fyodor@insecure.org
on Thu Jan 13 21:41:31 UTC 2000



3com/USR Total Control Chassis termserver problem
Description:The IP filtering on these servers doesn't appear to work for dial-in connections. Thus a user can dial in, get a "host:" prompt without authentication, and then type in any hostname on the Internet (or intranet) to connect to. To make matters worse, the system logs incorrectly say that the connection was denied, so the access is not only unauthorized but effectively unaudited.
Author:Jason Downs <downsj@DOWNSJ.COM>
Compromise:Unauthorized access to Internet/Intranet through the terminal server
Vulnerable Systems:Those running the Total Control (tm) NETServer Card V.34/ISDN with Frame Relay V3.7.24, perhaps other versions.
Date:11 May 1998
Exploit & full info:Available here


Bay networks unpassworded "User" account
Description:Unless the sysadmins change it (they should!), Bay Networks Access Node/Wellfleet routers have a "User" account for ftp/telnet access with no password. The Manager account also ships without a password, but that one is more likely to be changed.
Author:Marty Rigaletto <marty@SLACK.NET>
Compromise:Read valuable configuration information, edit routing tables, etc.
Vulnerable Systems:Networks using Bay Networks Access Node/Wellfleet routers that haven't changed the default passwords.
Date:10 May 1998
Notes:Many products come without passwords on the assumption that they will be changed. This isn't really Bay Networks' fault, although perhaps the "User" account isn't documented well enough.
Exploit & full info:Available here


AIX rmail hole
Description:IFS attack. AIX rmail apparently runs its helper command through system(), so a caller-controlled IFS lets the shell split the command string into attacker-chosen words and run a program of the attacker's choosing with rmail's group privileges.
Author:Unknown
Compromise:gid mail
Vulnerable Systems:AIX 3.2, perhaps earlier
Date:10 May 1998 (it is actually much older)
Notes:Thanks to the person who submitted this to me!
Exploit & full info:Available here


Motorola Cablerouter hole
Description:Motorola CableRouters listen on port 1024 regardless of IP access restrictions, for some reason. This hole in combination with the default login "cablecom" and password "router" can lead to easy unauthorized access.
Author:January <january@SPY.NET>
Compromise:unauthorized administrator access
Vulnerable Systems:Motorola CableRouters, especially those where the admin left the default passwords in place (always a horrible idea).
Date:10 May 1998
Notes:Cable modem users must connect from the Internet interface, not from the interface on their side of the router. Also, Motorola wrote me to say this has been fixed. They claim that all customers have upgraded to newer software.
Exploit & full info:Available here


Overflow in Vixie crontab
Description:standard overflow
Author:Dave G. wrote the exploit
Compromise: root (local)
Vulnerable Systems:Some RedHat distributions, the German distribution DLD 5.2, etc. Anyone running a vulnerable version of Vixie crontab suid root.
Date:10 May 1998 (actually it is an older problem)
Exploit & full info:Available here


Overflows in Minicom
Description:The terminal emulation modem program minicom has a number of blatant overflows.
Author:Tiago F P Rodrigues <11108496@LIS.ULUSIADA.PT>
Compromise:group uucp on some Linux distros (such as RedHat), but if installed from source with default makefile then it allows root access (local)
Vulnerable Systems:Most Linux boxes ship with minicom. Version 1.81 and presumably earlier are vulnerable.
Date:9 May 1998
Exploit & full info:Available here


NCSA httpd buffer overflow
Description:Standard overflow in client request string
Author:Renos <renosm@YAHOO.COM>
Compromise:You can probably run arbitrary commands on the web server machine, it is trivial to crash the server
Vulnerable Systems:Those running NCSA's httpd v1.4 for Windows. Probably earlier versions too.
Date:8 May 1998
Exploit & full info:Available here


Poor BSDI squid permissions
Description:On BSDI the squid configuration files are owned by "www", which is the same UID that user CGI scripts run as. Thus any user who can run a CGI could change start-squid to start a root shell, for example.
Author:"Jonathan A. Zdziarski" <jonz@NETRAIL.NET>
Compromise:user www privs -> root
Vulnerable Systems:BSDI 3.1, perhaps other squid installs
Date:7 May 1998
Exploit & full info:Available here


dip 3.3.7o overflow
Description:Standard overflow (in the -l option processing).
Author:Goran Gajic <ggajic@AFRODITA.RCUB.BG.AC.YU>
Compromise: root (local)
Vulnerable Systems:Slackware Linux 3.4, presumably any other system using dip-3.3.7o or earlier suid root.
Date:5 May 1998
Notes:I've included a couple standard exploits and one that works against systems utilizing Solar Designer's excellent non-executable-stack patch.
Exploit & full info:Available here


Backdoor passwords in 3com switches,routers,smart hubs.
Description:Numerous 3com products apparently have secret backdoors in case the administrator "forgets the password". Yeah, there is a good idea. BIOS vendors have the annoying habit of making passwords useless the same way, but at least there the attacker needs physical access. With 3com the attacker can telnet over to your network from bis.bg in Sofiya, Bulgaria and reconfigure your routers!
Author:Eric Monti <monti@MAIL.NETURAL.COM> and others
Compromise:Intruders can reconfigure and basically take over your switches
Vulnerable Systems:Many 3com products have various backdoors including: LanPlex/Corebuilder switches, 3Com LANplex 2500 , CellPlex 7000
Date:5 May 1998
Notes:Another post I appended notes that admin passwords and SNMP keys are available via the "public" SNMP community by default.
Exploit & full info:Available here


Many holes in the Netmanager Chameleon tool suite
Description:Mostly standard overflows, but there are lots of them. Virtually every product that comes in the suite seems exploitable.
Author:arager@MCGRAW-HILL.COM
Compromise:remote attackers can likely obtain root/administrator privileges on the machines running Chameleon daemons. The clients also have serious security holes.
Vulnerable Systems:These holes are in the Windows versions, although I would be very careful about running something like their Unix Z-mail product.
Date:4 May 1998
Exploit & full info:Available here


Xaw and Xterm vulnerabilities
Description:There are a number of vulnerabilities in X11R6 xterm(1) and Xaw(3c) libraries. They are mostly all overflows
Author:Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz> and the exploit was written by alcuin
Compromise: root (local)
Vulnerable Systems:Those running Xterm or X apps linked to vulnerable Xaw. Virtually all versions of X are vulnerable to the *Keymap hole and the others are mostly X11R6 specific (which virtually everyone uses anyway). Thus it is likely that many Solaris, Linux, HP/UX, and perhaps IRIX and AIX boxes are vulnerable.
Date:4 May 1998
Notes:I have also included an exploit sent to me by "M.C.Mar" <emsi@it.com.pl>. This exploit works against Xaw and neXtaw even WITH Solar Designer's non-executable stack patch applied. Check it out!
Exploit & full info:Available here


Overflow in lynx processing of mailto: URLs
Description:A mailto: URL with a long email address causes lynx 2.8 to crash and can cause it to execute arbitrary code.
Author:Michal Zalewski <lcamtuf@boss.staszic.waw.pl>
Compromise:remote pages can cause commands to be executed on the lynx user's machine. This can also be used to break out of restricted lynx shells.
Vulnerable Systems:Those running lynx 2.8 and probably earlier.
Date:3 May 1998
Exploit & full info:Available here


ID games Backdoor in quake
Description:id Software blatantly put a backdoor in Quake 1/2 and QuakeWorld, including both the Linux and Solaris Quake2 servers. RCON commands sent from the subnet 192.246.40.0/24 and containing the password "tms" are automatically executed on the server without being logged. Since the source address of a UDP packet is trivially spoofable, anyone who knows the subnet and the password can use the backdoor, not just id.
Author:Mark Zielinski <markz@repsec.com>
Compromise: root (remote)
Vulnerable Systems:Those running Quake 1, QuakeWorld, Quake 2, Quake 2 Linux and Quake 2 Solaris, all versions. Thus many Windows and UNIX boxes are affected.
Date:1 May 1998
Notes:Quake was always a horrible security hole, but I never thought id would stoop to introducing an intentional backdoor to allow them access to systems running Quake. I am surprised this didn't get more publicity.
Exploit & full info:Available here
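Since the entry above gives both the source subnet and the password, the backdoor is easy to spot on the wire. The following is an added example (not id's code, not the posted exploit) of a small detector that runs over captured UDP payloads. It assumes the Quake out-of-band packet format as I understand it: four 0xff bytes followed by "rcon <password> <command>"; the sample packets are constructed for the example.

```python
import ipaddress

# Both values come straight from the Bugtraq post summarised above.
BACKDOOR_NET = ipaddress.ip_network("192.246.40.0/24")
BACKDOOR_PASSWORD = b"tms"


def parse_rcon(payload):
    """Return (password, command) for a Quake rcon packet, else None.

    Assumption (not stated on this page): connectionless Quake packets begin
    with four 0xff bytes and the rcon form is 'rcon <password> <command>'.
    """
    if not payload.startswith(b"\xff\xff\xff\xff"):
        return None
    parts = payload[4:].lstrip().split(None, 2)
    if len(parts) < 3 or parts[0].lower() != b"rcon":
        return None
    return parts[1], parts[2]


def is_backdoor_attempt(src_ip, payload):
    """True when an rcon packet uses the hard-coded password from the
    hard-coded subnet. The subnet check only mirrors what the server
    itself checks; a spoofed source address passes it just as well."""
    parsed = parse_rcon(payload)
    if parsed is None:
        return False
    password, _command = parsed
    return (ipaddress.ip_address(src_ip) in BACKDOOR_NET
            and password == BACKDOOR_PASSWORD)


def scan(packets):
    """Run the check over (src_ip, payload) pairs; return flagged commands."""
    hits = []
    for src_ip, payload in packets:
        if is_backdoor_attempt(src_ip, payload):
            _password, command = parse_rcon(payload)
            hits.append((src_ip, command.decode("ascii", "replace")))
    return hits


# Constructed sample traffic for the example (203.0.113.0/24 is documentation
# address space standing in for ordinary players).
SAMPLE_PACKETS = [
    ("192.246.40.17", b"\xff\xff\xff\xffrcon tms quit"),
    ("192.246.40.17", b"\xff\xff\xff\xffrcon tms exec evil.cfg"),
    ("203.0.113.5",   b"\xff\xff\xff\xffrcon tms quit"),       # password, wrong subnet
    ("192.246.40.17", b"\xff\xff\xff\xffrcon s3cret status"),  # subnet, real admin password
    ("203.0.113.9",   b"\xff\xff\xff\xffgetinfo"),             # ordinary query
]

if __name__ == "__main__":
    for src, cmd in scan(SAMPLE_PACKETS):
        print("backdoor rcon from %s: %s" % (src, cmd))
```

The obvious short-term mitigation is a packet filter dropping UDP from 192.246.40.0/24 to the game port, but because the server trusts a spoofable source address that is detection, not a fix; only a server build without the backdoor actually closes it.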


Overflow in kppp -c option
Description:Standard overflow
Author:"|[TDP]|" <tdp@psynet.net>
Compromise: root (local)
Vulnerable Systems:Those running kppp version < 1.1.3 suid root. This comes with the KDE system (which is pretty neat -- www.kde.org) and runs on Solaris, Linux, IRIX, and HP/UX
Date:29 April 1998
Notes:The hole was fixed a while prior to this posting so the (then) current version was not vulnerable.
Exploit & full info:Available here


Horrendous suidexec hole
Description:Debian Linux apparently distributes a program called suidexec as part of the suidmanager package. This program is trivially exploitable to run any program on the system as root.
Author:Thomas Roessler <roessler@GUUG.DE>
Compromise: root (local)
Vulnerable Systems:Debian Linux 2.0 (probably won't be in the final 2.0 Hamm release).
Date:28 April 1998
Exploit & full info:Available here


Yet ANOTHER hole in the HP/UX Glance program
Description:Standard symlink-following TMPFILE stupidity
Author:"J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
Compromise: root (local)
Vulnerable Systems:HP/UX 10.20, perhaps other versions.
Date:27 April 1998
Exploit & full info:Available here


cxhextris overflow
Description:Standard overflow
Author:Chris Evans <chris@FERRET.LMH.OX.AC.UK>
Compromise:Local users can obtain uid=games privileges! This allows them to cause chaos by changing the high score table or trojaning various games, etc.
Vulnerable Systems:At least RedHat Linux 5.0
Date:25 April 1998
Exploit & full info:Available here


Livewire "source" problem
Description:It is often possible in sites using Livewire to download the actual application rather than individual pages generated by it. If the page is http://www.blah.com/foo/ try downloading http://www.blah.com/foo.web .
Author:Daragh Malone <daragh_malone@ACCURIS.IE>
Compromise:Obtain the livewire application rather than the pages it generates. These may have passwords and other sensitive info stored in them.
Vulnerable Systems:Those running Livewire, in particular DEC UNIX 4.0D running Netscape Enterprise Server 3.0.
Date:24 April 1998
Exploit & full info:Available here


Many, many, many security holes in the Microsoft Frontpage extensions
Description:There are many horrible security holes in the Microsoft Frontpage extensions. For example, you can list all files in directories on FP enabled sites, you can download password files on many of them, and a lot of FP sites even let you UPLOAD your own password files (!).
Author:pedward@WEBCOM.COM
Compromise:Break into user accounts on a web server (remote)
Vulnerable Systems:Those running the Frontpage server extensions. Some of the vulnerabilities are UNIX only while others also work against Windows NT sites.
Date:23 April 1998
Exploit & full info:Available here


Overflows in Solaris ufsdump and ufsrestore binaries
Description:Standard buffer overflow (in device name passed as arguments)
Author:Seth McGann <smm@WPI.EDU>
Compromise:Get UID of tty (local)
Vulnerable Systems:Solaris 2.6/SPARC, opinions differed on whether 2.6/X86 is vulnerable.
Date:23 April 1998
Exploit & full info:Available here


OpenBSD (and others) lprm overflow
Description:There is a subtle overflow in the pointer arithmetic in copying a command string to a buffer.
Author:Niall Smart <rotel@indigo.ie>
Compromise: root (local)
Vulnerable Systems:OpenBSD 2.2 and earlier, some versions of FreeBSD, NetBSD
Date:23 April 1998
Notes:This is an excellent description of the problem. Also congratulations go to Niall Smart for finding this bug in the heavily audited OpenBSD codebase.
Exploit & full info:Available here


qcam overflows
Description:several qcam apps as well as libqcam seem to have rather obvious security holes when installed setuid root.
Author:bst@INAME.COM
Compromise: root (local)
Vulnerable Systems:Those running qcam, sqcam, xqcam, or SANE-0.67 setuid root. Mostly Linux boxes, perhaps BSD.
Date:20 April 1998
Exploit & full info:Available here


lprm Linux/BSD/Solaris Overflow
Description:The lprm program on some machines has a standard overflow in the name you feed it to remove a job from a remote printer
Author:Chris Evans <chris@FERRET.LMH.OX.AC.UK> posted this problem to BugTraq; it turns out that the OpenBSD folks (probably Theo de Raadt) fixed the problem in 1996.
Compromise: root (local)
Vulnerable Systems:RedHat Linux 4.2 and 5.0, Solaris 2.6. Some *BSD variants were vulnerable, but most fixed it six months to two years prior to this notice.
Date:18 April 1998
Exploit & full info:Available here


Nestea "Off By One" attack
Description:A popular remote DoS against Linux boxes: malformed, overlapping IP fragments trigger an off-by-one in the kernel's fragment reassembly code and crash the machine.
Author:John McDonald <jmcdonal@UNF.EDU>
Compromise:Stupid remote DOS attack
Vulnerable Systems:Linux 2.0.33 and earlier, PalmOS, HP JetDirect printer cards, some 3COM routers, Magnum 5000 Ethernet switch, some Windows boxes, perhaps others
Date:17 April 1998
Notes:I have appended the original Linux code, a BSD port, an improved Linux version, and a few other messages on the topic.
Exploit & full info:Available here


Overflow in Microsoft Netmeeting
Description:Standard overflow
Author:DilDog <dildog@L0PHT.COM>
Compromise:remotely execute arbitrary commands on the machine of a Windows/NetMeeting user (the user must click on your NetMeeting .cnf file)
Vulnerable Systems:Windows boxes running Micro$oft NetMeeting V. 2.1
Date:16 April 1998
Notes:For a lot more information on this exploit, including a short Windows overflow tutorial, see http://www.cultdeadcow.com/cDc_files/cDc-351/ .
Exploit & full info:Available here


MGE UPS serious security holes
Description:Standard security holes are plentiful in the MGE UPS software
Author:Ryan Murray <rmurray@PC-42839.BC.ROGERS.WAVE.CA>
Compromise: root (local)
Vulnerable Systems:Those running vulnerable versions of MGE UPS software. It apparently runs on Solaris, AIX, SCO, etc.
Date:12 April 1998
Exploit & full info:Available here


Major holes in IRIX IPX tools
Description:Sigh, IRIX was trivial to root before, but now thanks to their IPX tools it is even easier. We are talking blatant system() calls here! The story in this message is rather pathetic.
Author:Fabrice Planchon <fabrice@MATH.PRINCETON.EDU>
Compromise: root (local)
Vulnerable Systems:IRIX 6.3, perhaps earlier versions.
Date:8 April 1998
Exploit & full info:Available here


Overflows in various Macintosh mail clients.
Description:Standard overflows.
Author:Chris Wedgwood <chris@CYBERNET.CO.NZ>
Compromise:DOS attack at least, there is at least a possibility of remote code execution (I've never seen this done on a Mac though).
Vulnerable Systems:Macintosh boxes running Stalker Internet Mail Server V.1.6 or AppleShare IP Mail Server 5.0.3 SMTP Server
Date:8 April 1998
Exploit & full info:Available here


Multiple Vulnerabilities in BIND named
Description:There are a number of security holes in some bind 4.9 and 8 releases. One is a remote-root exploit that works if fake-iquery is enabled, the other two are DOS attacks
Author:Unknown
Compromise: root (remote)
Vulnerable Systems:Those running BIND 8 prior to 8.1.2 or BIND 4.9 prior to 4.9.7 .
Date:8 April 1998
Exploit & full info:Available here


BSDI tcpmux DOS
Description:Apparently BSDI 2.0,2.1,3.0,and 3.1 servers with tcpmux enabled can be crashed with a fast portscanner.
Author:Mark Schaefer <marks@SHELL.FLINET.COM>
Compromise:DOS attack
Vulnerable Systems:BSDI 2.0, 2.1, 3.0, and 3.1 with tcpmux enabled and without patch M310-009
Date:7 April 1998
Notes:Note the portscanner he used -- my nmap.
Exploit & full info:Available here


TTCP spoofing problem
Description:Apparently TTCP allows commands to be executed before the full 3-way handshake has been completed. This means an attacker can set up a malicious connection without the trouble of TCP sequence prediction.
Author:Vasim Valejev <vasim@DIASPRO.COM>
Compromise:Exploit trust relationships, avoid logging, all the other benefits that come with "classical" TCP sequencing attacks.
Vulnerable Systems:Those implementing T/TCP (rfc1644). Perhaps FreeBSD allows this attack?
Date:7 April 1998
Exploit & full info:Available here


Yet another SGI pfdispaly CGI hole
Description:As has been demonstrated many times, SGI CANNOT write secure CGI scripts. Nor can they write secure setuid programs. They fixed the last pfdisplay.cgi hole, but the new version is still quite buggy -- as this post demonstrates.
Author:"J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
Compromise:run arbitrary commands remotely as the UID running the webserver
Vulnerable Systems:SGI IRIX 6.2 using the performer_tools CGIs.
Date:7 April 1998
Notes:I honestly believe default SGI security is as bad as default Windows NT security. That is sad.
Exploit & full info:Available here


ICQ Spoofer
Description:The ICQ protocol is poorly designed and leads to a number of problems. Included in this message is an ICQ spoofer in C, a Perl version, and an ICQ flooder. A sniffer is also included.
Author:Seth McGann <smm@WPI.EDU> and others
Compromise:Harass ICQ users to no end :).
Vulnerable Systems:People running ICQ, mostly windows users. There is probably a Mac client too.
Date:6 April 1998
Notes:All the code is somewhat jumbled together -- I'm sure you can figure it out.
Exploit & full info:Available here


RedHat 5 metamail hole
Description:Many mail clients, MTAs, etc. are poorly written and can interpret mail in ways that lead to security holes. One of the bugs in this message demonstrates a way to execute arbitrary commands by sending mail to a RedHat 5 user. The bug is in the metamail script's processing of MIME messages.
Author:Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
Compromise:potential root (remote). The victim must read the mail with Pine (or something else that calls metamail).
Vulnerable Systems:RedHat 5, other Linux boxes with the vulnerable metamail script.
Date:5 April 1998
Exploit & full info:Available here


Eudora 3.0 and 4.0 DOS
Description:Eudora will crash if it tries to receive an email with an attachment that has a filename of at least 233 characters.
Author:whiz <whizpig@TIR.COM>
Compromise:Stupid DOS attack
Vulnerable Systems:Windows users running Eudora Pro 4.0 or 3.0
Date:29 March 1998
Exploit & full info:Available here


Another WinGate hole -- this time with the LogFile service
Description:The WinGate Logfile service basically puts up a web server on port 8010 giving full read access to the victim's hard drive(!)
Author:HKirk <hkirk@tech-point.com>
Compromise:Remote read access to a Wingate user's hard drive
Vulnerable Systems:Windows users who run Wingate. This program is a huge security hole, a much better (cheaper, more secure, more robust, better performing) solution is to install a Linux gateway with IP masquerading.
Date:29 March 1998
Exploit & full info:Available here


Majordomo tmpfile bug
Description:Standard tmpfile problem
Author:Karl G - NOC Admin <ovrneith@tqgnet.com>
Compromise:Any user on a system running majordomo can append arbitrary data to any file owned by the majordomo account.
Vulnerable Systems:Those running majordomo. This runs on a ton of systems (Solaris, Linux, IRIX, etc.).
Date:26 March 1998
Exploit & full info:Available here


Overflows in the MesaGL OpenGL implementation
Description:There are many overflows in this library, one of which can be used to compromise xlock in some cases
Author:bjorn smedman <bs@ODEN.SE>
Compromise: root (local)
Vulnerable Systems:This exploit is for FreeBSD 2.2.5, although other OSes that use MesaGL are likely to be vulnerable.
Date:24 March 1998
Exploit & full info:Available here


dot bug in MS Personal Web Server
Description:IIS 3.0 had a bug which allowed ASP source to be downloaded by appending a . to the filename. That was eventually fixed by MS but they didn't fix the same hole in their Personal Web Server.
Author:Lynn Kyle <lynn@RAINC.COM>
Compromise:Read ASP file source, could contain passwords, etc.
Vulnerable Systems:Those running vulnerable version of MS Personal Web Server
Date:22 March 1998
Exploit & full info:Available here


Linux Mailhandler overflow
Description:The Mailhandler (mh) version 6.8.4-5 has an overflow in its handling of the SIGNATURE environment variable. I think RedHat 5, among other distributions, is vulnerable.
Author:Catalin Mitrofan <md@LSPVS.SOROSIS.RO>
Compromise: root (local)
Vulnerable Systems:Those running mh version 6.8.4-5 suid.
Date:21 March 1998
Exploit & full info:Available here


Another MSIE 4.0 overflow
Description:Standard overflow, this one can almost certainly be exploited by a malicious page to run arbitrary code on a user's system.
Author:Georgi Guninski <guninski@hotmail.com>
Compromise:Run arbitrary code on the machines of Windows users connecting to your web page.
Vulnerable Systems:Windows 95/NT running MSIE 4.0. Perhaps even the Solaris version is vulnerable, though I've never seen anyone run it.
Date:20 March 1998
Exploit & full info:Available here


Win95 "save password" nonsense
Description:Win95 offers dial-up users the option to save their RAS credentials by checking a box when dialing in. Security-minded folks generally decline. However, Microsoft saves the password anyway!
Author:Aleph One <aleph1@DFW.NET>
Compromise:Obtain cleartext passwords for dial-up accounts. On NT you can sometimes retrieve the LanMan and NT hashes (which you can then run a cracker on).
Vulnerable Systems:Windows 95, NT.
Date:20 March 1998
Notes:In some cases information on the last SEVERAL logins is stored without permission (!)
Exploit & full info:Available here


Irix pfdispaly CGI hole
Description:Standard .. read-any-file CGI exploit.
Author:"J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
Compromise:Read any file (remotely) that user nobody (or whatever web server runs as) can read.
Vulnerable Systems:IRIX 6.2 with performer_tools.sw.webtools (Performer API Search Tool 2.2) installed, check for /var/www/cgi-bin/pfdispaly.cgi.
Date:17 March 1998
Exploit & full info:Available here


LinCity and Conquest Game overflows
Description:Typical buffer overflows
Author:bst@INAME.COM
Compromise: root (local)
Vulnerable Systems:Those running vulnerable versions of LinCity or Conquest setuid (dumb!). This is mostly Linux boxes.
Date:16 March 1998
Exploit & full info:Available here


Ascend Router Insecurities
Description:There is a flaw in the Ascend router OS which allows the machines to be crashed by certain malformed UDP probe packets. Also the routers have a default SNMP "write" community which allows attackers to download the entire Ascend configuration file.
Author:"Secure Networks Inc." <sni@SECURENETWORKS.COM>
Compromise:Download sensitive ascend configuration information (passwords, etc.) plus a remote DOS attack to take out the router.
Vulnerable Systems:Ascend Pipeline and MAX routers including OS release 5.0Ap42 (MAX) and 5.0A (Pipeline).
Date:16 March 1998
Notes:Whee! We've got C exploit, CAPE exploit, IPsend exploit, and a Perl exploit!
Exploit & full info:Available here


Even more IE 4 bugs
Description:3 bugs which range in severity from crashing Internet Explorer to crashing all of windows. These can be put on malicious web pages to take out the IE users.
Author:Aleph One <aleph1@DFW.NET>
Compromise:Stupid DOS attack
Vulnerable Systems:Win95/WinNT running Internet Explorer 4.01 (perhaps earlier)
Date:16 March 1998
Exploit & full info:Available here


Insecure scripts that come with RedHat 5.0 (and other OS's)
Description:The scripts named in this message have standard insecure tmpfile bugs. If someone can predict when these will be run (like if they are in cron) then they can generally overwrite files of the person running the command (could be root).
Author:Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
Compromise:Potential for root compromise
Vulnerable Systems:Specifically this list is for RedHat 5 although many other Linux systems and probably some *BSD systems are vulnerable.
Date:14 March 1998
Exploit & full info:Available here


MDaemon/SLMail Mail server overflows
Description:Most Windows servers in general seem to have horrific security. Here is info on overflows in the MDaemon SMTP/POP server and the Seattle Labs server. Many Macintosh servers also have these problems, and even UNIX isn't always immune to poor coding.
Author:Alvaro Martinez Echevarria <alvaro-bugtraq@LANDER.ES>
Compromise:Crash the server; perhaps arbitrary code could be executed.
Vulnerable Systems:Windows boxes running a vulnerable version of MDaemon, Seattle Labs SLMail, and several other crappy Windows servers.
Date:11 March 1998
Exploit & full info:Available here


Solaris 2.6 printd tmpfile problem
Description:Standard insecure tmpfile hole
Author:Silicosis <sili@l0pht.com>
Compromise:unprivileged users can overwrite and create system files and print files they shouldn't be able to read.
Vulnerable Systems:Solaris 2.6
Date:11 March 1998
Exploit & full info:Available here


Another TMPfile problem in updatedb script
Description:updatedb creates a tmp file in /tmp, moves it to /var/lib/locatedb, then chowns it to root. The race condition is clear.
Author:Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
Compromise: root (local)
Vulnerable Systems:RedHat 5.0, perhaps other systems such as FreeBSD using updatedb.
Date:6 March 1998
Exploit & full info:Available here


info2www CGI hole
Description:Another dumb CGI blindly handing user input to the (magical) Perl open(), whose special characters turn a filename into a command.
Author:Niall Smart <njs3@DOC.IC.AC.UK>
Compromise:execute arbitrary commands as the web server's UID (remote)
Vulnerable Systems:Those running a vulnerable version of the info2www CGI
Date:3 March 1998
Exploit & full info:Available here


X11Amp playlist bug
Description:When installed SUID root (as suggested in the README), X11Amp creates ~/.x11amp insecurely with root privs. Oops! There are very likely to be many more security bugs in X11Amp. The performance hit of making it suid is probably not worth the security risk (IMHO).
Author:viinikala <kala@DRAGON.CZ>
Compromise: root (local)
Vulnerable Systems:Those running a vulnerable version of X11Amp (.65 and prior) suid. Mostly Linux boxes.
Date:28 February 1998
Exploit & full info:Available here


updatedb on Redhat
Description:RedHat Linux updatedb/sort insecure tmpfiles
Author:viinikala <kala@DRAGON.CZ>
Compromise:become user 'nobody' via updatedb (or root on a really old distro of RedHat) (local)
Vulnerable Systems:Redhat Linux (presumably 5.0) is very vulnerable due to updatedb calling sort regularly, many other systems (such as Solaris) have an insecure sort. Also FreeBSD 2.2.2 is apparently vulnerable to the same updatedb problem.
Date:28 February 1998
Notes:Dave Goldsmith may have found this first, although I cannot currently access his website for more info.
Exploit & full info:Available here


4.4BSD mmap() vulnerability
Description:A 4.4BSD problem allows a read-only descriptor to a char device to be mmap()ed in RW mode. This can allow group kmem to become root and root to lower the system secure-level.
Author:Theo de Raadt and Chuck Cranor
Compromise:User kmem-> root ->modify secure-level->delete audit trail and load evil kernel mods.
Vulnerable Systems:OpenBSD 2.2 and below, FreeBSD 2.2.5 and below, BSDI 3.0 and NetBSD.
Date:26 February 1998
Notes:This is an excellent advisory, I wish other groups and people would use a full-disclosure, detailed, and well organized format like this.
Exploit & full info:Available here


ZIP disk password recovery
Description:ZIP disk passwords provide very little security. Here is a way to bypass their silly little "passwords". If you wish to secure your data, ENCRYPT IT!.
Author:<mentzy@ath.forthnet.gr>
Compromise:Full access to password-protected Iomega ZIP disks.
Vulnerable Systems:People relying on the password protect feature of the ZIP drive.
Date:26 February 1998
Exploit & full info:Available here


Various gaping security holes in QuakeII (and Quake I and QuakeWorld and Quake Client).
Description:These games by id Software are absolutely riddled with glaring security holes, and no one should even CONSIDER running them (or any other game, for that matter) on a machine that is supposed to be secure. I have stuffed a bunch of Quake exploits into this one section, although there is one Quake II server hole I will treat separately later.
Author:kevingeo@CRUZIO.COM and others
Compromise: root (remote)
Vulnerable Systems:Those running pretty much any version of Quake by id Software, the client or server. Quake runs on many Linux boxes as well as Win95/NT.
Date:25 February 1998
Exploit & full info:Available here


Squid access control problem
Description:The squid http proxy allows an administrator to specify banned sites. Unfortunately, users can get around this by using URL hex escapes or specifying an IP address.
Author:"Vitaly V. Fedrushkov" <willy@CSU.AC.RU> and Mauro Lacy <mauro@INTER-SOFT.COM>
Compromise:Bypass some squid access restrictions.
Vulnerable Systems:Those relying on squid access restrictions to keep students, employees, etc. from undesireable sites.
Date:23 February 1998
Exploit & full info:Available here
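The lesson of the squid entry above is that an access check on the raw URL string is not a check on the destination. The following is an added example (not squid's code, not the posted exploit) that puts a naive host string match beside a check on a canonicalised host, using a constructed blocklist; 192.0.2.0/24 stands in for the addresses the banned names resolve to, which a real deployment would obtain by resolving them (squid's dst ACL does exactly that).

```python
import ipaddress
from urllib.parse import urlsplit, unquote

# Constructed blocklist for the example.
BANNED_HOSTS = {"www.example.com", "example.com"}
BANNED_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # what those names resolve to


def raw_host(url):
    """Host exactly as the client typed it (case, escapes and all)."""
    netloc = urlsplit(url).netloc
    return netloc.rsplit("@", 1)[-1].split(":")[0]      # drop userinfo and port


def naive_blocked(url):
    """The check the entry above shows being bypassed: a string compare."""
    return raw_host(url) in BANNED_HOSTS


def canonical_host(url):
    """Undo the tricks: percent-decode, lowercase, strip the trailing dot,
    and turn IP literals into address objects so they can be range-matched."""
    host = unquote(urlsplit(url).hostname or "").lower().rstrip(".")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return host


def normalized_blocked(url):
    host = canonical_host(url)
    if isinstance(host, (ipaddress.IPv4Address, ipaddress.IPv6Address)):
        return any(host in net for net in BANNED_NETS)
    return host in BANNED_HOSTS


# Constructed requests: the first is the honest one, the rest are the bypasses.
SAMPLES = [
    "http://www.example.com/",
    "http://www.%65xample.com/",        # hex escape inside the hostname
    "http://WWW.EXAMPLE.COM./",         # case games plus a trailing dot
    "http://192.0.2.10/",               # IP address instead of the name
    "http://192.0.2.10:8080/x",         # same, with an explicit port
    "http://www.example.org/",          # not banned; must stay allowed
]


def evaluate(urls=SAMPLES):
    """Map each URL to (naive verdict, normalised verdict)."""
    return {u: (naive_blocked(u), normalized_blocked(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, norm) in evaluate().items():
        print("%-32s naive=%-5s normalised=%s" % (url, naive, norm))
```

Two caveats worth keeping in mind: integer and hex spellings of an IPv4 address (one number instead of four) are a further trick this canonicaliser does not handle, and no string-level check substitutes for matching the resolved destination address at connect time.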


Solaris /usr/dt/bin/dtappgather symlink problem.
Description:Standard symlink problem allows arbitrary files to be chowned to the attacker's UID.
Author:Mastoras <mastoras@PAPARI.HACK.GR>
Compromise: root (local)
Vulnerable Systems:Solaris 2.5, 2.5.1 running CDE version 1.0.2 with suid /usr/dt/bin/dtappgather
Date:23 February 1998
Exploit & full info:Available here


Foolproof stores cleartext passwords in memory
Description:Foolproof security can be completely subverted by using a memory dumper/editor and finding the password sitting there in plaintext right after the string FOOLPROO. Of course, I have never seen a system that CAN secure Win95. The true solution is to upgrade to a decent OS that doesn't allow unprivileged users full access to the disk/memory/etc. I humbly suggest Linux, FreeBSD, OpenBSD, or Solaris.
Author:Mark M Marko <john__wayne@JUNO.COM>
Compromise:Break into Win95 machines protected by Foolproof.
Vulnerable Systems:Anyone relying on Foolproof for security on systems where users can manage to execute arbitrary commands (very difficult to prevent).
Date:21 February 1998
Exploit & full info:Available here


Named Pipe attack
Description:This is not really an "exploit" per se, but just a note about the possibility of exploiting programs that open files insecurely. The usual attack is something like ln -s /etc/passwd /tmp/prog.lock'. Solar Designer's excellent symlink kernel patch stops most of that nonsense. Here the attack uses named pipes to modify the data in the file and feed it back to the app.
Author:Michał Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
Compromise:Exploit potential for some insecure file opens and reads (such as gcc 2.7.2)
Vulnerable Systems:general UNIX feature
Date:20 February 1998
Exploit & full info:Available here
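The named pipe entry above, and the tmpfile entries earlier in this index (majordomo, Solaris printd, the RedHat 5 scripts, updatedb), all come down to one mistake: open()ing a path an attacker may already control. The following is an added example of my own (not code from any of those packages) that shows both attacks against the careless pattern and the hardened opens that refuse them. It assumes a Linux/BSD host with O_NOFOLLOW and mkfifo; the victim file and paths are constructed inside a temporary directory so nothing outside it is touched.

```python
import fcntl
import os
import stat
import tempfile
import threading


# --- The careless pattern: open() follows symlinks and will happily read
# from a FIFO, so both attacks below succeed against it.
def insecure_write(path, data):
    with open(path, "w") as f:
        f.write(data)


def insecure_read(path):
    with open(path) as f:
        return f.read()


# --- Hardened equivalents. O_CREAT|O_EXCL|O_NOFOLLOW fails if anything is
# already at the path, symlink or not. For reads, O_NONBLOCK keeps the open
# from hanging on a FIFO, and fstat() on the descriptor (not stat() on the
# path, which could be swapped underneath us) rejects non-regular files.
def safe_write(path, data):
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def safe_read(path):
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise OSError("refusing to read a non-regular file: %s" % path)
        flags = fcntl.fcntl(fd, fcntl.F_GETFL)       # regular file confirmed:
        fcntl.fcntl(fd, fcntl.F_SETFL, flags & ~os.O_NONBLOCK)  # back to normal
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd) as f:
        return f.read()


def symlink_attack_demo():
    """Classic tmpfile race: attacker plants 'ln -s target prog.lock' before
    the privileged program writes. Returns (insecure_clobbered, safe_refused)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "passwd")           # stands in for /etc/passwd
        open(target, "w").close()
        lock = os.path.join(d, "prog.lock")          # predictable tmp name
        os.symlink(target, lock)
        insecure_write(lock, "attacker::0:0::/:/bin/sh\n")
        with open(target) as f:
            clobbered = f.read().startswith("attacker::0:0")
        try:
            safe_write(lock, "attacker::0:0::/:/bin/sh\n")
            refused = False
        except OSError:                               # EEXIST from O_EXCL
            refused = True
        return clobbered, refused


def fifo_attack_demo():
    """Named pipe variant: nothing here is a symlink, so a symlink-only
    defence never fires, yet the attacker still chooses what the reader
    gets. Returns (insecure_fed, safe_refused)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.conf")
        os.mkfifo(path)

        def feeder():                                 # attacker's end of the pipe
            with open(path, "w") as w:
                w.write("evil setting\n")

        t = threading.Thread(target=feeder)
        t.start()
        fed = insecure_read(path) == "evil setting\n"
        t.join()
        try:
            safe_read(path)
            refused = False
        except OSError:                               # fstat says S_ISFIFO
            refused = True
        return fed, refused


def roundtrip_demo():
    """The hardened calls still work on an honest regular file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "fresh")
        safe_write(path, "ok\n")
        return safe_read(path)


if __name__ == "__main__":
    print("symlink attack (insecure clobbered, safe refused):", symlink_attack_demo())
    print("fifo attack    (insecure fed, safe refused):      ", fifo_attack_demo())
    print("roundtrip:", roundtrip_demo().strip())
```

The point of checking fstat() after the open rather than stat() before it is that the path can change between the two calls; checking the descriptor you actually hold is the only thing that cannot be raced. Solar Designer's symlink patch stops the first demo but not the second, which is exactly the gap the entry above describes.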


Radius spaces-in-password DOS attack.
Description:A number of Radius implementations will crash if the right number of spaces are appended to a username.
Author:"Phillip R. Jaenke" <prj@NLS.NET>
Compromise:Stupid DOS attack
Vulnerable Systems:Several UNIX and NT radius implementations including Livingston 1.16 to 2.01, RadiusNT v2.x, and merit radius 2.4.23C
Date:20 February 1998
Exploit & full info:Available here


NT Login DOS
Description:Uh-Oh! NT isn't correctly checking its input. By sending an SMB logon request with an incorrect data length field you can blue screen the NT box.
Author:"Secure Networks Inc." <sni@SECURENETWORKS.COM>
Compromise:Yet another NT DOS attack
Vulnerable Systems:Windows NT 4.0 up to and including Service Pack 3
Date:14 February 1998
Notes:It shouldn't be hard to write a quick exploit for this. Any volunteers? Just hack SAMBA login request code and experiment with different data lengths. If you do write one, please mail it to me (fyodor@insecure.org).
Exploit & full info:Available here


Wingate telnet redirection
Description:A somewhat common technique for attackers is to install "telnet redirectors" on a system they have compromised. This allows them to telnet to the redirector and then telnet out from there anonymously, masking their true point of origin. These attackers no longer need to bother with penetrating systems, as Wingate includes anonymous telnet redirection as a feature enabled by default! Just telnet to port 1080 or 23 and then telnet right back out to wreak havoc on the Internet. And don't worry, it doesn't (by default) log anything! <sigh>
Author:Alans other account <alanb@MANAWATU.GEN.NZ>
Compromise:Intruders can mask their true point of origin by going through Wingate
Vulnerable Systems:Windows boxes running Wingate
Date:11 February 1998
Notes:Many thanks to Dairo Bel <dairo@akrata.org> for translating his Spanish article on Wingate and sending it in! Also note that you can use nmap, a network portscanner I wrote, to locate hosts on your network that are running Wingate.
Exploit & full info:Available here


Windows share passwords are right there in the registry and poorly encrypted
Description:Share passwords are "encrypted" with a simple XOR and stored in registry entries such as SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\Parm1enc .
Author:a42n8k9@redrose.net
Compromise:With local access to a windoze box you can determine the read-only and full access passwords to the file system/printer/etc. Also these passwords might be the same as for more important access (ie to company servers).
Vulnerable Systems:Windoze 95, NT
Date:9 February 1998
Exploit & full info:Available here


Poor authentication used with NT domain controllers for authenticating SMB requests.
Description:There are a number of problems with the way NT implements authentication of clients accessing an SMB file share.
Author:Paul Ashton <paul@ARGO.DEMON.CO.UK>
Compromise:Learn a user's password, and cause other mischief
Vulnerable Systems:Windows NT 4.0 and 3.51
Date:6 February 1998
Notes:This probably won't be fixed anytime soon.
Exploit & full info:Available here


NT port binding insecurity
Description:UNIX does not allow normal users to bind ports below 1024 (they are reserved for root). NT apparently has no such concept of privileged ports. It even allows users to bind ports already in use by the system and sniff or redirect the data destined for them!
Author:Weld Pond <weld@L0PHT.COM>
Compromise:Obtain passwords, sniff information, change information before passing it to the real server, spoof UNIX r-services, etc.
Vulnerable Systems:Windows NT 3.51, 4.0
Date:6 February 1998
Notes:Appended to this message is an SMB redirector which allows local unprivileged users to redirect SMB traffic to a remote server so that the local server doesn't even see it. This obviously has quite severe implications.
Exploit & full info:Available here


Poor device permissions on Redhat 4.0/5.0
Description:Lax device perms on RedHat boxes allow unprivileged users to do nasty things such as peeking at the contents of a floppy in your drive or DOS attacks against the system.
Author:Smart List user <slist@cyber.com.au>
Compromise:Local users can read floppy device, be annoying
Vulnerable Systems:RedHat Linux 4.0 and 5.0
Date:4 February 1998
Exploit & full info:Available here


X11R6.3 Xkeyboard hole
Description:X11R6.3 based Xservers with the XKEYBOARD extension that are setuid can be exploited with the -xkbdir option
Author:Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz>
Compromise: root (local)
Vulnerable Systems:Those systems running a setuid X11R6.3-based Xserver with XKEYBOARD extension (R6.1 is also probably affected). The XFree86 servers that come with many Linux and *BSD distributions are a good example of this.
Date:3 February 1998
Exploit & full info:Available here


Coredump hole in imapd and ipop3d in slackware 3.4
Description:When fed an unknown username, imapd and ipop3d will dump core in Slackware 3.4. /etc/shadow can be found in the core file.
Author:Peter van Dijk <peter@ATTIC.VUURWERK.NL>
Compromise:Learn the contents of /etc/shadow (which would allow you to crack the passwords and break into other accounts)
Vulnerable Systems:Slackware Linux 3.4 and the imapd in 3.3, possibly others
Date:2 February 1998
Exploit & full info:Available here


Defeating Solar Designer's Non-executable Stack Patch
Description:A very interesting paper on defeating non-executable stack patches. It goes through the steps needed to exploit the XServer <LONGDISPLAY> hole in Linux even with a non-execute patch.
Author:Rafal Wojtczuk <nergal@ICM.EDU.PL>
Compromise: root (local)
Vulnerable Systems:This just shows (as Solar Designer is well aware) that in some cases the non-executable stack patch can be subverted via sneaky techniques.
Date:30 January 1998
Notes:Solar Designer's response is in the addendum.
Exploit & full info:Available here


Obtaining Domain Admins access on a LAN
Description:There are problems with the NT domain authentication protocol which allow anyone on a Domain to gain Domain Admin access
Author:Paul Ashton <paul@ARGO.DEMON.CO.UK>
Compromise:Gain Domain Admin Access
Vulnerable Systems:NT 4.0
Date:28 January 1998
Exploit & full info:Available here


Htmlscript file access bug
Description:Another stupid '..' directory traversal bug: the script does not strip '..' from the requested path.
Author:Dennis Moore <rainking@FEEDING.FRENZY.COM>
Compromise:read any file the web server can read on the remote system.
Vulnerable Systems:Those running htmlscript (distributed by www.htmlscript.com)
Date:26 January 1998
Exploit & full info:Available here


Quake2 shared library nonsense
Description:Heh, quake2 is suid root and loads shared libraries from the working directory. This exploit supplies its own _init in such a library.
Author:kevingeo@CRUZIO.COM
Compromise: root (local)
Vulnerable Systems:Those running a vulnerable version of QuakeII
Date:26 January 1998
Exploit & full info:Available here


Microsoft private key recovery
Description:There are a number of flaws in the way Microsoft stores private keys.
Author:Peter Gutmann, pgut001@cs.auckland.ac.nz
Compromise:Obtain a users private keys which can allow you to intercept their email, digitally sign contracts and agreements (in their name), etc.
Vulnerable Systems:Windoze NT and Win95
Date:25 January 1998
Notes:This paper is from Peter Gutmann's web site and can be found at: <http://www.cs.auckland.ac.nz/~pgut001/pubs/breakms.txt>
Exploit & full info:Available here


OpenBSD mkfifo DOS attack
Description:You can run the *BSD kernel out of non-pageable memory by making a fifo (via mkfifo) and forking a bunch of processes trying to cat it.
Author:Jason Downs <downsj@DOWNSJ.COM>
Compromise:Crash the system (stupid DOS attack)
Vulnerable Systems:OpenBSD, presumably NetBSD, FreeBSD, BSDI
Date:25 January 1998
Exploit & full info:Available here


Buffer overflow in the Yapp Conferencing System Version 2.2
Description:standard overflow
Author:satan <satan@FREENET.NETHER.NET>
Compromise:Run arbitrary commands as the uid yapp is running under (often 'yapp').
Vulnerable Systems:This exploit is for x86/Linux. Any other platform running Yapp should be vulnerable.
Date:20 January 1998
Exploit & full info:Available here


Lotus Domino database security problems
Description:Databases under this system do not correctly inherit ACLs, plus some default database ACLs are set to allow unrestricted access to all web users (!). Thus users can manipulate the files remotely.
Author:mattw <mattw@L0PHT.COM>
Compromise:manipulate server configuration files remotely
Vulnerable Systems:Those running vulnerable versions of Lotus Domino
Date:20 January 1998
Exploit & full info:Available here


ssh-agent RSA authentication problem
Description:SSH doesn't check permissions on credential files strictly enough, so users can trick ssh into using the credentials of other users.
Author:"Secure Networks Inc." <sni@SECURENETWORKS.COM>
Compromise:Trick ssh into using the credentials of another user when you login to a remote server.
Vulnerable Systems:Those running ssh (setuid) on multiple-user systems where RSA authentication is being used.
Date:20 January 1998
Exploit & full info:Available here


Mail Handler 6.8.4 overflow
Description:standard overflow
Author:Cesar Tascon Alvarez <tascon@enete.gui.uva.es>
Compromise: root (local)
Vulnerable Systems:Those running Mail Handler 6.8.4 (and presumably earlier versions). Redhat 5.0 is affected.
Date:19 January 1998
Exploit & full info:Available here


Exploit for the gcc tempfile issue
Description:gcc 2.7.2.x (and earlier as far as I know) creates temporary files in /tmp which will follow symlinks and allows you to clobber the files of the person running gcc.
Author:"Michał Zalewski" <lcamtuf@boss.staszic.waw.pl>
Compromise:Overwrite files owned by the user running gcc (possibly root )
Vulnerable Systems:Those running gcc 2.7.2.x; this includes most Linux and *BSD boxes. Many admins of Solaris boxes have also added gcc. This problem is finally fixed in gcc 2.8.0
Date:16 January 1998
Notes:This has been mentioned before on Bugtraq but this is the first actual exploit I've seen.
Exploit & full info:Available here
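The named pipe attack (20 February 1998) and the gcc tempfile exploit above are two faces of one mistake: a program opens a predictable path in a world-writable directory by name, so whoever gets there first decides what that name refers to. The script below is an added example, not code from either post, from gcc or from Solar Designer's patch; the file names prog.lock and prog.dat and the directory layout are made up for the demonstration, and it needs a POSIX system (mkfifo, O_NOFOLLOW). It runs both attacks against naive open() calls, then shows the two defensive opens that stop them: O_CREAT|O_EXCL|O_NOFOLLOW when creating, and O_NONBLOCK plus an fstat() S_ISREG check on the descriptor when reading.

```python
"""Insecure temp-file opens: symlink clobber on write, FIFO feed on read,
and the hardened opens that refuse both.  Added example; paths are made up."""
import os
import stat
import tempfile
import threading


def write_insecurely(path, data):
    """Models the gcc case: open() by name with O_CREAT but without
    O_EXCL/O_NOFOLLOW follows a planted symlink and clobbers its target."""
    with open(path, "w") as fh:
        fh.write(data)


def read_insecurely(path):
    """Models the named-pipe case: if `path` is a FIFO, a blocking open()
    waits for a writer and the program reads back whatever that writer sends.
    No symlink is involved, so a symlink-restriction patch does not help."""
    with open(path, "r") as fh:
        return fh.read()


def create_private_file(path, data):
    """Hardened write: O_EXCL fails if anything (file, symlink, FIFO) already
    exists at `path`; O_NOFOLLOW is belt and braces; mode 0600 keeps others out."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def read_regular_file(path):
    """Hardened read: O_NONBLOCK makes open() on a FIFO return immediately
    instead of hanging for an attacker's writer, and fstat() on the descriptor
    we actually got (not stat() on the name, which races) lets us refuse
    anything that is not a regular file."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    if not stat.S_ISREG(os.fstat(fd).st_mode):
        os.close(fd)
        raise OSError("refusing to read a non-regular file: %s" % path)
    with os.fdopen(fd, "r") as fh:   # O_NONBLOCK is harmless on a regular file
        return fh.read()


def demo(tmpdir=None):
    """Run both attacks against the naive opens, then the hardened opens.
    Returns a dict of outcomes so the results can be checked programmatically."""
    if tmpdir is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(d)
    results = {}
    victim = os.path.join(tmpdir, "victim.txt")
    with open(victim, "w") as fh:
        fh.write("original")

    # 1. symlink clobber: attacker plants a link where the program will write
    lock = os.path.join(tmpdir, "prog.lock")
    os.symlink(victim, lock)
    write_insecurely(lock, "clobbered")
    with open(victim) as fh:
        results["victim_after_symlink"] = fh.read()
    try:
        create_private_file(lock, "safe")
        results["hardened_write"] = "wrote"
    except FileExistsError:
        results["hardened_write"] = "refused"

    # 2. FIFO feed: attacker plants a named pipe where the program will read
    fifo = os.path.join(tmpdir, "prog.dat")
    os.mkfifo(fifo)

    def feeder():   # attacker side: blocks until the victim opens, then feeds it
        with open(fifo, "w") as fh:
            fh.write("attacker supplied content")

    t = threading.Thread(target=feeder, daemon=True)
    t.start()
    results["insecure_read"] = read_insecurely(fifo)
    t.join()
    try:
        read_regular_file(fifo)
        results["hardened_read"] = "read"
    except OSError:
        results["hardened_read"] = "refused"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %s" % (key, value))
```

The real fix is not to use a predictable name at all (mkstemp() into a directory only the user can write), but when a program must reopen a file by name, checking the descriptor it actually obtained is the only check that cannot be raced.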


Overflow in MS PWS
Description:typical buffer overflow
Author:Gurney Halleck <gurneyh@ix.netcom.com>
Compromise:Crash the personal web server (it is also possible that you could be able to execute arbitrary code remotely)
Vulnerable Systems:Those running MS Personal Web Server (pws32/2.0.2.1112), it is apparently packaged with FrontPage 97.
Date:15 January 1998
Exploit & full info:Available here


DOS against realvideoserver by Progressive Networks
Description:Another DOS attack
Author:Rootshell
Compromise:remotely crash Progressive Networks Real Video Server
Vulnerable Systems:those running Progressive Networks Real Video Server. This includes the Linux version and the NT version
Date:15 January 1998
Exploit & full info:Available here


mk: URL overflow in Internet Explorer 4.0
Description:Another Internet Explorer overflow, this time in the mk: URL type
Author:DilDog <dildog@L0PHT.COM>
Compromise:run arbitrary code on the machines of IE users who visit your page
Vulnerable Systems:Microsoft Internet Explorer 4.0 and 4.01, Outlook Express, Windows Explorer (it is an explorer library problem)
Date:14 January 1998
Exploit & full info:Available here


inode count integer overflow in Linux kernel
Description:Member i_count in struct inode of the Linux kernel is an unsigned short, which can be overflowed by mapping one file more than 65535 times.
Author:<Jan.Kotas@acm.org>
Compromise: root (local)
Vulnerable Systems:Linux, probably versions up to 2.0.31 (or so)
Date:14 January 1998
Exploit & full info:Available here


DOS attack on backoffice viewcode.asp
Description:You can leave a host running backoffice in a state of not accepting connections by using http://server.com/whatever/viewcode.asp?source=/////////////////<lots more slashes>///
Author:Anonymous
Compromise:DOS attack against web server
Vulnerable Systems:Those running Microsoft Backoffice with viewcode.asp available
Date:14 January 1998
Exploit & full info:Available here


Xserver overflow in the display command-line argument
Description:typical overflow, although this one affects a lot of people.
Author:Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz>
Compromise: root (local)
Vulnerable Systems:X11R6 (possibly X11R5) based X servers. This includes XFree86. The servers have to be suid, of course (some systems use XDM and have a non-suid server)
Date:13 January 1998
Exploit & full info:Available here


Buffer overflow in the 'deliver' mail delivery program
Description:standard overflow
Author:"KSR[T]" <ksrt@DEC.NET>
Compromise: root (local)
Vulnerable Systems:Slackware 2.x, Debian 1.3.1, possibly other Linux distributions. Basically anything running deliver version 2.0.12 and below.
Date:12 January 1998
Exploit & full info:Available here


Sendmail 8.8.8 HELO problem
Description:By specifying a very long hostname in the HELO command at the beginning of SMTP negotiation, you can cause your real hostname and IP to not be displayed in the Received: header field. This leaves potential for mischief by mail forgers and (unfortunately) spammers.
Author:Michał Zalewski <lcamtuf@boss.staszic.waw.pl>
Compromise:Send forged mail without your IP appearing in the message headers.
Vulnerable Systems:Those running Sendmail 8.8.8 and probably earlier.
Date:12 January 1998
Exploit & full info:Available here


A problem in Amanda backup software V. 2.3.0.4
Description:According to this advisory (which I haven't verified), attackers can remotely access backed up data on an index server. Also attackers with local access to a machine being backed up can access any other machine or any partition being backed up.
Author:joey@CORINNE.CPIO.ORG
Compromise:unauthorized access to index servers and partition data
Vulnerable Systems:Those running Amanda version 2.3.0.4 (probably earlier as well).
Date:10 January 1998
Exploit & full info:Available here


Buffer overflow in the cidentd authlie file
Description:typical overflow
Author:Jackal <jackal@HACK.GR>
Compromise:run arbitrary code as the UID running cidentd (probably user nobody) (local)
Vulnerable Systems:Those running cidentd with ~/.authlie enabled
Date:10 January 1998
Exploit & full info:Available here


Microsoft FrontPage server extensions file permissions problems
Description:Abhorrent permissions are required for some files related to the Microsoft FrontPage server extensions. For example _vti_pvt is a 775 directory which contains mode 664 service.pwd that contains the crypt()ed passwords for users.
Author:Dave Pifke <dave@VICTIM.COM>
Compromise:Not only can local users find out (or sometimes change) the passwords used for web accounts, but determining these passwords may lead to compromise of more important accounts that may use the same passwords.
Vulnerable Systems:Those running Microsoft FrontPage server extensions 3.0.2.1117 under UNIX
Date:9 January 1998
Exploit & full info:Available here


routed trace file exploit
Description:routed has the ability to have trace mode turned on remotely using any arbitrary filename. Thus you can append stuff to arbitrary files remotely.
Author:Rootshell
Compromise:You should be able to leverage this to root remote access.
Vulnerable Systems:Redhat Linux; IRIX 5.2, 5.3 and 6.2; NetBSD 1.2.
Date:8 January 1998
Exploit & full info:Available here


NT/Win95 8.3 webserver exploit
Description:By default, when a file like "verylongname.html" is created, Windows also creates an 8.3 equivalent ("verylo~1.htm" for example). Unfortunately, when people use Win* webservers to restrict access to long directories and files, the webservers often don't check access on the 8.3 equivalents. So people can grab stuff using the 8.3 names.
Author:Marc Slemko <marcs@ZNEP.COM>
Compromise:Obtain restricted files from NT/Win95 web servers
Vulnerable Systems:IIS 4.0, Netscape Enterprise 3.0x, probably others. Probably ftp servers and so forth too.
Date:8 January 1998
Exploit & full info:Available here


Netware NFS compromise
Description:A flaw in the way NetWare-NFS mode 1 and 2 maps the "Read Only" flag to UNIX allows a root compromise on systems which mount user-writable volumes exported via NetWare NFS
Author:"Andrew J. Anderson" <andrew@DB.ERAU.EDU>
Compromise: root (local)
Vulnerable Systems:Those mounting user-writable volumes exported via NetWare NFS
Date:8 January 1998
Exploit & full info:Available here


Screen cloaking 'feature'
Description:Versions of the popular program 'screen' allow users to cloak themselves out of wtmp/utmp and appear to not be logged on.
Author:Taz <taz@webmaster.com>
Compromise:Cloak yourself from finger/wtmp/utmp etc. using screen
Vulnerable Systems:Those running screen 3.7.4 and probably earlier, maybe later
Date:7 January 1998
Notes:I consider it a good thing when people send me bugs. Also, note that you can effect the same sort of thing as this by running 'xterm -ut' and then logging off
Exploit & full info:Available here


Holes in Apache prior to 1.2.5
Description:The fine folks who work on the Apache web server team kindly advised us of these holes in older versions of Apache. They are fixed in 1.2.5. The most important are probably cfg_getline() overflow which allows local users to run arbitrary commands with the UID of the webserver and the '//////////' hole which allows people to remotely effect a DOS attack on a server by giving a URL with more than 7500 forward slashes in the filename.
Author:Marc Slemko <marcs@ZNEP.COM>
Compromise:local users can run arbitrary commands with the UID of the webserver, remote DOS attack (slows the server to a crawl)
Vulnerable Systems:Those running Apache versions prior to 1.2.5
Date:6 January 1998
Exploit & full info:Available here


The "Bonk" NT/Win95 fragmentation attack
Description:In an attack that is basically the reverse of the teardrop attack, Windows machines that are patched for teardrop can be crashed.
Author:bendi
Compromise:crash Windoze machines remotely
Vulnerable Systems:Windows 95, Windows NT
Date:5 January 1998
Exploit & full info:Available here


ccdconfig sgid kmem BSD exploit
Description:ccdconfig is sgid kmem and can be exploited to read /dev/mem. It shouldn't be too tough to leverage this into root access.
Author:Niall Smart <rotel@INDIGO.IE>
Compromise: root (local)
Vulnerable Systems:NetBSD, FreeBSD, older versions of OpenBSD
Date:31 December 1997
Exploit & full info:Available here


AIX mount vulnerability
Description:AIX mount has a serious problem that allows people to mount any filesystem on top of any writeable space.
Author:"S. Ryan Quick" <ryan@PHAEDO.COM>
Compromise:Mount filesystems on top of any writeable space (this could allow you to clobber files, among other things).
Vulnerable Systems:AIX 4.1.3, 4.1.4, 4.2.0, 4.2.1
Date:28 December 1997
Exploit & full info:Available here


DOS attack on XTACACS servers
Description:You can crash these servers by sending ICMP unreachable messages to them.
Author:Coaxial Karma <c_karma@HOTMAIL.COM>
Compromise:remotely crash vulnerable XTACACS servers.
Vulnerable Systems:some XTACACS servers
Date:23 December 1997
Exploit & full info:Available here


Vsyslog overflow in Linux libc 5.4.38
Description:Standard overflow (although it is pretty sad to see these things in syslog ...)
Author:Posted by Solar Designer <solar@FALSE.COM>
Compromise: root (local)
Vulnerable Systems:Slackware 3.1, Redhat 4.2, possibly other Linux boxes
Date:21 December 1997
Exploit & full info:Available here


MIRC worm bug
Description:There is a bug in MIRC (a Windoze IRC client) which allows people to send an arbitrary script.irc to MIRC users. This allows arbitrary MIRC scripting commands to be interpreted.
Author:Unknown
Compromise:Windows IRC users can be harassed and their files can be snatched and/or deleted.
Vulnerable Systems:Windows versions running MIRC prior to 5.3
Date:18 December 1997
Exploit & full info:Available here


Overflow in Livingston RADIUS 1.16 and derived code
Description:There is a buffer overflow in the handling of buffers related to inverse IP lookup in RADIUS 1.16 and derived code (including Ascend RADIUS)
Author:"Secure Networks Inc." <sni@SECURENETWORKS.COM>
Compromise: root (remote)
Vulnerable Systems:Those running RADIUS server software derived from Livingston RADIUS 1.x
Date:17 December 1997
Exploit & full info:Available here


EWS (Excite for Web Servers) CGI hole
Description:A classic CGI mistake: EWS launches a shell with the query string in the command line. They change spaces to $ and somehow think this solves the problem ;)
Author:Marc Merlin <marc_merlin@MAGIC.METAWIRE.COM>
Compromise:run arbitrary commands as the processid that runs the webserver (remote)
Vulnerable Systems:Those running EWS 1.1 on both UNIX and NT
Date:17 December 1997
Exploit & full info:Available here


WordPerfect 7 file permission problems
Description:Apparently WordPerfect 7 has serious problems with regard to permissions on the files it creates in users' directories. It will also follow symlinks when creating them.
Author:Hans Petter Bieker <hanspb@PERSBRATEN.VGS.NO>
Compromise:break into a users account or clobber their files (user could potentially be root )
Vulnerable Systems:Linux boxes running WordPerfect 7 (possibly other *NIXes)
Date:15 December 1997
Exploit & full info:Available here


ICQ so-called protocol
Description:The ICQ protocol is ridiculously simplistic and is riddled with security holes. So is the ICQ software. So ICQ users can be spoofed, have their machine crashed, or have evil haxxors run arbitrary code on their boxes. Geez, these poor users might as well run Internet Explorer!
Author:Alan Cox <alan@CYMRU.NET>
Compromise:Spoof, Crash, or exploit the buffer overflow to run arbitrary code
Vulnerable Systems:Mostly Windows boxes where the user is running ICQ
Date:14 December 1997
Exploit & full info:Available here


Sun ^D DOS attack
Description:By connecting to the telnet port of a Solaris 2.5.1 box, sending some bogus telnet negotiation option and then flooding the channel with ^D, you can (temporarily) slow the machine to a near halt.
Author:Jason Zapman II <zapman@CC.GATECH.EDU>
Compromise:remote DOS attack
Vulnerable Systems:Solaris 2.5.1, 2.6
Date:13 December 1997
Notes:I appended a better version after the first (the second forks extra processes to increase the flood). I also appended an NT port.
Exploit & full info:Available here


gethostbyname() overflow in glibc
Description:Overflow in glibc gethostbyname() allows overflows in ping, rsh, traceroute, etc.
Author:Wilton Wong - ListMail <listmail@NOVA.BLACKSTAR.NET>
Compromise: root (local)
Vulnerable Systems:Redhat 5, presumably others with glibc (GNU HURD?)
Date:13 December 1997
Exploit & full info:Available here


Cisco password overflow
Description:Cisco 76x routers reboot when you telnet to them and feed a very long password.
Author:Laslo Orto <Laslo@CPOL.COM>
Compromise:Reboot the Cisco router
Vulnerable Systems:Cisco 76x series of routers.
Date:11 December 1997
Exploit & full info:Available here


Firewall1 snmpd open access vulnerability
Description:By default, Firewall-1 allows anyone to obtain confidential operation and statistical info from its SNMP daemon.
Author:"Secure Networks Inc." <sni@SECURENETWORKS.COM>
Compromise:The information could help an attacker bypass the firewall as well as giving private network statistical information.
Vulnerable Systems:Those running a vulnerable version of Checkpoint Firewall-1
Date:9 December 1997
Exploit & full info:Available here


Dillon crontab 2.2 overflow
Description:standard overflow
Author:"KSR[T]" <ksrt@DEC.NET>
Compromise: root (local)
Vulnerable Systems:Slackware Linux 3.4, other systems that run dillon crontab / crond ( dcron 2.2 )
Date:9 December 1997
Exploit & full info:Available here


mIRC crash via new socket feature
Description:A problem with the way mIRC handles bound sockets allows mean people to crash the mIRC clients of poor, defenseless Windows users.
Author:Derek Reynolds <startnet@NATION.ORG>
Compromise:Crash an mIRC user and make their Windows run even slower than usual
Vulnerable Systems:Those running mIRC 5.3 under Windows
Date:7 December 1997
Exploit & full info:Available here


Overflow in cgiwrap-3.5 and 3.6beta1
Description:Standard overflow
Author:Duncan Simpson <dps@IO.STARGATE.CO.UK>
Compromise:Run arbitrary commands with the UID of the webserver process owner
Vulnerable Systems:Those running vulnerable versions of cgiwrap
Date:7 December 1997
Exploit & full info:Available here


Xscreensaver problem
Description:Apparently if you type more than 80 characters into an xscreensaver password window it will die and you will gain access to the desktop. Also note that with XFree86 you can often use Ctrl-Alt-Backspace to simply kill the server (and whatever X program is locking it).
Author:Kim San Su <shanx@comp67.snu.ac.kr>
Compromise:Bypass xscreensaver password security
Vulnerable Systems:Those where people run a vulnerable version of xscreensaver to lock their X-Windows sessions.
Date:2 December 1997
Exploit & full info:Available here


Long filesystem paths
Description:One thing you can do to be highly annoying is create very long directory paths. These cause *major* problems to many system utilities. This post provides useful one-liners for the purpose.
Author:Zack Weinberg <zack@RABI.PHYS.COLUMBIA.EDU>
Compromise:Annoying DOS
Vulnerable Systems:Those that allow very long directory paths. I just created one 10002 directories deep on my Linux box (I stopped it, it could have gone further). Fortunately Microsoft OS users don't have this problem due to small filesystem depth restrictions ;)
Date:2 December 1997
Exploit & full info:Available here


Sendmail file-as-username problem
Description:A quirk in Sendmail that could potentially be exploited is that usernames like '/etc/passwd' get written into the file of the same name when mail is received for them. This could be a problem on systems where users can specify their username without sysadmin intervention.
Author:Duck Vader <tiepilot@THEPOND.THEPOND.ML.ORG>
Compromise:Could potentially lead to root access
Vulnerable Systems:Mostly just BBSes or whatever systems allow users to specify a username and then create an /etc/passwd entry for them.
Date:2 December 1997
Exploit & full info:Available here
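Three entries on this page fail the same way when a file name is derived from untrusted input: the htmlscript '..' bug (26 January 1998) lets '..' walk out of the document tree, the NT/Win95 8.3 bug (8 January 1998) lets a second name for the same file slip past a check keyed on the first name, and the Sendmail quirk above turns a username like '/etc/passwd' straight into a file path. The script below is an added example, not code from htmlscript, any web server or sendmail; the document tree it builds is constructed for the demonstration, and since Linux has no 8.3 short names a symlink stands in for the alias. It shows a safe_join() that rejects absolute names and anything that resolves outside the root, and an access check that compares files by identity (device and inode) rather than by the spelling of the request.

```python
"""Path containment and identity-based access checks for untrusted file
names.  Added example; the directory layout below is constructed."""
import os
import tempfile


def safe_join(root, untrusted):
    """Return the real path of `untrusted` under `root`, or raise ValueError.

    Empty names, NUL bytes and absolute paths are rejected outright; then
    symlinks and '..' are resolved with realpath() and the result must still
    lie inside the real root.  '/etc/passwd' as a username and
    '../../etc/passwd' as a URL component both fail here."""
    if not untrusted or "\0" in untrusted:
        raise ValueError("empty or NUL-containing name")
    if os.path.isabs(untrusted):
        raise ValueError("absolute path rejected: %r" % untrusted)
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, untrusted))
    if candidate != real_root and not candidate.startswith(real_root + os.sep):
        raise ValueError("path escapes root: %r" % untrusted)
    return candidate


def same_file(a, b):
    """Compare two paths by file identity rather than by spelling."""
    sa, sb = os.stat(a), os.stat(b)
    return (sa.st_dev, sa.st_ino) == (sb.st_dev, sb.st_ino)


def is_protected_by_name(requested, protected_names):
    """The broken check: match the request string against protected names.
    Any alias for the same file (an 8.3 short name on Windows, a symlink
    here) is not in the list and sails through."""
    return os.path.basename(requested) in protected_names


def is_protected_by_identity(root, requested, protected_paths):
    """The fixed check: resolve the request under root and ask whether the
    resulting file *is* one of the protected files, whatever it was called."""
    path = safe_join(root, requested)
    return any(os.path.exists(p) and same_file(path, p) for p in protected_paths)


def demo(root=None):
    """Build a tiny document tree and exercise both checks; return outcomes."""
    if root is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(d)
    secret = os.path.join(root, "verylongsecretname.html")
    with open(secret, "w") as fh:
        fh.write("confidential")
    # stand-in for the 8.3 alias Windows would create automatically
    os.symlink(secret, os.path.join(root, "VERYLO~1.HTM"))

    out = {"traversal": "rejected", "absolute_user": "rejected"}
    try:
        safe_join(root, "../../etc/passwd")          # htmlscript-style request
        out["traversal"] = "allowed"
    except ValueError:
        pass
    try:
        safe_join(root, "/etc/passwd")               # sendmail-style username
        out["absolute_user"] = "allowed"
    except ValueError:
        pass
    out["alias_by_name"] = is_protected_by_name("VERYLO~1.HTM", {"verylongsecretname.html"})
    out["alias_by_identity"] = is_protected_by_identity(root, "VERYLO~1.HTM", [secret])
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-18s %s" % (key, value))
```

Because safe_join() resolves symlinks before the containment test, a link inside the tree that points outside it is refused as well; if that is too strict for a site, restrict the check to the components the request itself supplied, but never skip the realpath() step for the part that came from the user.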


BSD Termcap overflow
Description:This program creates a malicious termcap file which can yield root access.
Author:Bug originally discovered by Theo de Raadt <deraadt@CVS.OPENBSD.ORG>; exploit written by Joseph_K on 22 October 1997
Compromise:Theoretically this may allow you to become root remotely; you can definitely become root locally.
Vulnerable Systems:BSDI, probably FreeBSD/NetBSD/OpenBSD prior to October 1997
Date:1 December 1997
Exploit & full info:Available here


Xyplex terminal login problems
Description:Apparently you can get into some Xyplex terminals by entering ^Z or '?' at the login prompt.
Author:Aleksandr Pilosov <apilos01@UTOPIA.POLY.EDU>
Compromise:Obtain unauthorized access to Xyplex terminals.
Vulnerable Systems:Xyplex terminals
Date:1 December 1997
Notes:Another problem with these terminals, this time with regard to their interaction with scripts is in the addendum.
Exploit & full info:Available here


Solaris 2.5.1 automound hole
Description:standard popen() hole
Author:Anonymous
Compromise: root (local)
Vulnerable Systems:Solaris 2.5.1 without patch 10465[45] applied
Date:26 November 1997
Exploit & full info:Available here


Common XDM and CDE insecurity
Description:Many implementations of these accept XDMCP connections from any host. This can allow people to effectively login remotely even if they are denied telnet (etc.) access through /etc/hosts.deny (TCP wrappers). Also failed attempts are often not logged, so this is useful for brute force password guessing.
Author:Eric Augustus <augustus@stic.net>
Compromise:Brute force password guessing, bypassing tcp wrappers
Vulnerable Systems:Those running vulnerable implementations of XDM or CDE and those with poor access configuration files.
Date:26 November 1997
Exploit & full info:Available here


NT RAS Point to Point Tunneling Protocol hole
Description:You can crash NT boxes running RAS PPTP by sending a pptp start session request with an invalid packet length specified in the header.
Author:Kevin Wormington <kworm@SOFNET.COM>
Compromise:crash NT machines remotely
Vulnerable Systems:Windows NT 4.0 with RAS PPTP running
Date:26 November 1997
Exploit & full info:Available here
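This PPTP entry and the NT Login DOS above (14 February 1998, an SMB logon request with an incorrect data length field) are the same class of bug: the server copies or indexes according to a length the client declared, without first checking that length against what actually arrived. The parser below is an added example, not the RAS code or the original exploit; it follows the PPTP control message header from RFC 2637 (Length, PPTP Message Type, Magic Cookie 0x1A2B3C4D, Control Message Type, Reserved0, with a Start-Control-Connection-Request being 156 bytes in total), the messages are constructed inline, and the 1500-byte ceiling is an assumption chosen for the demonstration rather than anything the RFC specifies.

```python
"""Validating the Length field of a PPTP control message before trusting it.
Added example; layout per RFC 2637, messages constructed inline."""
import struct

HDR = struct.Struct("!HHIHH")   # length, PPTP msg type, magic cookie, ctrl msg type, reserved0
MAGIC = 0x1A2B3C4D
CONTROL_MESSAGE = 1
SCCRQ = 1                       # Start-Control-Connection-Request
SCCRQ_LEN = 156
MAX_LEN = 1500                  # assumption: no control message we accept is larger


class BadMessage(ValueError):
    pass


def parse_control_header(buf):
    """Return (ctrl_type, body) after checking that the declared Length is
    consistent with the bytes actually received.  The checks are ordered so
    nothing is read beyond len(buf) until the header itself has been verified."""
    if len(buf) < HDR.size:
        raise BadMessage("short read: %d bytes, header needs %d" % (len(buf), HDR.size))
    length, msg_type, cookie, ctrl_type, _reserved = HDR.unpack_from(buf)
    if cookie != MAGIC:
        raise BadMessage("bad magic cookie 0x%08x" % cookie)
    if msg_type != CONTROL_MESSAGE:
        raise BadMessage("unexpected PPTP message type %d" % msg_type)
    # The bug class: a declared length smaller than the header, larger than
    # what arrived, or absurd, must never be allowed to drive a copy or index.
    if length < HDR.size:
        raise BadMessage("declared length %d smaller than header" % length)
    if length > MAX_LEN:
        raise BadMessage("declared length %d exceeds maximum %d" % (length, MAX_LEN))
    if length > len(buf):
        raise BadMessage("declared length %d but only %d bytes received" % (length, len(buf)))
    if ctrl_type == SCCRQ and length != SCCRQ_LEN:
        raise BadMessage("SCCRQ must be %d bytes, declared %d" % (SCCRQ_LEN, length))
    return ctrl_type, buf[HDR.size:length]


def build_sccrq(length=SCCRQ_LEN, host=b"client"):
    """Construct a Start-Control-Connection-Request with a chosen Length
    field so the checks above can be exercised.  Body: protocol version 1.0,
    async framing, analog bearer, 1 channel, firmware 0, host name, vendor."""
    body = struct.pack("!HHIIHH", 0x0100, 0, 1, 1, 1, 0)
    body += host.ljust(64, b"\0") + b"\0" * 64
    return HDR.pack(length, CONTROL_MESSAGE, MAGIC, SCCRQ, 0) + body


def classify(buf):
    """Run the parser and report 'ok' or the rejection reason."""
    try:
        ctrl_type, body = parse_control_header(buf)
        return "ok: type %d, %d body bytes" % (ctrl_type, len(body))
    except BadMessage as e:
        return "rejected: %s" % e


if __name__ == "__main__":
    for label, msg in [("well-formed", build_sccrq()),
                       ("length 0", build_sccrq(length=0)),
                       ("length 65535", build_sccrq(length=65535)),
                       ("length 200", build_sccrq(length=200)),
                       ("truncated", build_sccrq()[:100])]:
        print("%-13s %s" % (label, classify(msg)))
```

The same ordering applies to any length-prefixed protocol: bound the declared length by the header size below, by a protocol maximum above, and by the bytes in hand, and only then use it.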


Solaris Statd exploit
Description:Solaris 2.5.1 x86 remote overflow for statd. There is apparently an earlier patch which doesn't fix the problem.
Author:Anonymous
Compromise: root (remote)
Vulnerable Systems:Solaris 2.5.1 x86 is what this exploit is written for. According to a later CERT advisory, vulnerable systems include Digital UNIX (4.0 through 4.0c), AIX 3.2 and 4.1, Solaris 2.5 and 2.5.1, and SunOS 4.1.* for both x86 and SPARC
Date:24 November 1997
Exploit & full info:Available here


XFree86 (and apparently other X11R6 XC/TOG derived servers) -config insecurity
Description:XFree86 is setuid root in many cases and takes a -config option to use a different config file. Unfortunately it doesn't check permissions on this file so you can (for example) read the first line of /etc/shadow (printed in the warning message)
Author:plaguez <dube0866@eurobretagne.fr>
Compromise:Read files that you shouldn't have permissions for
Vulnerable Systems:Those with a suid root XFree86 X server as well as some other X servers. This affects many Linux (and probably FreeBSD/OpenBSD) boxes.
Date:21 November 1997
Exploit & full info:Available here


The LAND attack (IP DOS)
Description:Sending a packet to a machine with the source host/port the same as the destination host/port crashes a lot of boxes.
Author:m3lt <meltman@LAGGED.NET>
Compromise:Remote DOS attack (reboots many systems)
Vulnerable Systems:Windows95, Windows NT 4.0, WfWG 3.11, FreeBSD
Date:20 November 1997
Exploit & full info:Available here


Symlink problems with fstab and advfsd in OSF1
Description:These programs create /tmp files that will follow symlinks and clobber system files
Author:Efrain Torres Mejia <etorres@POLLUX.JAVERIANA.EDU.CO>
Compromise: root (local)
Vulnerable Systems:Digital Unix OSF1 V4.0
Date:18 November 1997
Exploit & full info:Available here


Kernel Buffer Overflow in the ISDN subsystem
Description:When dialing, the old Linux ISDN drivers copied everything after ATD into a 40 char stack buffer (!).
Author:Andi Kleen <ak@muc.de>
Compromise: root (local)
Vulnerable Systems:Linux 2.0.31, perhaps earlier.
Date:16 November 1997
Exploit & full info:Available here


Core file problem with Digital Unix 4.0
Description:With dbx you can cause suid root programs to core dump and clobber system files
Author:John McDonald <jmcdonal@osprey.unf.edu>
Compromise: root (local)
Vulnerable Systems:Digital Unix 4.0 and 4.0B
Date:16 November 1997
Notes:I wish more people would send me their exploits like John did ... this way I'm less likely to miss them.
Exploit & full info:Available here


Terminal hijacking via pppd
Description:pppd offers read/write access to any tty. This allows a man in the middle attack for trojan terminals as well as other mischief. Also it allows users to freely dial out with the modem (often not a good idea).
Author:David Neil <theoe@EUROPA.COM>
Compromise:Hijack terminals, dial arbitrary numbers with the modem, other mischief.
Vulnerable Systems:Those running pppd. Many Linux boxes, perhaps some BSD, Solaris.
Date:15 November 1997
Exploit & full info:Available here


Linux and Windows IP fragmentation (Teardrop) bug
Description:Win* and Linux deal with overlapping IP fragments in an incorrect manner which allows the systems to be crashed remotely.
Author:Apparently datagram in flip.c
Compromise:Remote DOS attack
Vulnerable Systems:Windows NT 4.0, Win95 , Linux up to 2.0.32
Date:15 November 1997
Notes:I also included a program called "syndrop" which is a modified version of teardrop (exploits an M$ SYN sequence bug).
Exploit & full info:Available here
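The LAND attack (20 November 1997), teardrop and its "reverse", bonk (5 January 1998), all rely on a host trusting fields in the IP header that no legitimate sender would produce. The checker below is an added example, not any of the original exploit programs; the packets it examines are constructed inline with struct.pack rather than captured, the checksum is left at zero, and the fragment checks are generic reassembly sanity tests (overlap, empty non-final fragment, oversize result) rather than a signature for any one tool. It parses a bare IPv4 header, flags a TCP segment whose source and destination address and port are identical, and reports fragment sets whose offsets overlap.

```python
"""IPv4 header sanity checks: LAND detection and fragment-overlap detection.
Added example; packets below are constructed, not captured."""
import struct

IP_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte IPv4 header, no options
TCP_PORTS = struct.Struct("!HH")          # first four bytes of the TCP header
MF = 0x2000                               # More Fragments flag
OFF_MASK = 0x1FFF                         # 13-bit fragment offset, in 8-byte units


def parse_ipv4(pkt):
    """Return the fields we need from an IPv4 header, or None if malformed."""
    if len(pkt) < IP_HDR.size:
        return None
    vihl, _tos, total, ident, ff, _ttl, proto, _csum, src, dst = IP_HDR.unpack_from(pkt)
    ihl = (vihl & 0x0F) * 4
    if (vihl >> 4) != 4 or ihl < 20 or ihl > len(pkt) or total < ihl or total > len(pkt):
        return None
    return {"ihl": ihl, "total": total, "id": ident, "proto": proto,
            "mf": bool(ff & MF), "offset": (ff & OFF_MASK) * 8,
            "src": src, "dst": dst, "payload": pkt[ihl:total]}


def is_land(pkt):
    """LAND: a TCP segment whose source and destination address *and* port
    are identical.  Nothing legitimate looks like this on the wire."""
    ip = parse_ipv4(pkt)
    if ip is None or ip["proto"] != 6 or len(ip["payload"]) < TCP_PORTS.size:
        return False
    sport, dport = TCP_PORTS.unpack_from(ip["payload"])
    return ip["src"] == ip["dst"] and sport == dport


def fragment_problems(frags):
    """Given the fragments of one datagram (same id), report reassembly
    anomalies: a fragment starting before the previous data ends (overlap),
    an empty non-final fragment, or a reassembled size above 65535."""
    problems = []
    ips = sorted((ip for ip in map(parse_ipv4, frags) if ip is not None),
                 key=lambda ip: ip["offset"])
    end = 0
    for ip in ips:
        start, length = ip["offset"], len(ip["payload"])
        if start < end:
            problems.append("overlap at byte %d (previous data ends at %d)" % (start, end))
        if length == 0 and ip["mf"]:
            problems.append("empty non-final fragment at offset %d" % start)
        end = max(end, start + length)
    if end > 65535:
        problems.append("reassembled size %d exceeds 65535" % end)
    return problems


def build_ipv4(src, dst, proto, payload, ident=1, mf=False, offset=0):
    """Construct an IPv4 packet with a correct header layout (checksum zero)."""
    total = IP_HDR.size + len(payload)
    ff = (MF if mf else 0) | ((offset // 8) & OFF_MASK)
    return IP_HDR.pack(0x45, 0, total, ident, ff, 64, proto, 0, src, dst) + payload


def demo():
    """Constructed samples: a LAND segment, a normal segment, a clean
    two-fragment datagram and a teardrop-style overlapping pair."""
    a, b = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    land = build_ipv4(a, a, 6, TCP_PORTS.pack(139, 139) + b"\0" * 16)
    normal = build_ipv4(a, b, 6, TCP_PORTS.pack(40000, 139) + b"\0" * 16)
    clean = [build_ipv4(a, b, 17, b"A" * 24, mf=True, offset=0),
             build_ipv4(a, b, 17, b"B" * 8, offset=24)]
    overlapping = [build_ipv4(a, b, 17, b"A" * 36, mf=True, offset=0),
                   build_ipv4(a, b, 17, b"B" * 4, offset=24)]
    return {"land_flagged": is_land(land),
            "normal_flagged": is_land(normal),
            "clean_problems": fragment_problems(clean),
            "overlap_problems": fragment_problems(overlapping)}


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-17s %s" % (key, value))
```

A border filter can drop LAND packets outright, since a source address equal to the destination is never valid inbound; the fragment checks belong wherever reassembly happens, and the fix for the hosts listed above was to make the kernel's reassembly code refuse exactly these cases instead of computing a negative copy length.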


Redhat 4.2 X11 /tmp/.X11-unix permissions problem
Description:Any local user can destroy X service by moving (or deleting) the UNIX domain socket redhat puts in /tmp/.X11-unix/X0 . Redhat apparently forgot the sticky bit. I think this works in Redhat 4.0 too.
Author:Carlo Wood <carlo@RUNAWAY.XS4ALL.NL>
Compromise:Screw up X (local)
Vulnerable Systems:Those running the Redhat 4.2 and 4.0 Linux distributions.
Date:14 November 1997
Exploit & full info:Available here


Overflow in suidperl 5.003
Description:Overflow (via sprintf()) in the mess() function in suidperl
Author:Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz>
Compromise: root (local)
Vulnerable Systems:Those running suid-perl 5.003, this includes many Linux, *BSD, Solaris and UNIX boxes in general.
Date:13 November 1997
Exploit & full info:Available here


Digital Unix xterm overflow
Description:Patch kit 5 includes a replacement xterm which can be forced to dump core and clobber system files. A buffer overflow may also exist.
Author:Tom Leffingwell <tom@sba.miami.edu>
Compromise: root (local)
Vulnerable Systems:Digital Unix 4.0B *with* patch kit 5
Date:12 November 1997
Exploit & full info:Available here


Slackware lizards suid-root problem
Description:The lizards game is NOT intended to be suid root, but Slackware 3.4 sets it that way anyway. This makes it trivial to become root through code like system("clear"), etc.
Author:SUID <suid@BOMBER.STEALTH.COM.AU>
Compromise: root (local)
Vulnerable Systems:Linux boxes using the Slackware 3.4 (earlier?) distributions.
Date:12 November 1997
Exploit & full info:Available here


Security Dynamics FTP server core problem
Description:It is possible to cause this server to dump core while ftping in. The core file will clobber files and also contains crypt(3)ed passwords.
Author:sp00n <sp00n@COUPLER.300BAUD.COM>
Compromise: root (local)
Vulnerable Systems:Solaris 2.5 running Security Dynamics' FTP server (Version 2.2) perhaps other versions.
Date:12 November 1997
Exploit & full info:Available here


Core bug in the Security Dynamics ftp server
Description:typical core file bug
Author:sp00n <sp00n@COUPLER.300BAUD.COM>
Compromise: root (local)
Vulnerable Systems:Those running the Security Dynamics FTP server (Version 2.2). This is available at least for solaris boxes.
Date:12 November 1997
Exploit & full info:Available here


Cybercash 2.1.2 insecurities
Description:A number of insecurities in Cybercash
Author:Megan Alexander <malexander@COMMANDCOM.COM>
Compromise:Get credit card numbers, plaintext password registry settings, tons of fun stuff!
Vulnerable Systems:Windows95 and NT systems running Cybercash 2.1.2 or Verifone vPOS
Date:11 November 1997
Exploit & full info:Available here


Cisco password decryption
Description:Cisco passwords can be trivially decrypted although this isn't really the fault of Cisco (since the router itself needs to be able to decrypt them).
Author:Jared Mauch <jared@puck.nether.net>
Compromise:Obtain extra access to Cisco routers
Vulnerable Systems:Cisco routers
Date:11 November 1997
Exploit & full info:Available here


Exchange & Outlook client extensions problem
Description:Anyone can register "extensions" to Exchange Client or Outlook which cause evil things to happen for various events. Typical idiotic Microsoft bug.
Author:Martin Stanek <stanek@DCS.FMPH.UNIBA.SK>
Compromise:Steal mail, cause users to run malicious code, etc.
Vulnerable Systems:Microsoft systems where multiple users run Outlook or Exchange client
Date:9 November 1997
Exploit & full info:Available here


Security hole in iCat Carbo Server 3.0
Description:Another pathetic hole, this one allows people to view any file on the web server (which the web server process owner can view)
Author:Mikael Johansson <Mikael.Johansson@ABC.SE>
Compromise:View files on remote web servers, maybe even filch credit card numbers!
Vulnerable Systems:Those running iCat Carbo Server (ISAPI, Release) Version 3.0.0
Date:8 November 1997
Exploit & full info:Available here


BRU (Backup and Recovery Utility) poor permissions
Description:This commercial UNIX backup program creates the /usr/local/lib/bru directory mode 777. This directory apparently contains sources. Enough said.
Author:Kyle Amon <amonk@GNUTEC.COM>
Compromise: root (local)
Vulnerable Systems:Any running vulnerable version of BRU (There is a Linux version, probably also Solaris and other *NIX).
Date:8 November 1997
Exploit & full info:Available here


Intel "f00f" Pentium bug
Description:A bug in the Intel Pentium (and Pentium + MMX) chips allows usermode processes to crash the system by executing the invalid instruction 0xf00fc7c8
Author:Sent through an anonymous remailer
Compromise:Users who can run code on the system can totally freeze the system
Vulnerable Systems:Those running on a Pentium including versions of Linux, Dos, WinNT, Win95, SolarisX86, etc.
Date:8 November 1997
Exploit & full info:Available here


Attachments to Office files not encrypted
Description:Not only is the "encryption" used for Microsoft Office applications hopelessly weak, but attachments are not encrypted at all.
Author:lustiger@att.com
Compromise:Read attachments to "encrypted" Office documents without having to spend 30 seconds decrypting them.
Vulnerable Systems:Microsoft Office 95 and 97
Date:7 November 1997
Exploit & full info:Available here


Kerberos $KRBTKFILE hole
Description:the rsh, rcp, and rlogin included in the kth-krb4 Kerberos package will blindly use any ticketfile given in $KRBTKFILE, even if it is owned by another user and unreadable by the current user!
Author:Mattias Amnefelt <mattiasa@stacken.kth.se> finally gave real information on the bug (thanks are due to him!). I don't know who discovered it originally.
Compromise:Use other people's ticket files (which are often stored in /tmp); just find one and set $KRBTKFILE appropriately.
Vulnerable Systems:Those running Kerberos kth-krb4.
Date:6 November 1997
Exploit & full info:Available here


Kerberos KRBTKFILE ticketfile vulnerability
Description:Suid root programs in the Kerberos 4 suite don't check permissions on $KRBTKFILE before using it for authentication.
Author:Mattias Amnefelt <mattiasa@stacken.kth.se>
Compromise:Spoof Kerberos authentication
Vulnerable Systems:Those running Kerberos 4 with rsh,rcp, or rlogin suid-root .
Date:6 November 1997
Exploit & full info:Available here


ftp mget vulnerability
Description:If the nlist caused by a mget returns a file like /etc/passwd , most ftp clients seem to (try to) overwrite/create it without signaling anything wrong. You can also use files with names like "|sh" to execute arbitrary commands.
Author:I don't recall who found it first; in the appended post af@c4c.com gives an example of the bug using Linux Slackware
Compromise:ftp servers can compromise clients who use mget to d/l files
Vulnerable Systems:ftp clients on Linux, AIX, HP/UX, Solaris 2.6, and probably many other systems
Date:3 November 1997 was when this example was posted (the bug was found a while back)
Exploit & full info:Available here


Micro$oft Internet Explorer 4 res:// overflow bug
Description:There is a standard buffer overflow in Microsoft's parsing of the new res:// URL protocol.
Author:DilDog <dildog@L0PHT.COM>
Compromise:Execute arbitrary code on the machines of Windows users who connect to your web pages.
Vulnerable Systems:Windows 95 boxes running IE 4.0
Date:1 November 1997
Exploit & full info:Available here


Security holes in Metamail
Description:Some metamail scripts (such as sun-audio-file) call inappropriate helper-apps (like uudecode) which allow things like overwriting files on the system.
Author:Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
Compromise:Obtain access to the account running metamail.
Vulnerable Systems:Those running vulnerable versions of metamail (often Elm users). Redhat Linux 4.x uses metamail in some cases.
Date:24 October 1997
Exploit & full info:Available here


BSD color_xterm xlib overflow
Description:Standard buffer overflow, I believe the root of this is in the X libraries
Author:Ladislav Bukvicka <Ladislav.Bukvicka@EUNET.CZ>
Compromise: root (local)
Vulnerable Systems:Many systems vulnerable, but this particular exploit is for BSD
Date:23 October 1997 is when this exploit was published, but the hole is well known.
Exploit & full info:Available here


BSDI exploit for color_xterm and kterm
Description:standard overflow
Author:Ladislav Bukvicka <Ladislav.Bukvicka@EUNET.CZ>
Compromise: root (local)
Vulnerable Systems:BSDI 2.1
Date:23 October 1997
Exploit & full info:Available here


AIX xdat overflow
Description:Typical buffer overflow, this time with $TZ in AIX's xdat program
Author:Unknown
Compromise: root (local)
Vulnerable Systems:AIX 4.1, 4.2
Date:22 October 1997
Exploit & full info:Available here


Gather all mailing list members through SMTP expn command
Description:In some cases it is possible to determine all the subscribers of a mailing list, even if you have disabled commands like "who" in your majordomo (or other listserv) software.
Author:"Christopher M. Conway" <cmconwa@SANDIA.GOV>
Compromise:unauthorized people can obtain subscriber lists.
Vulnerable Systems:Those running majordomo in a vulnerable fashion
Date:22 October 1997
Exploit & full info:Available here


in.telnetd tgetent buffer overflow
Description:By specifying an alternate terminal capability database with huge entries, you can overflow programs (like telnet, possibly xterm in some cases) which call tgetent() expecting a reasonable-length buffer.
Author:Secure Networks, INC
Compromise:In some cases, root (remote)
Vulnerable Systems:BSD/OS v2.1,Theo de Raadt mentions that you might be able to attack the suid xterm program locally with this hole to gain root access (possibly Linux, as well as other BSDs)
Date:21 October 1997
Notes:I have appended an exploit for BSDI in the addendum section.
Exploit & full info:Available here


Kill syslogd remotely on solaris boxes
Description:There is a problem where syslogd will crash if it can't do a DNS lookup on the source IP it gets the message from.
Author:lb - STAFF <lb@POSH.INEXWORKS.NET>
Compromise:Kill syslogd (I'm sure hackers would love to do that before launching a real attack)
Vulnerable Systems:Solaris 2.5, 2.5.1 both Sparc and x86
Date:21 October 1997
Exploit & full info:Available here


Overflow in the Ideafix development environment
Description:standard overflow, in $TERM
Author:Bst Perez Companc <bst@INAME.COM>
Compromise: root (local)
Vulnerable Systems:Any systems running a flawed version of ideafix; this exploit is for Linux
Date:19 October 1997
Exploit & full info:Available here


NT Syscalls insecurity
Description:In this excellent paper, Solar Designer points out a number of serious flaws in the Micro$oft NT syscall implementations. He demonstrates code that will crash NT boxes, and points out that even more serious holes could probably be found by examining other syscalls.
Author:Solar Designer <solar@FALSE.COM> (This guy rocks!)
Compromise:Crash NT, possibly bypass security
Vulnerable Systems:Windoze NT 4.0 and earlier
Date:19 October 1997
Exploit & full info:Available here


NT SetThreadPriority() hole
Description:NT SetThreadPriority call resets a Thread's time quantum, possibly allowing the process to run forever and hog available resources.
Author:ntinternals.com
Compromise:NT local DoS
Vulnerable Systems:Windoze NT
Date:19 October 1997
Exploit & full info:Available here


PHP mlog.html and mylog.html vulnerabilities
Description:Trivially read any file on the remote system by exploiting these cgi scripts
Author:bryan berg <km@UNDERWORLD.NET>
Compromise:remotely read any httpd-readable file on the remote system
Vulnerable Systems:Those running vulnerable versions of the PHP distribution.
Date:19 October 1997
Exploit & full info:Available here


open() on BSD succeeds and cedes valid fd with the argument "-1"
Description:You can't read a file you shouldn't be able to, but by feeding bad args to open, you can get a valid file descriptor and do inappropriate ioctl's to it. This is especially important for certain devices.
Author:explorer@flame.org
Compromise:DoS, possible other uses
Vulnerable Systems:*BSD
Date:17 October 1997
Exploit & full info:Available here


Bad registry permissions on NT allows users to defeat security restrictions
Description:Users can set registry settings like HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to run programs at startup in a heightened security context.
Author:Unknown (Aleph One?)
Compromise:heighten privileges on NT
Vulnerable Systems:NT 3.5, 3.51, and 4.0 default configuration
Date:17 October 1997
Exploit & full info:Available here


Spy on IE users' files
Description:A hole in IE 4.0 allows web pages to read arbitrary files on a user's hard drive.
Author:Jabadoo software (www.jabadoo.de)
Compromise:web servers can steal files from people who visit.
Vulnerable Systems:Those running Micro$oft Internet Explorer 4.0
Date:17 October 1997
Exploit & full info:Available here


Count.cgi remote overflow
Description:standard buffer overflow, this time in Count.cgi
Author:Nicolas Dubee <dube0866@eurobretagne.fr>
Compromise:local or remote execution of arbitrary code
Vulnerable Systems:Those running a vulnerable version of Muhammad A. Muquit's wwwcount
Date:16 October 1997
Exploit & full info:Available here


MS exchange/service user problems
Description:Apparently many people use service accounts for Exchange. Apparently, those also generally don't have auto-account-disabling or password expiration, which makes exchange a great target for brute-force password guessing
Author:Russ <Russ.Cooper@RC.ON.CA> and Geremy Cohen
Compromise:Hack a Windoze box
Vulnerable Systems:Windoze NT running Exchange 5.0 as a service account
Date:15 October 1997
Exploit & full info:Available here


Overflow in Seattle Lab Sendmail v2.5
Description:Overflow in the username given to this program when sending mail
Author:David LeBlanc <dleblanc@ISS.NET> (Who is a loser, BTW)
Compromise:Lame DoS, possible remote execution of commands
Vulnerable Systems:Windoze NT running Version 2.5 (probably earlier also) of Seattle Lab Sendmail for NT
Date:14 October 1997
Exploit & full info:Available here


Micro$oft's attempt at FrontPage 98 server-side extensions for Apache
Description:The setuid root program (fpexe) which comes with the FrontPage extensions is a pathetic joke security-wise, as Marc Slemko demonstrates.
Author:Marc Slemko <marcs@ZNEP.COM>
Compromise: root (remote)
Vulnerable Systems:Those using the Micro$oft FrontPage extensions to Apache under UNIX.
Date:11 October 1997
Exploit & full info:Available here


Count.cgi hole
Description:You can read any .gif or .jpg on a server (readable by httpd daemon, of course) by giving a "image=../../../../path" type argument
Author:Razvan Dragomirescu <drazvan@kappa.ro>
Compromise:read protected .gif and .jpeg files (remote)
Vulnerable Systems:Those running version 2.3 of Muhammad A. Muquit's wwwcount
Date:10 October 1997
Exploit & full info:Available here


imapd core hole
Description:imapd can leave privileged info in core files when crashed by a user.
Author:mudge@L0PHT.COM
Compromise:Obtain shadowed password file
Vulnerable Systems:Those running imap-4.1Beta (or presumably earlier releases) on systems which allow core dumps by processes that have changed UIDs.
Date:8 October 1997
Exploit & full info:Available here


SNMP holes in Windoze NT 4.0
Description:One bug described allows you to dump all domain usernames with snmpwalk. Another allows you to delete WINS database records remotely. Micro$oft is pathetic. Nobody should buy their products. Get Linux, or OpenBSD, or Solaris.
Author:"Rouland, Christopher J" <CRouland@EXAMNYC.lehman.com>
Compromise:Determine usernames, potent DoS
Vulnerable Systems:Those running WindoZe NT 4.0 Server with snmp
Date:8 October 1997
Exploit & full info:Available here


DNS Games
Description:Some games you can play with resolvers (if you control a DNS server) Phillip Jaenke shows some examples.
Author:"Phillip R. Jaenke" <prj@NLS.NET>
Compromise:Trick resolvers
Vulnerable Systems:Those with flaky resolvers (like gethostbyname()) (I guess). It is a weird sort of problem.
Date:6 October 1997
Exploit & full info:Available here


xsecurekeyboard problem
Description:Many people think that by clicking "secure keyboard" on their xterm, they are safe from snoopers. This is not always true, as Christopher Creutzig demonstrates by making 100 connect attempts per second
Author:Christopher Creutzig <christopher@nescio.foebud.org>
Compromise:read someone's keystrokes if you can connect to their Xserver, even if they are using the "secure keyboard" feature
Vulnerable Systems:XFree86, probably other implementations
Date:6 October 1997
Exploit & full info:Available here


Redhat Linux 4.2 printfilter problems
Description:Redhat 4.2 uses the "printfilter" software package called by lpd to determine the type of a file, unfortunately this program calls others which were not made to handle malicious data (such as groff).
Author:"KSR[T]" <ksrt@dec.net>
Compromise: root (local)
Vulnerable Systems:Redhat Linux 4.2 (maybe earlier)
Date:6 October 1997
Exploit & full info:Available here


JetDirect printer card problem
Description:The JetDirect card with TCP/IP enabled will by default open high ports (9099 and 9100) which can be used to print arbitrary files
Author:Klaus Steding-Jessen <jessen@AHAND.UNICAMP.BR>
Compromise:DoS Attack (send 500 page documents), or free printing if you have access to the printer in question
Vulnerable Systems:Those using JetDirect with TCP/IP enabled and the default unrestricted connections.
Date:4 October 1997
Notes:Cool! He used my here


Security problems in the lpd protocol
Description:The protocol for lpd (Line Printer Daemon, RFC 1179) seems to have a number of insecurities, as discussed in this post
Author:Bennett Samowich <a42n8k9@REDROSE.NET>
Compromise: root (remote)
Vulnerable Systems:Those running a vulnerable version of lpd, many Linux and *BSD versions are vulnerable
Date:2 October 1997
Exploit & full info:Available here


mSQL authentication holes
Description:mSQL has a number of problems in its attempts at authentication, as well as another serious problem if the user doesn't use ACLs
Author:"John W. Temples" <john@KUWAIT.NET>
Compromise:remotely manipulate a mSQL database
Vulnerable Systems:Those running vulnerable versions of mSQL, many Linux boxes run this
Date:27 September 1997
Exploit & full info:Available here


Samba Remote buffer overflow
Description:Samba reads in a user's password into a fixed length buffer, allowing execution of arbitrary code on the target machine
Author:ADM
Compromise: root (remote)
Vulnerable Systems:Those running the SAMBA SMB server versions earlier than 1.9.17p2. The exploit is for Linux/X86
Date:26 September 1997
Notes:ADM sent me this before it went out on Bugtraq, and then they sent me a newer version (appended). Thanks!
Exploit & full info:Available here


kerneld auto-load of modules requested by unprivileged users
Description:If an unprivileged user types 'ifconfig <devname>' the system will try to load the kernel module /lib/modules/<kernel ver>/fs/devname.o . Thus any unprivileged user can load any modules in your module directory.
Author:Zygo Blaxell <zblaxell@fiction.org>
Compromise:Could be a DoS, or a more serious security problem, depending on the modules you have available.
Vulnerable Systems:Linux with vulnerable version of kerneld installed
Date:26 September 1997
Exploit & full info:Available here


M$ IIS 3.0 newdsn.exe problem
Description:newdsn.exe under MS IIS 3.0 allows creation of arbitrary files (just names, not contents) in the wwwroot directory tree
Author:Vytis Fedaravicius <vytix@FLOYD.KTU.LT>
Compromise:create bogus files on webservers; it isn't clear if you can overwrite files. A DoS attack at minimum
Vulnerable Systems:Those running Micro$oft IIS v.3.0 with newdsn.exe installed. This includes a number of WinNT machines.
Date:25 September 1997
Exploit & full info:Available here


HP/UX newgroup hole
Description:Standard buffer overflow
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable newgroup,HP 9000 Series 700/800s running versions of HP-UX 9.X & 10.X
Date:25 September 1997
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


Oracle webserver insecurities
Description:Anyone who is given control of an oracle webserver account can trivially become root
Author:hurtta+zz@OZONE.FMI.FI
Compromise: root (local)
Vulnerable Systems:Those running Oracle Webserver 2.1 or Oracle Webserver 1.0 (included with Oracle7 Server and Oracle7 Workgroup Server)
Date:19 September 1997
Exploit & full info:Available here


ARP and ICMP redirection games
Description:This excellent article/code from Yuri points out a number of (mostly known) problems with the ARP and ICMP protocols/implementations
Author:Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise:spoof as a trusted host, redirect traffic through your host, DoS
Vulnerable Systems:Many versions of Linux, numerous hubs/routers. AFAIK, IRIX, HP-UX, *BSD, and probably Windoze can be spoofed with gratuitous ARP
Date:19 September 1997
Exploit & full info:Available here


Asynchronous I/O signal handling
Description:Two problems in the Asynchronous I/O handling of many *NIX boxes. The most important one allows SIGIO, SIGURG, and possibly other signals to be sent to arbitrary processes on the system (from unprivileged code)
Author:"Thomas H. Ptacek" <tqbf@RDIST.ORG> wrote the advisory, Alan Peakall found the original problem
Compromise:In some cases you can kill or disrupt many system processes
Vulnerable Systems:*BSD, IRIX, probably others
Date:15 September 1997
Exploit & full info:Available here


wu_ftpd recursive nlist DOS
Description:An attacker can log into a wu_ftpd server and do a recursive nlist that hogs a tremendous amount of system resources
Author:Josef Karthauser <joe@pavilion.net>
Compromise:lame DOS
Vulnerable Systems:Those running wu_ftpd, most Linux and *BSD systems run this
Date:9 September 1997
Exploit & full info:Available here


AIX bugfiler hole
Description:running -b bugfiler <user> <directory> allows you to create weird files in the directory (owned by <user>).
Author:Johannes Schwabe <schwabe@rzaix530.rz.uni-leipzig.de>
Compromise:In some cases root privileges can be gained (local)
Vulnerable Systems:AIX 3.*
Date:8 September 1997
Exploit & full info:Available here


CC:Mail password vulnerability
Description:CC:Mail stores cleartext passwords in a "hidden" batch file which is apparently read/writeable by all users on NT (and of course is on W95)
Author:Carl Byington <carl@five-ten-sg.com>
Compromise:Take over a CC:Mail postoffice
Vulnerable Systems:Windoze NT/95 running cc:Mail release 8
Date:8 September 1997
Exploit & full info:Available here


SunOS rlogin overflow
Description:Apparently an overflow in parsing argv
Author:I have no clue, _PHANTOM_ <phantom@lhab-gw.soroscj.ro> sent it to me
Compromise: root (apparently) (local)
Vulnerable Systems:SunOS
Date:8 September 1997
Notes:Someone confirmed to me that this works with Solaris 2.5.1 but not 2.6. Anyone care to try SunOS 4.x?
Exploit & full info:Available here


Uploader.exe insecurity
Description:pathetic insecurity in uploader.exe that comes with O'reilly's webserver 'website'
Author:Herman de Vette <herman@info.nl>
Compromise:run arbitrary commands on the web server (by placing arbitrary cgi scripts there)
Vulnerable Systems:Those running O'reilly's webserver, website. Mostly Windoze NT and W95 boxes. Some versions of 1.1 and 2.0beta have this vulnerability.
Date:4 September 1997
Exploit & full info:Available here


Pico symlink vulnerability
Description:Typical symlink problem, in pico (the editor used by pine)
Author:dynamo@IME.NET
Compromise:overwrite files owned by the user running pico
Vulnerable Systems:Those running a vulnerable version of pico
Date:2 September 1997
Exploit & full info:Available here


Linux exploit code for the already known buffer overflow in sperl 5.003
Description:Linux exploit code for the already known buffer overflow in sperl 5.003
Author:ggajic@FREENET.NETHER.NET
Compromise: root (local)
Vulnerable Systems:Those with sperl 5.003 installed suid, the exploit is for linux
Date:2 September 1997
Exploit & full info:Available here


Pathetic hole in HP/UX 10.20 CUE
Description:the cue (character-based User Environment) program that ships with HP/UX 10.20 uses $LOGNAME to verify who the user is!@#$@#!$ and it has an exploitable symlink problem
Author:Leonid S Knyshov <wiseleo@JUNO.COM>
Compromise: root (local)
Vulnerable Systems:HP-UX 10.20, probably others
Date:1 September 1997
Exploit & full info:Available here


Hole in the vacation program
Description:The standard UNIX vacation program doesn't do enough checking on its input (specifically the From: line in the mail) before sending it to other programs (sendmail) for processing
Author:bukys@CS.ROCHESTER.EDU apparently reported it to CERT & SUN on June 1, 1994 but nothing happened. This vulnerability report is from "Secure Networks Inc." <sni@SILENCE.SECNET.COM>
Compromise:Run arbitrary commands remotely as the user running vacation
Vulnerable Systems:At least some versions of AIX, FreeBSD, NetBSD, and OpenBSD. Other systems if they have installed the vacation program themselves or a different version of sendmail.
Date:1 September 1997
Exploit & full info:Available here


MAC tcp stack syn problem
Description:Apparently some Macintoshes crash from a high rate of TCP SYN packets (IE through a portscan)
Author:nomad@APOLLO.TOMCO.NET
Compromise:crash a mac
Vulnerable Systems:Mac TCP system 7.1 and 7.8
Date:31 August 1997
Notes:According to Jake Luck this problem was solved with OpenTransport 1.2
Exploit & full info:Available here


Security problems in CVS
Description:If CVS is run as root with pserver as suggested in the info page, any user can access any account (with the possible exception of root)
Author:Elliot Lee <sopwith@REDHAT.COM>
Compromise:access any nonuser account (remote)
Vulnerable Systems:Those running a vulnerable version of CVS pserver as suggested in the CVS info page. CVS 1.9.14 has this fixed
Date:29 August 1997
Exploit & full info:Available here


Overwrite people's files through IE3 with malicious forms
Description:MS Internet Exploder 3 will overwrite local files if the remote form asks it to.
Author:Andrew McNaughton <andrew@SQUIZ.CO.NZ>
Compromise:Malicious web page can overwrite files belonging to visitors who use M$ IE3
Vulnerable Systems:Microsoft Explorer version 3.0 PPC running on a mac, probably other IE3 versions.
Date:29 August 1997
Exploit & full info:Available here


Eggdrop set owner vulnerability
Description:Apparently some versions of eggdrop allow people with master access to become owner with .set owner <nick>. You can then do stuff like .tcl exec cat /etc/passwd
Author:-*- Chotaire -*- <chotaire@CHOTAIRE.NET>
Compromise:obtain complete access to account running eggdrop bot (if you have master access already)
Vulnerable Systems:Those running vulnerable versions of eggdrop (an IRC bot)
Date:29 August 1997
Exploit & full info:Available here


Linux setrlimit and sysctl integer overflows
Description:The setrlimit() Linux kernel call (up to 2.0.29) does a signed comparison only on the resource changes, which allows users to increase their resource limits by passing negative numbers. Also, a sysctl() problem allows generation of kernel faults by unprivileged users.
Author:Solar Designer <solar@FALSE.COM>
Compromise:bypass resource limits
Vulnerable Systems:Linux <= 2.0.29
Date:28 August 1997
Exploit & full info:Available here


syslogd spoofing
Description:remote syslogd uses udp and is easily spoofable, as Yuri demonstrates in this excellent paper. Also, there isn't an easy way to turn off remote listening from AIX boxes.
Author:Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise:spoof syslogd, add fake log messages, overflow it, etc.
Vulnerable Systems:Those that have syslogd listening for remote messages, AIX is especially vulnerable.
Date:27 August 1997
Exploit & full info:Available here


UNIX Oracle stores "system" account passwords in plaintext
Description:plaintext passwords are stored in $ORACLE_HOME/network/config/sql/add*_net.sql
Author:Markus Fleck <fleck@informatik.uni-bonn.de>
Compromise:With these plaintext passwords, database information can be manipulated
Vulnerable Systems:Those running Oracle 7.1, 7.2, and probably earlier versions
Date:24 August 1997
Notes:I like it when people send me security holes like this. I wish it would happen more often! <hint, hint, mail me>
Exploit & full info:Available here


Check for existence of files on systems running mountd
Description:Some mountd implementations apparently give different error messages depending on whether the mountpoint requested exists or not.
Author:Peter <deviant@UNIXNET.ORG>
Compromise:query for existence of arbitrary files (by name). This could help determine security flaws present on a remote system.
Vulnerable Systems:Those running vulnerable mountd. This includes at least some versions of AIX, Linux, *BSD, SunOS, Solaris, etc.
Date:24 August 1997
Exploit & full info:Available here


A perl eval error in majordomo allows remote execution of arbitrary commands
Description:A Perl eval() in Majordomo is not quite paranoid enough, allowing user commands to slip through with clever use of IFS.
Author:Razvan Dragomirescu <drazvan@KAPPA.RO>
Compromise:Run commands as whatever Majordomo runs as (often group daemon). (remote)
Vulnerable Systems:Those running a vulnerable version of majordomo
Date:24 August 1997
Exploit & full info:Available here


SPOOLSS.EXE memory leak
Description:DOS attack by remotely exploiting \\server\PIPE\SPOOLSS
Author:"Holas, Ondřej" <OHolas@EXCH.DIGI-TRADE.CZ>
Compromise:Stupid DOS attack
Vulnerable Systems:WindoZE machines such as NT
Date:21 August 1997
Notes:Holas' message comes first, then the exploit he mailed to me.
Exploit & full info:Available here


Overflow in bash's PS1 (promptline) and a neat overflow program
Description:An overflow in bash, but since it isn't setuid the repercussions aren't entirely clear. Maybe someone can find something useful to do with this. At a minimum, the "eggo" buffer overflow code ought to be useful.
Author:Razvan Dragomirescu <drazvan@kappa.ro>
Compromise:none (actually it might be able to get you out of some captive shells, and it might have other potential).
Vulnerable Systems:Those running bash 2.0 or earlier.
Date:21 August 1997
Exploit & full info:Available here


root bug in IRIX game spaceware
Description:Root hole in SpaceWare trackball software
Author:"J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
Compromise: root (local)
Vulnerable Systems:Presumably any system running spaceware 7.3 v1.0 (probably earlier). I don't know if it is IRIX specific. From the message it sounds like there are likely other holes in the program.
Date:20 August 1997
Exploit & full info:Available here


Write to arbitrary files (owned by your UID) from pine
Description:The Pine 3.95 & 3.96 attachment viewer will overwrite any file owned by the user running pine in his directory. You can put arbitrary data in this file. This "hole" is obviously only useful if Pine is being used as a restricted shell (there are numerous other problems with this, too).
Author:Jesse Brown <bextreme@POBOX.COM>
Compromise:break out of restricted pine "shell"
Vulnerable Systems:Systems offering pine 3.95 & 3.96 restricted accounts to untrusted users
Date:20 August 1997
Exploit &amp full info:Available here


DG/UX in.fingerd hole
Description:Apparently (and amazingly) current DG/UX ships with a finger daemon that allows remote users to pipe commands, i.e. you can 'finger "|/bin/id@host'. This is made worse because many of these systems apparently run in.fingerd as root (!).
Author:George Imburgia <gti@HOPI.DTCC.EDU>
Compromise: remotely run arbitrary programs with UID that is running in.fingerd. Sometimes this means you can remotely become root .
Vulnerable Systems:dgux, versions unknown.
Date:11 August 1997
Notes:If this is true it is rather pathetic!
Exploit &amp full info:Available here


lpr LIBC RETURN exploit
Description:Solar Designer has done it again! Here he proves the viability of overflow exploits returning into libc functions. He includes lpr and color_xterm exploits.
Author:Solar Designer <solar@FALSE.COM>
Compromise: root (local)
Vulnerable Systems:Systems running Linux with vulnerable lpr or color_xterm suid. Even if they have stack execution disabled in some cases.
Date:10 August 1997
Notes:Solar Designer is amazing! He comes through again with another neat proof-of-concept sploit.
Exploit &amp full info:Available here


*BSD procfs fork() mem device hole
Description:Under the *BSD proc filesystem, access to /proc/#/mem is controlled by the permissions on that file. Thus you can fork(), have the child exec something suid, and then modify the suid child's memory through /proc/#/mem.
Author:Brian Mitchell <brian@FIREHOUSE.NET>
Compromise: root (local)
Vulnerable Systems:FreeBSD 2.2.1, probably 3.x. OpenBSD 2.1-RELEASE. Possibly BSDI.
Date:10 August 1997
Exploit &amp full info:Available here


NT LSA secrets
Description:This program allows you to obtain various LSA secrets such as service passwords, cached password hashes of recent users, and a bunch of others.
Author:Paul Ashton <paul@ARGO.DEMON.CO.UK>
Compromise:The administrator (or someone who has hacked admin) of an NT box can find a lot of juicy information which M$ tried to hide.
Vulnerable Systems:Presumably just NT (4.0, maybe 3.51) boxes.
Date:9 August 1997
Exploit &amp full info:Available here


Trivial "encryption" (obfuscation) in ws_ftp.ini
Description:WS_FTP offers the facility for morons to store their ftp password to remote systems. It keeps this information in ws_ftp.ini in obfuscated form which is easy to decode. Additionally, some idiots have their ws_ftp.ini (including passwords) available on public internet ftp sites.
Author:Milosch Meriac <anotherPI@studbox.uni-stuttgart.de>
Compromise:Obtain cleartext passwords from ws_ftp.ini files
Vulnerable Systems:People who save passwords w/ws_ftp and keep the .ini file where it is accessible to others.
Date:9 August 1997
Notes:I have appended a simple program to "decrypt" the ini file.
Exploit &amp full info:Available here


The VERY popular imapd remote overflow
Description:A buffer overflow in popular imapd packages allows remote root access. This has been very widely exploited on the internet.
Author:I am not sure who discovered it, savage@apostols.org wrote the Linux/Intel exploit I have put first. I have appended another exploit to that.
Compromise: root ( remote ) (Ohhhh, shit!)
Vulnerable Systems:This exploit is for linux, but a lot of other systems using the vulnerable IMAP are susceptible.
Date:7 August 1997
Exploit &amp full info:Available here


Popper and qpopper symlink hole
Description:qpopper and popper use an insecure lockfile creation mechanism that allows you to read other people's mail.
Author:dynamo@IME.NET
Compromise:Read other people's mail when they fetch it via pop.
Vulnerable Systems:Those running vulnerable versions of popper and qpopper. Probably those below version 2.2
Date:7 August 1997
Exploit &amp full info:Available here


Block reserved ports with XFree86
Description:Unprivileged users can block reserved ports by using a high display number which wraps around the highest possible port (65535) and causes X to listen on a port below 1024.
Author:Willy TARREAU <tarreau@AEMIAIF.LIP6.FR>
Compromise:Block privileged ports
Vulnerable Systems:Those running XFree86 as an X-server. This probably most affects systems like Linux and {Open,Free,Net}BSD.
Date:6 August 1997
Exploit &amp full info:Available here


Vulnerability with -C in *IBM's* version of sendmail
Description:Supposedly, /usr/lib/sendmail -C <anyfile> will display the specified file regardless of its permissions. This is also true of versions of sendmail prior to 8.8.7 if they are installed setgid. They shouldn't be setgid, but an errant makefile sets them that way.
Author:"DI. Dr. Klaus Kusche" <Klaus.Kusche@OOE.GV.AT>
Compromise:Read files beyond your permissions.
Vulnerable Systems:the IBM sendmail on AIX 4.1.5 and sendmail prior to 8.8.7 which is installed setgid.
Date:6 August 1997
Notes:A post from Troy Bollinger at IBM clarified that you have to be in the "system" group (gid 0) in order to use the -C trick. This limits the exploit potential A LOT! Also, A post by Eric Allman is appended to Dr. Kusche's post.
Exploit &amp full info:Available here


SGI NIS Domain Name disclosure
Description:In what seems to be YET ANOTHER stupid SGI bug, the system is "nice" enough to create a "home page" for new users in public_html/index.html (or public_html/index.html.N if they already have an index.html). The problem is that this file often discloses the NIS domain name of the host, which obviously has serious repercussions.
Author:Joerg Kuemmerlen <joku@BTGIX8.BGI.UNI-BAYREUTH.DE>
Compromise:Leak of the NIS domain name.
Vulnerable Systems:SGI O2 machines, presumably IRIX 6.3, 6.4
Date:5 August 1997
Exploit &amp full info:Available here


Internet Explorer keeps a record of every page you've visited since it was installed!
Description:*.DAT files in the Win95/NT "Temporary Internet Files" directory store every move you make on the web.
Author:From something called "technet"
Compromise:Huge potential privacy violation if you can get physical access to a computer running IE. Also some URLs have access information encoded in them.
Vulnerable Systems:Those running M$ Internet Explorer 4.0 or earlier. Mostly W95/NT boxes.
Date:5 August 1997
Notes:Apparently %SystemRoot%\History also contains .DAT files with the same information. Asking IE to clear the cache doesn't eliminate this, see the post in the addendum.
Exploit &amp full info:Available here


Hole in the *BSD implementation of rfork()
Description:The rfork() system call allows the creation of a new process which can share its file descriptor table with its parent. Unfortunately a suid program exec'd by the child still shares those descriptors with the parent! The implications are rather obvious (and scary).
Author:"Thomas H. Ptacek" <tqbf@enteract.com>, Danny Dulai
Compromise:local; a suid program exec'd by the rfork() child runs with descriptors the unprivileged parent can still manipulate
Vulnerable Systems:All 4.4BSD operating systems, including OpenBSD 2.1, FreeBSD 3.0, possibly
Date:2 August 1997
Notes:This is another kick-ass advisory! Will CERT ever realize the benefits of providing details and offering credit where it is due??? Also note that plan9 is NOT vulnerable.
Exploit &amp full info:Available here


SSH localforward vulnerability
Description:SSH forgets to check that a user is root before forwarding privileged ports as directed by the user's ~/.ssh/config. This could cause a number of very serious security holes.
Author:Kristof Van Damme <aeneas@sesuadra.org>
Compromise:Redirect privileged ports to arbitrary ports on other (or the same) hosts.
Vulnerable Systems:Anything running ssh 1.2.20 (probably earlier versions too).
Date:2 August 1997
Notes:Also note that some implementations of sshd will allow you to give a port number like 65616, which is really port 80 once it is stored in a 2-byte unsigned short and wraps around. And remember that in some cases you can fool these things by giving them a negative number, but fortunately ssh catches that (albeit probably accidentally, with its (port < 1024) check).
Exploit &amp full info:Available here
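Added example (editor's code, not from the page, from ssh or from XFree86) covering both the XFree86 display-number entry above and the 65616 note on this one: a requested port number is checked as a long but used as a 16-bit unsigned short, so a range check done before the truncation lets 65616 through and then binds port 80. The x_listen_port() model (6000 + display, stored in 16 bits) is the editor's assumption about how the X wrap works, not code from XFree86.

```c
#include <stdio.h>

/* What a requested port becomes once stored in the 16-bit unsigned short
 * used by the socket API: 65616 -> 80, -1 -> 65535. */
unsigned short wire_port(long requested)
{
    return (unsigned short)requested;
}

/* The check as the page describes it, applied to the untruncated request:
 * 65616 is not < 1024 so it is allowed, yet it binds port 80 after
 * truncation. A negative request is caught, but only by accident. */
int naive_check_allows(long requested)
{
    return !(requested < 1024);
}

/* Correct order: reject anything outside 1..65535 before any cast, then
 * test the value that will really be used. */
int strict_check_allows(long requested)
{
    if (requested < 1 || requested > 65535)
        return 0;
    return wire_port(requested) >= 1024;
}

/* XFree86 listens on TCP 6000 + display (assumed model); the sum is stored
 * in 16 bits, so displays 59536..60559 land on ports 0..1023. */
unsigned short x_listen_port(long display)
{
    return wire_port(6000L + display);
}

int main(void)
{
    long samples[] = { 22, 8080, 65616, -1, 131152 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("request %7ld -> wire port %5u  naive:%-5s strict:%s\n",
               samples[i], wire_port(samples[i]),
               naive_check_allows(samples[i]) ? "allow" : "deny",
               strict_check_allows(samples[i]) ? "allow" : "deny");
    printf("X display 59616 would listen on port %u\n", x_listen_port(59616));
    return 0;
}
```

The same pattern shows up wherever a wider integer is range-checked and then narrowed; check the narrowed value, not the request.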


Another stupid SGI hole
Description:By default SGIs (IRIX 6.3, probably 6.4) will take files of type application/x-sgi-exec or application/x-sgi-task and allow them to run /usr/sysadm commands. Thus you can put a malicious file on your web page and hack root on SGI boxes that connect to it.
Author:Arthur Hagen <art@kether.global-one.no>
Compromise:Trojan a webpage to gain access to the accounts of SGI users who visit it.
Vulnerable Systems:SGI IRIX 6.3, probably 6.4
Date:1 August 1997
Exploit &amp full info:Available here


WINS nameservice (137/UDP) flood DOS attack
Description:You can take out WINS service by sending random shit to 137/udp NETBIOS Name Service. Of course, this is true of most Micro$oft services.
Author:"Holas, Ondřej" <OHolas@EXCH.DIGI-TRADE.CZ>
Compromise:Stupid DOS attack
Vulnerable Systems:Windows systems (NT 4.0, probably 3.5 and Win95) that aren't protected by a firewall/packet filter that blocks 137/udp.
Date:1 August 1997
Exploit &amp full info:Available here


Remote INND buffer overflow exploit
Description:Standard overflow, nice exploit
Author:Method <method@arena.cwnet.com>
Compromise:root (remote)
Vulnerable Systems:Systems running INND versions < 1.6, the exploit seems to be for Linux x86
Date:1 August 1997
Exploit &amp full info:Available here


mSQL overflow and poor hostname authentication checks
Description:mSQL has several buffer overflows which allow intruders to remotely execute arbitrary code. msql2d and msqld are the specific vulnerable programs. Also, mSQL doesn't do a forward lookup after resolving an IP address to a hostname, so it is trivial to spoof authentication by having your DNS return the hostname of an authorized host.
Author:"Secure Networks Inc." <sni@SILENCE.SECNET.COM>
Compromise:run arbitrary commands remotely. Spoof access to an mSQL server.
Vulnerable Systems:Those running the mSQL server software, msqld or msql2d. Version 2.0 is vulnerable, probably earlier versions.
Date:27 July 1997
Exploit &amp full info:Available here


Overflow in Mailhandler 6.8.3
Description:The suid MH-6.8.3 package has several buffer overflow bugs (among other holes). Also some BSD ruserpass() libc functions have the same hole.
Author:Matt Conover <shok@COBRA.ONLINEX.NET>
Compromise: root (local)
Vulnerable Systems:Redhat Linux 4.1, although you may have to specifically enable something. Also old versions of the *BSD libc function ruserpass().
Date:26 July 1997
Notes:I appended Alan Cox's post about *BSD ruserpass() to the end. I also put some new information from Matt Conover (who sent the original post) in the addendum.. Also note that the vulnerable programs are bbc,inc,mhn,msgchk, and popi. Redhat's package mh-6.8.3-13.i386.rpm installs /usr/bin/mh/inc and /usr/bin/mh/msgchk suid ROOT.
Exploit &amp full info:Available here


request-route script tempfile symlink problem.
Description:The request-route script which is used with kerneld has a serious symlink /tmp file vulnerability. It always uses /tmp/request-route as its lockfile, so you don't even have to predict anything!
Author:Nicolas Dubee <dube0866@EUROBRETAGNE.FR>
Compromise:It is pretty easy to become root on vulnerable hosts.
Vulnerable Systems:Those linux boxes with kerneld/request-route set up. Redhat 4.1 and 3.0.3 are vulnerable if the sysadmin has installed this.
Date:26 July 1997
Exploit &amp full info:Available here


NT file execution path
Description:NT has a HORRIBLY insecure path, and there is nothing you can do about it!
Author:Jeremy Allison <jallison@WHISTLE.COM> quotes some M$ documentation which confirms the ugly rumors.
Compromise:Can you say TROJAN HORSE!
Vulnerable Systems:Windoze NT 4.0, probably earlier.
Date:25 July 1997
Exploit &amp full info:Available here


Solaris dtlogin core vulnerability
Description:Dtlogin apparently explicitly sets its umask to 027, and when it dumps core it can leave both encrypted and UNENCRYPTED passwords of remote users available via 'strings'.
Author:Arve Kjoelen <akjoele@SIUE.EDU>
Compromise:Narf passwords from dtlogin /core
Vulnerable Systems:Solaris 2.5.1 CDE with vulnerable dtlogin.
Date:24 July 1997
Exploit &amp full info:Available here


NT chargen flood DOS
Description:Systems with the Simple TCP/IP Services installed will respond to broadcast UDP datagrams sent to the subnet broadcast address. You could presumably use this to attack someone else (by using your target's source address in the broadcast) or take down the NT network by having the source be port 19 of the same broadcast address.
Author:Unknown
Compromise:stupid DOS attack
Vulnerable Systems:Micro$oft NT with the Simple TCP/IP services installed. M$ has a post-SP3 fix available.
Date:23 July 1997
Exploit &amp full info:Available here


Expect password spy vulnerability
Description:Expect is frequently used to automate login sessions, and it is possible to spy on the information transferred through it (often passwords).
Author:Austin Schutz <tex@COLLEGENET.COM>
Compromise:Gather authentication information passed through expect.
Vulnerable Systems:Those running expect 5.14, probably older and newer versions too.
Date:22 July 1997
Exploit &amp full info:Available here


AIX /usr/sbin/lchangelv overflow
Description:Standard buffer overflow
Author:"Bryan P. Self" <bryan@SCOTT.NET> ( BeastMaster V)
Compromise:gid or egid system -> root
Vulnerable Systems:AIX 4.x (at least 4.2). PowerPC platform.
Date:21 July 1997
Exploit &amp full info:Available here


AIX /usr/bin/X11/xlock exploit
Description:standard overflow
Author:Well known vulnerability, but "Bryan P. Self" <bryan@SCOTT.NET> posted the exploit for it.
Compromise: root (local)
Vulnerable Systems:AIX 4.x PowerPC architecture
Date:21 July 1997
Exploit &amp full info:Available here


Exim ~/.forward :include: overflow
Description:Standard buffer overflow.
Author:djb@koobera.math.uic.edu (D. J. Bernstein)
Compromise: root (local)
Vulnerable Systems:Anything running exim 1.62 (probably earlier). This exploit is for BSD/OS
Date:21 July 1997
Exploit &amp full info:Available here


AIX ping overflow
Description:standard overflow, AIX 4.2/PPC ping
Author:"Bryan P. Self" <bryan@SCOTT.NET>
Compromise: root (local)
Vulnerable Systems:AIX 4.2, exploit for PPC platform
Date:21 July 1997
Exploit &amp full info:Available here


Routed broadcast ping DOS attack
Description:If you spoof a PING packet FROM your target and TO the subnet-wide broadcast address of another network, you can flood your target with all the ICMP echo replies from the hosts on the broadcast subnet.
Author:Edward Henigin <ed@texas.net>
Compromise:Stupid DOS attack
Vulnerable Systems:everybody (minimized if your provider filters out ICMP upstream, which causes major problems of its own).
Date:19 July 1997
Notes:In the addendum you'll find Tfreak's original "smurf" code for exploiting this, as well as Jimbo Bahooli's port to *BSD. I also put a UDP version by T. Freak in the addendum. Also, my program nmap will locate these evil addresses on your network with the ping (-P) scan
Exploit &amp full info:Available here


ld-linux.so.1.9.2 overflow
Description:Error handling code in ld.so has a buffer overflow problem. This exploit uses LD_PRELOAD to get by various problems with other methods.
Author:Was originally a KSR[T] Advisory (#2), exploit written by Dan McGuirk <mcguirk@INDIRECT.COM>
Compromise: root (local)
Vulnerable Systems:Linux boxes running ld-linux.so.1.9.2. Various people have suggested that the solaris /usr/lib/libdl.so may have a similar vulnerability. If anyone has any info on this, please mail me.
Date:19 July 1997
Notes:I've put another exploit in the addendum
Exploit &amp full info:Available here


JavaWebServer viewable source bug
Description:You can view the source of .jhtml files by appending a '.' or '\' to their name, e.g. http://target.com/authenticate.jhtml. (note the trailing dot).
Author:Brian Krahmer <brian@KRAHMER.COM>
Compromise:View the source code of .jhtml files which in some cases should be secret
Vulnerable Systems:Those running vulnerable versions of JavaWebServer for win32
Date:16 July 1997
Exploit &amp full info:Available here


campus cgi hole
Description:A hole very similar to the standard phf hole allows people to execute arbitrary commands through the campus cgi.
Author:Francisco Torres <ftorres@CASTOR.JAVERIANA.EDU.CO>
Compromise:Execute arbitrary commands remotely as the owner of the cgi-running process (commonly nobody or daemon).
Vulnerable Systems:Those running a vulnerable version of the campus cgi. Version 1.2 is vulnerable. It may be distributed with the NCSA server.
Date:15 July 1997
Exploit &amp full info:Available here


L0phtcrack 1.5 Lanman / NT password hash cracker
Description:The Lanman password hash is used by NT for authenticating users locally and over the network (MS service packs are now out that allow a different method in both cases). L0phtcrack can brute-force these hashes (taken from network logs or programs like pwdump) and recover the plaintext password. l0phtcrack 1.5 also breaks the new NT style password hashes.
Author:Mudge <mudge@l0pht.com>
Compromise:Compromise account passwords (remotely, if you can sniff a server challenge and the client's response).
Vulnerable Systems:NT 4.0, 3.51. I believe NT4 Service Pack 3 SYSKEY fix will defeat pwdump style utilities. MS also has a fix out to disable Lanman authentication over the network, but this breaks compatibility w/W95 and 3.11.
Date:12 July 1997
Notes:First comes a very interesting message from mudge about M$ "authentication", then comes the readme file for l0phtcrack 1.5. Next comes the source distribution in uuencoded form. You can get executables at their webpage, www.l0pht.com.
Exploit &amp full info:Available here


Overflow in solaris passwd (and yppasswd and nispasswd)
Description:Standard overflows
Author:Cristian SCHIPOR (skipo@SUNDY.CS.PUB.RO)
Compromise: root (local)
Vulnerable Systems:Solaris 2.X, including 2.4 and 2.5
Date:12 July 1997
Notes:I somehow missed this in my collection, thanks to the fellow (who wishes to be anonymous) who reminded me of this beauty!
Exploit &amp full info:Available here


WebGais forgot to strip single quotes in query string ... Oops!
Description:Webgais takes a query string, and quotes it in the perl code. But you can just close the quotes yourself, as it doesn't strip them from your query!
Author:Razvan Dragomirescu <drazvan@KAPPA.RO>
Compromise:run arbitrary commands remotely as the owner of the cgi running process.
Vulnerable Systems:Anything running a vulnerable version of WebGais
Date:10 July 1997
Notes:Remember to change the email address in the exploit!
Exploit &amp full info:Available here


NT fragmentation attack
Description:A flaw in the NT fragment reassembly algorithm allows you to smuggle packets to NT boxes through packet-filtering firewalls. You "hide" the TCP header in an offset IP fragment and just neglect to send the first (zero offset) packet. NT (Pre-SP3) will still happily reassemble your packet, placing the fragment with the lowest-offset at the front.
Author:Thomas Lopatic
Compromise:Talk to NT boxes behind packet-filtering firewalls
Vulnerable Systems:NT 4.0 w/o SP3 installed, and probably 3.51
Date:10 July 1997
Notes:I *LOVE* this advisory. Fully detailed ... includes source code so I don't have to spend 5 hours reproducing this. Thanks Thomas!
Exploit &amp full info:Available here
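Added example (editor's code, not Lopatic's advisory code and not NT's reassembly code) of the reassembly flaw described above: a packet filter can only inspect the transport header in the fragment with offset 0, so a fragment set that never contains offset 0 goes through unexamined, and a reassembler that treats the lowest offset seen as the start of the datagram happily builds a packet with the smuggled TCP header at the front. The filter policy (block TCP destination port 23), the 20-byte header layout used in the sample fragments and the two sample fragment sets are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define DGRAM_MAX 2048

struct frag {
    unsigned offset;            /* IP fragment offset, in 8-byte units */
    int more;                   /* MF flag: 1 unless this is the last fragment */
    const unsigned char *data;
    size_t len;
};

/* Filter that can only see the TCP header in the offset-0 fragment; every
 * other fragment is passed unexamined. Policy (constructed): block dport 23. */
int filter_passes(const struct frag *f)
{
    if (f->offset != 0)
        return 1;
    if (f->len < 4)
        return 0;
    return (((unsigned)f->data[2] << 8) | f->data[3]) != 23;
}

/* Copy each fragment to (offset - base) * 8; -1 on a fragment below base or
 * past the buffer, otherwise the reassembled length. */
static long place(const struct frag *f, size_t n, unsigned base,
                  unsigned char *out, size_t cap)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (f[i].offset < base)
            return -1;
        size_t start = (size_t)(f[i].offset - base) * 8;
        if (start + f[i].len > cap)
            return -1;
        memcpy(out + start, f[i].data, f[i].len);
        if (start + f[i].len > total)
            total = start + f[i].len;
    }
    return (long)total;
}

/* Pre-SP3 behaviour as the advisory describes it: the lowest offset seen
 * becomes the front of the datagram, even when it is not offset 0. */
long reassemble_lenient(const struct frag *f, size_t n, unsigned char *out, size_t cap)
{
    if (n == 0)
        return -1;
    unsigned base = f[0].offset;
    for (size_t i = 1; i < n; i++)
        if (f[i].offset < base)
            base = f[i].offset;
    return place(f, n, base, out, cap);
}

/* Fixed behaviour: require an offset-0 fragment, a last fragment, and
 * gap-free coverage from byte 0; anything else is not a datagram. */
long reassemble_strict(const struct frag *f, size_t n, unsigned char *out, size_t cap)
{
    unsigned char covered[DGRAM_MAX] = {0};
    int have_first = 0, have_last = 0;
    if (cap > DGRAM_MAX)
        cap = DGRAM_MAX;
    for (size_t i = 0; i < n; i++) {
        if (f[i].offset == 0) have_first = 1;
        if (!f[i].more)       have_last = 1;
    }
    if (!have_first || !have_last)
        return -1;
    long total = place(f, n, 0, out, cap);
    for (size_t i = 0; total >= 0 && i < n; i++)
        memset(covered + f[i].offset * 8, 1, f[i].len);
    for (long b = 0; b < total; b++)
        if (!covered[b])
            return -1;
    return total;
}

/* Constructed sets. smuggled: one fragment at offset 1 carrying a 20-byte TCP
 * header to port 23, offset 0 never sent. legit: two fragments to port 80. */
static const unsigned char smuggled_hdr[20] = { 0x04, 0x00, 0x00, 0x17 };
static const struct frag smuggled[] = { { 1, 0, smuggled_hdr, 20 } };
static const unsigned char legit_hdr[8] = { 0x04, 0x00, 0x00, 0x50 }, legit_rest[12] = { 0 };
static const struct frag legit[] = { { 0, 1, legit_hdr, 8 }, { 1, 0, legit_rest, 12 } };

int set_passes_filter(const struct frag *f, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!filter_passes(&f[i]))
            return 0;
    return 1;
}

static unsigned char dgram[DGRAM_MAX];
long smuggled_lenient_len(void) { return reassemble_lenient(smuggled, 1, dgram, sizeof dgram); }
long smuggled_strict_len(void)  { return reassemble_strict(smuggled, 1, dgram, sizeof dgram); }
long legit_strict_len(void)     { return reassemble_strict(legit, 2, dgram, sizeof dgram); }
/* dport found at the front of the leniently reassembled smuggled datagram */
unsigned smuggled_front_dport(void)
{
    return smuggled_lenient_len() < 4 ? 0 : (((unsigned)dgram[2] << 8) | dgram[3]);
}

int main(void)
{
    printf("filter passes smuggled set: %d\n", set_passes_filter(smuggled, 1));
    printf("lenient: len %ld, front dport %u\n", smuggled_lenient_len(), smuggled_front_dport());
    printf("strict:  smuggled %ld, legit %ld\n", smuggled_strict_len(), legit_strict_len());
    return 0;
}
```

The strict version also gives a filter something to enforce: drop any fragment with offset 1 (the one that would overwrite the ports of a real first fragment) and require offset-0 fragments to carry a whole transport header.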


Overflows in libxview
Description:Standard environment variable buffer overflows
Author:Nicolas Dubee <dube0866@EUROBRETAGNE.FR>
Compromise: root (local)
Vulnerable Systems:Those running X11 and xview 3.2p1.4, all older 3.x verified, probably earlier ones vulnerable.
Date:10 July 1997
Exploit &amp full info:Available here


snprintf(3c) redefined by libdb-1.85.4
Description:This idiotic library redefines snprintf() and vsnprintf() to ignore the length parameter! Thus any programs which use *nprintf() for bounds checking and link to libdb.so can be subverted! Sendmail may very well be vulnerable.
Author:Thomas Roessler <roessler@guug.de>
Compromise:subvert programs which use libdb.so
Vulnerable Systems:Linux programs using libdb.so.1.85.4, as well as other versions.
Date:8 July 1997
Exploit &amp full info:Available here
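Added example (editor's code; not libdb's, sendmail's or Roessler's) of the check a practitioner wants after reading the entry above: a runtime self-test that the snprintf a binary actually linked against honours its length argument. The unbounded_snprintf() below is a stand-in constructed to behave the way the page says the libdb replacement did (it drops the length and formats unbounded); it is not libdb code.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

typedef int (*snprintf_fn)(char *, size_t, const char *, ...);

/* Constructed stand-in for the behaviour described on the page: a
 * "snprintf" whose length argument is ignored. */
int unbounded_snprintf(char *buf, size_t n, const char *fmt, ...)
{
    va_list ap;
    int r;
    (void)n;                          /* the bound is thrown away */
    va_start(ap, fmt);
    r = vsprintf(buf, fmt, ap);
    va_end(ap);
    return r;
}

/* Format 32 bytes into an 8-byte window at the start of a canary-filled
 * arena and verify that the window is NUL-terminated and nothing beyond it
 * was touched. Returns 1 if fn respects its bound, 0 if it overruns. */
int snprintf_honours_bound(snprintf_fn fn)
{
    enum { ARENA = 64, WINDOW = 8 };
    char arena[ARENA];
    const char *input = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 32 chars */

    memset(arena, 'C', ARENA);
    fn(arena, WINDOW, "%s", input);

    if (arena[WINDOW - 1] != '\0')    /* bounded output ends inside the window */
        return 0;
    for (size_t i = WINDOW; i < ARENA; i++)
        if (arena[i] != 'C')          /* canary bytes must be intact */
            return 0;
    return 1;
}

int main(void)
{
    printf("libc snprintf honours its bound:   %d\n", snprintf_honours_bound(snprintf));
    printf("unbounded replacement honours it:  %d\n", snprintf_honours_bound(unbounded_snprintf));
    return 0;
}
```

Calling snprintf_honours_bound(snprintf) at startup of a setuid program that links extra libraries is cheap; a 0 means some library on the link line has replaced the symbol.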


SunOS 4.x overflows! This example is for xterm
Description:Willy has created SunOS 4.x buffer overflow code, and gives the appended example, which overflows the X libraries.
Author:Willy TARREAU <tarreau@AEMIAIF.LIP6.FR>
Compromise: root (local)
Vulnerable Systems:SunOS 4.x for this particular exploit. Many other systems are vulnerable (see my other pages on the topic).
Date:8 July 1997
Notes:This is in uuencoded form. Be sure to copy & paste, don't save as a file because it has html codez in it.
Exploit &amp full info:Available here


NT case insensitive filename problems
Description:You can create trojan directories in all lowercase, which will in some cases be accessed before the mixed-case directories and files NT likes to create.
Author:Paul Ashton <paul@ARGO.DEMON.CO.UK>
Compromise:This has the potential to cause an administrator level compromise.
Vulnerable Systems:Windoze NT 4.0
Date:4 July 1997
Notes:Paul Ashton also suggested the idea of creating a trojan parallel Help directory, with hard links to all the original Help files, except one could call a special DLL to compromise NT. Also note that the POSIX subsystem doesn't need to be installed. You can create files of the same name but different case by calling the Win32 function CreateFile() with the FILE_FLAG_POSIX_SEMANTICS flag specified (also noted by Paul Ashton).
Exploit &amp full info:Available here


websendmail cgi hole
Description:websendmail, a cgi-bin that comes with WEBgais, doesn't make any real attempts to check its input in some cases. Thus you can execute arbitrary commands.
Author:Razvan Dragomirescu <drazvan@kappa.ro>
Compromise:Run arbitrary commands as the user who owns the webserver cgi process. (remote)
Vulnerable Systems:Any running an unpatched version of websendmail in their cgi directory.
Date:4 July 1997
Exploit &amp full info:Available here


The ever popular getadmin exploit
Description:Someone posted this executable to several newsgroups. It allows any normal user to join the administrator group! Woop! M$ tried to fix the bug, but, not surprisingly, their hotfix didn't help.
Author:Konstantin Sobolev
Compromise:Become administrator on a NT box
Vulnerable Systems:NT 4.0, I think service pack 3 must be installed.
Date:4 July 1997
Notes:First I give the source to the program, then the source to the program which works even after the hotfix. Then I give the uuencoded getadmin.zip which was posted to the newsgroups.
Exploit &amp full info:Available here


Another BSD & Linux lpr overflow
Description:Standard overflow. Is this the same as the earlier ones? They did lpr -C <overflow-code>, while this just does lpr <overflow code>. Well, I'll include it incase they are different.
Author:a42n8k9 <a42n8k9@REDROSE.NET>
Compromise: root (local)
Vulnerable Systems:Linux 2.0.0, BSD 4.4 is also vulnerable, although you obviously need a new exploit.
Date:4 July 1997
Exploit &amp full info:Available here


Glimpse HTTP inadequate evil char filter
Description:Glimpse HTTP, a web interface to the Glimpse search program, doesn't adequately check its input for evil characters. By tricking it into opening a pipe instead of a file, you can remotely execute arbitrary commands on the server.
Author:Razvan Dragomirescu <drazvan@kappa.ro>
Compromise:Execute arbitrary commands on a server running Glimps HTTP (remote).
Vulnerable Systems:Anything running a vulnerable and unmodified version of Glimpse HTTP. Runs on most systems.
Date:2 July 1997
Notes:Razvan Dragomirescu claims that he is getting "angry" at all the idiots who send him passwd files by not modifying his example exploit. But *I* wouldn't mind! So I've modified the exploit to use my address instead of his. DON'T FORGET TO CHANGE IT!
Exploit &amp full info:Available here


ircd overflow DOS
Description:You can overflow the third argument to the SERVER irc command, and crash IRC servers. With all the lamer wannabe hackers on IRC, I would hope this is already fixed on all servers of any consequence.
Author:Aaron Campbell <aaron@UG.CS.DAL.CA> wrote the exploit
Compromise:Stupid DOS attack
Vulnerable Systems:Those running ircd2.8.21 and probably older versions.
Date:2 July 1997
Exploit &amp full info:Available here


Linux smbmount buffer overflow
Description:Standard overflow ...
Author:Gerald Britton <gbritton@NIH.GOV>
Compromise:root, but only if smbmount is suid root (it isn't suid at all in Redhat Linux).
Vulnerable Systems:Linux systems that use default source distributions, probably other linux distributions.
Date:27 June 1997
Exploit &amp full info:Available here


Many RAS Service packet filtering rules are insecure.
Description:Because it has no notion of an established connection, allowing a connection often requires two rules to specify the allowed source and destination ports. But allowing data back from, say, port 25 to permit outgoing mail also allows a malicious attacker to come in from a source port of 25, even though you never initiated a connection with that host.
Author:Russ <Russ.Cooper@RC.ON.CA>
Compromise:Bypass silly NT packet filters (when will people learn not to use NT as a firewall????)
Vulnerable Systems:Windows NT running the Routing and RAS Service (Steelhead)
Date:26 June 1997
Exploit &amp full info:Available here
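Added example (editor's code, not from the page and not from NT's RAS filter) of the rule pair described above and of the classic stateless mitigation: the "return traffic" rule also requires the ACK flag, so a connection-opening SYN from source port 25 is refused while replies to connections we opened still pass. The packets are constructed for the example; only a filter that tracks connections can do better than the ACK check.

```c
#include <stdio.h>

struct pkt {
    int inbound;            /* 1 = arriving from the outside */
    unsigned sport, dport;
    int syn, ack;           /* TCP flags */
};

/* The two rules the page describes for outbound SMTP on a filter with no
 * connection state: (1) out to port 25 from a high port, (2) back from
 * port 25 to a high port. Nothing ties rule 2 to a connection we opened. */
int stateless_allows(const struct pkt *p)
{
    if (!p->inbound && p->dport == 25 && p->sport >= 1024)
        return 1;
    if (p->inbound && p->sport == 25 && p->dport >= 1024)
        return 1;
    return 0;
}

/* Same rules, but the return rule also demands ACK: a SYN without ACK is
 * a new connection and is refused regardless of its source port. */
int ack_required_allows(const struct pkt *p)
{
    if (!p->inbound && p->dport == 25 && p->sport >= 1024)
        return 1;
    if (p->inbound && p->sport == 25 && p->dport >= 1024 && p->ack)
        return 1;
    return 0;
}

/* Constructed packets. */
static const struct pkt smtp_open       = { 0, 40000, 25, 1, 0 };   /* our client's SYN */
static const struct pkt smtp_reply      = { 1, 25, 40000, 1, 1 };   /* server's SYN/ACK */
static const struct pkt probe_from_25   = { 1, 25, 8080, 1, 0 };    /* attacker's SYN, sport 25 */
static const struct pkt unrelated_probe = { 1, 4444, 8080, 1, 0 };

int main(void)
{
    const struct pkt *all[] = { &smtp_open, &smtp_reply, &probe_from_25, &unrelated_probe };
    const char *names[] = { "smtp_open", "smtp_reply", "probe_from_25", "unrelated_probe" };
    for (int i = 0; i < 4; i++)
        printf("%-16s stateless:%d ack-required:%d\n", names[i],
               stateless_allows(all[i]), ack_required_allows(all[i]));
    return 0;
}
```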


ULTRIX 4.4 dxterm file linking hole
Description:dxterm, which is suid root, allows the user to specify a file to log output to. Unfortunately it will follow a hardlink to append your stuff to files you shouldn't be able to write to.
Author:Trevor Schroeder <tschroed@CHEETAH.WSC.EDU>
Compromise: root (local)
Vulnerable Systems:Ultrix 4.4, probably 4.5
Date:26 June 1997
Exploit &amp full info:Available here


Ascend MAX 4000 IP address theft flaw
Description:The Ascend MAX 4000 software (4.x up to at least 5.0Ap8) has a bug which allows any user to request any IP address they want.
Author:Joe Shaw <jshaw@INSYNC.NET>
Compromise:Use of an unauthorized IP address.
Vulnerable Systems:Ascend MAX 4000 series with at least 4.x and 5.0Ap13 versions.
Date:26 June 1997
Exploit &amp full info:Available here


Solaris local ping DOS attack
Description:You can reboot solaris boxes with ping -sv -i 127.0.0.1 224.0.0.1
Author:Adam Caldwell <adam@ATL.ENI.NET>
Compromise:Stupid DOS attack, plus you need to be a local user.
Vulnerable Systems:Apparently all versions of Solaris up to (but not including) 2.6
Date:26 June 1997
Exploit &amp full info:Available here


4.4BSD procfs hole
Description:A bug in the procfs filesystem code allows people to modify the (privileged) init process and reduce the system securelevel.
Author:Alex Nash, exploit by Tim Newsham
Compromise:Lower the securelevel kernel variable, allowing you to bypass certain restrictions, like the filesystem immutable flag.
Vulnerable Systems:4.4BSD including OpenBSD 2.0 and 2.1, FreeBSD, NetBSD, probably BSDI.
Date:24 June 1997
Notes:If only all security advisories contained exploit code, the world would be a safer place!
Exploit &amp full info:Available here


Linux imapd remote overflow
Description:Apparently a remote buffer overflow of imapd for linux. I think this is sort of old, and many other systems are affected.
Author:Akylonius (aky@galeb.etf.bg.ac.yu)
Compromise: root (remote)
Vulnerable Systems:The exploit is for Linux, but I believe that many systems using older IMAP daemons are vulnerable.
Date:24 June 1997 was when this was posted, but I think this is much older
Exploit &amp full info:Available here


Obtain unauthorised list of mailing lists from majordomo 1.94.1
Description:Majordomo 1.94.1 allows you to disable the 'lists' command, but people can still obtain it by 'unsubscribe * jdoe@fairy.net' and getting an unsubscribe failure for every list.
Author:The Spectre <spectre@NAC.NET>
Compromise:obtain unauthorised data from majordomo list server.
Vulnerable Systems:Anything running unpatched majordomo 1.94.1, possibly other versions.
Date:23 June 1997
Exploit &amp full info:Available here


Obtain an interactive shell through lynx
Description:It is possible to obtain an interactive shell via special LYNXDOWNLOAD URLs. This is a big security hole for sites that use lynx "guest accounts" and other public services.
Author:Unknown
Compromise:run unauthorized arbitrary commands
Vulnerable Systems:Sites trying to keep visitors captive in a lynx session.
Date:23 June 1997
Exploit &amp full info:Available here


M$ IIS DOS long URL vulnerability
Description:If you send a specially formatted URL of about 8K to IIS, you can crash the server
Author:Todd Fast (loser) found the bug, and Andrea Arcangeli <arcangeli@mbox.queen.it> ported the exploit to gcc.
Compromise:Stupid DOS attack
Vulnerable Systems:Anything running unpatched M$ IIS, mostly just NT.
Date:21 June 1997
Notes:The exploit is appended to the "advisory" cruft. Don't check his website, these details and the code have been removed.
Exploit &amp full info:Available here


Inetd udp port spoofing DOS attack
Description:This has been very well known for a long time, it even had a CERT advisory quite a while ago. Yet Willy seems to have just found it. Here is the code he sent.
Author:Willy TARREAU <tarreau@AEMIAIF.IBP.FR>
Compromise:Stupid DOS attack
Vulnerable Systems:Netware, Most UNIX variants with shitty admins who don't properly close these trivial UDP services.
Date:21 June 1997 was when this message was sent, but it is really an *OLD* bug.
Exploit &amp full info:Available here


B-DASH 0.31 $HOME overflow
Description:Standard pathetic suid-for-svgalib-totally-insecure application overflow.
Author:Nicolas Dubee <dube0866@EUROBRETAGNE.FR>
Compromise: root (local)
Vulnerable Systems:Mostly old versions of Linux. Possibly current Slackware. Anything with B-DASH v0.31
Date:21 June 1997 was when he posted his OLD exploit, ignore the date in the header, it is bogus.
Exploit &amp full info:Available here


BSDI 3.0 symlink hole
Description:BSDI 3.0 apparently allows you to cause a core dump, and the core file will overwrite whatever you symlink it to.
Author:Stacey Son <sson@ISERVER.COM> and Ariel Biener <ariel@FIREBALL.TAU.AC.IL>
Compromise: root (local)
Vulnerable Systems:BSDI 3.0, other versions don't seem to be affected.
Date:20 June 1997
Exploit &amp full info:Available here


IRIX fails to correctly patch /cgi-bin/handler exploit
Description:In an apparent attempt to prevent breakins through the common handler cgi technique, SGI changed the code. It now checks the end of the string for a pipe (trying to make sure perl opens the file as a plain file), but you can still get away with putting tabs after the pipe to hide it.
Author:Razvan Dragomirescu <drazvan@kappa.ro>
Compromise:remotely run commands through this pathetic CGI
Vulnerable Systems:IRIX 6.3 and 6.4, the older versions are vulnerable to an even easier version of the same problem.
Date:19 June 1997
Exploit &amp full info:Available here
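Added example (editor's code, not SGI's handler, not Dragomirescu's exploit) of why the trailing-pipe check above fails and what to do instead; the same lesson applies to the Glimpse HTTP and websendmail entries further down, which also hand user input to an open() that can select a pipe. perl_opens_pipe() is a model of perl's documented two-argument open() behaviour (leading and trailing whitespace stripped, then a '|' at either end means a command), written here for illustration rather than taken from perl's source.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The fix as the page describes it: only the final character is examined.
 * Returns 1 if the name is accepted. */
int trailing_pipe_check(const char *name)
{
    size_t n = strlen(name);
    return n == 0 || name[n - 1] != '|';
}

/* Model of perl's two-argument open(): whitespace at both ends is dropped
 * first, then a '|' at either end selects a command pipe. "cmd|\t" passes
 * the check above and still runs cmd. Returns 1 if perl would open a pipe. */
int perl_opens_pipe(const char *name)
{
    size_t s = 0, e = strlen(name);
    while (e > s && isspace((unsigned char)name[e - 1])) e--;
    while (s < e && isspace((unsigned char)name[s])) s++;
    if (s == e)
        return 0;
    return name[s] == '|' || name[e - 1] == '|';
}

/* Allowlist instead of a blacklist: only [A-Za-z0-9._/-], no "..", no
 * leading '-' or '.'. Whitespace, '|', the mode prefixes '<' '>' '+' and
 * parent directories cannot be expressed at all. Resolving the name under
 * a document root is still the caller's job. Returns 1 if accepted. */
int allowlist_check(const char *name)
{
    if (name[0] == '\0' || name[0] == '-' || name[0] == '.')
        return 0;
    for (const char *p = name; *p; p++)
        if (!isalnum((unsigned char)*p) && !strchr("._/-", *p))
            return 0;
    return strstr(name, "..") == NULL;
}

int main(void)
{
    const char *names[] = { "docs/index.html", "cat /etc/passwd|",
                            "cat /etc/passwd|\t", "|id", "../../etc/passwd" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-20s trailing-check:%d perl-pipe:%d allowlist:%d\n", names[i],
               trailing_pipe_check(names[i]), perl_opens_pipe(names[i]),
               allowlist_check(names[i]));
    return 0;
}
```

The general rule: never let user input reach a two-argument open() at all; with a three-argument open() (explicit mode) the name can no longer select a pipe, and an allowlist like the one above keeps it from selecting anything outside the intended tree.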


zgv $HOME overflow
Description:zgv, which is setuid r00t on many systems, takes untrusted environment information ($HOME) and copies it into an automatic character buffer, thus allowing a standard buffer overflow.
Author:ksrt <ksrt@DEC.NET> sent the advisory, beastmaster wrote the exploit code
Compromise: root (local)
Vulnerable Systems:Linux, Redhat 3.0.3 - 4.1, anything else running zgv setuid root
Date:19 June 1997
Notes:Note that the exploit is appended to the advisory.
Exploit &amp full info:Available here


Buffer overflows in the listserv mailing list manager.
Description:Standard buffer overflow stuff, although this may not be exploitable.
Author:PLaGuEZ <root@MEAT.PLAGUEZ.ORG>
Compromise:Possibly just a DOS attack, unless you can make an exploit out of it.
Vulnerable Systems:Systems running unpatched versions of listserv.
Date:19 June 1997
Notes:This is NOT the L-Soft "listserv" program, instead it is a significantly less popular (and less powerful) listserv program available on sunsite.
Exploit &amp full info:Available here


BSDI 3.x corefile problem
Description:BSDI 3.0 apparently allows any program to overwrite/create files through a core dump link.
Author:Nir Soffer <scorpios@CS.HUJI.AC.IL>
Compromise:Definitely DOS, possibly become r00t
Vulnerable Systems:BSDI 3.0
Date:19 June 1997
Notes:Several people mentioned that he was wrong about overwriting files. If the mode is 0600, you CAN overwrite them. This includes a lot of files you might want to overwrite ;).
Exploit & full info:Available here


Solaris root socket descriptor bug
Description:You can swipe control of a root owned socket descriptor from user-owned inetd processes like rshd.
Author:Alan Cox (alan@LXORGUK.UKUU.ORG.UK)
Compromise:control of a root owned socket
Vulnerable Systems:Solaris 2.5.1, probably earlier versions. I hear that 2.6 is fixed. Sun doesn't seem interested in fixing this, for some reason.
Date:19 June 1997 was the date of this post, although Alan has been complaining about the bug for ages.
Notes:You may have to change your interface to le0, hme0, or whatever to make it work.
Exploit & full info:Available here


symlink problem in mj_key_cache program
Description:This perl prog, which is part of MajorCool, which is apparently related to the Majordomo listserver software, has a standard symlink problem.
Author:Benjamin J Stassart <dszd0g@DASB.FHDA.EDU>
Compromise:corrupt files writeable by the user/group mj_key_cache runs as (usually through cron). This user is usually majordom.
Vulnerable Systems:Anything running MajorCool 1.0.3 or below with mj_key_cache cron'd
Date:18 June 1997
Exploit & full info:Available here


Seyon calls system(xterm), Krad!
Description:seyon, which is setgid uucp on RedHat 4 at least, calls system(xterm) if it can't find seyon-emu. The exploit is obvious, 'nuff said
Author:Shawn Hillis <shillis@CLCSMAIL.KSC.NASA.GOV>
Compromise:root on some systems, like IRIX. Otherwise join the UUCP group, or whatever seyon is setgid to.
Vulnerable Systems:Redhat Linux 4.0, Irix 6.3, anything else with a vulnerable version of seyon installed
Date:17 June 1997
Notes:system(xterm) from a setuid root prog? Is this really 1997???
Exploit & full info:Available here


Netscape gives away user's files!
Description:A hole in the handling of the INPUT TYPE="FILE" tag allows a malicious website operator to download your files (if the filename is known). This apparently works on all platforms, and with Netscape up to Netscape Communicator.
Author:"Paul T. Kooros" <kooros@TITAN.SRRB.NOAA.GOV>
Compromise:Steal people's shit!
Vulnerable Systems:Clients running Netscape Communicator 4.0 and earlier, as well as netscape navigator 3.* and probably earlier. This includes the Windoze, Macintosh, and UNIX platforms.
Date:16 June 1997
Notes:This is a great advisory! Show your thanks by buying his JavaScript book! I would if JavaScript wasn't such a lame language ;).
Exploit & full info:Available here


Shotgon 1.1b overflows
Description:Shotgon 1.1b, an svgalib based Linux file manager, apparently has "more than 10 buffer overflows".
Author:PLaGuEZ <dube0866@EUROBRETAGNE.FR>
Compromise: root (local)
Vulnerable Systems:Linux, apparently anything running shotgun, although I suspect that is almost exclusively linux.
Date:16 June 1997 (Ignore his fucked up date)
Exploit & full info:Available here


IRIX handler cgi hole
Description:another prog that uses a perl open() with untrusted filenames, allowing the pipe symbol to be used to create a pipe instead. I think this is a serious problem with perl which should be fixed (perl is supposed to make programming securely EASIER than C does.)
Author:Razvan Dragomirescu <drazvan@kappa.ro>
Compromise:Run arbitrary commands as the owner of the httpd process
Vulnerable Systems:IRIX 6.2, the later versions try to fix this, but without success (see the other handler entry). It also works on 5.3
Date:15 June 1997
Exploit & full info:Available here


poison the DNS cache by returning a bogus IP as a CNAME for a real server
Description:You can poison DNS cache by returning a bogus IP as a CNAME for a real server.
Author:Johannes Erdfelt outlined this type of attack originally.
Compromise:Subvert DNS
Vulnerable Systems:Almost all current DNS servers, including bind 8.1 and M$ DNS
Date:14 June 1997 (It was actually discovered in April, apparently)
Exploit & full info:Available here


sshd and rshd leak usernames.
Description:sshd and rshd leak usernames. A lot of sites security-conscious enough to run sshd probably don't want username validation to be this easy.
Author:Christophe Kalt <kalt@STEALTH.NET> and David Holland
Compromise:Test validity of suspected system usernames
Vulnerable Systems:Linux, NetBSD, Digital UNIX 4.0, all from rshd, as well as any systems running a vulnerable version of sshd. Remember to use the VERBOSE (-v) flag if you try to exploit sshd.
Date:13 June 1997
Notes:The syntax quoted at the bottom is not correct, you need to give an actual command (like ls) for the rsh problem to be demonstrated.
Exploit & full info:Available here


qmail rcpt DOS attack
Description:qmail lets you send messages to an unlimited number of people, so you can actually run the system out of swap space by feeding recipients until it crashes.
Author:wietse@wzv.win.tue.nl (Wietse Venema)
Compromise:Stupid DOS attack
Vulnerable Systems:Systems running unpatched qmail. This includes a lot of Linux boxes as well as many other systems.
Date:12 June 1997
Exploit & full info:Available here


QMAIL DOS attack #1
Description:A denial of service (DOS) attack against QMAIL, which doesn't set a maximum limit on command length.
Author:wietse@wzv.win.tue.nl (Wietse Venema)
Compromise:Stupid DOS attack.
Vulnerable Systems:Systems running unpatched qmail. This includes a lot of Linux boxes as well as many other systems.
Date:12 June 1997
Exploit & full info:Available here


NT password replacement program
Description:Micro$oft tried to obfuscate the NT password storage method, but it has been broken and this program allows you to reset any user's password. Administrator might be a good example.
Author:pnordahl@eunet.no
Compromise:Administrator, if you have physical access.
Vulnerable Systems:NT 4.0 (probably earlier) without service pack 3 syskey enabled.
Date:11 June 1997
Notes:A uuencoded copy of the source distribution is attached below. His web site also offers disk images.
Exploit & full info:Available here


Another way to crash NT DNS server.
Description:Apparently sending a flood of characters to port 53 (DNS) will crash the server. The MS advisory even gives advice for the lamers on how to do this.
Author:Unknown
Compromise:stupid DOS attack
Vulnerable Systems:NT 4.0 without the postSP3 hotfix. Service Pack 4 will probably fix this.
Date:10 June 1997
Exploit & full info:Available here


AIX 4.2 HOME environmental variable overflow
Description:Typical environmental variable overflow.
Author:Georgi Guninski <guninski@hotmail.com>
Compromise: root (local)
Vulnerable Systems:AIX 4.2, probably other versions
Date:10 June 1997
Exploit & full info:Available here


cgi-bin/test-cgi allows arbitrary remote file listing
Description:If you give test-cgi an argument which includes a *, you can get a directory listing from the SERVER_PROTOCOL field. In other words, it is another pathetic cgi.
Author:Jason Uhlenkott <jasonuhl@usa.net>
Compromise:remotely obtain directory listings
Vulnerable Systems:Systems running Apache/1.2b2, probably earlier versions, many systems that have test-cgi installed.
Date:6 June 1997
Exploit & full info:Available here


Solaris rpcbind listens on undocumented high UDP port
Description:rpcbind for Solaris, which belongs on UDP port 111, is also found on a UDP port above 32770. Thus many packet filters aren't effective.
Author:Oliver Friedrichs <oliver@silence.secnet.com> (Secure Networks Inc.)
Compromise:Access rpcbind, even from sites that filter it at their firewall or packet filter.
Vulnerable Systems:Unpatched Solaris 2.X up to 2.5.1
Date:4 June 1997
Notes:Apparently rpcbind also listens on high Solaris *TCP* ports sometimes. I've included a hacked rpcinfo client below the secnet advisory.
Exploit & full info:Available here


Trojan in fake v1.2b version of the AtlantiS IRC script
Description:Simple trojan. Use /ctcp <target_nick> jupe <command> to exploit.
Author:raf@licj.soroscj.ro
Compromise:Remotely fuck with a Atlantis IRC script user
Vulnerable Systems:Anyone running the AtlantiS script v1.2, other versions are also affected, though the author notes that v1.1 is clean.
Date:31 May 1997
Notes:This trojan was *NOT* inserted by the author, so don't flame Deathnite. Some lamer put it in. I haven't seen any evidence that the post author is correct about other versions being vulnerable
Exploit & full info:Available here


Microsoft's Win95 stores your password in plaintext in the system registry.
Description:Bill Stout notes several locations in the W95 registry where user's passwords are stored in plain text.
Author:Bill Stout <stoutb@pios.com>
Compromise:Find out a user's W95 password (which is often also their password on real machines)
Vulnerable Systems:Microsoft Windoze 95
Date:30 May 1997
Exploit & full info:Available here


X11R6 library GetDatabase vulnerability
Description:There is a security hole in the GetDatabase function of the X11 libraries, which appears to be present in every distribution of X11. The attached exploit is for Solaris xterm; note that you will only get a shell with your own uid if xterm is not suid.
Author:David Hedley <hedley@CS.BRIS.AC.UK>
Compromise: root (local)
Vulnerable Systems:many systems are vulnerable, including Linux and *BSD. This particular exploit is for Solaris 2.5.1 xterm
Date:28 May 1997
Exploit & full info:Available here


IRIX /usr/sbin/printers and /usr/bin/X11/xterm overflows
Description:two more buffer overflows for IRIX, this time in xterm and printers.
Author:David Hedley <hedley@CS.BRIS.AC.UK>
Compromise: root (local)
Vulnerable Systems:IRIX 5.x, 6.x
Date:27 May 1997
Notes:Note that David Hedley thinks the xterm problem is more general. He was able to overflow xlockmore on a FreeBSD machine. The xterm exploit post is right after the printers post below.
Exploit & full info:Available here


Buffer overflow in /usr/sbin/iwsh for Irix 5.3
Description:This overflow of /usr/sbin/iwsh is specifically tailored for IRIX 5.3. It is also possible to write a similar overflow for 6.x.
Author:David Hedley <hedley@CS.BRIS.AC.UK>
Compromise: root (local)
Vulnerable Systems:IRIX 5.3 (6.x would work with another exploit)
Date:27 May 1997
Exploit & full info:Available here


Overflows in IRIX /usr/sbin/X11/xconsole, /usr/sbin/X11/cdplayer, /usr/sbin/xwsh, and /usr/sbin/monpanel.
Description:As he mentions, there must be some bad IRIX library which is causing all of these IRIX progs to overflow. Anyway, this is a standard overflow which works on all of the above.
Author:"Patrick J. Paulus" <pjp@STEPAHEAD.NET> posted the exploit, which was a _very_ slightly modified version of David Hedley's code posted earlier.
Compromise: root (local)
Vulnerable Systems:IRIX 5.3, probably 6.x
Date:27 May 1997
Notes:Someone reported to me that he couldn't get these to work. Has anyone used them successfully?
Exploit & full info:Available here


IRIX /bin/login overflow
Description:Overflow in /bin/login on IRIX 5.3-6.4
Author:David Hedley <hedley@CS.BRIS.AC.UK>
Compromise: root (local)
Vulnerable Systems:IRIX 5.3 through 6.4
Date:26 May 1997
Exploit & full info:Available here


Overflow in IRIX /usr/lib/desktop/permissions
Description:standard IRIX overflow, in /usr/lib/desktop/permissions
Author:David Hedley <hedley@CS.BRIS.AC.UK>
Compromise:Gain egid sys
Vulnerable Systems:IRIX 6.2, 5.x is probably vulnerable, but needs a rewritten exploit due to stack position.
Date:26 May 1997
Exploit & full info:Available here


AIX lquerylv overflow
Description:standard overflow
Author:Georgi Guninski <guninski@hotmail.com>
Compromise: root (local)
Vulnerable Systems:AIX 4.2 tested on a RS/6000 box. All 4.x, 3.x probably affected.
Date:26 May 1997
Exploit & full info:Available here


3 More IRIX buffer overflows, courtesy of LsD
Description:Apparently, the "anonymous friend" who sent exploit code to Yuri may have swiped it from the Polish group LsD. Anyway, they sent in 3 more exploits which are very similar to (actually almost exactly the same as) those Yuri's Polish friend sent.
Author:Sent from a hacked account by LsD, Last Stage of Delirium
Compromise: root (local)
Vulnerable Systems:IRIX, presumably up to 6.3
Date:25 May 1997
Exploit & full info:Available here


cfingerd search username vulnerability
Description:With cfingerd 1.2.2 (and probably earlier), a "feature" lets you get all the usernames on a system with finger search.*@host . Even after that was fixed, you can do it with search.**@host . Also, the author even admits that there are probably buffer overflows in there because sprintf() is used instead of snprintf().
Author:Rodrigo Barbosa <rodrigob@MORCEGO.LINKWAY.COM.BR> mentioned the search.*@ , and "Edward S. Marshall" <emarshal@COMMON.NET> mentioned search.**@
Compromise:Remotely obtain all the usernames on a system.
Vulnerable Systems:Systems running all versions of cfingerd. The author says he won't fix the problem.
Date:24 May 1997
Notes:Three relevant messages are appended below.
Exploit & full info:Available here


PMDF 5.107 debug mode vulnerability
Description:PMDF 5.1-7 sendmail (NO relation to standard sendmail) has a debugging mode that can be entered by setting the environmental variable PMDF_SENDMAIL_DEBUG. This then allows a standard symlink vulnerability in which you can put arbitrary binary data into the pmdf-owned file of your choosing.
Author:Jonathan Rozes <jrozes@GUMBO.TCS.TUFTS.EDU>
Compromise:quash files owned by user pmdf with arbitrary data.
Vulnerable Systems:Digital Unix 4.0B reported by the author. Probably any systems running PMDF sendmail
Date:23 May 1997
Exploit & full info:Available here


Macintosh At Ease Apple Share automated login "feature"
Description:By default, At Ease will automate the login process to AppleShare servers, and store the login and password in clear text in the At Ease Preference file. You can usually read this file trivially by exploiting applications (like netscape file:// URLs).
Author:Paul Melson <melson@SCNC.HOLT.K12.MI.US>
Compromise:Unauthorised access to an AppleShare fileserver.
Vulnerable Systems:Macintoshes, running At Ease and using the Auto Login "feature".
Date:21 May 1997
Exploit & full info:Available here


AIX 4.2 /usr/dt/bin/dtterm buffer overflow
Description:Standard buffer overflow. Possibly in the X library.
Author:Georgi Guninski <guninski@hotmail.com> (and who says all hotmail users are idiots?)
Compromise: root (local)
Vulnerable Systems:AIX 4.2, possibly others. Exploit for a RS/6000 box.
Date:20 May 1997
Exploit & full info:Available here


SunOS 4.1.4 crashes when (l)users read /dev/tcx0
Description:Sparcstations running 4.1.4 (probably other versions too) crash when users read /dev/tcx0 with something like 'cat'. Note that this is a VERY general problem. There are a lot of devices on many systems that will crash if you do weird things to them, especially cat'ing binary files to them. I am not going to write up a page on each.
Author:Dixon Ly <dly@BAYNETWORKS.COM> mentioned this particular problem.
Compromise:DOS attack, obviously annoy people. You could also do more devious things, like taking down the machine so you can IP spoof "from" it without it sending those damn RST's!
Vulnerable Systems:Sparc 5,10,20,etc. running SunOS 4.1.4, probably other versions.
Date:19 May 1997
Exploit & full info:Available here


Data Buffer overrun in Solaris 2.5.1, 2.5.0 in ps and chkey
Description:The solaris ps (both /usr/bin and /usr/ucb) and chkey programs are insecure, and it is possible to exploit them via a rather complicated data buffer overrun. This overrun is probably present in many other programs.
Author:Joe Zbiciak <jzbiciak@DALDD.SC.TI.COM> wrote the ps exploit. Adam Morrison <adam@MATH.TAU.AC.IL> provided a lot of information and mentioned that chkey was also vulnerable. Adam also posted a cool stdio overflow program which will get its own entry.
Compromise: root (local)
Vulnerable Systems:Solaris 2.5.1, 2.5.0, possibly earlier versions.
Date:19 May 1997
Notes:There were a bunch of interesting postings on this topic which help to exploit the vulnerability. I've included the best ones below.
Exploit & full info:Available here


Program for exploiting data overrun conditions
Description:This isn't an exploit per se, (although, as mentioned in another exploit, it works for chkey and ps). Now you can exploit these overruns when you find them yourself!
Author:adam@math.tau.ac.il (Adam Morrison), Joe Zbiciak <jzbiciak@DALDD.SC.TI.COM> also contributed a useful script for finding the proc_link value for an overflow.
Compromise: root (local)
Vulnerable Systems:This program works for Solaris on SPARC. Other OSes are vulnerable to similar overflows, although this program obviously won't work.
Date:19 May 1997
Notes:I've included Adam Morrison's original post as well as Joe Zbiciak's supplementary script below.
Exploit & full info:Available here


IRIX stupid xhost + default
Description:For X sessions, IRIX (I think up to 6.3) by default gives global access (ie xhost +). Duh. Of course this fits in very well with their default non-passworded guest account and their security-filled default crontab (see those other exploit entries for more information).
Author:Well known, but Matt Harrigan <matth@CONNECTNET.COM> posted interesting comments on exploiting the hole to someone who mentioned the problem.
Compromise:Take over an X session
Vulnerable Systems:IRIX, up to 6.3 I believe, using the default IRIX X access permissions.
Date:19 May 1997
Exploit & full info:Available here


Failure of Solaris and old BSD versions to honor the filesystem permissions of unix domain sockets.
Description:Solaris (including SunOS) and old (4.3 and earlier) versions of BSD don't honor permissions on the filesystem representations of unix domain sockets. A lot of programmers might not realize that anyone can send data to their programs by writing to the "file".
Author:Thamer Al-Herbish <shadows@whitefang.com> posted this to bugtraq, but it was somewhat well known.
Compromise:write malicious data to unsuspecting applications
Vulnerable Systems:Solaris 2.5 and earlier (not sure about 2.5.1). Version 2.6 will supposedly not be vulnerable.
Date:17 May 1997
Exploit & full info:Available here


Assorted IRIX WWW vulnerabilities
Description:IRIX has serious problems with some of their CGI's and other WWW programs like handler. Yuri explores these and exposes a lot of problems.
Author:Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise:Become owner of httpd process, read files that are "protected" by .htaccess.
Vulnerable Systems:Irix 6.2
Date:16 May 1997
Notes:Woo! I'm glad to see Yuri isn't out of the scene like I was afraid he was.
Exploit & full info:Available here


Ascom Timeplex Router Backdoor
Description:You can enter a backdoor 'debug' mode in these routers by sending a bunch of ctrl-d characters to the device.
Author:Brent Huston <bhuston@NETWALK.COM>
Compromise:Change the router setup, this would obviously be bad ;)
Vulnerable Systems:Ascom Timeplex Routers
Date:15 May 1997
Exploit & full info:Available here


IRIX default guest account
Description:Apparently, all IRIX systems come by default with an unpassworded guest account. Almost as stupid as HP/UX's statically passworded uid 0 sam_exec accounts.
Author:well known, but Mike Neuman <mcn@RIPOSTE.ENGARDE.COM> mentioned it on bugtraq
Compromise:remotely obtain local user privileges.
Vulnerable Systems:IRIX, apparently all versions up to 6.3
Date:15 May 1997
Exploit & full info:Available here


LibXt XtAppInitialize() overflow *xterm exploit.
Description:overflow in libXt from XFree86 allows exploitation of suid *xterms.
Author:Ming Zhang <mzhang@softcom.net> useful info also contributed by Marcin Bohosiewicz <marcus@venus.wis.pk.edu.pl>
Compromise: root (local)
Vulnerable Systems:Systems running XFree86-3.2-9, probably lower, that have suid cxterm, mxterm, xterm, etc. Includes RedHat 4.0, Slackware 3.1 and 3.2
Date:14 May 1997
Notes:I have appended useful info from Marcin Bohosiewicz <marcus@venus.wis.pk.edu.pl>
Exploit & full info:Available here


HP/UX 10.X /var/tmp/outdata symlink hole
Description:Typical symlink problem
Author:David Hyams <nhyamd@ASCOM.CH>
Compromise:Wipe SAM data to arbitrary files, I don't know what happens with existing files. If you can clobber existing files, you can obviously become root.
Vulnerable Systems:HP/UX 10.X
Date:14 May 1997
Exploit & full info:Available here


Elm 2.3 and 2.4 curses overflow
Description:Buffer overflow with environmental variable TERM
Author:Wojciech Swieboda <wojtek@AJAX.UMCS.LUBLIN.PL>
Compromise:GID mail
Vulnerable Systems:Many linux boxes, anything else with vulnerable ELM 2.3, 2.4
Date:13 May 1997
Exploit & full info:Available here


IRIX sadc symlink vulnerability
Description:the IRIX program /usr/lib/sa/sadc is sgid sys and writes to /tmp/sa.adrfl, even if that is a symlink.
Author:Well known, but Jaechul Choe <poison@COSMOS.KAIST.AC.KR> posted this warning that IRIX is still vulnerable.
Compromise:GID sys
Vulnerable Systems:IRIX 5.3, 6.2
Date:9 May 1997
Exploit & full info:Available here


Socks5 symlink bug
Description:Just do a standard symlink to /tmp/socks5.pid and connect() to port 1080.
Author:Trevor Schroeder <tschroed@CHEETAH.WSC.EDU>
Compromise:obtain access of the owner of the socks daemon (probably nobody or daemon).
Vulnerable Systems:Systems running Socks5 beta-0.17.2 from NEC and probably earlier versions.
Date:9 May 1997
Exploit & full info:Available here


IRIX addnetpr race condition
Description:IRIX's addnetpr program has a symlink race condition that allows the clobbering of arbitrary files.
Author:Jaechul Choe <poison@COSMOS.KAIST.AC.KR>
Compromise:cause addnetpr to write to arbitrary files. It is unclear whether it appends or overwrites to already existing files. Could probably lead to root access.
Vulnerable Systems:IRIX 5.3, 6.2
Date:9 May 1997
Exploit & full info:Available here


Windows NT/95/3.11 Out Of Band (OOB) data barf
Description:Windows NT will completely crash if you send Out of Band (MSG_OOB) data to its port 139. Win95 will blue screen and network connectivity is usually lost, applications may crash. Win 3.11 with the M$ TCP/IP stack crashes too. Other ports like MS DNS may also be affected.
Author:myst <myst@LIGHT-HOUSE.NET>
Compromise:Stupid DOS attack, but it can be humorous.
Vulnerable Systems:WinNT 4.0, 3.51, Win95 , WFWG 3.11
Date:9 May 1997
Notes:I'm also appending the perl exploit code and the Visual Basic code. The M$ FIX in Service Pack 3 and the Hotfix does NOT work! You just have to change the code a bit, or use the Macintosh exploit. Change the TCP Urgent pointer if you want to exploit the post-Service Pack 3 condition from a UNIX box.
Exploit & full info:Available here


IRIX rmail system() and LOGNAME hole
Description:rmail is setgid mail and apparently does a system() involving the contents of untrusted user environmental variable LOGNAME. Duh.
Author:Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise:Group mail, the uses of this are obvious
Vulnerable Systems:IRIX, 5.3, 6.2, possibly 6.3
Date:7 May 1997
Notes:Too bad Yuri Volobuev is retiring. There wouldn't be an IRIX section without him. Good job Yuri!
Exploit & full info:Available here


IRIX inpview hole
Description:inpview is part of a video conferencing package. Wow, in 1997 we've got a system() without absolute path vulnerability. Haven't seen something that pathetic in a while, except for the M$ OOB problem.
Author:Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise: root (local)
Vulnerable Systems:IRIX, presumably 5.3, 6.2, and 6.3
Date:7 May 1997
Exploit & full info:Available here


IRIX webdist CGI vulnerability
Description:Stupid cgi
Author:Grant Kaufmann <grant@CAPE.INTEKOM.COM>
Compromise:remotely execute arbitrary commands as httpd process owner (usually nobody or daemon)
Vulnerable Systems:IRIX 6.2, 6.3
Date:7 May 1997
Exploit & full info:Available here


IRIX xfsdump hole
Description:standard symlink problem.
Author:Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise: root (local)
Vulnerable Systems:IRIX, presumably 5.3, 6.2, 6.3
Date:7 May 1997
Exploit & full info:Available here


IRIX crontab problems
Description:IRIX's default crontab contains some bad stuff, like a find that execs rm. Check the bugtraq archives for ways to leverage this to delete anything from the filesystem.
Author:Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise:Delete any files on the (probably root) filesystem. You should be able to leverage root access from this.
Vulnerable Systems:IRIX, probably 5.3, 6.2, and 6.3
Date:7 May 1997
Exploit & full info:Available here


A bunch of IRIX holes found by Yuri Volobuev
Description:I have made a lot of these into their own pages, but I didn't include the more obscure ones, and I didn't have a good place to include his IRIX bashing. So I'm putting the whole post here.
Author:Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise: root (local)
Vulnerable Systems:IRIX 5.3, 6.2, 6.3
Date:7 May 1997
Exploit & full info:Available here


KDE unsecured TCP socket vulnerability
Description:the KDE desktop apparently uses network TCP sockets for process communication instead of AF_UNIX domain sockets. The TCP sockets have no authentication, so you can send malicious commands to the port for copying files, etc.
Author:Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
Compromise:Subvert the user running KDE
Vulnerable Systems:Anything running unpatched KDE
Date:5 May 1997
Exploit & full info:Available here


Failed logouts in Windows NT and '95
Description:Some people "logout" of their NT boxes and leave, but NT sometimes fails due to hung processes and gives the option to abort the logout.
Author:Peter da Silva <peter@BAILEYNM.COM>
Compromise:Take over someone's local console login
Vulnerable Systems:Windows NT 3.51, 4.0 and I believe Win95 is vulnerable
Date:3 May 1997
Notes:Not too big of a deal, but it should still be fixed
Exploit & full info:Available here


Solaris lp and lpsched symlink vulnerabilities
Description:A typical symlink-to-.rhosts exploit
Author:Chris Sheldon (csh@viewgraphics.com)
Compromise: root (local)
Vulnerable Systems:Solaris 2.51, possibly others
Date:3 May 1997
Exploit & full info:Available here


CERN httpd server authorization bypass
Description:You can bypass password authorization by adding extra forward slashes in the URL. ie: http://www.server.com//secret.html.
Author:Peter Lord <plord@perrin.demon.co.uk>
Compromise:Unauthorized viewing of passworded html files
Vulnerable Systems:Systems running CERN httpd, apparently up to their last version.
Date:30 April 1997
Exploit & full info:Available here


FreeBSD exploits for the Perl 5.003 (and earlier) overflow bug.
Description:Buffer overflow in Perl, already discussed in another entry. These are FreeBSD exploits for perl4.036, and 5.00X
Author:Deliver <deliver@FREE.POLBOX.PL> wrote the exploits
Compromise: root (local)
Vulnerable Systems:FreeBSD with vulnerable perl (Version <= 5.003) installed.
Date:21 April 1997
Exploit & full info:Available here


Narf NT usernames from an untrusted NT Domain Controller
Description:Through an NT Domain Controller, you can get a full list of usernames on other servers by failing a logon and then examining the target with Explorer.
Author:webroot <webroot@WEBROOT.COM> (Steve Thomas)
Compromise:List usernames of remote server including full names, descriptions, and group memberships.
Vulnerable Systems:NT 4.0, probably 3.51 too.
Date:19 April 1997
Exploit & full info:Available here


Sperl 5.003 hole
Description:Another hole in sperl, this time a buffer overflow.
Author:Willy Tarreau (tarreau@aemiaif.ibp.fr)
Compromise: root (local)
Vulnerable Systems:Systems with Sperl 5.003, this exploit is for Linux x86.
Date:17 April 1997
Notes:I have appended the uuencoded exploit src&bin after this post. Debian is vulnerable if you use offset of 1169 instead of those tried by the exploit, according to David Luyer (luyer@ucs.uwa.edu.au)
Exploit & full info:Available here


NCSA PHP/FI CGI *2 HOLES*
Description:First of all, this rather pathetic cgi allows anyone to trivially read any file on the system which is readable by the owner of the httpd process (usually nobody or daemon). It also has a buffer overflow.
Author:Shamanski <jshaman@M-NET.ARBORNET.ORG> posted the read-any-file exploit, The SNI advisory is by David Sacerdote
Compromise:read files and execute code as the httpd process owner (remote)
Vulnerable Systems:Those with php.cgi 2.0beta10 or earlier, distributed with NCSA httpd, possibly others.
Date:16 April 1997
Exploit & full info:Available here


WU-FTPD core dump vulnerability (the old patch doesn't work)
Description:A common problem with many OS's is that you can cause ftpd (or other network services) to crash and find remnants of the shadowed password file in the resultant corefile. wu-ftpd was patched, but is apparently still broken.
Author:Vadim Kolontsov <vadim@tversu.ac.ru>
Compromise:read crypt(8)ed passwords, which could lead to root (local)
Vulnerable Systems:Systems running wu-ftpd v2.1, 2.2, 3.0, possibly others.
Date:13 April 1997
Exploit & full info:Available here


RedHat 4.1 amd-920824upl102-6.i386.rpm nodev hole.
Description:The above mentioned distribution fails to prevent devices on mounted drives, even if the nodev option is specified.
Author:Bradley M Keryan <keryan@andrew.cmu.edu>
Compromise: root with a little work (local)
Vulnerable Systems:Redhat 4.1, anyone who uses amd-920824upl102-6.i386.rpm, possibly other distributions
Date:7 April 1997
Exploit & full info:Available here


NT 4.0 Stupid default SMB mount permissions
Description:If you have an account on a NT box, you are by default allowed to mount any drive r/w by mounting \\server\c$ (replace 'c' with the drive letter).
Author:Well known, but this post was by Yiorgos Adamopoulos <Y.Adamopoulos@noc.ntua.gr>
Compromise:Mount any NT drive r/w (local)
Vulnerable Systems:NT 4.0 with no service packs, 3.51?
Date:7 April 1997
Exploit & full info:Available here


/usr/bin/filter NLSPATH buffer overflow
Description:Standard buffer overflow, filter is sometimes setgid mail.
Author:Mikhail Iakovlev <miakovle@SN.NO>. Sploit by "Dmitry E. Kim" <jason@REDLINE.RU>
Compromise:group mail (local)
Vulnerable Systems:Systems with vulnerable /usr/bin/filter setgid mail. Includes Slackware 3.1, possibly 3.0
Date:6 April 1997
Exploit & full info:Available here


Novell Netware PERL.NLM vulnerability
Description:Netware 4.1 puts a special version of perl on TCP port 8002.
Author:Axel Dunkel <ad@Dunkel.de>
Compromise:access, read, modify or delete any file on Netware 4.1 or Intranetware systems
Vulnerable Systems:Novell Netware 4.1, Intranetware
Date:5 April 1997
Exploit & full info:Available here


AIX LC_MESSAGES /usr/sbin/mount and /bin/host holes
Description:Standard buffer overflow, using LC_MESSAGES
Author:Georgi Guninski (guninski@linux2.vmei.acad.bg)
Compromise: root (local)
Vulnerable Systems:AIX 4.2, possibly 4.1 and more
Date:3 April 1997
Exploit & full info:Available here


XFREE86 Console Hacking
Description:You can often break out of an Xlock session from the console with <CTRL><ALT><Backspace>. You can also do <CTRL><ALT><F1> and then ^C (sometimes ^Z works better) to get to a shell.
Author:Roman Garcia <nykros@sol.info.unlp.edu.ar>
Compromise:Obtain interactive shell as the user who used 'startx' to start an X session
Vulnerable Systems:XFree86 sessions started with startx from a shell, rather than with XDM
Date:1 April 1997
Exploit & full info:Available here


NT crash via extra long username in Winpopup
Description:You can crash an NT box (possibly W95 too) by sending a very long username in a Winpopup message. This is easy to do from UNIX with 'smbclient -U LOTSandLOTSofcrap -M host'.
Author:Well known.
Compromise:Crash Windows boxes
Vulnerable Systems:Windows NT 4.0 and earlier, fixed in NT 4.0 Service pack 3. Win95 may be vulnerable.
Date:April 1997
Exploit & full info:Available here


Windows NT NTLM Auto-Authentication
Description:Internet Explorer running on NT will attempt to authenticate using your (hashed) password to anyone who asks! Worse, it doesn't even tell you that it is doing this. Even if you have a very strong password, a man-in-the-middle attack is possible. The server can request a challenge from another server, and then feed it back to you for encryption!
Author:Paul Ashton <paul@argo.demon.co.uk>
Compromise:WWW servers can obtain authentication information (username and Lanman password hash) from clients who connect using Internet Explorer from an NT box.
Vulnerable Systems:NT 4.0, probably 3.51
Date:April 1997 or so
Notes:See Paul Ashton's demonstration at http://www.efsl.com/security/ntie/ . Also note that this isn't fixed as of 7/27/97. Will it ever be?
Exploit & full info:Available here


Linux inetd port theft vulnerability
Description:Inetd sometimes close()s its sockets, which (if they are unprivileged) allows a user to simply swipe them to put up a trojan service or whatever. Note that users can generally cause inetd to close the port by connecting over and over rapidly to make inetd think there is a loop.
Author:Marc Slemko (marcs@znep.com) posted this, it might have originally been discovered by someone else and I don't have the original post.
Compromise:Steal unprivileged services from INETD
Vulnerable Systems:Linux, possibly others
Date:28 March 1997
Exploit & full info:Available here


ELM NLSPATH overflow
Description:Elm, which is often setgid mail, has a buffer overflow with the NLSPATH variable. This is NOT the same as the libc NLSPATH bug.
Author:"Dmitry E. Kim" <jason@REDLINE.RU>
Compromise:GID mail (local)
Vulnerable Systems:Linux with vulnerable setGID mail ELM
Date:26 March 1997
Notes:Joining group mail *CAN* be very helpful to hackers, some linux boxes allow you to write to mail spool and read other people's mail if you achieve this. Also, if anyone has a working exploit please mail it this way, I don't feel like writing & testing right now.
Exploit & full info:Available here


Win95 Cleartext SMB authentication hole
Description:The problem with Win95 is that it will connect to SMB servers and try the user's plaintext password first. You can also direct this through a web page with a link like file://\\server/hackmicrosoft/sploit.gif. You also have to inform it of your name (can be done through SAMBA's nmbd utility).
Author:Steve Birnbaum (sbirn@security.org.il)
Compromise:Grab Win95 Passwords (remote)
Vulnerable Systems:Win95, Internet Explorer to a slight degree
Date:25 March 1997
Exploit & full info:Available here


Linux tftpd vulnerability
Description:Linux tftpd doesn't check correctly for requests beginning with ../
Author:Alex Belits (abelits@phobos.illtel.denver.co.us)
Compromise:Access directories beyond permissions REMOTELY
Vulnerable Systems:Idiots on Linux running tftpd
Date:23 March 1997
Exploit & full info:Available here


Solaris /bin/fdformat overflow sploit
Description:Buffer overflow in find_media() in /bin/fdformat
Author:Cristian Schipor (skipo@Math.PUB.Ro)
Compromise: root (local)
Vulnerable Systems:Solaris 2.4, 2.5
Date:23 March 1997
Exploit & full info:Available here


Windows NT password hash retrieval
Description:Jeremy Allison has successfully de-obfuscated the NT LANMAN and md4 hashes from the registry. This has many useful implications, including allowing us to crack the real password, or use the hash to log in via SAMBA. To make things even better, the "encryption" has a LOT of problems.
Author:Jeremy Allison <jra@cygnus.com>
Compromise:Grab NT password hashes, which can then be cracked. You must be administrator or at least have the loser run your trojan.
Vulnerable Systems:Windows NT 4.0 and 3.51 at least
Date:22 March 1997
Notes:The README follows, and afterwards I have included the code. Also there are a lot of crackers available. Try NTCrack. Or you can get l0phtcrack, try www.l0pht.com
Exploit & full info:Available here


Sendmail 8.8.[34] dead.letter exploit
Description:A hard-link vulnerability
Author:C0WZ1LL4@NETSPACE.ORG
Compromise: root (local)
Vulnerable Systems:SOME systems running sendmail 8.8.[34] possibly 8.8.5 in some situations.
Date:22 March 1997
Notes:This doesn't always work, it depends among other things on whether they have POSTMASTER or MAIL_DAEMON defined in /etc/aliases. Remember if /var is on another partition, ln to a file in /var ... there are plenty to choose from ;)
Exploit & full info:Available here


Linux SuperProbe vulnerability
Description:Buffer overflow in SuperProbe, which should NOT be suid root!
Author:Solar Designer
Compromise: root (local)
Vulnerable Systems:Linux with vulnerable SuperProbe SUID root
Date:21 March 1997 (I could have sworn it was known before this)
Exploit & full info:Available here


ANOTHER pathetic IIS 3.0 vulnerability
Description:Microsoft CANNOT seem to handle dots at all in their programs, after fixing the name.asp. bug, the great guys at the l0pht found that their "fix" introduced another '.' bug. This time using the hex representation.
Author:Weld Pond <weld@l0pht.com>
Compromise:Remotely obtain .asp, .ht, .id, .PL files etc.
Vulnerable Systems:Those running vulnerable M$ IIS 3.0 web server
Date:21 March 1997
Exploit & full info:Available here


Buffer overflow in AOL Instant Messenger 1.7.466
Description:Overflow in message <TITLE>. Trivial DOS attack, probably could be exploited for remote access.
Author:Karl Koscher <mrsaturn@TEENCITY.ORG>
Compromise:DOS attack with strong possibility of remotely running arbitrary code.
Vulnerable Systems:People running AOL's Instant Messenger V.1.7.466 or before
Date:20 March 1997
Exploit & full info:Available here


WinNT/Win95 Automatic Authentication Vulnerability (IE Bug #4)
Description:Win95 will automatically try to authenticate the logged in user to an SMB server. Thus (through a web page, in this example), you can direct people to the server and then grab their username and "encrypted" LANMAN password.
Author:Aaron Spangler <pokee@MAXWELL.EE.WASHINGTON.EDU>
Compromise:Obtain LANMAN hashed passwords (remote)
Vulnerable Systems:Win95, WinNT 3.51 & 4.0
Date:14 March 1997
Exploit & full info:Available here


INND header control characters hole
Description:This hole allows someone to attack THOUSANDS of news servers at once by inserting special characters into post headers. This has been widely exploited.
Author:Been known for a while
Compromise:You can REMOTELY execute arbitrary commands under UID of news server.
Vulnerable Systems:Systems running versions of INND prior to and including 1.5, some sites with later versions are vulnerable if they forgot to delete some scripts in the new installation
Date:Was widely exploited in March 1997
Notes:Here are some examples of exploit postings
Exploit & full info:Available here


SCO Openserver 5 expired password hole
Description:SCO OpenSERVER 5 apparently doesn't prompt users for their expired password before making them change it. Duh.
Author:ultima@CORINNE.MAC.EDU
Compromise: root (local)
Vulnerable Systems:SCO OpenSERVER5
Date:22 February 1997 (could be pretty old)
Exploit & full info:Available here


Many Windows FTP servers are not very robust
Description:This is an example of how to crash War FTPD 1.65 for Win 95/NT, you can do similar things with ServU and most other ftpd's I have seen.
Author:Well known, but here is a post to Bugtraq from rootshell
Compromise:crash the Windows ftpd
Vulnerable Systems:Those running Windows ftp servers
Date:4 February 1997
Notes:I have appended a serv-U crasher. Note that this may be the fault of Windows and not Serv-U.
Exploit & full info:Available here


A collection of 6 Internet Explorer bugs
Description:6 security holes in our favorite web browser (NOT), all in one neat package
Author:Assorted, mentioned in package
Compromise:Run commands as the user running IE, NT idiots often run as ADMINISTRATOR.
Vulnerable Systems:Systems running Internet Explorer, in the vicinity of 3.0. Microsoft Win95/NT mostly.
Date:February 1997 might be a good average
Notes:How many admins would respond to an email message promising "wet hot sex!" or something else enticing at a certain URL? Except for indiscriminate attacks, this would take a little social engineering. The appended UUencoded version probably looks funny in your web browser. Just "save as".
Exploit & full info:Available here


Irix netprint vulnerability
Description:standard system() call/path hole
Author:Yuri Volobuev <volobuev@t1.chem.umn.edu>
Compromise: root (local)
Vulnerable Systems:IRIX with vulnerable Netprint
Date:4 January 1997
Exploit & full info:Available here


xdm UNIX Ware exploit
Description:standard tempfile vulnerability in setuid root xdm on UNIX Ware systems with X, possibly others.
Author:Angel Ortiz <angelo@tawny.ssd.hcsc.com>
Compromise: root (local)
Vulnerable Systems:Systems with vulnerable xdm setuid (at least some UNIXware systems)
Date:2 January 1997
Notes:See addendum.
Exploit & full info:Available here


Linux Doom sndserver vulnerability
Description:This one is pathetic. The user can configure a soundserver in .doomrc, and this program that the user chose, runs as root!
Author:Joe Zbiciak <im14u2c@cegt201.bradley.edu>
Compromise: root (local)
Vulnerable Systems:Linux running an insecure version of doom setuid root.
Date:17 December 1996
Exploit & full info:Available here


Doom killmouse/startmouse vulnerability
Description:Doom calls insecure shell scripts as root, leading to easy root compromise.
Author:Bo (bo@ebony.iaehv.nl)
Compromise: root (local)
Vulnerable Systems:Linux, including Slackware 3.0. Possibly other distributions.
Date:14 December 1996
Notes:If anyone runs suid root GAMES on a system they want secure, they DESERVE to be hacked! I've appended the obvious exploit to the end of this.
Exploit & full info:Available here


Modstat exploit
Description:Standard buffer overflow in modstat, which is distributed with many BSD variants (although apparently not BSDI).
Author:Mudge <mudge@l0pht.com>
Compromise: root (local)
Vulnerable Systems:Windows versions running MIRC prior to 5.3
Date:9 December 1996
Exploit & full info:Available here


dataman/cdman hole
Description:system() call vulnerability in the dataman program (cdman is a symlink to it) in IRIX
Author:Yuri Volobuev (volobuev@t1.chem.umn.edu)
Compromise: root
Vulnerable Systems:Windows95 and NT systems running Cybercash 2.1.2 or Verifone vPOS
Date:9 December 1996
Exploit & full info:Available here


Solaris chkperm vulnerability
Description:Solaris 2.4's /usr/vmsys/bin/chkperm creates $VMSYS/.facerc in a laughably insecure fashion.
Author:Duncan Simpson <dps@IO.STARGATE.CO.UK>
Compromise:bin, which trivially leads to root (local)
Vulnerable Systems:Solaris 2.4, NOT 2.5 or 2.5.1, the author is apparently wrong about this.
Date:5 December 1996
Exploit & full info:Available here


IRIX suid_exec hole
Description:suid_exec, a program apparently distributed with ksh, has a number of security holes, including trusting the user's $SHELL variable.
Author:Yuri Volobuev (volobuev@t1.chem.umn.edu)
Compromise: root (local)
Vulnerable Systems:Irix 5.3 and 6.2, possibly AIX and others.
Date:2 December 1996
Exploit & full info:Available here


HP/UX chfn bug
Description:Standard buffer overflow
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable chfn (probably 9.x, 10.x)
Date:December 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


IRIX fsdump hole
Description:/var/rfindd/fsdump handles lock files poorly, which can lead to root access.
Author:Yuri Volobuev (volobuev@t1.chem.umn.edu)
Compromise: root (local)
Vulnerable Systems:Irix 5.3 and some 6.2 systems (it's apparently optional in 6.2)
Date:28 November 1996
Notes:There is a better exploit at the addendum
Exploit & full info:Available here


IRIX /usr/etc/LicenseManager hole
Description:/usr/etc/LicenseManager handles log files poorly, which can lead to root access.
Author:Yuri Volobuev (volobuev@t1.chem.umn.edu)
Compromise: root (local)
Vulnerable Systems:Irix 5.3 and 6.2 systems (possibly other Irix systems)
Date:22 November 1996
Exploit & full info:Available here


IRIX /usr/bin/X11/cdplayer hole
Description:/usr/bin/X11/cdplayer is setuid on IRIX and is very insecure in file/directory creation, which can lead to root access.
Author:Yuri Volobuev (volobuev@t1.chem.umn.edu)
Compromise: root
Vulnerable Systems:at least Irix 5.3 and 6.2
Date:21 November 1996
Exploit & full info:Available here


Solaris gethostbyname() exploit
Description:gcc 2.7.2.x (and earlier as far as I know) creates temporary files in /tmp which will follow symlinks and allows you to clobber the files of the person running gcc
Author:Jeremy Elson (jelson@helix.nih.gov)
Compromise:Overwrite files owned by the user running gcc (possibly root )
Vulnerable Systems:Solaris 2.5 and 2.5.1
Date:18 November 1996
Notes:See addendum
Exploit & full info:Available here


Digital Unix /usr/tcb/bin/dxchpwd hole
Description:In Digital Unix, /usr/tcb/bin/dxchpwd creates log files in a very insecure manner.
Author:Eric Augustus (augustus@mail.stic.net)
Compromise: root (local)
Vulnerable Systems:at least Digital Unix v3.x with c2 security package installed
Date:17 November 1996
Exploit & full info:Available here


Sendmail HUP bug
Description:smtpd, part of the sendmail distribution, can be tricked into executing arbitrary programs as root after receiving a hang-up signal.
Author:Leshka Zakharoff (leshka@leshka.chuvashia.su)
Compromise: root (local)
Vulnerable Systems:systems running Sendmail versions 8.7-8.8.2
Date:16 November 1996
Exploit & full info:Available here


More SOD HP/UX RemWatch vulnerabilities
Description:A number of internal HP/UX RemWatch binaries, including checkcore, rwiDCOM, and showdisk are vulnerable. Several exploits included
Author:SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable RemWatch binaries, probably 9.x, 10.x
Date:6 November 1996 and earlier
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


SOD HP/UX /tmp/fpkg2swpk bug
Description:Standard buffer overflow
Author:Dog Catcher
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable fpkg2swpk, probably just 10.x
Date:November 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


SOD /usr/diag/bin/[cm]stm buffer overflow
Description:Standard buffer overflow
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable [cm]stm, probably 9.x 10.x
Date:November 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


(Another) SOD HP/UX RemoteWatch hole
Description:pathetic daemon
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root or whatever remwatch runs as (remote!)
Vulnerable Systems:HP/UX with vulnerable Remote Watch running, probably 9.x, maybe 10.x
Date:November 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


IRIX systour package security holes
Description:The "systour" package shipped with IRIX contains numerous security holes.
Author:Tung-Hui Hu (hhui@STARDOT.NET)
Compromise: root (local)
Vulnerable Systems:At least Irix 5.3 and 6.2 with systour installed
Date:30 October 1996
Exploit & full info:Available here


Linux & *BSD lpr holes
Description:A standard buffer overflow exists in Berkeley-derived lpr
Author:Vadim Kolontsov (vadim@tversu.ac.ru) wrote the exploits at least
Compromise: root (local)
Vulnerable Systems:Systems with vulnerable lpr setuid (many Linux and BSD distributions)
Date:25 October 1996
Exploit & full info:Available here


Ping of Death
Description:gazillions of machines can be crashed by sending IP packets that exceed the maximum legal length (65535 octets)
Author:The page included was created by Malachi Kenney. The programs have attribution.
Compromise:Stupid DOS
Vulnerable Systems:I have heard that NT and 95 can actually lock up hard from the programs below. Also, early 2.0.x Linux, Solaris x86, and Macintosh systems are often vulnerable.
Date:21 October 1996 was when this page came up.
Notes:The Ping O' Death page is included first, then comes BSD source code, then comes a version of the above which is modified to compile on Linux 2.X. I also appended jolt.c, which does IP spoofing too. Woop!
Exploit & full info:Available here


Solaris /usr/bin/solstice bug
Description:/usr/bin/solstice is setgid bin and gives this privilege away freely.
Author:Unknown (it was known before the attached post)
Compromise:group bin, which leads quickly to root (local)
Vulnerable Systems:Systems with vulnerable /usr/bin/solstice (Solaris 2.5, 2.5.1)
Date:18 October 1996 (known prior to this)
Notes:See addendum.
Exploit & full info:Available here


Another hpux ppl bug by SOD
Description:standard symlink/core vulnerability
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable ppl, probably 9.x 10.x
Date:15 October 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


Solaris (and others) ftpd core dump bug
Description:Solaris ftpd (as well as others) can be made to core dump and divulge shadowed passwords
Author:Unknown
Compromise:Can obtain crypt()ed root password
Vulnerable Systems:Solaris (at least 2.5) and others including wu.ftpd. If the enclosed exploit doesn't work, try killing the process yourself.
Date:15 October 1996
Notes:See addendum
Exploit & full info:Available here


Linux ldt kernel bug
Description:see exploit.
Author:Marin Purgar - PMC (pmc@asgard.hr) wrote this exploit
Compromise: root
Vulnerable Systems:Unpatched Linux 1.2.* systems (possibly some 1.3.x)
Date:11 October 1996
Exploit & full info:Available here


swinstall symlink exploit
Description:Standard symlink hole
Author:"Salty"
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable swinstall, mostly 10.x, some 9.x
Date:6 October 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


HP/UX passwd hole
Description:Standard buffer overflow
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems:Those running O'reilly's webserver, website. Mostly Windoze NT and W95 boxes. Some versions of 1.1 and 2.0beta have this vulnerability.
Date:October 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


HP OpenCall SCP /opt/OV/bin/OpC/opcragt exploit
Description:Standard /tmp symlink vulnerability
Author:Dog Catcher
Compromise: root on a potentially very cool system! (local)
Vulnerable Systems:many phone network operators use OpenCall SCP
Date:October 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


Windows Screensaver bug
Description:Some versions of Win/Win95/WinNT seem to allow people to bypass screensaver password "security" with control-alt-delete and control-ESC
Author:Common knowledge
Compromise:Take over "passworded" winbloze machines (local)
Vulnerable Systems:Some Win95 and WinNT boxes
Date:October 1996
Exploit & full info:Available here


HP/UX SOD glance bug
Description:symlink bug due to poor error file creation
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable /usr/perf/bin/glance , probably just 9.x
Date:October 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


HP/UX ppl symlink problem
Description:ppl insecurely creates log files in world writeable directory, I'm sure you can see where this is headed.
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable ppl, 9.x 10.x
Date:October 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


Race condition exploit for HP/UX SAM
Description:standard /tmp symlink race condition with HP/UX SAM
Author:John W. Jacobi (jjacobi@nova.umuc.edu)
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable SAM, at least HP-UX 9.04 & 9.05 on 9000/700 & 9000/800
Date:25 September 1996
Notes:for more HP bugs see the SOD HP Bug of the Week page
Exploit & full info:Available here


Sendmail gecos buffer overflow vulnerability
Description:A quirk in Sendmail that could potentially be exploited is that usernames like '/etc/passwd' get written into the file of the same name when mail is received for them. This could be a problem on systems where users can specify their username without sysadmin intervention.
Author:mudge@l0pht.com found this hole in a l0pht advisory. This exploit for FreeBSD written by Alexey Zakharov (leshka@chci.chuvashia.su)
Compromise: root (local)
Vulnerable Systems:Any systems using Sendmail ~8.6.12, possibly up to 8.75 that allow user-specified /etc/passwd gecos fields (ie through chfn(1)). This exploit will work for FreeBSD
Date:23 September 1996
Notes:The original L0pht Security Advisory is in addendum
Exploit & full info:Available here


Xt library bug xterm exploit
Description:The Xt library has a number of buffer overflow vulnerabilities which can be exploited on the suid root programs linked to it.
Author:"b0z0 bra1n"
Compromise: root (local)
Vulnerable Systems:This exploit will work for FreeBSD and with tweaking other x86 operating systems (eg linux). Most systems running any version of X11 prior to Aug '96 are vulnerable
Date:24 August 1996
Exploit & full info:Available here


Linux & *BSD umount holes
Description:A standard buffer overflow exists in Linux and *BSD umount
Author:bloodmask (bloodmask@mymail.com) claims to have found the vulnerability. Paulo Jorge Alves Oliveira (pjao@dux.isec.pt) wrote the freebsd/linux exploits included first.
Compromise: root (local)
Vulnerable Systems:Systems with vulnerable umount setuid (many Linux and BSD distributions)
Date:13 August 1996
Notes:If mount is fixed, try ncpmount/ncpumount and possibly wuftpd. Another mount exploit is in addendum.
Exploit & full info:Available here


HP/UX Rdist exploit
Description:SOD HP/UX rdist exploit
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable rdist, probably 9.x 10.x
Date:10 August 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


IRIX day5notifier hole
Description:Hehe, the good folks at SGI apparently tried to avoid the system() call security problems, by an execve("/sbin/sh", "sh", "-c", "command..."). Ha!
Author:Mike Neuman <mcn@RIPOSTE.ENGARDE.COM>
Compromise: root (local)
Vulnerable Systems:IRIX 6.2
Date:Mike reported it on 6 August 1996, but they apparently didn't get around to fixing it.
Exploit & full info:Available here


IRIX 5.3 chost vulnerability
Description:IRIX 5.3 chost apparently fails to drop privileges sufficiently when an invalid root password is entered
Author:Grant Kaufmann (gkaufman@cs.uct.ac.za)
Compromise: root (local)
Vulnerable Systems:IRIX 5.3 with vulnerable chost.
Date:6 August 1996
Notes:The SGI patch may not always plug the hole!
Exploit & full info:Available here


setgid Core dumping vulnerability in Solaris 2.4
Description:Solaris 2.4 prior to kernel jumbo patch 35 in many circumstances allows setgid programs to dump core which is especially bad since Solaris has WAY too many group-writable files.
Author:Jungseok Roh <beren@cosmos.kaist.ac.kr>
Compromise:It is easy to overwrite files writeable by group bin, which leads quickly to root access (local)
Vulnerable Systems:Solaris 2.4 prior to kernel jumbo patch -35
Date:3 August 1996
Exploit & full info:Available here


Solaris admintool and /usr/openwin/bin/kfcs_* tmpfile vulnerabilities
Description:Standard insecure tempfile creation, symlink to /.rhosts exploit
Author:Jungseok Roh (beren@cosmos.kaist.ac.kr) posted the kcms_* stuff, Leif Hedstrom (leif@netscape.com) posted that admintool had the same problem.
Compromise: root (local)
Vulnerable Systems:Solaris 2.5.[01]
Date:26 July 1996
Exploit & full info:Available here


Microsoft IIs '..' hole
Description:ANOTHER stupid MS '..' bug, this time in their web server.
Author:possibly Thomas Lopatic (lopatic@dbs.informatik.uni-muenchen.de)
Compromise:Gain unauthorized access to files outside the public html directories.
Vulnerable Systems:Systems running a vulnerable IIs http server, mostly Windows NT boxes.
Date:26 July 1996
Exploit & full info:Available here


DG/UX ospf_monitor vulnerability
Description:It is suid and contains a command to write to file, which it does w/o dropping privileges. Brilliant.
Author:Brian Mitchell (brian@saturn.net)
Compromise: root (local)
Vulnerable Systems:Tested on DG/UX 5.4r3.10
Date:23 July 1996
Exploit & full info:Available here


Linux sliplogin hole
Description:sliplogin does system() as root w/o clearing environment, so you can do things like set IFS='/'.
Author:David Holland <dholland@hcs.HARVARD.EDU>
Compromise: root (local)
Vulnerable Systems:Any with sliplogin older than 2.1.0, mostly linux systems (many BSD distributions have the program, but it apparently can't be exploited due to another error).
Date:16 July 1996
Exploit & full info:Available here


Rdist buffer overrun (BSD Code)
Description:Another vulnerability in rdist, standard buffer overflow
Author:found in [8lgm]-Advisory-26.UNIX.rdist.20-3-1996, *BSD exploit written by Brian Mitchell (brian@saturn.net)
Compromise: root (local)
Vulnerable Systems:Solaris 2.x, Sunos 4.*, some *BSD systems. Included exploit only for *BSD.
Date:10 July 1996
Exploit & full info:Available here


Novell httpd convert.bas cgi hole
Description:Another '..' bug, this time by Novell
Author:TTT Group <ttt@broder.com>
Compromise:read any file on server
Vulnerable Systems:systems running vulnerable versions of Novell's httpd
Date:3 July 1996
Exploit & full info:Available here


HP/UX Remote Watch hole
Description:Standard /tmp symlink exploit
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable , probably 9.x 10.x
Date:June 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


suid_perl 5.001 vulnerability
Description:On systems that support saved set-user-IDs, perl isn't thorough enough in giving up its root privileges.
Author:Jon Lewis (jlewis@inorganic5.fdt.net) wrote this basic exploit, though it has been modified. It is unclear who found the hole.
Compromise: root (local)
Vulnerable Systems:Systems that support saved set-user-IDs and set-group-IDs and have suid_perl 5.001 (and possibly below) installed. Many linux and *BSD boxes.
Date:June 1996
Exploit & full info:Available here


Microsoft Internet Information Server abracadabra.bat bug
Description:abracadabra.{bat,cmd} are insecure CGIs
Author:www.omna.com
Compromise:Execute arbitrary commands on the remote IIS Server
Vulnerable Systems:Microsoft IIS http server v.1.0, 2.0b
Date:June 1996
Exploit & full info:Available here


xrw bug
Description:shelling from a xrw telnet session cedes EUID 0
Author:Ess Jay
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable xrw, probably 9.x 10.x
Date:23 May 1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


test-cgi vulnerability
Description:Some of the test-cgi scripts distributed with some http servers are buggy
Author:Mudge <mudge@l0pht.com>
Compromise:remotely obtain directory listings
Vulnerable Systems:systems with vulnerable test-cgi (many web servers)
Date:April 1996
Notes:If this exact exploit doesn't work, try slightly modified query strings.
Exploit & full info:Available here


PC Web site interpreter in cgi-bin directory vulnerability
Description:A lot of idiots with PC web servers put perl.exe in their cgi-bin directory.
Author:tchrist@perl.com wrote this exploit
Compromise:Execute arbitrary perl code on a PC (remote)
Vulnerable Systems:Mostly PC web servers. Wherever anyone is stupid enough to leave perl.exe in cgi-bin dir
Date:28 March 1996
Notes:You can find vulnerable site via altavista. More information on this program available at http://www.perl.com/perl/news/latro-announce.html
Exploit & full info:Available here


Solaris /bin/eject Buffer overflow
Description:Solaris /bin/eject takes a device name (floppy, etc) for argv[2] which can be overflowed via standard techniques.
Author:Cristian SCHIPOR (skipo@SUNDY.CS.PUB.RO)
Compromise: root (local)
Vulnerable Systems:Unpatched Solaris 2.4, 2.5
Date:13 March 1996
Exploit & full info:Available here


Solaris 2.5.1 sdtcm_convert hole
Description:sdtcm_convert is kind enough to watch the permissions of your calendar file and if you change them it will change them back ... even following symlinks ;)
Author:Cristian SCHIPOR (skipo@SUNDY.CS.PUB.RO)
Compromise: root (local)
Vulnerable Systems:Solaris at least 2.5.1
Date:22 February 1996
Exploit & full info:Available here


Microsoft Active Server Pages IIS server hole
Description:Microsoft really has a problem with clients that send "." don't they? Well here again they let people download asp source by appending a '.' to the url
Author:Mark Joseph Edwards (mark@NTSHOP.NET)
Compromise:Read raw unprocessed asp files which may contain privileged information (remote)
Vulnerable Systems:Systems running M$ IIS web server
Date:20 February 1996
Exploit & full info:Available here


*BSD (and others) SetUID core vulnerabilities
Description:A 4.4BSD problem allows a read-only descriptor to a char device to be mmap()ed in RW mode. This can allow group kmem to become root and root to lower the system secure-level.
Author:Theo de Raadt and Chuck Cranor
Compromise:User kmem-> root ->modify secure-level->delete audit trail and load evil kernel mods.
Vulnerable Systems:OpenBSD 2.2 and below, FreeBSD 2.2.5 and below, BSDI 3.0 and NetBSD.
Date:17 February 1996 for this posting
Exploit & full info:Available here


Apache httpd 1.1.3 apache_status vulnerability
Description:Older versions of Apache httpd would blindly follow symlinks and overwrite files with its /tmp/apache_status file.
Author:Dean Gaudet (dgaudet@ARCTIC.ORG)
Compromise: root (local)
Vulnerable Systems:systems running Apache httpd v1.1.3 or lower on some architectures
Date:16 February 1996
Exploit & full info:Available here


Linux NLSPATH libc overflow
Description:Standard Buffer overflow in libc, neat shellcode though
Author:solar@IDEAL.RU posted exploit, libc had already been fixed
Compromise: root (local)
Vulnerable Systems:Linux with libc around or before 5.3.12, 5.4.7 not vulnerable. SOME versions of Redhat 4.0 are vulnerable
Date:14 February 1996
Exploit & full info:Available here


sudo.bin exploit for NLSPATH vulnerability
Description:Another NLSPATH exploit, this time using sudo.bin as the setuid target.
Author:_Phantom_ <vali@lhab.soroscj.ro>
Compromise:root (local)
Vulnerable Systems:Linux with libc 5.3.12 or earlier (5.4.7 is not vulnerable) and sudo.bin installed (Slackware 3.0 and 3.1, maybe?)
Date:13 February 1996 was when we started seeing this class of exploits
Notes:I wish more people would email me exploits like _Phantom_ did! He has also sent in a bunch of other NLSPATH sploits. If the system doesn't have this particular binary, pick another suid program and just change the execl().
Exploit & full info:Available here


Insecure Solaris default nissetup password table permissions!
Description:The nissetup.sh script for setting up NIS+ databases leaves insecure permissions on the password table, so ordinary users can modify their own entries. This lets you, for example, use nistbladm to change your UID!
Author:Well known
Compromise:root (local)
Vulnerable Systems:Unpatched Solaris 2.5.1 systems (possibly earlier versions of Solaris).
Date:10 February 1996
Notes:Here is an anonymous posting reminding us of the problem. Also, Casper Dik (casper@HOLLAND.SUN.COM) mentioned that just installing the Solaris patch doesn't fix the problem: you need to manually reset the bad permissions. How many people do you think forgot to do that?
Exploit & full info:Available here


AIX PowerPC gethostbyname() and /bin/host exploits
Description:Standard buffer overflow in gethostbyname(): an overlong hostname overruns a fixed-size buffer, and the bug is reachable through setuid programs such as /bin/host that resolve a user-supplied name.
Author:Georgi Guninski (guninski@technologica.bg)
Compromise:root (local)
Vulnerable Systems:AIX systems on PowerPC with vulnerable gethostbyname(). AIX 4.1, possibly 3.x, 4.x.
Date:13 January 1996
Exploit & full info:Available here


AUTOSOFT/RTS holes
Description:A BUNCH of pathetic security holes in AUTOSOFT/RTS (an inventory control system).
Author:Brian Mitchell <brian@saturn.net>
Compromise:root (local)
Vulnerable Systems:Any running unfixed vulnerable versions of AUTOSOFT/RTS
Date:9 January 1996
Exploit & full info:Available here


IRIX /usr/Cadmin/bin/csetup vulnerability
Description:Standard dumb tmpfile creation vulnerability in csetup: the setuid program creates its temporary file under a predictable name without checking for a symlink a local user planted there first.
Author:Discovered by Jay (srinivas@t2.chem.umn.edu)
Compromise:root (local)
Vulnerable Systems:IRIX with vulnerable suid csetup
Date:6 January 1996
Exploit & full info:Available here
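The csetup entry and the Apache /tmp/apache_status entry above are the same bug class. As an added example (not code from this page, from Apache or from SGI), here is the attack reproduced in a scratch directory, beside the open() flags that defeat it. The paths and file contents are constructed for the demo; nothing touches /tmp or /etc.

```python
"""Added example: predictable temp file + planted symlink, vulnerable vs. hardened.
Constructed paths; nothing here touches /tmp or /etc."""
import os
import tempfile


def vulnerable_write_status(path: str, data: bytes) -> None:
    """What the old daemons did: open a fixed name with O_CREAT|O_TRUNC.
    If an attacker has already put a symlink at `path`, the kernel follows it
    and the *target* gets truncated and overwritten with `data`."""
    with open(path, "wb") as fh:
        fh.write(data)


def safe_write_status(path: str, data: bytes) -> None:
    """Hardened: O_EXCL makes the open fail if anything (a symlink included)
    already exists at `path`; O_NOFOLLOW refuses to follow a symlink at all;
    mode 0600 keeps the file private.  A planted link raises OSError instead
    of being followed, and the caller should treat that as an attack, not retry."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def run_demo() -> dict:
    """Plant a symlink at the daemon's status path pointing at a victim file,
    then run both writers.  Returns what happened to the victim each time."""
    original = b"root:x:0:0:root:/root:/bin/sh\n"   # constructed, stands in for /etc/passwd
    junk = b"Server uptime: 3 days\n"               # constructed status output
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "passwd")
        status = os.path.join(tmp, "apache_status")   # the predictable name

        # Vulnerable writer: the symlink is followed and the victim is clobbered.
        with open(victim, "wb") as fh:
            fh.write(original)
        os.symlink(victim, status)                   # attacker's move
        vulnerable_write_status(status, junk)
        with open(victim, "rb") as fh:
            results["vulnerable_clobbered"] = fh.read() != original

        # Hardened writer: same planted link, the open refuses, victim untouched.
        os.unlink(status)
        with open(victim, "wb") as fh:
            fh.write(original)
        os.symlink(victim, status)
        try:
            safe_write_status(status, junk)
            results["safe_refused"] = False
        except OSError:
            results["safe_refused"] = True
        with open(victim, "rb") as fh:
            results["safe_clobbered"] = fh.read() != original
    return results


if __name__ == "__main__":
    print(run_demo())   # {'vulnerable_clobbered': True, 'safe_refused': True, 'safe_clobbered': False}
```

The hardened writer still has a problem the flags do not solve: a fixed name in a world-writable directory is a denial of service (the attacker can keep the name occupied). Daemons that need a scratch file should use mkstemp() or a directory they own instead.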


WebSite v1.1e for Windows NT & 95 buffer overflows
Description:Cool. Win95/NT Buffer overflows with WebSite v1.1e for Windows NT and '95.
Author:solar@ideal.ru
Compromise:Run arbitrary commands remotely.
Vulnerable Systems:Systems running WebSite v1.1e for Windows NT and '95.
Date:6 January 1996
Exploit & full info:Available here


Telnetd environment variable passing problem
Description:A "feature" of most telnetd programs is that they accept environment variables (TERM, DISPLAY, etc.) from the client, via the telnet ENVIRON/NEW-ENVIRON options, and pass them on to /bin/login. Unfortunately this is a problem if someone passes LD_PRELOAD: login is dynamically linked and runs as root, so it loads whatever trojan library the attacker names!
Author:Well known; squidge (squidge@onyx.infonexus.com) wrote this, but I doubt you can reach him. Isn't he in jail now?
Compromise:root REMOTELY!
Vulnerable Systems:Older Linux boxes, I think SunOS systems, probably others.
Date:January 1996 maybe? Quite old, but lives forever like phf.
Notes:Appended is a uuencoded version of squidge's telnetd_ex.tar.gz
Exploit & full info:Available here
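Added example (not squidge's telnetd_ex, which is the tarball appended to the entry): how the variables travel and the check a telnetd should make before exporting them. It builds a client NEW-ENVIRON subnegotiation (RFC 1572) carrying TERM and LD_PRELOAD, decodes it the way the server side would, and then applies an allow-list so only terminal-related names reach login. The allow-list contents and the sample values are this example's own assumptions.

```python
"""Added example: telnet NEW-ENVIRON (RFC 1572) encode/decode and a server-side
allow-list for client-supplied environment variables.  Constructed values."""

IAC, SB, SE = 255, 250, 240            # telnet command bytes
NEW_ENVIRON = 39                       # option number (RFC 1572)
IS = 0                                 # subnegotiation command: "here are my variables"
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3  # data codes inside the subnegotiation

# Names a telnetd may safely hand to /bin/login: the ones the feature exists
# for.  Everything else is dropped.  An allow-list beats a deny-list here
# because a deny-list has to know every loader/shell variable on every
# platform (LD_PRELOAD, LD_LIBRARY_PATH, IFS, ENV, NLSPATH, ...).  This
# particular set is an assumption of the example, not any vendor's policy.
SAFE_CLIENT_VARS = {"TERM", "DISPLAY", "USER", "PRINTER", "LANG", "LINES", "COLUMNS"}


def _escape(raw: bytes) -> bytes:
    """RFC 1572 escaping: data codes 0-3 are prefixed with ESC, IAC is doubled."""
    out = bytearray()
    for b in raw:
        if b in (VAR, VALUE, ESC, USERVAR):
            out += bytes([ESC, b])
        elif b == IAC:
            out += bytes([IAC, IAC])
        else:
            out.append(b)
    return bytes(out)


def build_environ_is(env: dict) -> bytes:
    """Client -> server: IAC SB NEW-ENVIRON IS (VAR name VALUE value)* IAC SE."""
    msg = bytearray([IAC, SB, NEW_ENVIRON, IS])
    for name, value in env.items():
        msg += bytes([VAR]) + _escape(name.encode("latin-1"))
        msg += bytes([VALUE]) + _escape(value.encode("latin-1"))
    msg += bytes([IAC, SE])
    return bytes(msg)


def parse_environ_is(msg: bytes) -> dict:
    """Server side: decode the subnegotiation into {name: value}.
    A VAR/USERVAR with no following VALUE means 'undefined' and is skipped."""
    head, tail = bytes([IAC, SB, NEW_ENVIRON, IS]), bytes([IAC, SE])
    if not (msg.startswith(head) and msg.endswith(tail)):
        raise ValueError("not a NEW-ENVIRON IS subnegotiation")
    data = msg[len(head):-len(tail)]
    tokens, kind, buf, i = [], None, bytearray(), 0
    while i < len(data):
        b = data[i]
        if b == ESC and i + 1 < len(data):          # escaped data code
            buf.append(data[i + 1]); i += 2; continue
        if b == IAC and i + 1 < len(data) and data[i + 1] == IAC:
            buf.append(IAC); i += 2; continue       # doubled IAC
        if b in (VAR, USERVAR, VALUE):               # start of a new token
            if kind is not None:
                tokens.append((kind, bytes(buf)))
            kind, buf = b, bytearray()
        else:
            buf.append(b)
        i += 1
    if kind is not None:
        tokens.append((kind, bytes(buf)))
    env, pending = {}, None
    for kind, text in tokens:
        if kind in (VAR, USERVAR):
            pending = text.decode("latin-1")
        elif pending is not None:                    # VALUE for the pending name
            env[pending] = text.decode("latin-1")
            pending = None
    return env


def filter_client_env(env: dict) -> tuple:
    """The check the vulnerable telnetds lacked: keep only allow-listed names
    with sane printable values; report what was dropped so it can be logged."""
    kept = {
        name: value for name, value in env.items()
        if name in SAFE_CLIENT_VARS
        and len(value) <= 255
        and all(0x20 <= ord(c) < 0x7f for c in value)
    }
    dropped = sorted(name for name in env if name not in kept)
    return kept, dropped


if __name__ == "__main__":
    wire = build_environ_is({"TERM": "vt100", "LD_PRELOAD": "/tmp/evil.so"})  # constructed
    received = parse_environ_is(wire)
    print(filter_client_env(received))   # ({'TERM': 'vt100'}, ['LD_PRELOAD'])
```

Logging the dropped names is worth keeping: a client that sends LD_PRELOAD, IFS or ENV at the telnet layer is not a misconfigured terminal, it is an exploit attempt, and the filter is the only place that sees it.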


/cgi-bin/phf vulnerability
Description:A VERY well known character escaping vulnerability in the phf CGI script: its routine for escaping shell metacharacters forgets newline (%0a), so a newline in the Qalias parameter ends the intended ph command and whatever follows runs as a separate shell command.
Author:Unknown
Compromise:Generally 'nobody' or 'daemon', but sometimes root: whatever httpd is running as. (REMOTE)
Vulnerable Systems:Many old web server distributions came with phf installed.
Date:January 1996 or something like that.
Notes:Since some systems have a vulnerable bash (one that treats byte 0xff as a command separator), you can also try http://host.com/cgi-bin/phf?Qalias=%ff/bin/cat%20/etc/passwd. Also see the addendum for a fake phf script to fool would-be crackers. After that I've put a phf exploit with a little more obfuscation.
Exploit & full info:Available here
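Added example, not the phf source or any of the exploits on this page. The first half reproduces the bug class in miniature: a metacharacter deny-list that omits newline (the list here approximates the old CGI escaping routine and is an assumption), so a %0a in Qalias splits the ph command line, beside the patched list that escapes it. The second half is a check for web server access logs, run over constructed log lines, that flags phf requests whose decoded request contains a newline or the 0xff byte the Notes mention.

```python
"""Added example: why %0a (and %ff) break phf, and a log check for attempts.
The metacharacter list approximates the old CGI escaping routine and is an
assumption; the access-log lines are constructed."""
import re
from urllib.parse import unquote_to_bytes

# Shell metacharacters the old routine escaped.  Newline is absent: that is the bug.
ESCAPED_METAS_VULNERABLE = set(b"&;`'\"|*?~<>^()[]{}$\\")
# The fix: newline (and carriage return) are command separators too.
ESCAPED_METAS_PATCHED = ESCAPED_METAS_VULNERABLE | {0x0a, 0x0d}


def escape_shell_cmd(arg: bytes, metas: set) -> bytes:
    """Backslash-escape every byte in `metas`; everything else passes through."""
    out = bytearray()
    for b in arg:
        if b in metas:
            out += b"\\"
        out.append(b)
    return bytes(out)


def build_ph_command(qalias: bytes, metas: set) -> bytes:
    """phf handed Qalias to the shell as an argument of the ph lookup command."""
    return b"/usr/local/bin/ph -m alias=" + escape_shell_cmd(qalias, metas)


def shell_command_lines(cmd: bytes) -> list:
    """How sh sees it: an unescaped newline ends one command and starts another.
    (A backslash-newline is a line continuation, so escaped newlines stay put.)"""
    return re.split(rb"(?<!\\)\n", cmd)


# --- detection over access logs ---------------------------------------------
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S*/phf\S*)')


def phf_attempts(log_lines: list) -> list:
    """Return the log lines whose phf request decodes to a newline (%0a) or to
    byte 0xff (%ff), the two shapes that turn a lookup into command execution.
    Decoding first means %0A and %0a are both caught."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        decoded = unquote_to_bytes(m.group(1))
        if b"\n" in decoded or b"\xff" in decoded:
            hits.append(line)
    return hits


SAMPLE_LOG = [   # constructed, common log format
    '10.0.0.7 - - [12/Jan/1998:03:14:07 -0500] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1457',
    '10.0.0.7 - - [12/Jan/1998:03:14:09 -0500] "GET /cgi-bin/phf?Qalias=%FF/bin/cat%20/etc/passwd HTTP/1.0" 200 1457',
    '10.0.0.9 - - [12/Jan/1998:03:20:00 -0500] "GET /cgi-bin/phf?Qname=smith HTTP/1.0" 200 312',
    '10.0.0.9 - - [12/Jan/1998:03:21:00 -0500] "GET /index.html HTTP/1.0" 200 2048',
]


if __name__ == "__main__":
    payload = b"x\n/bin/cat /etc/passwd"   # what Qalias=x%0a/bin/cat%20/etc/passwd decodes to
    print(shell_command_lines(build_ph_command(payload, ESCAPED_METAS_VULNERABLE)))
    print(shell_command_lines(build_ph_command(payload, ESCAPED_METAS_PATCHED)))
    print(len(phf_attempts(SAMPLE_LOG)))   # 2
```

The patched deny-list is what shipped as the fix; the better design is to never hand Qalias to a shell at all and to accept only the characters an alias can legitimately contain. The log check only decodes one layer of percent-encoding, which is all a 1990s httpd did too.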


Resolv+ Linux library bug
Description:The libresolv+ library gives out too much information and can possibly crash the system.
Author:Possibly Jared Mauch (jared@puck.nether.net)
Compromise:Users can read the first line of any file (e.g. /etc/shadow) and can possibly crash the system.
Vulnerable Systems:Many Linux distributions.
Date:1996
Exploit & full info:Available here


HP/UX sam_exec user vulnerability
Description:In a particularly dumb move, HP/UX's remote administration program, SAM, adds a user 'sam_exec' with UID 0 and a standard password.
Author:bogus technician (bogus@command.com.inter.net) (apparently it is SOD again) was the first to find the 10.x password.
Compromise: root (local)
Vulnerable Systems:HP/UX 9.x,10.x where SAM has been used
Date:1996
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


xwcreate/xwdestroy vulnerability
Description:xwcreate and xwdestroy let you delete any file on the system!
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise:Delete any file on the system; this can lead to root if you take out /etc/passwd, but BE CAREFUL! (local)
Vulnerable Systems:HP/UX 9.x and possibly 10.x with vulnerable xwcreate/xwdestroy
Date:Unknown
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


Old HP/UX subnetconfig vulnerability
Description:Trojan-in-PATH vulnerability in subnetconfig: the privileged program runs helper commands through the caller's PATH, so a trojan binary placed earlier in the search path runs with its privileges.
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise:root (local)
Vulnerable Systems:HP/UX with vulnerable subnetconfig, possibly just 9.0
Date:OLD
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here


Linux lilo vulnerabilities
Description:Lilo offers a lot of ways to get root to people who have physical access to the machine. This should be obvious, as these are advertised features of lilo (and lilo.conf can require a password for boot-time options via password= together with restricted). If someone has physical access they can get in somehow anyway, but these make it easy to do inconspicuously.
Author:These are quite well known, though BeastMaster V apparently wrote the textfile.
Compromise:root (local)
Vulnerable Systems:Linux systems running lilo which allow physical access to untrusted users (really dumb!).
Date:Old (very), but still applicable to many systems, as it is a feature and thus hasn't been "patched".
Notes:BeastMaster doesn't mention that you can also boot with "linux single" to get a root single-user-mode shell on many Linux boxes. I've added another post about lilo "vulnerabilities" in the addendum section.
Exploit & full info:Available here
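Added example, not from BeastMaster's text or from the LILO distribution: a small lilo.conf audit. The rule it encodes is LILO's own: password= on its own prompts on every boot of that image, and together with restricted it is only demanded when someone types extra options at the boot: prompt (linux single, init=/bin/sh), which is the case this entry is about. A keyword in the global section applies to every image; one inside an image= stanza applies to that image only. The two configurations and the password are constructed.

```python
"""Added example: flag lilo.conf images that accept boot-time options without
a password.  The two config texts below are constructed for the demo."""


def parse_lilo_conf(text: str) -> tuple:
    """Split lilo.conf into the global section and one dict per image=/other= stanza.
    Keywords without '=' (prompt, restricted, read-only) are stored as True."""
    global_opts, images, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        key, sep, val = line.partition("=")
        key, val = key.strip(), val.strip()
        if key in ("image", "other"):
            current = {key: val}
            images.append(current)
            continue
        (current if current is not None else global_opts)[key] = val if sep else True
    return global_opts, images


def audit_lilo_conf(text: str) -> list:
    """One finding per image a console user can boot with arbitrary options
    (no 'password=' in the stanza or globally), plus a note for images that
    prompt on every boot because 'restricted' is missing."""
    global_opts, images = parse_lilo_conf(text)
    findings = []
    for img in images:
        label = img.get("label") or img.get("image") or img.get("other")
        protected = "password" in img or "password" in global_opts
        if not protected:
            findings.append(
                f"{label}: no password; anyone at the console can boot "
                f"'{label} single' or '{label} init=/bin/sh' and on many systems get a root shell")
        elif "restricted" not in img and "restricted" not in global_opts:
            findings.append(
                f"{label}: password asked on every boot (secure, but unattended "
                f"reboots will hang; add 'restricted' to ask only when options are typed)")
    return findings


WEAK_CONF = """\
boot=/dev/hda
prompt
timeout=50
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
"""

HARDENED_CONF = """\
boot=/dev/hda
prompt
timeout=50
restricted          # with password=, prompt only when options are typed
password=hunter2    # constructed; a real lilo.conf holding a password must be mode 600, then re-run /sbin/lilo
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
"""


if __name__ == "__main__":
    for finding in audit_lilo_conf(WEAK_CONF):
        print("WEAK:", finding)
    print("HARDENED:", audit_lilo_conf(HARDENED_CONF))   # []
```

Two caveats the audit cannot see from the text alone: the boot password is only as good as the BIOS setting that stops the attacker booting from floppy or CD instead, and "linux single" is only a free root shell where init does not run sulogin for single-user mode.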


More HP/UX glance vulnerabilities
Description:A couple more old glance vulnerabilities
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable glance, maybe 9.x or 10.x
Date:Unknown
Notes:See the SOD HP Bug of the Week page
Exploit & full info:Available here



This page Copyright © Fyodor 1996, 1997, 1998