Exploit world!

Micro$oft Section

Hack the Evil Empire!

Compiled by Fyodor fyodor@insecure.org

on Thu Jan 13 21:41:31 UTC 2000

[Back] to Fyodor's Playhouse

NCSA httpd buffer overflow
Description:	Standard overflow in client request string
Author:	Renos <renosm@YAHOO.COM>
Compromise:	You can probably run arbitrary commands on the web server machine, it is trivial to crash the server
Vulnerable Systems:	Those running NCSA's httpd v1.4 for Windows. Probably earlier versions too.
Date:	8 May 1998
Exploit &amp full info:	Available here

Many holes in the Netmanager Chameleon tool suite
Description:	Mostly standard overflows, but there are lots of them. Virtually every product that comes in the suite seems exploitable.
Author:	arager@MCGRAW-HILL.COM
Compromise:	remote attackers can likely obtain root /administrator privileges on the machines running Chameleion daemons. The clients also have serious security holes.
Vulnerable Systems:	These holes are in the Windows versions, although I would be very careful about running something like thier Unix Z-mail product.
Date:	4 May 1998
Exploit &amp full info:	Available here

ID games Backdoor in quake
Description:	ID software blatantly put a backdoor in Quake 1/2 and QuakeWorld including both the Linux/Solaris Quake2. RCON commands sent from the subnet 192.246.40.0/24 and containing the password "tms" are automaticly executed on the server without being logged.
Author:	Mark Zielinski <markz@repsec.com>
Compromise:	root (remote)
Vulnerable Systems:	Those running Quake 1, QuakeWorld, Quake 2, Quake 2 Linux and Quake 2 Solaris, all versions. Thus many Windows and UNIX boxes are affected
Date:	1 May 1998
Notes:	Quake was always a horrible security hole, but I never thought Id would stoop to introducing an intentional backdoor to allow them access to systems running Quake. I am surprised this didn't get more publicity.
Exploit &amp full info:	Available here

Many, many, many security holes in the Microsoft Frontpage extensions
Description:	There are many horrible security holes in the Microsoft Frontpage extensions. For example, you can list all files in directories on FP enabled sites, you can download password files on many of them, and a lot of FP sites even let you UPLOAD your own password files (!).
Author:	pedward@WEBCOM.COM
Compromise:	Break into user accounts on a web server (remote)
Vulnerable Systems:	Those running the Fronpage server extensions. Sone of the vulnerabilities are UNIX only while others also work agains WindowsNT sites.
Date:	23 April 1998
Exploit &amp full info:	Available here

Nestea "Off By One" attack
Description:	A popular attack against Linux boxes
Author:	John McDonald <jmcdonal@UNF.EDU>
Compromise:	Stupid remote DOS attack
Vulnerable Systems:	Linux 2.0.33 and earlier, PalmOS, HP Jet Direct printer cards, some 3COM routers, Magnum 5000 Ethernet switch, Some Windows boxes, perhaps others
Date:	17 April 1998
Notes:	I have appended the original Linux code, a BSD port, an improved Linux version, and a few other messages on the topic.
Exploit &amp full info:	Available here

Overflow in Microsoft Netmeeting
Description:	Standard overflow
Author:	DilDog <dildog@L0PHT.COM>
Compromise:	remotely execute arbitrary commands on the machine of a windows/netmeeting user (the user must click on your neetmeeting .conf file)
Vulnerable Systems:	Windows boxes running Micro$oft Netmeeting V. 2.1
Date:	16 April 1998
Notes:	For a lot more information on this exploit, including a short windows overflow tutorial, see http://www.cultdeadcow.com/cDc_files/cDc-351/ .
Exploit &amp full info:	Available here

ICQ Spoofer
Description:	The ICQ protocol is poorly designed and leads to a number of problems. Included in this message is an ICQ spoofer in C, a Perl version, and an ICQ flooder. A sniffer is also included.
Author:	Seth McGann <smm@WPI.EDU> and others
Compromise:	Harass ICQ users to no end :).
Vulnerable Systems:	People running ICQ, mostly windows users. There is probably a Mac client too.
Date:	6 April 1998
Notes:	All the code is somewhat jumbled together -- I'm sure you can figure it out.
Exploit &amp full info:	Available here

Eudora 3.0 and 4.0 DOS
Description:	Eudora will crash if it tries to receive an email with an attachment that has a filename of at least 233 characters.
Author:	whiz <whizpig@TIR.COM>
Compromise:	Stupid DOS attack
Vulnerable Systems:	Windows users running Eudora Pro 4.0 or 3.0
Date:	29 March 1998
Exploit &amp full info:	Available here

Another WinGate hole -- this time with the LogFile service
Description:	The WinGate Logfile service basically puts up a web server on port 8010 giving full read access to the victim's hard drive(!)
Author:	HKirk <hkirk@tech-point.com>
Compromise:	Remote read access to a Wingate user's hard drive
Vulnerable Systems:	Windows users who run Wingate. This program is a huge security hole, a much better (cheaper, more secure, more robust, better performing) solution is to install a Linux gateway with IP masquerading.
Date:	29 March 1998
Exploit &amp full info:	Available here

dot bug in MS Personal Web Server
Description:	IIS 3.0 had a bug which allowed ASP source to be downloaded by appending a . to the filename. That was eventually fixed by MS but they didn't fix the same hole in their Personal Web Server.
Author:	Lynn Kyle <lynn@RAINC.COM>
Compromise:	Read ASP file source, could contain passwords, etc.
Vulnerable Systems:	Those running vulnerable version of MS Personal Web Server
Date:	22 March 1998
Exploit &amp full info:	Available here

Another MSIE 4.0 overflow
Description:	Standard overflow, this one can almost certainly be exploited by a malicious page to run arbitrary code on a user's system.
Author:	Georgi Guninski <guninski@hotmail.com>
Compromise:	Run arbitrary code on the machines of Windows users connecting to your web page.
Vulnerable Systems:	Windows 95/NT running MSIE 4.0. Perhaps even the Solaris version is vulnerable, though I've never seen anyone run it.
Date:	20 March 1998
Exploit &amp full info:	Available here

Win95 "save password" nonsense
Description:	Win95 offers dialup users to save their RAS credentials by checking a box when dialing in. Security minded folks generally decline. However, Microsoft saves the password anyway!
Author:	Aleph One <aleph1@DFW.NET>
Compromise:	Obtain cleartext passwords for dialup accounts. On NT you can sometimes retrieve the lanman and NT hashes (which you can then run a cracker on).
Vulnerable Systems:	Windows95, NT.
Date:	20 March 1998
Notes:	In some cases information on the last SEVERAL logins are stored without permission (!)
Exploit &amp full info:	Available here

Even more IE 4 bugs
Description:	3 bugs which range in severity from crashing Internet Explorer to crashing all of windows. These can be put on malicious web pages to take out the IE users.
Author:	Aleph One <aleph1@DFW.NET>
Compromise:	Stupid DOS attack
Vulnerable Systems:	Win95/WinNT running Internet Explorer 4.01 (perhaps earlier)
Date:	16 March 1998
Exploit &amp full info:	Available here

MDaemon/SLMail Mail server overflows
Description:	Most Windows servers in generally seem to have horrific security. Here is info on overflows in the MDaemon SMTP/Pop Server and the Seattle labs server. Many Macintosh servers also have these problems, and even UNIX isn't always immune to poor coding.
Author:	Alvaro Martinez Echevarria <alvaro-bugtraq@LANDER.ES>
Compromise:	Crash the server, perhaps arbitrary code could be executed.
Vulnerable Systems:	Windows boxes running a vulnerable version of MDaemon, Seattle Labs SLMail, and several other crappy Windows servers.
Date:	11 March 1998
Exploit &amp full info:	Available here

Various gaping security holes in QuakeII (and Quake I and QuakeWorld and Quake Client).
Description:	These games by ID software are absolutely riddled with glaring security holes and no one should even CONSIDER running them (or any other game for that matter) on a machine that is supposed to be secure. I have stuffed a bunch of quake exploits in this one section although there is one Quake II server hole I will treate separately later.
Author:	kevingeo@CRUZIO.COM and others
Compromise:	root (remote)
Vulnerable Systems:	Those running pretty much any version of quake by id software, the client or server. Quake runs on many Linux boxes as well as Win95/NT.
Date:	25 February 1998
Exploit &amp full info:	Available here

Radius spaces-in-password DOS attack.
Description:	A number of Radius implementations will crash if the right number of spaces are appended to a username.
Author:	"Phillip R. Jaenke" <prj@NLS.NET>
Compromise:	Stupid DOS attack
Vulnerable Systems:	Several UNIX and NT radius implementations including Livingston 1.16 to 2.01, RadiusNT v2.x, and merit radius 2.4.23C
Date:	20 February 1998
Exploit &amp full info:	Available here

NT Login DOS
Description:	Uh-Oh! NT isn't correctly checking its input. By sending an SMB logon request with an incorrect data length field you can blue screen the NT box.
Author:	"Secure Networks Inc." <sni@SECURENETWORKS.COM>
Compromise:	Yet another NT DOS attack
Vulnerable Systems:	Windows NT 4.0 up to and including Service Pack 3
Date:	14 February 1998
Notes:	It shouldn't be hard to write a quick exploit for this. Any volunteers? Just hack SAMBA login request code and experiment with different data lengths. If you do write one, please mail it to me (fyodor@insecure.org).
Exploit &amp full info:	Available here

Wingate telnet redirection
Description:	A somewhat common technique for attackers is to install "telnet redirectors" on a system they have compromised. This allows them to telnet to the redirector and then telnet out from there anonymously, masking their true point of origin. These attackers no longer need to bother with penetrating systems, as the Wingate includes anonymous telnet redirection as a feature enabled by default! Just telnet to port 1080 or 23 and then telnet right back out to wreak havok on the internet. And don't worry, it doesn't (by default) log anything! <sigh>
Author:	Alans other account <alanb@MANAWATU.GEN.NZ>
Compromise:	Intruders can mask their true point of origin by going through Wingate
Vulnerable Systems:	Windows boxes running Wingate
Date:	11 February 1998
Notes:	Many thanks to Dairo Bel <dairo@akrata.org> for translating his spanish article on Wingate and sending it in! Also note that you can use nmap, a network portscanner I wrote to locate hosts on your network that are running Wingate.
Exploit &amp full info:	Available here

Windows share passwords are right there in the registry and poorly encrypted
Description:	Share encryption is by a simple XOR and the passwords are stored in registry entries such as SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\Parm1enc .
Author:	a42n8k9@redrose.net
Compromise:	With local access to a windoze box you can determine the read-only and full access passwords to the file system/printer/etc. Also these passwords might be the same as for more important access (ie to company servers).
Vulnerable Systems:	Windoze 95, NT
Date:	9 February 1998
Exploit &amp full info:	Available here

Poor authentication used with NT domain controllers for authenticating SMB requests.
Description:	There are a number of problems with the way NT implements authentication of clients accessing an smb fileshare.
Author:	Paul Ashton <paul@ARGO.DEMON.CO.UK>
Compromise:	Learn a users' password, and cause other mischief
Vulnerable Systems:	Windows NT 4.0 and 3.51
Date:	6 February 1998
Notes:	This probably won't be fixed anytime soon.
Exploit &amp full info:	Available here

NT port binding insecurity
Description:	UNIX does not allow normal users to bind ports < 1024. NT apparently has no such concept of privileged ports. It even allows users to bind ports in use by the system and sniff or redirect data from them!!!
Author:	Weld Pond <weld@L0PHT.COM>
Compromise:	Obtain passwords, sniff information, change information before passing it to the real server, spoof UNIX r-services, etc.
Vulnerable Systems:	Windows NT 3.51, 4.0
Date:	6 February 1998
Notes:	Appended to this message is a SMB redirectory which allows local unprivileged users to redirect smb trafic to a remote server so that the local server doesn't even see it. This obviously has quite severe implications.
Exploit &amp full info:	Available here

Obtaining Domain Admins access on a LAN
Description:	There are problems with the NT domain authentication protocol which allow anyone on a Domain to gain Domain access
Author:	Paul Ashton <paul@ARGO.DEMON.CO.UK>
Compromise:	Gain Domain Admin Access
Vulnerable Systems:	NT 4.0
Date:	28 January 1998
Exploit &amp full info:	Available here

Microsoft private key recovery
Description:	There are a number of flaws in the way Microsoft stores private keys.
Author:	Peter Gutmann, pgut001@cs.auckland.ac.nz
Compromise:	Obtain a users private keys which can allow you to intercept their email, digitally sign contracts and agreements (in their name), etc.
Vulnerable Systems:	Windoze NT and Win95
Date:	25 January 1998
Notes:	This paper is from Peter Gutmann's web site and can be found at: <http://www.cs.auckland.ac.nz/~pgut001/pubs/breakms.txt>
Exploit &amp full info:	Available here

Overflow in MS PWS
Description:	typical buffer overflow
Author:	Gurney Halleck <gurneyh@ix.netcom.com>
Compromise:	Crash the personal web server (it is also possible that you could be able to execute arbitrary code remotely)
Vulnerable Systems:	Those running MS Personal Web Server (pws32/2.0.2.1112), it is apparently packaged with FrontPage 97.
Date:	15 January 1998
Exploit &amp full info:	Available here

DOS against realvideoserver by Progressive Networks
Description:	Another DOS attack
Author:	Rootshell
Compromise:	remotely crash Progressive Networks Real Video Server
Vulnerable Systems:	those running Progressive Networks Real Video Server. This includes the Linux version and the NT version
Date:	15 January 1998
Exploit &amp full info:	Available here

mk: URL overflow in Internet Explorer 4.0
Description:	Another Internet Explorer overflow, this time in the mk: URL type
Author:	DilDog <dildog@L0PHT.COM>
Compromise:	run arbitrary code on the machines of IE users who visit your page
Vulnerable Systems:	Microsoft Internet Explorer 4.0 and 4.01, Outlook Express, Windows Explorer (it is an explorer library problem)
Date:	14 January 1998
Exploit &amp full info:	Available here

DOS attack on backoffice viewcode.asp
Description:	You can leave a host running backoffice in a state of not accepting connections by using http://server.com/whetever/viewcode.asp?source=/////////////////<lots more slashes>///
Author:	Anonymous
Compromise:	DOS attack against web server
Vulnerable Systems:	Those running Microsoft Backoffice with viewcode.asp available
Date:	14 January 1998
Exploit &amp full info:	Available here

Microsoft FrontPage server extensions file permissions problems
Description:	Abhorrent permissions are required for some files related to the Microsoft FrontPage server extensions. For example _vti_pvt is a 775 directory which contains mode 664 service.pwd that contains the crypt()ed passwords for users.
Author:	Dave Pifke <dave@VICTIM.COM>
Compromise:	Not only can local users find out (or sometimes change) the passwords used for web accounts, but determing these passwords may lead to compromise of more important accounts that may use the same passwords.
Vulnerable Systems:	Those running Microsoft FrontPage server extensions 3.0.2.1117 under UNIX
Date:	9 January 1998
Exploit &amp full info:	Available here

The "Bonk" NT/Win95 fragmentation attack
Description:	In an attack that is basically the reverse of the teardrop attack, Windows machines that are patched for teardrop can be crashed.
Author:	bendi
Compromise:	crash Windoze machines remotely
Vulnerable Systems:	Windows 95, Windowsw NT
Date:	5 January 1998
Exploit &amp full info:	Available here

MIRC worm bug
Description:	There is a bug in MIRC (a Windoze IRC client) which allows people to send an arbitrary script.irc to MIRC users. This allows arbitrary MIRC scripting commands to be interpreted.
Author:	Unknown
Compromise:	Windows IRC users can be harassed and their files can be snatched and/or deleted.
Vulnerable Systems:	Windows versions running MIRC prior to 5.3
Date:	18 December 1997
Exploit &amp full info:	Available here

EWS (Excite for Web Servers) CGI hole
Description:	A classic CGI mistake: CWS launches a shell with query results. They change spaces to $ and somehow think this solves the problem ;)
Author:	Marc Merlin <marc_merlin@MAGIC.METAWIRE.COM>
Compromise:	run arbitrary commands as the processid that runs the webserver (remote)
Vulnerable Systems:	Those running EWS 1.1 on both UNIX and NT
Date:	17 December 1997
Exploit &amp full info:	Available here

ICQ so-called protocol
Description:	The ICQ protocol is ridiculously simplistic and is riddled with security holes. So is the ICQ software. So ICQ users can be spoofed, have their machine crashed, or have evil haxxors run arbitrary code on their boxes. Geez, these poor users might as well run Internet Explorer!
Author:	Alan Cox <alan@CYMRU.NET>
Compromise:	Spoof, Crash, or exploit the buffer overflow to run arbitrary code
Vulnerable Systems:	Mostly Windows boxes where the user is running ICQ
Date:	14 December 1997
Exploit &amp full info:	Available here

mIRC crash via new socket feature
Description:	A problem with the way mIRC handles bound sockets allows mean people to crash the mIRC clients of poor, defenseless Windows users.
Author:	Derek Reynolds <startnet@NATION.ORG>
Compromise:	Crash an mIRC user and make thier Windows run even slower than usual
Vulnerable Systems:	Those running mIRC 5.3 under Windows
Date:	7 December 1997
Exploit &amp full info:	Available here

Xscreensaver problem
Description:	Apparently if you type more then 80 characters into an xscreensaver password window it will die and you will gain access to the desktop. Also not that with XFree86 you can often use CNTRL-SHIFT-BACKSPACE to simply kill the server (and whatever X program is locking it).
Author:	Kim San Su <shanx@comp67.snu.ac.kr>
Compromise:	Bypass xscreensaver password security
Vulnerable Systems:	Those where people run a vulnerable version of xscreensaver to lock their X-Windows sessions.
Date:	2 December 1997
Exploit &amp full info:	Available here

Long filesystem paths
Description:	One thing you can do to be highly annoying is create very long directory paths. These cause major problems to many system utilities. This post provides useful one-liners for the purpose.
Author:	Zack Weinberg <zack@RABI.PHYS.COLUMBIA.EDU>
Compromise:	Annoying DOS
Vulnerable Systems:	Those that allow very long directory paths. I just created one 10002 directories deep on my Linux box (I stopped it, it could have gone further). Fortunately Microsoft OS users don't have this problem due to small filesystem depth restrictions ;)
Date:	2 December 1997
Exploit &amp full info:	Available here

NT RAS Point to Point Tunneling Protocol hole
Description:	You can crash NT boxes running RAS PPTP by sending a pptp start session request with an invalid packet length specified in the header.
Author:	Kevin Wormington <kworm@SOFNET.COM>
Compromise:	crash NT machines remotely
Vulnerable Systems:	Windows NT 4.0 with RAS PPTP running
Date:	26 November 1997
Exploit &amp full info:	Available here

The LAND attack (IP DOS)
Description:	Sending a packet to a machine with the source host/port the same as the destination host/port crashes a lot of boxes.
Author:	m3lt <meltman@LAGGED.NET>
Compromise:	Remote DOS attack (reboots many systems)
Vulnerable Systems:	Windows95, Windows NT 4.0, WfWG 3.11, FreeBSD
Date:	20 November 1997
Exploit &amp full info:	Available here

Linux and Windows IP fragmentation (Teadrop) bug
Description:	Win* and Linux deal with overlapping IP fragments in an incorrect manner which allows the systems to be crashed remotely.
Author:	Apparently datagram in flip.c
Compromise:	Remote DOS attack
Vulnerable Systems:	Windows NT 4.0, Win95 , Linux up to 2.0.32
Date:	15 November 1997
Notes:	I also included a program called "syndrop" which is a modified version of teardrop (exploits an M$ SYN sequence bug.
Exploit &amp full info:	Available here

Cybercash 2.1.2 insecurities
Description:	A number of insecurities in Cybercash
Author:	Megan Alexander <malexander@COMMANDCOM.COM>
Compromise:	Get credit card numbers, plaintext password registry settings, tons of fun stuff!
Vulnerable Systems:	Windows95 and NT systems running Cybercash 2.1.2 or Verifone vPOS
Date:	11 November 1997
Exploit &amp full info:	Available here

Exchange & Outlook client extensions problem
Description:	Anyone can register "extensions" to Exchange Client or Outlook which cause evil things to happen for various events. Typical idiotic Microsoft bug.
Author:	Martin Stanek <stanek@DCS.FMPH.UNIBA.SK>
Compromise:	Steal mail, cause users to run malicious code, etc.
Vulnerable Systems:	Microsoft systems where multiple users run Outlook or Exchange client
Date:	9 November 1997
Exploit &amp full info:	Available here

Intel "f00f" Pentium bug
Description:	A bug in the Intel Pentium (and Pentium + MMX) chips allows usermode processes to crash the system by executing the invalid instruction 0xf00fc7c8
Author:	Sent through an anonymous remailer
Compromise:	Users who can run code on the system can totally freeze the system
Vulnerable Systems:	Those running on a Pentium including versions of Linux, Dos, WinNT, Win95, SolarisX86, etc.
Date:	8 November 1997
Exploit &amp full info:	Available here

Attachments to Office files not encrypted
Description:	Not only is the "encryption" used for Microsoft Office applications hopelessly weak, but attachments are not encrypted at all.
Author:	lustiger@att.com
Compromise:	Read attachments to "encrypted" Office documents without having to spend 30 seconds decrypting them.
Vulnerable Systems:	Microsoft Office 95 and 97
Date:	7 November 1997
Exploit &amp full info:	Available here

Micro$oft Internet Explorer 4 res:// overflow bug
Description:	There is a standard buffer overflow in Microsoft's parsing of the new res:// URL protocol.
Author:	DilDog <dildog@L0PHT.COM>
Compromise:	Execute arbitrary code on the machines of Windows users who connect to your web pages.
Vulnerable Systems:	Windows 95 boxes running IE 4.0
Date:	1 November 1997
Exploit &amp full info:	Available here

NT Syscalls insecurity
Description:	In this excellent paper, Solar Designer points out a number of serious flaws in the Micro$oft NT syscall implementations. He demonstrates code that will crash NT boxes, and points out that even more serious holes could probably be found by examining other syscalls.
Author:	Solar Designer <solar@FALSE.COM> (This guy rocks!)
Compromise:	Crash NT, possibly bypass security
Vulnerable Systems:	Windoze NT 4.0 and earlier
Date:	19 October 1997
Exploit &amp full info:	Available here

NT SetThreadPriority() hole
Description:	NT SetThreadPriority call resets a Thread's time quantum, possibly allowing the process to run forever and hog available resources.
Author:	ntinternals.com
Compromise:	NT local DoS
Vulnerable Systems:	Windoze NT
Date:	19 October 1997
Exploit &amp full info:	Available here

Bad registry permissions on NT allows users to defeat security restrictions
Description:	Users can set registry settings like HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to run programs at startup in a heightened security context.
Author:	Unknown (Aleph One?)
Compromise:	heighten privileges on NT
Vulnerable Systems:	NT 3.5, 3.51, and 4.0 default configuration
Date:	17 October 1997
Exploit &amp full info:	Available here

Spy on IE users' files
Description:	A hole in IE 4.0 allows web pages to read arbitrary files on a users hard drive.
Author:	Jabadoo software (www.jabadoo.de)
Compromise:	web servers can steal files from people who visit.
Vulnerable Systems:	Those running Micro$oft Internet Explorer 4.0
Date:	17 October 1997
Exploit &amp full info:	Available here

MS exchange/service user problems
Description:	Apparently many people use service accounts for Exchange. Apparently, those also generally don't have auto-account-disabling or password expiration, which makes exchange a great target for brute-force password guessing
Author:	Russ <Russ.Cooper@RC.ON.CA> and Geremy Cohen
Compromise:	Hack a Windoze box
Vulnerable Systems:	Windoze NT running Exchange 5.0 as a service account
Date:	15 October 1997
Exploit &amp full info:	Available here

Overflow in Seattle Lab Sendmail v2.5
Description:	Overflow in the username given to this program when sending mail
Author:	David LeBlanc <dleblanc@ISS.NET> (Who is a loser, BTW)
Compromise:	Lame DoS, possible remote execution of commands
Vulnerable Systems:	Windoze NT running Version 2.5 (probably earlier also) of Seattle Lab Sendmail for NT
Date:	14 October 1997
Exploit &amp full info:	Available here

Micro$oft's attempt at FrontPage 98 server-side extensions for Apache
Description:	The setuid root program (fpexe) which comes with the FrontPage extensions is a pathetic joke security-wise, as Marc Slemko demonstrates.
Author:	Marc Slemko <marcs@ZNEP.COM>
Compromise:	root (remote)
Vulnerable Systems:	Those using the Micro$oft FrontPage extensions to Apache under UNIX.
Date:	11 October 1997
Exploit &amp full info:	Available here

SNMP holes in Windoze NT 4.0
Description:	One bug described allows you to dump all domain usernames with smnpwalk. Another allows you to delete WINS database records remotely. Micro$oft is pathetic. Nobody should by their products. Get Linux, or OpenBSD, or Solaris.
Author:	"Rouland, Christopher J" <CRouland@EXAMNYC.lehman.com>
Compromise:	Determine usernames, potenet DoS
Vulnerable Systems:	Those running WindoZe 4.0 Server with snmp
Date:	8 October 1997
Exploit &amp full info:	Available here

M$ IIS 3.0 newdsn.exe problem
Description:	newdsn.exe under MS IIS 3.0 allows creation of arbitrary files (just names, not contents) in the wwwroot directory tree
Author:	Vytis Fedaravicius <vytix@FLOYD.KTU.LT>
Compromise:	create bogus files on webservers, it isn't clear if you can overwrite files. A DoS attack at minumum
Vulnerable Systems:	Those running Micro$oft IIS v.3.0 with newdsn.exe installed. This includes a number of WinNT machines.
Date:	25 September 1997
Exploit &amp full info:	Available here

ARP and ICMP redirection games
Description:	This excellent article/code from Yuri points out a number of (mostly known) problems with the ARP and ICMP protocols/implementations
Author:	Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise:	spoof as a trusted host, redirect trafic through your host, DoS
Vulnerable Systems:	Many versions of Linux, numerous hubs/routers. AFAIK, IRIX, HP-UX, *BSD, and probably Windoze can be spoofed with gratuitous ARP
Date:	19 September 1997
Exploit &amp full info:	Available here

CC:Mail password vulnerability
Description:	CC:Mail stores cleartext passwords in a "hidden" batch file which is apparently read/writeable by all users on NT (and of course is on W95)
Author:	Carl Byington <carl@five-ten-sg.com>
Compromise:	Take over a CC:Mail postoffice
Vulnerable Systems:	Windoze NT/95 running cc:Mail release 8
Date:	8 September 1997
Exploit &amp full info:	Available here

Uploader.exe insecurity
Description:	pathetic insecurity in uploader.exe that comes with O'reilly's webserver 'website'
Author:	Herman de Vette <herman@info.nl>
Compromise:	run arbitrary commands on the web server (by placing arbitrary cgi scripts there)
Vulnerable Systems:	Those running O'reilly's webserver, website. Mostly Windoze NT and W95 boxes. Some versions of 1.1 and 2.0beta have this vulnerability.
Date:	4 September 1997
Exploit &amp full info:	Available here

Overwrite people's files through IE3 with malicious forms
Description:	MS Internet Exploder 3 will overwrite local files if the remote form asks it to.
Author:	Andrew McNaughton <andrew@SQUIZ.CO.NZ>
Compromise:	Malicious web page can overwrite files belonging to visitors who use M$ IE3
Vulnerable Systems:	Microsoft Explorer version 3.0 PPC running on a mac, probably other IE3 versions.
Date:	29 August 1997
Exploit &amp full info:	Available here

SPOOLSS.EXE memory leak
Description:	DOS attack by remotely exploiting \\server\PIPE\SPOOLSS
Author:	"Holas, Ond�ej" <OHolas@EXCH.DIGI-TRADE.CZ>
Compromise:	Stupid DOS attack
Vulnerable Systems:	WindoZE machines such as NT
Date:	21 August 1997
Notes:	Holas' message comes first, then the exploit he mailed to me.
Exploit &amp full info:	Available here

NT LSA secrets
Description:	This program allows you to obtain verious LSA secrets such as service passwords, cached password hashes of recent users, and a bunch of others.
Author:	Paul Ashton <paul@ARGO.DEMON.CO.UK>
Compromise:	The administrator (or someone who has hacked admin) of an NT box can find a lot of juicy information which M$ tried to hide.
Vulnerable Systems:	Presumably just NT (4.0, maybe 3.51) boxes.
Date:	9 August 1997
Exploit &amp full info:	Available here

Internet Explorer keeps a record of every page you've visit since it was installed!
Description:	*.DAT files in the Win95/NT "Temporary Internet Files" directory store every move you make on the web.
Author:	From something called "technet"
Compromise:	Huge potential privacy violation if you can get physical access to a computer running IE. Also some URLs have access information encoded in them.
Vulnerable Systems:	Those running M$ Internet Explorer 4.0 or earlier. Mostly W95/NT boxes.
Date:	5 August 1997
Notes:	Apparently %SystemRoot%\History also contains .DAT files with the same information. Asking IE to clear the cache doesn't eliminate this, see the post in the addendum.
Exploit &amp full info:	Available here

WINS nameservice (137/UDP) flood DOS attack
Description:	You can take out WINS service by sending random shit to 137/udp NETBIOS Name Service. Of course, this is true of most Micro$oft services.
Author:	"Holas, Ondxej" <OHolas@EXCH.DIGI-TRADE.CZ>
Compromise:	Stupid DOS attack
Vulnerable Systems:	Windows systems (NT 4.0, probably 3.5 and Win95) that aren't protected by a firewall/packet filter that blocks 137/udp.
Date:	1 August 1997
Exploit &amp full info:	Available here

NT file execution path
Description:	NT has a HORRIBLY insecure path, and there is nothing you can do about it!
Author:	Jeremy Allison <jallison@WHISTLE.COM> quotes some M$ documentation which confirms the ugly rumors.
Compromise:	Can you say TROJAN HORSE!
Vulnerable Systems:	Windoze NT 4.0, probably earlier.
Date:	25 July 1997
Exploit &amp full info:	Available here

NT chargen flood DOS
Description:	Systems with the Simple TCP/IP Services installed will respond to broadcast UDP datagrams sent to the subnet broadcast address. You could presumably use this to attack someone else (by using your target's source address in the broadcast) or take down the NT network by having the source be port 19 of the same broadcast address.
Author:	Unknown
Compromise:	stupid DOS attack
Vulnerable Systems:	Micro$oft NT with the Simple TCP/IP services installed. M$ has a post-SP3 fix available.
Date:	23 July 1997
Exploit &amp full info:	Available here

L0phtcrack 1.5 Lanman / NT password hash cracker
Description:	The Lanman password hash is used by NT for authenticating users locally and over the network (MS service packs are now out that allow a different method in both cases). L0phtcrack can brute-force these hashes (taken from network logs or progams like pwdump) and recover the plaintext password. l0phtcrack 1.5 also breaks the new NT style password hashes.
Author:	Mudge <mudge@l0pht.com>
Compromise:	Compromise account passwords (remotely if you can sniff a server challenge.
Vulnerable Systems:	NT 4.0, 3.51. I believe NT4 Service Pack 3 SYSKEY fix will defeat pwdump style utilities. MS also has a fix out to disable Lanman authentication over the network, but this breaks compatibility w/W95 and 3.11.
Date:	12 July 1997
Notes:	First comes a very interesting message from mudge about M$ "authentication", then comes the readme file for l0phtcrack 1.5. Next comes the source distribution in uuencoded form. You can get executables at their webpage, www.l0pht.com.
Exploit &amp full info:	Available here

NT fragmentation attack
Description:	A flaw in the NT fragment reassembly algorithm allows you to smuggle packets to NT boxes through packet-filtering firewalls. You "hide" the TCP header in an offset IP fragment and just neglect to send the first (zero offset) packet. NT (Pre-SP3) will still happily reassemble your packet, placing the fragment with the lowest-offset at the front.
Author:	Thomas Lopatic
Compromise:	Talk to NT boxes behind packet-filtering firwalls
Vulnerable Systems:	NT 4.0 w/o SP3 installed, and probably 3.51
Date:	10 July 1997
Notes:	I LOVE this advisory. Fully detailed ... includes source code so I don't have to spend 5 hours reproducing this. Thanks Thomas!
Exploit &amp full info:	Available here

NT case insensitive filename problems
Description:	]You can create trojan directories in all lowercase, which will in some cases be accessed before the Mixed case directories and files NT likes to create.
Author:	Paul Ashton <paul@ARGO.DEMON.CO.UK>
Compromise:	This has the potential to cause an administrator level compromise.
Vulnerable Systems:	Windoze NT 4.0
Date:	4 July 1997
Notes:	Paul Ashton also suggested the idea of creating a trojan parallel help directory, with hard links to all the original Help files, except one could call a special DLL to compromise NT. Also not that the POSIX subsystem doesn't need to be installed. You can create a files of the same name but different case by calling the Win32 function CreateFile() with the FILE_FLAG_POSIX_SAMANTICS flag specified (also noted by Paul Ashton).
Exploit &amp full info:	Available here

The ever popular getadmin exploit
Description:	Someone posted this executable to several newsgroups. It allows any normal user to join the administrator group! Woop! M$ tried to fix the bug, but, not surprisingly, their hotfix didn't help.
Author:	Konstantin Sobolev
Compromise:	Become administrator on a NT box
Vulnerable Systems:	NT 4.0, I think service pack 3 must be installed.
Date:	4 July 1997
Notes:	First I give the source to the program, then the source to the program which works even after the hotfix. Then I give the uuencoded getadmin.zip which was posted to the newsgroups.
Exploit &amp full info:	Available here

Many RAS Service packet filtering rules are insecure.
Description:	Because it has no notion of an established connection, allowing connections often require two rules to specify the allowed source and destination ports. But allowing data back from, say, port 25 to allow outgoing mail, also allows a malicious attacker to come in from a source port of 25, even though you never initiated a connection with that host.
Author:	Russ <Russ.Cooper@RC.ON.CA>
Compromise:	Bypass silly NT packet filters (when will people learn not to use NT as a firewall????)
Vulnerable Systems:	Windows NT running the Routing and RAS Service (Steelhead)
Date:	26 June 1997
Exploit &amp full info:	Available here

M$ IIS DOS long URL vulnerability
Description:	If you send a specially formatted URL of about 8K to IIS, you can crash the server
Author:	Todd Fast (loser) found the bug, and Andrea Arcangeli <arcangeli@mbox.queen.it> ported the exploit to gcc.
Compromise:	Stupid DOS attack
Vulnerable Systems:	Anything running unpatched M$ IIS, mostly just NT.
Date:	21 June 1997
Notes:	The exploit is appended to the "advisory" cruft. Don't check his webside, these details and the code have been removed.
Exploit &amp full info:	Available here

Netscape gives away user's files!
Description:	A hole in the handling of the INPUT TYPE="FILE" tag allows a malicious website operator to download your files (if the filename is known). This apparently works on all platforms, and with Netscape up to Netscape Communicator.
Author:	"Paul T. Kooros" <kooros@TITAN.SRRB.NOAA.GOV>
Compromise:	Steal people's shit!
Vulnerable Systems:	Clients running Netscape Communicator 4.0 and earlier, as well as netscape navigator 3.* and probably earlier. This includes the Windoze, Macintosh, and UNIX platforms.
Date:	16 June 1997
Notes:	This is a great advisory! Show your thanks by buying his JavaScript book! I would if JavaScript wasn't such a lame language ;).
Exploit &amp full info:	Available here

poison the DNS cache by returning a bogus IP as a CNAME for a real server
Description:	You can poison DNS cache by returning a bogus IP as a CNAME for a real server.
Author:	Johannes Erdfelt outlined this type of attack originally.
Compromise:	Subvert DNS
Vulnerable Systems:	Almost all current DNS servers, including bind 8.1 and M$ DNS
Date:	14 June 1997 (It was actually discovered in April, apparently)
Exploit &amp full info:	Available here

NT password replacement program
Description:	Micro$oft tried to obfuscate the NT password storage method, but it has been broken and this program allows you to reset any user's password. Administrator might be a good example.
Author:	pnordahl@eunet.no
Compromise:	Administrator, if you have physical access.
Vulnerable Systems:	NT 4.0 (probably earlier) without service pack 3 syskey enabled.
Date:	11 June 1997
Notes:	A uuencoded of the source distribution is attached below. His web site also offers disk images.
Exploit &amp full info:	Available here

Another way to crash NT DNS server.
Description:	Apparently sending a flood of characters to port 53 (DNS) will crash the server. The MS advisory even gives advice for the lamers on how to do this.
Author:	Unknown
Compromise:	stupid DOS attach
Vulnerable Systems:	NT 4.0 without the postSP3 hotfix. Service Pack 4 will probably fix this.
Date:	10 June 1997
Exploit &amp full info:	Available here

Microsoft's Win95 stores your password in plaintext in the system registry.
Description:	Bill Stout notes several locations in the W95 registry where user's passwords are stored in plain text.
Author:	Bill Stout <stoutb@pios.com>
Compromise:	Find out a user's W95 password (which is often also their password on real machines)
Vulnerable Systems:	Microsoft Windoze 95
Date:	30 May 1997
Exploit &amp full info:	Available here

Windows NT/95/3.11 Out Of Band (OOB) data barf
Description:	Windows NT will completely crash if you send Out of Band (MSG_OOB) data to its port 139. Win95 will blue screen and network connectivity is usually lost, applications may crash. Win 3.11 with the M$ TCP/IP stack crashes too. Other ports like MS DNS may also be affected.
Author:	myst <myst@LIGHT-HOUSE.NET>
Compromise:	Stupid DOS attack, but it can be humorous.
Vulnerable Systems:	WinNT 4.0, 3.51, Win95 , WFWG 3.11
Date:	9 May 1997
Notes:	I'm also appending the perl exploit code and the visual basic code. The M$ FIX in service pack 3 and the Hotfix does NOT work! You just have to change the code a bit, or use the Macintosh exploit. Change the TCP Urgent pointer if you want to exploit the post-servicepacke 3 conditon from a UNIX box.
Exploit &amp full info:	Available here

Failed logouts in Windows NT and '95
Description:	Some people "logout" of their NT boxes and leave, but NT sometimes fails due to hung processes and give the option to abort the logout.
Author:	Peter da Silva <peter@BAILEYNM.COM>
Compromise:	Take over someone's local console login
Vulnerable Systems:	Windows NT 3.51, 4.0 and I believe Win95 is vulnerable
Date:	3 May 1997
Notes:	Not too big of a deal, but it should still be fixed
Exploit &amp full info:	Available here

Narf NT usernames from an untrusted NT Domain Controller
Description:	Through an NT Domain Controller, you can get a full list of usernames on other servers by failing a logon and then examining the target with Explorer.
Author:	webroot <webroot@WEBROOT.COM> (Steve Thomas)
Compromise:	List usernames of remote server including full names, descriptions, and group memberships.
Vulnerable Systems:	NT 4.0, probably 3.51 too.
Date:	19 April 1997
Exploit &amp full info:	Available here

NT 4.0 Stupid default SMB mount permissions
Description:	If you have an account on a NT box, you are by default allowed to mount any drive r/w by mounting \\server\c$ (replace 'c' with the drive letter).
Author:	Well known, but this post was by Yiorgos Adamopoulos <Y.Adamopoulos@noc.ntua.gr>
Compromise:	Mount any NT drive r/w (local)
Vulnerable Systems:	NT 4.0 with no service packs, 3.51?
Date:	7 April 1997
Exploit &amp full info:	Available here

NT crash via extra long username in Winpopup
Description:	You can crash an NT box (possibly W95 too) by sending a very long username in a Winpopup message. This is easy to do from UNIX with 'smbclient -U LOTSandLOTSofcrap -M host'.
Author:	Well known.
Compromise:	Crash Windows boxes
Vulnerable Systems:	Windows NT 4.0 and earlier, fixed in NT 4.0 Service pack 3. Win95 may be vulnerable.
Date:	April 1997
Exploit &amp full info:	Available here

Windows NT NTML Auto-Authentication
Description:	Internet Explorer running on NT will attemt to authenticate using your (hashed) password to anyone who asks! Worse, it doesn't even tell you that it is doing this. Even if you have a very strong password, a man-in-the-middle attack is possible. The server can request a challenge from another server, and then feed it back to you for encryption!
Author:	Paul Ashton <paul@argo.demon.co.uk>
Compromise:	WWW servers can obtain authentication information (username and Lanman password hash) from clients who connect using Internet Explorer from an NT box.
Vulnerable Systems:	NT 4.0, probably 3.51
Date:	April 1997 or so
Notes:	See Paul Ashton's demonstration at http://www.efsl.com/security/ntie/ . Also not that this isn't fixed as of 7/27/97. Will it ever be?
Exploit &amp full info:	Available here

Win95 Cleartext SMB authentication hole
Description:	Win95 is that it will connect to SMB servers and try the user's plaintext password first. You can also direct this through a web page with a linke like file://\\server/hackmicrosoft/sploit.gif. You also have to inform it of your name (can be done through SAMBA's nmbd utility).
Author:	Steve Birnbaum (sbirn@security.org.il)
Compromise:	Grab Win95 Passwords (remote)
Vulnerable Systems:	Win95, Internet Explorer to a slight degree
Date:	25 March 1997
Exploit &amp full info:	Available here

Windows NT password hash retrieval
Description:	Jeremy Allison has successfully de-obfuscated the NT LANMAN and md4 hashes from the registry. This has many useful implications, including allowing us to hack the real password, or use the hash to longin via SAMBA. To make things even better, the "encryption" has a LOT of problems.
Author:	Jeremy Allison <jra@cygnus.com>
Compromise:	Grab NT password hashes, which can then be cracked. You must be administrator or at least have the loser run your trojan.
Vulnerable Systems:	Windows NT 4.0 and 3.51 at least
Date:	22 March 1997
Notes:	The README for follows, and afterwords I have included the code. Also there are a lot of crackers available. Try NTCrack. Or you can get l0phtcrack, try www.l0pht.com
Exploit &amp full info:	Available here

ANOTHER pathetic IIS 3.0 vulnerability
Description:	Microsoft CANNOT seem to handle dots at all in their programs, after fixing the name.asp. bug, the great guys at the l0pht found that their "fix" introduced another '.' bug. This time using the hex representation.
Author:	Weld Pond <weld@l0pht.com&rt
Compromise:	Remotely obtain .asp, .ht, .id, .PL files etc.
Vulnerable Systems:	Those running vulnerable M$ IIS 3.0 web server
Date:	21 March 1997
Exploit &amp full info:	Available here

WinNT/Win95 Automatic Authentication Vulnerability (IE Bug #4)
Description:	Win95 will automatically try to authenticate the logged in user to an SMB server. Thus (through a web page, in this example), you can direct people to the server and then grab their username and "encrypted" LANMAN password.
Author:	Aaron Spangler <pokee@MAXWELL.EE.WASHINGTON.EDU>
Compromise:	Obtain LANMAN hashed passwords (remote)
Vulnerable Systems:	Win95, WinNT 3.51 & 4.0
Date:	14 March 1997
Exploit &amp full info:	Available here

Many Windows FTP servers are not very robust
Description:	This is an example of how tocrash War FTPD 1.65 for Win 95/NT, you can do similar things with ServU and most other ftpd's I have seen.
Author:	Well known, but here is a post to Bugtraq from rootshell
Compromise:	crash the Windows ftpd
Vulnerable Systems:	Those runnign Windows ftp servers
Date:	4 February 1997
Notes:	I have appended a serv-U crasher. Note that this may be the fault of Windows and not Serv-U.
Exploit &amp full info:	Available here

A collection of 6 Internet Explorer bugs
Description:	6 security holes in our favorite web browser (NOT), all in one neat package
Author:	Assorted, mentioned in package
Compromise:	Run commands as the user running IE, NT idiots often run as ADMINISTRATOR.
Vulnerable Systems:	Systems running Internet Explorer, the vicinity of 3.0. Microsoft Win95/NT mostly.
Date:	February 1997 might be a good average
Notes:	How many admins would respond to an email message promising "wet hot sex!" or something else enticing at a certain URL? Except for indiscriminate attacks, this would take a little social engineering. The appended UUencoded version probably looks funny in your web browser. Just "save as".
Exploit &amp full info:	Available here

Modstat exploit
Description:	Standard buffer overflow in modstat, which is distributed with many BSD variants (althought apparently not BSDI).
Author:	Mudge <mudge@l0pht.com>
Compromise:	root (local)
Vulnerable Systems:	Windows versions running MIRC prior to 5.3
Date:	9 December 1996
Exploit &amp full info:	Available here

dataman/cdman hole
Description:	system() call vulnerability in the dataman program (cdman is a symlink to it) in IRIX
Author:	Yuri Volobuev (volobuev@t1.chem.umn.edu)
Compromise:	root
Vulnerable Systems:	Windows95 and NT systems running Cybercash 2.1.2 or Verifone vPOS
Date:	9 December 1996
Exploit &amp full info:	Available here

Ping of Death
Description:	gazillions of machines can be crashed by sending IP packets that exceed the maximum legal length (65535 octets)
Author:	The page included was created by Malachi Kenney. The programs have attribution.
Compromise:	Stupid DOS
Vulnerable Systems:	I have heard that NT and 95 can actually lock up hard from the programs below. Also, early 2.0.x Linux, Solaris x86, and Macintosh systems are often vulnerable.
Date:	21 October 1996 was when this page came up.
Notes:	The Ping O' Death page is included first, then comes BSD source code, then comes a version of the above which is modified to compile on Linux 2.X. I also appended jolt.c, which IP spoofs to. Woop!
Exploit &amp full info:	Available here

HP/UX passwd hole
Description:	Standard buffer overflow
Author:	Colonel Panic of SOD (sod@command.com.inter.net)
Compromise:	root (local)
Vulnerable Systems:	Those running O'reilly's webserver, website. Mostly Windoze NT and W95 boxes. Some versions of 1.1 and 2.0beta have this vulnerability.
Date:	October 1996
Notes:	See the SOD HP Bug of the Week page
Exploit &amp full info:	Available here

Windows Screensaver bug
Description:	Some versions of Win/Win95/WinNT seem to allow people to bypass screensaver password "security" with control-alt-delete and contol-ESC
Author:	Common knowledge
Compromise:	Take over "passworded" winbloze machines (local)
Vulnerable Systems:	Some Win95 and WinNT boxes
Date:	October 1996
Exploit &amp full info:	Available here

Microsoft IIs '..' hole
Description:	ANOTHER stupid MS '..' bug, this time in their web server.
Author:	possibly Thomas Lopatic (lopatic@dbs.informatik.uni-muenchen.de)
Compromise:	Gain unauthorized access to files outside the public html directories.
Vulnerable Systems:	Systems running a vulnerable IIs http server, mostly Windows NT boxes.
Date:	26 July 1996
Exploit &amp full info:	Available here

Microsoft Internet Information Server abracadabra.bat bug
Description:	abracadabra.{bat,cmd} are insecure CGIs
Author:	www.omna.com
Compromise:	Execute arbitrary commands on the remote IIS Server
Vulnerable Systems:	Microsoft IIS http server v.1.0, 2.0b
Date:	June 1996
Exploit &amp full info:	Available here

Microsoft Active Server Pages IIS server hole
Description:	Microsoft really has a problem with clients that send "." don't they? Well here again they let people download asp source by appending a '.' to the url
Author:	Mark Joseph Edwards (mark@NTSHOP.NET)
Compromise:	Read raw unprocessed asp files which may contain privileged information (remote)
Vulnerable Systems:	Systems running M$ IIS web server
Date:	20 February 1996
Exploit &amp full info:	Available here

WebSite v1.1e for Windows NT & 95 buffer overflows
Description:	Cool. Win95/NT Buffer overflows with WebSite v1.1e for Windows NT and '95.
Author:	solar@ideal.ru
Compromise:	Run arbitrary commands remotely.
Vulnerable Systems:	Systems running WebSite v1.1e for Windows NT and '95.
Date:	6 January 1996
Exploit &amp full info:	Available here

This page Copyright &#169 Fyodor 1996, 1997, 1998
[Back] to Fyodor's Exploit World main index