Exploit world!

Remote exploits section

Compiled by Fyodor fyodor@insecure.org
on Thu Jan 13 21:41:32 UTC 2000



Many holes in the Netmanager Chameleon tool suite
Description: Mostly standard overflows, but there are lots of them. Virtually every product that comes in the suite seems exploitable.
Author: arager@MCGRAW-HILL.COM
Compromise: remote attackers can likely obtain root/administrator privileges on the machines running Chameleon daemons. The clients also have serious security holes.
Vulnerable Systems: These holes are in the Windows versions, although I would be very careful about running something like their Unix Z-mail product.
Date: 4 May 1998
Exploit & full info: Available here


Overflow in lynx processing of mailto: URLs
Description: a mailto: URL with a long email address causes lynx 2.8 to crash and can cause it to execute arbitrary code
Author: Michal Zalewski <lcamtuf@boss.staszic.waw.pl>
Compromise: remote pages can cause commands to be executed on the lynx user's machine. This can also be used to break out of restricted lynx shells.
Vulnerable Systems: Those running lynx 2.8 and probably earlier.
Date: 3 May 1998
Exploit & full info: Available here


ID games backdoor in Quake
Description: ID software blatantly put a backdoor in Quake 1/2 and QuakeWorld, including both the Linux and Solaris Quake2. RCON commands sent from the subnet 192.246.40.0/24 and containing the password "tms" are automatically executed on the server without being logged.
Author: Mark Zielinski <markz@repsec.com>
Compromise: root (remote)
Vulnerable Systems: Those running Quake 1, QuakeWorld, Quake 2, Quake 2 Linux and Quake 2 Solaris, all versions. Thus many Windows and UNIX boxes are affected.
Date: 1 May 1998
Notes: Quake was always a horrible security hole, but I never thought Id would stoop to introducing an intentional backdoor to allow them access to systems running Quake. I am surprised this didn't get more publicity.
Exploit & full info: Available here


Many, many, many security holes in the Microsoft Frontpage extensions
Description: There are many horrible security holes in the Microsoft Frontpage extensions. For example, you can list all files in directories on FP enabled sites, you can download password files on many of them, and a lot of FP sites even let you UPLOAD your own password files (!).
Author: pedward@WEBCOM.COM
Compromise: Break into user accounts on a web server (remote)
Vulnerable Systems: Those running the FrontPage server extensions. Some of the vulnerabilities are UNIX only while others also work against Windows NT sites.
Date: 23 April 1998
Exploit & full info: Available here


Nestea "Off By One" attack
Description: A popular attack against Linux boxes
Author: John McDonald <jmcdonal@UNF.EDU>
Compromise: Stupid remote DOS attack
Vulnerable Systems: Linux 2.0.33 and earlier, PalmOS, HP Jet Direct printer cards, some 3COM routers, Magnum 5000 Ethernet switch, some Windows boxes, perhaps others
Date: 17 April 1998
Notes: I have appended the original Linux code, a BSD port, an improved Linux version, and a few other messages on the topic.
Exploit & full info: Available here


Overflow in Microsoft Netmeeting
Description: Standard overflow
Author: DilDog <dildog@L0PHT.COM>
Compromise: remotely execute arbitrary commands on the machine of a Windows/NetMeeting user (the user must click on your NetMeeting .conf file)
Vulnerable Systems: Windows boxes running Micro$oft Netmeeting V. 2.1
Date: 16 April 1998
Notes: For a lot more information on this exploit, including a short Windows overflow tutorial, see http://www.cultdeadcow.com/cDc_files/cDc-351/ .
Exploit & full info: Available here


Overflows in various Macintosh mail clients
Description: Standard overflows.
Author: Chris Wedgwood <chris@CYBERNET.CO.NZ>
Compromise: DOS attack at least; there is at least a possibility of remote code execution (I've never seen this done on a Mac though).
Vulnerable Systems: Macintosh boxes running Stalker Internet Mail Server V.1.6 or AppleShare IP Mail Server 5.0.3 SMTP Server
Date: 8 April 1998
Exploit & full info: Available here


Multiple Vulnerabilities in BIND named
Description: There are a number of security holes in some BIND 4.9 and 8 releases. One is a remote-root exploit that works if fake-iquery is enabled; the other two are DOS attacks.
Author: Unknown
Compromise: root (remote)
Vulnerable Systems: Those running BIND 8 prior to 8.1.2 or BIND 4.9 prior to 4.9.7.
Date: 8 April 1998
Exploit & full info: Available here


Yet another SGI pfdispaly CGI hole
Description: As has been demonstrated many times, SGI CANNOT write secure CGI scripts. Nor can they write secure setuid programs. They fixed the last pfdispaly.cgi hole, but the new version is still quite buggy -- as this post demonstrates.
Author: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
Compromise: run arbitrary commands remotely as the UID running the webserver
Vulnerable Systems: SGI IRIX 6.2 using the performer_tools CGIs.
Date: 7 April 1998
Notes: I honestly believe default SGI security is as bad as default Windows NT security. That is sad.
Exploit & full info: Available here


RedHat 5 metamail hole
Description: Many mail clients, MTAs, etc. are poorly written and can interpret mail in ways that lead to security holes. One of the bugs in this message demonstrates a way to execute arbitrary commands by sending mail to a RedHat 5 user. The bug is in metamail script processing of MIME messages.
Author: Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
Compromise: potential root (remote). The victim must read the mail with Pine (or something else that calls metamail).
Vulnerable Systems: RedHat 5, other Linux boxes with the vulnerable metamail script.
Date: 5 April 1998
Exploit & full info: Available here


Irix pfdispaly CGI hole
Description: Standard ".." (directory traversal) read-any-file CGI exploit.
Author: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
Compromise: Read any file (remotely) that user nobody (or whatever the web server runs as) can read.
Vulnerable Systems: IRIX 6.2 with performer_tools.sw.webtools (Performer API Search Tool 2.2) installed; check for /var/www/cgi-bin/pfdispaly.cgi.
Date: 17 March 1998
Exploit & full info: Available here


Ascend Router Insecurities
Description: There is a flaw in the Ascend router OS which allows the machines to be crashed by certain malformed UDP probe packets. Also, the routers have a default SNMP "write" community which allows attackers to download the entire Ascend configuration file.
Author: "Secure Networks Inc." <sni@SECURENETWORKS.COM>
Compromise: Download sensitive Ascend configuration information (passwords, etc.), plus a remote DOS attack to take out the router.
Vulnerable Systems: Ascend Pipeline and MAX routers including OS release 5.0Ap42 (MAX) and 5.0A (Pipeline).
Date: 16 March 1998
Notes: Whee! We've got a C exploit, a CAPE exploit, an IPsend exploit, and a Perl exploit!
Exploit & full info: Available here


info2www CGI hole
Description: Another dumb CGI blindly using the (magical) Perl open()
Author: Niall Smart <njs3@DOC.IC.AC.UK>
Compromise: execute arbitrary commands as the web server's UID (remote)
Vulnerable Systems: Those running a vulnerable version of the info2www CGI
Date: 3 March 1998
Exploit & full info: Available here


Various gaping security holes in QuakeII (and Quake I and QuakeWorld and Quake Client)
Description: These games by ID software are absolutely riddled with glaring security holes and no one should even CONSIDER running them (or any other game for that matter) on a machine that is supposed to be secure. I have stuffed a bunch of Quake exploits in this one section, although there is one Quake II server hole I will treat separately later.
Author: kevingeo@CRUZIO.COM and others
Compromise: root (remote)
Vulnerable Systems: Those running pretty much any version of Quake by id software, the client or the server. Quake runs on many Linux boxes as well as Win95/NT.
Date: 25 February 1998
Exploit & full info: Available here


Htmlscript file access bug
Description: Another stupid ".." (directory traversal) bug.
Author: Dennis Moore <rainking@FEEDING.FRENZY.COM>
Compromise: read any file the web server can read on the remote system.
Vulnerable Systems: Those running htmlscript (distributed by www.htmlscript.com)
Date: 26 January 1998
Exploit & full info: Available here


Lotus Domino database security problems
Description: Databases under this system do not correctly inherit ACLs, plus some default database ACLs are set to allow unrestricted access to all web users (!). Thus users can manipulate the files remotely.
Author: mattw <mattw@L0PHT.COM>
Compromise: manipulate server configuration files remotely
Vulnerable Systems: Those running vulnerable versions of Lotus Domino
Date: 20 January 1998
Exploit & full info: Available here


ssh-agent RSA authentication problem
Description: SSH doesn't check permissions on credential files adequately, so users can trick ssh into using the credentials of other users.
Author: "Secure Networks Inc." <sni@SECURENETWORKS.COM>
Compromise: Trick ssh into using the credentials of another user when you log in to a remote server.
Vulnerable Systems: Those running ssh (setuid) on multi-user systems where RSA authentication is being used.
Date: 20 January 1998
Exploit & full info: Available here


Overflow in MS PWS
Description: typical buffer overflow
Author: Gurney Halleck <gurneyh@ix.netcom.com>
Compromise: Crash the personal web server (it may also be possible to execute arbitrary code remotely)
Vulnerable Systems: Those running MS Personal Web Server (pws32/2.0.2.1112); it is apparently packaged with FrontPage 97.
Date: 15 January 1998
Exploit & full info: Available here


DOS against realvideoserver by Progressive Networks
Description: Another DOS attack
Author: Rootshell
Compromise: remotely crash Progressive Networks Real Video Server
Vulnerable Systems: Those running Progressive Networks Real Video Server. This includes the Linux version and the NT version.
Date: 15 January 1998
Exploit & full info: Available here


routed trace file exploit
Description: routed allows trace mode to be turned on remotely with any arbitrary filename. Thus you can append stuff to arbitrary files remotely.
Author: Rootshell
Compromise: You should be able to leverage this into remote root access.
Vulnerable Systems: RedHat Linux; IRIX 5.2, 5.3 and 6.2 are vulnerable; NetBSD 1.2 is vulnerable.
Date: 8 January 1998
Exploit & full info: Available here


Holes in Apache prior to 1.2.5
Description: The fine folks who work on the Apache web server team kindly advised us of these holes in older versions of Apache. They are fixed in 1.2.5. The most important are probably the cfg_getline() overflow, which allows local users to run arbitrary commands with the UID of the webserver, and the '//////////' hole, which allows people to remotely effect a DOS attack on a server by giving a URL with more than 7500 forward slashes in the filename.
Author: Marc Slemko <marcs@ZNEP.COM>
Compromise: local users can run arbitrary commands with the UID of the webserver; remote DOS attack (slows the server to a crawl)
Vulnerable Systems: Those running Apache versions prior to 1.2.5
Date: 6 January 1998
Exploit & full info: Available here


The "Bonk" NT/Win95 fragmentation attack
Description: In an attack that is basically the reverse of the teardrop attack, Windows machines that are patched for teardrop can be crashed.
Author: bendi
Compromise: crash Windoze machines remotely
Vulnerable Systems: Windows 95, Windows NT
Date: 5 January 1998
Exploit & full info: Available here


DOS attack on XTACACS servers
Description: You can crash these servers by sending ICMP unreachable messages to them.
Author: Coaxial Karma <c_karma@HOTMAIL.COM>
Compromise: remotely crash vulnerable XTACACS servers.
Vulnerable Systems: some XTACACS servers
Date: 23 December 1997
Exploit & full info: Available here


Overflow in Livingston RADIUS 1.16 and derived code
Description: There is a buffer overflow in the handling of buffers used for inverse (reverse) IP lookups in RADIUS 1.16 and derived code (including Ascend RADIUS)
Author: "Secure Networks Inc." <sni@SECURENETWORKS.COM>
Compromise: root (remote)
Vulnerable Systems: Those running RADIUS server software derived from Livingston RADIUS 1.x
Date: 17 December 1997
Exploit & full info: Available here


EWS (Excite for Web Servers) CGI hole
Description: A classic CGI mistake: EWS launches a shell with query results. They change spaces to $ and somehow think this solves the problem ;)
Author: Marc Merlin <marc_merlin@MAGIC.METAWIRE.COM>
Compromise: run arbitrary commands as the process ID that runs the webserver (remote)
Vulnerable Systems: Those running EWS 1.1 on both UNIX and NT
Date: 17 December 1997
Exploit & full info: Available here


Sun ^D DOS attack
Description: By connecting to the telnet port of a Solaris 2.5.1 box, sending some bogus telnet negotiation option and then flooding the channel with ^D, you can (temporarily) slow the machine to a near halt.
Author: Jason Zapman II <zapman@CC.GATECH.EDU>
Compromise: remote DOS attack
Vulnerable Systems: Solaris 2.5.1, 2.6
Date: 13 December 1997
Notes: I appended a better version after the first (the second forks extra processes to increase the flood). I also appended an NT port.
Exploit & full info: Available here


Overflow in cgiwrap-3.5 and 3.6beta1
Description: Standard overflow
Author: Duncan Simpson <dps@IO.STARGATE.CO.UK>
Compromise: Run arbitrary commands with the UID of the webserver process owner
Vulnerable Systems: Those running vulnerable versions of cgiwrap
Date: 7 December 1997
Exploit & full info: Available here


BSD Termcap overflow
Description: This program creates a malicious termcap file which can cede root access.
Author: Bug originally discovered by Theo de Raadt <deraadt@CVS.OPENBSD.ORG>; exploit written by Joseph_K on 22-Oct-1997
Compromise: Theoretically this may allow you to become root remotely. You can definitely become root locally.
Vulnerable Systems: BSDI, probably FreeBSD/NetBSD/OpenBSD prior to October 1997
Date: 1 December 1997
Exploit & full info: Available here


NT RAS Point to Point Tunneling Protocol hole
Description: You can crash NT boxes running RAS PPTP by sending a PPTP start-session request with an invalid packet length specified in the header.
Author: Kevin Wormington <kworm@SOFNET.COM>
Compromise: crash NT machines remotely
Vulnerable Systems: Windows NT 4.0 with RAS PPTP running
Date: 26 November 1997
Exploit & full info: Available here


Solaris Statd exploit
Description: Solaris 2.5.1 x86 remote overflow for statd. There is apparently an earlier patch which doesn't fix the problem.
Author: Anonymous
Compromise: root (remote)
Vulnerable Systems: Solaris 2.5.1 x86 is what this exploit is written for. According to a later CERT advisory, vulnerable systems include Digital UNIX (4.0 through 4.0c), AIX 3.2 and 4.1, Solaris 2.5, 2.51 and SunOS 4.1.* for both x86 and SPARC.
Date: 24 November 1997
Exploit & full info: Available here


Security hole in iCat Carbo Server 3.0
Description: Another pathetic hole; this one allows people to view any file on the web server (which the web server process owner can view)
Author: Mikael Johansson <Mikael.Johansson@ABC.SE>
Compromise: View files on remote web servers, maybe even filch credit card numbers!
Vulnerable Systems: Those running iCat Carbo Server (ISAPI, Release) Version 3.0.0
Date: 8 November 1997
Exploit & full info: Available here


in.telnetd tgetent buffer overflow
Description: By specifying an alternate terminal capability database with huge entries, you can overflow programs (like telnet, possibly xterm in some cases) which call tgetent() expecting a reasonable-length buffer.
Author: Secure Networks, INC
Compromise: In some cases, root (remote)
Vulnerable Systems: BSD/OS v2.1; Theo de Raadt mentions that you might be able to attack the suid xterm program locally with this hole to gain root access (possibly on Linux, as well as other BSDs)
Date: 21 October 1997
Notes: I have appended an exploit for BSDI in the addendum section.
Exploit & full info: Available here


PHP mlog.html and mylog.html vulnerabilities
Description: Trivially read any file on the remote system by exploiting these CGI scripts
Author: bryan berg <km@UNDERWORLD.NET>
Compromise: remotely read any httpd-readable file on the remote system
Vulnerable Systems: Those running vulnerable versions of the PHP distribution.
Date: 19 October 1997
Exploit & full info: Available here


Count.cgi remote overflow
Description: standard buffer overflow, this time in Count.cgi
Author: Nicolas Dubee <dube0866@eurobretagne.fr>
Compromise: local or remote execution of arbitrary code
Vulnerable Systems: Those running a vulnerable version of Muhammad A. Muquit's wwwcount
Date: 16 October 1997
Exploit & full info: Available here


Overflow in Seattle Lab Sendmail v2.5
Description: Overflow in the username given to this program when sending mail
Author: David LeBlanc <dleblanc@ISS.NET> (Who is a loser, BTW)
Compromise: Lame DoS, possible remote execution of commands
Vulnerable Systems: Windoze NT running Version 2.5 (probably earlier also) of Seattle Lab Sendmail for NT
Date: 14 October 1997
Exploit & full info: Available here


Micro$oft's attempt at FrontPage 98 server-side extensions for Apache
Description: The setuid root program (fpexe) which comes with the FrontPage extensions is a pathetic joke security-wise, as Marc Slemko demonstrates.
Author: Marc Slemko <marcs@ZNEP.COM>
Compromise: root (remote)
Vulnerable Systems: Those using the Micro$oft FrontPage extensions to Apache under UNIX.
Date: 11 October 1997
Exploit & full info: Available here


Count.cgi hole
Description: You can read any .gif or .jpg on a server (readable by the httpd daemon, of course) by giving an "image=../../../../path" type argument
Author: Razvan Dragomirescu <drazvan@kappa.ro>
Compromise: read protected .gif and .jpeg files (remote)
Vulnerable Systems: Those running version 2.3 of Muhammad A. Muquit's wwwcount
Date: 10 October 1997
Exploit & full info: Available here


Security problems in the lpd protocol
Description: The protocol for lpd (Line Printer Daemon, RFC 1179) seems to have a number of insecurities, as discussed in this post
Author: Bennett Samowich <a42n8k9@REDROSE.NET>
Compromise: root (remote)
Vulnerable Systems: Those running a vulnerable version of lpd; many Linux and *BSD versions are vulnerable
Date: 2 October 1997
Exploit & full info: Available here


mSQL authentication holes
Description: mSQL has a number of problems in its attempts at authentication, as well as another serious problem if the user doesn't use ACLs
Author: "John W. Temples" <john@KUWAIT.NET>
Compromise: remotely manipulate an mSQL database
Vulnerable Systems: Those running vulnerable versions of mSQL; many Linux boxes run this
Date: 27 September 1997
Exploit & full info: Available here


Samba Remote buffer overflow
Description: Samba reads a user's password into a fixed-length buffer, allowing execution of arbitrary code on the target machine
Author: ADM
Compromise: root (remote)
Vulnerable Systems: Those running the SAMBA SMB server versions earlier than 1.9.17p2. The exploit is for Linux/x86.
Date: 26 September 1997
Notes: ADM sent me this before it went out on Bugtraq, and then they sent me a newer version (appended). Thanks!
Exploit & full info: Available here


Uploader.exe insecurity
Description: pathetic insecurity in uploader.exe that comes with O'Reilly's web server 'WebSite'
Author: Herman de Vette <herman@info.nl>
Compromise: run arbitrary commands on the web server (by placing arbitrary CGI scripts there)
Vulnerable Systems: Those running O'Reilly's web server, WebSite. Mostly Windoze NT and W95 boxes. Some versions of 1.1 and 2.0beta have this vulnerability.
Date: 4 September 1997
Exploit & full info: Available here


Hole in the vacation program
Description: The standard UNIX vacation program doesn't do enough checking on its input (specifically the From: line in the mail) before sending it to other programs (sendmail) for processing
Author: bukys@CS.ROCHESTER.EDU apparently reported it to CERT & Sun on June 1, 1994 but nothing happened. This vulnerability report is from "Secure Networks Inc." <sni@SILENCE.SECNET.COM>
Compromise: Run arbitrary commands remotely as the user running vacation
Vulnerable Systems: At least some versions of AIX, FreeBSD, NetBSD, and OpenBSD. Other systems if they have installed the vacation program themselves or a different version of sendmail.
Date: 1 September 1997
Exploit & full info: Available here


Security problems in CVS
Description: If CVS is run as root with pserver as suggested in the info page, any user can access any account (with the possible exception of root)
Author: Elliot Lee <sopwith@REDHAT.COM>
Compromise: access any non-root account (remote)
Vulnerable Systems: Those running a vulnerable version of CVS pserver as suggested in the CVS info page. CVS 1.9.14 has this fixed.
Date: 29 August 1997
Exploit & full info: Available here


syslogd spoofing
Description: remote syslogd uses UDP and is easily spoofable, as Yuri demonstrates in this excellent paper. Also, there isn't an easy way to turn off remote listening on AIX boxes.
Author: Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise: spoof syslogd, add fake log messages, overflow it, etc.
Vulnerable Systems: Those that have syslogd listening for remote messages; AIX is especially vulnerable.
Date: 27 August 1997
Exploit & full info: Available here


Check for existence of files on systems running mountd
Description: Some mountd implementations apparently give different error messages depending on whether the mountpoint requested exists or not.
Author: Peter <deviant@UNIXNET.ORG>
Compromise: query for existence of arbitrary files (by name). This could help determine security flaws present on a remote system.
Vulnerable Systems: Those running vulnerable mountd. This includes at least some versions of AIX, Linux, *BSD, SunOS, Solaris, etc.
Date: 24 August 1997
Exploit & full info: Available here


A Perl eval error in majordomo allows remote execution of arbitrary commands
Description: A Perl eval() in Majordomo is not quite paranoid enough, allowing user commands to slip through with clever use of IFS.
Author: Razvan Dragomirescu <drazvan@KAPPA.RO>
Compromise: Run commands as whatever Majordomo runs as (often group daemon). (remote)
Vulnerable Systems: Those running a vulnerable version of majordomo
Date: 24 August 1997
Exploit & full info: Available here


DG/UX in.fingerd hole
Description: Apparently (and amazingly) current DG/UX ships with a finger daemon that allows remote users to pipe commands, i.e. you can 'finger "|/bin/id@host'. This is made worse because many of these systems apparently run in.fingerd as root (!).
Author: George Imburgia <gti@HOPI.DTCC.EDU>
Compromise: remotely run arbitrary programs with the UID that is running in.fingerd. Sometimes this means you can remotely become root.
Vulnerable Systems: DG/UX, versions unknown.
Date: 11 August 1997
Notes: If this is true it is rather pathetic!
Exploit & full info: Available here


The VERY popular imapd remote overflow
Description: A buffer overflow in popular imapd packages allows remote root access. This has been very widely exploited on the Internet.
Author: I am not sure who discovered it; savage@apostols.org wrote the Linux/Intel exploit I have put first. I have appended another exploit to that.
Compromise: root (remote) (Ohhhh, shit!)
Vulnerable Systems: This exploit is for Linux, but a lot of other systems using the vulnerable IMAP are susceptible.
Date: 7 August 1997
Exploit & full info: Available here


Remote INND buffer overflow exploit
Description: Standard overflow, nice exploit
Author: Method <method@arena.cwnet.com>
Compromise: root (remote)
Vulnerable Systems: Systems running INND versions < 1.6; the exploit seems to be for Linux x86
Date: 1 August 1997
Exploit & full info: Available here


mSQL overflow and poor hostname authentication checks
Description: mSQL has several buffer overflows which allow intruders to remotely execute arbitrary code. msql2d and msqld are the specific vulnerable programs. Also, mSQL doesn't do a forward lookup after resolving an IP address to a hostname, so it is trivial to spoof authentication by having your DNS return the hostname of an actual trusted host.
Author: "Secure Networks Inc." <sni@SILENCE.SECNET.COM>
Compromise: run arbitrary commands remotely. Spoof access to an mSQL server.
Vulnerable Systems: Those running the mSQL server software, msqld or msql2d. Version 2.0 is vulnerable, probably earlier versions too.
Date: 27 July 1997
Exploit & full info: Available here


campus cgi hole
Description: A hole very similar to the standard phf hole allows people to execute arbitrary commands through the campus CGI.
Author: Francisco Torres <ftorres@CASTOR.JAVERIANA.EDU.CO>
Compromise: Execute arbitrary commands remotely as the owner of the CGI-running process (commonly nobody or daemon).
Vulnerable Systems: Those running a vulnerable version of the campus CGI. Version 1.2 is vulnerable. It may be distributed with the NCSA server.
Date: 15 July 1997
Exploit & full info: Available here


L0phtcrack 1.5 Lanman / NT password hash cracker
Description: The Lanman password hash is used by NT for authenticating users locally and over the network (MS service packs are now out that allow a different method in both cases). L0phtcrack can brute-force these hashes (taken from network logs or programs like pwdump) and recover the plaintext password. l0phtcrack 1.5 also breaks the new NT style password hashes.
Author: Mudge <mudge@l0pht.com>
Compromise: Compromise account passwords (remotely if you can sniff a server challenge).
Vulnerable Systems: NT 4.0, 3.51. I believe the NT4 Service Pack 3 SYSKEY fix will defeat pwdump style utilities. MS also has a fix out to disable Lanman authentication over the network, but this breaks compatibility with W95 and 3.11.
Date: 12 July 1997
Notes: First comes a very interesting message from mudge about M$ "authentication", then comes the readme file for l0phtcrack 1.5. Next comes the source distribution in uuencoded form. You can get executables at their webpage, www.l0pht.com.
Exploit & full info: Available here


WebGais forgot to strip single quotes in query string ... Oops!
Description: Webgais takes a query string and quotes it in the Perl code. But you can just close the quotes yourself, as it doesn't strip them from your query!
Author: Razvan Dragomirescu <drazvan@KAPPA.RO>
Compromise: run arbitrary commands remotely as the owner of the CGI-running process.
Vulnerable Systems: Anything running a vulnerable version of WebGais
Date: 10 July 1997
Notes: Remember to change the email address in the exploit!
Exploit & full info: Available here


websendmail cgi hole
Description: websendmail, a cgi-bin that comes with WEBgais, doesn't make any real attempt to check its input in some cases. Thus you can execute arbitrary commands.
Author: Razvan Dragomirescu <drazvan@kappa.ro>
Compromise: Run arbitrary commands as the user who owns the webserver CGI process. (remote)
Vulnerable Systems: Any running an unpatched version of websendmail in their cgi directory.
Date: 4 July 1997
Exploit & full info: Available here


Glimpse HTTP inadequate evil-character filter
Description: Glimpse HTTP, a web interface to the Glimpse search program, doesn't adequately check its input for evil characters. By tricking it into opening a pipe instead of a file, you can remotely execute arbitrary commands on the server.
Author: Razvan Dragomirescu <drazvan@kappa.ro>
Compromise: Execute arbitrary commands on a server running Glimpse HTTP (remote).
Vulnerable Systems: Anything running a vulnerable and unmodified version of Glimpse HTTP. Runs on most systems.
Date: 2 July 1997
Notes: Razvan Dragomirescu claims that he is getting "angry" at all the idiots who send him passwd files by not modifying his example exploit. But *I* wouldn't mind! So I've modified the exploit to use my address instead of his. DON'T FORGET TO CHANGE IT!
Exploit & full info: Available here


IRIX fails to correctly patch /cgi-bin/handler exploit
Description: In an apparent attempt to prevent break-ins through the common handler CGI technique, IRIX changed the code. They now check the end of the string for a pipe (trying to make sure Perl opens the file as a plain file), but you can still get away with putting tabs after the pipe to hide it.
Author: Razvan Dragomirescu <drazvan@kappa.ro>
Compromise: remotely run commands through this pathetic CGI
Vulnerable Systems: IRIX 6.3 and 6.4; the older versions are vulnerable to an even easier version of the same problem.
Date: 19 June 1997
Exploit & full info: Available here


cgi-bin/test-cgi allows arbitrary remote file listing
Description: If you give test-cgi an argument which includes a *, you can get a directory listing from the SERVER_PROTOCOL field. In other words, it is another pathetic CGI.
Author: Jason Uhlenkott <jasonuhl@usa.net>
Compromise: remotely obtain directory listings
Vulnerable Systems: Systems running Apache/1.2b2, probably earlier versions, and many systems that have test-cgi installed.
Date: 6 June 1997
Exploit & full info: Available here


IRIX default guest account
Description: Apparently, all IRIX systems come by default with an unpassworded guest account. Almost as stupid as HP/UX's statically passworded uid 0 sam_exec accounts.
Author: well known, but Mike Neuman <mcn@RIPOSTE.ENGARDE.COM> mentioned it on bugtraq
Compromise: remotely obtain local user privileges.
Vulnerable Systems: IRIX, apparently all versions up to 6.3
Date: 15 May 1997
Exploit & full info: Available here


IRIX webdist CGI vulnerability
Description: Stupid CGI
Author: Grant Kaufmann <grant@CAPE.INTEKOM.COM>
Compromise: remotely execute arbitrary commands as the httpd process owner (usually nobody or daemon)
Vulnerable Systems: IRIX 6.2, 6.3
Date: 7 May 1997
Exploit & full info: Available here


Narf NT usernames from an untrusted NT Domain Controller
Description: Through an NT Domain Controller, you can get a full list of usernames on other servers by failing a logon and then examining the target with Explorer.
Author: webroot <webroot@WEBROOT.COM> (Steve Thomas)
Compromise: List usernames of remote server including full names, descriptions, and group memberships.
Vulnerable Systems: NT 4.0, probably 3.51 too.
Date: 19 April 1997
Exploit & full info: Available here


NCSA PHP/FI CGI *2 HOLES*
Description: First of all, this rather pathetic CGI allows anyone to trivially read any file on the system which is readable by the owner of the httpd process (usually nobody or daemon). It also has a buffer overflow.
Author: Shamanski <jshaman@M-NET.ARBORNET.ORG> posted the read-any-file exploit; the SNI advisory is by David Sacerdote
Compromise: read files and execute code as the httpd process owner (remote)
Vulnerable Systems: Those with php.cgi 2.0beta10 or earlier, distributed with NCSA httpd, possibly others.
Date: 16 April 1997
Exploit & full info: Available here


Win95 Cleartext SMB authentication hole
Description: The problem with Win95 is that it will connect to SMB servers and try the user's plaintext password first. You can also direct this through a web page with a link like file://\\server/hackmicrosoft/sploit.gif. You also have to inform it of your name (can be done through SAMBA's nmbd utility).
Author: Steve Birnbaum (sbirn@security.org.il)
Compromise: Grab Win95 passwords (remote)
Vulnerable Systems: Win95, Internet Explorer to a slight degree
Date: 25 March 1997
Exploit & full info: Available here


Buffer overflow in AOL Instant Messenger 1.7.466
Description: Overflow in message <TITLE>. Trivial DOS attack, probably could be exploited for remote access.
Author: Karl Koscher <mrsaturn@TEENCITY.ORG>
Compromise: DOS attack with a strong possibility of remotely running arbitrary code.
Vulnerable Systems: People running AOL's Instant Messenger V.1.7.466 or before
Date: 20 March 1997
Exploit & full info: Available here


WinNT/Win95 Automatic Authentication Vulnerability (IE Bug #4)
Description: Win95 will automatically try to authenticate the logged-in user to an SMB server. Thus (through a web page, in this example), you can direct people to the server and then grab their username and "encrypted" LANMAN password.
Author: Aaron Spangler <pokee@MAXWELL.EE.WASHINGTON.EDU>
Compromise: Obtain LANMAN hashed passwords (remote)
Vulnerable Systems: Win95, WinNT 3.51 & 4.0
Date: 14 March 1997
Exploit & full info: Available here


(Another) SOD HP/UX RemoteWatch hole
Description: pathetic daemon
Author: Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root or whatever remwatch runs as (remote!)
Vulnerable Systems: HP/UX with vulnerable Remote Watch running, probably 9.x, maybe 10.x
Date: November 1996
Notes: See the SOD HP Bug of the Week page
Exploit & full info: Available here


Microsoft Internet Information Server abracadabra.bat bug
Description: abracadabra.{bat,cmd} are insecure CGIs
Author: www.omna.com
Compromise: Execute arbitrary commands on the remote IIS server
Vulnerable Systems: Microsoft IIS http server v.1.0, 2.0b
Date: June 1996
Exploit & full info: Available here


test-cgi vulnerability
Description: Some of the test-cgi scripts distributed with some http servers are buggy
Author: Mudge <mudge@l0pht.com>
Compromise: remotely obtain directory listings
Vulnerable Systems: systems with vulnerable test-cgi (many web servers)
Date: April 1996
Notes: If this exact exploit doesn't work, try slightly modified query strings.
Exploit & full info: Available here


PC web site interpreter in cgi-bin directory vulnerability
Description: A lot of idiots with PC web servers put perl.exe in their cgi-bin directory.
Author: tchrist@perl.com wrote this exploit
Compromise: Execute arbitrary Perl code on a PC (remote)
Vulnerable Systems: Mostly PC web servers. Wherever anyone is stupid enough to leave perl.exe in the cgi-bin dir.
Date: 28 March 1996
Notes: You can find vulnerable sites via AltaVista. More information on this program is available at http://www.perl.com/perl/news/latro-announce.html
Exploit & full info: Available here


Microsoft Active Server Pages IIS server hole
Description: Microsoft really has a problem with clients that send ".", don't they? Well, here again they let people download ASP source by appending a '.' to the URL.
Author: Mark Joseph Edwards (mark@NTSHOP.NET)
Compromise: Read raw unprocessed ASP files which may contain privileged information (remote)
Vulnerable Systems: Systems running the M$ IIS web server
Date: 20 February 1996
Exploit & full info: Available here


WebSite v1.1e for Windows NT & 95 buffer overflows
Description: Cool. Win95/NT buffer overflows with WebSite v1.1e for Windows NT and '95.
Author: solar@ideal.ru
Compromise: Run arbitrary commands remotely.
Vulnerable Systems: Systems running WebSite v1.1e for Windows NT and '95.
Date: 6 January 1996
Exploit & full info: Available here



This page Copyright © Fyodor 1996, 1997, 1998