Exploit world!
Remote exploits section
Many holes in the Netmanager Chameleon tool suite | |
---|---|
Description: | Mostly standard overflows, but there are lots of them. Virtually every product that comes in the suite seems exploitable. |
Author: | arager@MCGRAW-HILL.COM |
Compromise: | Remote attackers can likely obtain root/administrator privileges on the machines running Chameleon daemons. The clients also have serious security holes. |
Vulnerable Systems: | These holes are in the Windows versions, although I would be very careful about running something like their Unix Z-mail product. |
Date: | 4 May 1998 |
Exploit & full info: | Available here |
Overflow in lynx processing of mailto: URLs | |
---|---|
Description: | A mailto: URL with a long email address causes lynx 2.8 to crash and can cause it to execute arbitrary code. |
Author: | Michal Zalewski <lcamtuf@boss.staszic.waw.pl> |
Compromise: | remote pages can cause commands to be executed on the lynx user's machine. This can also be used to break out of restricted lynx shells. |
Vulnerable Systems: | Those running lynx 2.8 and probably earlier. |
Date: | 3 May 1998 |
Exploit & full info: | Available here |
ID games Backdoor in quake | |
---|---|
Description: | ID software blatantly put a backdoor in Quake 1/2 and QuakeWorld, including the Linux and Solaris versions of Quake2. RCON commands sent from the subnet 192.246.40.0/24 and containing the password "tms" are automatically executed on the server without being logged. |
Author: | Mark Zielinski <markz@repsec.com> |
Compromise: | root (remote) |
Vulnerable Systems: | Those running Quake 1, QuakeWorld, Quake 2, Quake 2 Linux and Quake 2 Solaris, all versions. Thus many Windows and UNIX boxes are affected. |
Date: | 1 May 1998 |
Notes: | Quake was always a horrible security hole, but I never thought Id would stoop to introducing an intentional backdoor to allow them access to systems running Quake. I am surprised this didn't get more publicity. |
Exploit & full info: | Available here |
Many, many, many security holes in the Microsoft Frontpage extensions | |
---|---|
Description: | There are many horrible security holes in the Microsoft Frontpage extensions. For example, you can list all files in directories on FP enabled sites, you can download password files on many of them, and a lot of FP sites even let you UPLOAD your own password files (!). |
Author: | pedward@WEBCOM.COM |
Compromise: | Break into user accounts on a web server (remote) |
Vulnerable Systems: | Those running the Frontpage server extensions. Some of the vulnerabilities are UNIX only while others also work against Windows NT sites. |
Date: | 23 April 1998 |
Exploit & full info: | Available here |
Nestea "Off By One" attack | |
---|---|
Description: | A popular attack against Linux boxes |
Author: | John McDonald <jmcdonal@UNF.EDU> |
Compromise: | Stupid remote DOS attack |
Vulnerable Systems: | Linux 2.0.33 and earlier, PalmOS, HP Jet Direct printer cards, some 3COM routers, Magnum 5000 Ethernet switch, Some Windows boxes, perhaps others |
Date: | 17 April 1998 |
Notes: | I have appended the original Linux code, a BSD port, an improved Linux version, and a few other messages on the topic. |
Exploit & full info: | Available here |
Overflow in Microsoft Netmeeting | |
---|---|
Description: | Standard overflow |
Author: | DilDog <dildog@L0PHT.COM> |
Compromise: | Remotely execute arbitrary commands on the machine of a Windows/NetMeeting user (the user must click on your NetMeeting .conf file). |
Vulnerable Systems: | Windows boxes running Micro$oft Netmeeting V. 2.1 |
Date: | 16 April 1998 |
Notes: | For a lot more information on this exploit, including a short windows overflow tutorial, see http://www.cultdeadcow.com/cDc_files/cDc-351/ . |
Exploit & full info: | Available here |
Overflows in various Macintosh mail clients. | |
---|---|
Description: | Standard overflows. |
Author: | Chris Wedgwood <chris@CYBERNET.CO.NZ> |
Compromise: | DOS attack at least; there is also a possibility of remote code execution (I've never seen this done on a Mac though). |
Vulnerable Systems: | Macintosh boxes running Stalker Internet Mail Server V.1.6 or AppleShare IP Mail Server 5.0.3 SMTP Server |
Date: | 8 April 1998 |
Exploit & full info: | Available here |
Multiple Vulnerabilities in BIND named | |
---|---|
Description: | There are a number of security holes in some BIND 4.9 and 8 releases. One is a remote-root exploit that works if fake-iquery is enabled; the other two are DOS attacks. |
Author: | Unknown |
Compromise: | root (remote) |
Vulnerable Systems: | Those running BIND 8 prior to 8.1.2 or BIND 4.9 prior to 4.9.7. |
Date: | 8 April 1998 |
Exploit & full info: | Available here |
Yet another SGI pfdispaly CGI hole | |
---|---|
Description: | As has been demonstrated many times, SGI CANNOT write secure CGI scripts. Nor can they write secure setuid programs. They fixed the last pfdisplay.cgi hole, but the new version is still quite buggy -- as this post demonstrates. |
Author: | "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES> |
Compromise: | run arbitrary commands remotely as the UID running the webserver |
Vulnerable Systems: | SGI IRIX 6.2 using the performer_tools CGIs. |
Date: | 7 April 1998 |
Notes: | I honestly believe default SGI security is as bad as default Windows NT security. That is sad. |
Exploit & full info: | Available here |
RedHat 5 metamail hole | |
---|---|
Description: | Many mail clients, MTAs, etc. are poorly written and can interpret mail in ways that lead to security holes. One of the bugs in this message demonstrates a way to execute arbitrary commands by sending mail to a RedHat 5 user. The bug is in metamail script processing of MIME messages. |
Author: | Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL> |
Compromise: | potential root (remote). The victim must read the mail with Pine (or something else that calls metamail). |
Vulnerable Systems: | RedHat 5, other Linux boxes with a vulnerable metamail script. |
Date: | 5 April 1998 |
Exploit & full info: | Available here |
Irix pfdispaly CGI hole | |
---|---|
Description: | Standard `..` (directory traversal) read-any-file CGI exploit. |
Author: | "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES> |
Compromise: | Read any file (remotely) that user nobody (or whatever web server runs as) can read. |
Vulnerable Systems: | IRIX 6.2 with performer_tools.sw.webtools (Performer API Search Tool 2.2) installed, check for /var/www/cgi-bin/pfdispaly.cgi. |
Date: | 17 March 1998 |
Exploit & full info: | Available here |
Ascend Router Insecurities | |
---|---|
Description: | There is a flaw in the Ascend router OS which allows the machines to be crashed by certain malformed UDP probe packets. Also the routers have a default SNMP "write" community which allows attackers to download the entire Ascend configuration file. |
Author: | "Secure Networks Inc." <sni@SECURENETWORKS.COM> |
Compromise: | Download sensitive Ascend configuration information (passwords, etc.), plus a remote DOS attack to take out the router. |
Vulnerable Systems: | Ascend Pipeline and MAX routers including OS release 5.0Ap42 (MAX) and 5.0A (Pipeline). |
Date: | 16 March 1998 |
Notes: | Whee! We've got C exploit, CAPE exploit, IPsend exploit, and a Perl exploit! |
Exploit & full info: | Available here |
info2www CGI hole | |
---|---|
Description: | Another dumb CGI blindly using the (magical) Perl open(). |
Author: | Niall Smart <njs3@DOC.IC.AC.UK> |
Compromise: | execute arbitrary commands as web server's UID (remote) |
Vulnerable Systems: | Those running a vulnerable version of the info2www CGI |
Date: | 3 March 1998 |
Exploit & full info: | Available here |
Various gaping security holes in QuakeII (and Quake I and QuakeWorld and Quake Client). | |
---|---|
Description: | These games by ID software are absolutely riddled with glaring security holes and no one should even CONSIDER running them (or any other game for that matter) on a machine that is supposed to be secure. I have stuffed a bunch of Quake exploits in this one section, although there is one Quake II server hole I will treat separately later. |
Author: | kevingeo@CRUZIO.COM and others |
Compromise: | root (remote) |
Vulnerable Systems: | Those running pretty much any version of Quake by id software, the client or server. Quake runs on many Linux boxes as well as Win95/NT. |
Date: | 25 February 1998 |
Exploit & full info: | Available here |
Htmlscript file access bug | |
---|---|
Description: | Another stupid `..` (directory traversal) bug. |
Author: | Dennis Moore <rainking@FEEDING.FRENZY.COM> |
Compromise: | read any file the web server can read on the remote system. |
Vulnerable Systems: | Those running htmlscript (distributed by www.htmlscript.com) |
Date: | 26 January 1998 |
Exploit & full info: | Available here |
Lotus Domino database security problems | |
---|---|
Description: | Databases under this system do not correctly inherit ACLs, plus some default database ACLs are set to allow unrestricted access to all web users (!). Thus users can manipulate the files remotely. |
Author: | mattw <mattw@L0PHT.COM> |
Compromise: | manipulate server configuration files remotely |
Vulnerable Systems: | Those running vulnerable versions of Lotus Domino |
Date: | 20 January 1998 |
Exploit & full info: | Available here |
ssh-agent RSA authentication problem | |
---|---|
Description: | SSH doesn't check permissions on credential files carefully enough, so users can trick ssh into using the credentials of other users. |
Author: | "Secure Networks Inc." <sni@SECURENETWORKS.COM> |
Compromise: | Trick ssh into using the credentials of another user when you login to a remote server. |
Vulnerable Systems: | Those running ssh (setuid) on multiple-user systems where RSA authentication is being used. |
Date: | 20 January 1998 |
Exploit & full info: | Available here |
Overflow in MS PWS | |
---|---|
Description: | Typical buffer overflow. |
Author: | Gurney Halleck <gurneyh@ix.netcom.com> |
Compromise: | Crash the personal web server (it may also be possible to execute arbitrary code remotely). |
Vulnerable Systems: | Those running MS Personal Web Server (pws32/2.0.2.1112), it is apparently packaged with FrontPage 97. |
Date: | 15 January 1998 |
Exploit & full info: | Available here |
DOS against realvideoserver by Progressive Networks | |
---|---|
Description: | Another DOS attack |
Author: | Rootshell |
Compromise: | remotely crash Progressive Networks Real Video Server |
Vulnerable Systems: | Those running Progressive Networks Real Video Server. This includes the Linux version and the NT version. |
Date: | 15 January 1998 |
Exploit & full info: | Available here |
routed trace file exploit | |
---|---|
Description: | routed allows trace mode to be turned on remotely with an arbitrary filename. Thus you can append data to arbitrary files remotely. |
Author: | Rootshell |
Compromise: | You should be able to leverage this into remote root access. |
Vulnerable Systems: | RedHat Linux; IRIX 5.2, 5.3 and 6.2; NetBSD 1.2. |
Date: | 8 January 1998 |
Exploit & full info: | Available here |
Holes in Apache prior to 1.2.5 | |
---|---|
Description: | The fine folks who work on the Apache web server team kindly advised us of these holes in older versions of Apache. They are fixed in 1.2.5. The most important are probably the cfg_getline() overflow, which allows local users to run arbitrary commands with the UID of the webserver, and the '//////////' hole, which allows people to remotely effect a DOS attack on a server by giving a URL with more than 7500 forward slashes in the filename. |
Author: | Marc Slemko <marcs@ZNEP.COM> |
Compromise: | local users can run arbitrary commands with the UID of the webserver, remote DOS attack (slows the server to a crawl) |
Vulnerable Systems: | Those running Apache versions prior to 1.2.5 |
Date: | 6 January 1998 |
Exploit & full info: | Available here |
The "Bonk" NT/Win95 fragmentation attack | |
---|---|
Description: | In an attack that is basically the reverse of the teardrop attack, Windows machines that are patched for teardrop can be crashed. |
Author: | bendi |
Compromise: | crash Windoze machines remotely |
Vulnerable Systems: | Windows 95, Windows NT |
Date: | 5 January 1998 |
Exploit & full info: | Available here |
DOS attack on XTACACS servers | |
---|---|
Description: | You can crash these servers by sending ICMP unreachable messages to them. |
Author: | Coaxial Karma <c_karma@HOTMAIL.COM> |
Compromise: | remotely crash vulnerable XTACACS servers. |
Vulnerable Systems: | some XTACACS servers |
Date: | 23 December 1997 |
Exploit & full info: | Available here |
Overflow in Livingston RADIUS 1.16 and derived code | |
---|---|
Description: | There is a buffer overflow in the handling of buffers related to inverse IP lookup in RADIUS 1.16 and derived code (including Ascend RADIUS) |
Author: | "Secure Networks Inc." <sni@SECURENETWORKS.COM> |
Compromise: | root (remote) |
Vulnerable Systems: | Those running RADIUS server software derived from Livingston RADIUS 1.x |
Date: | 17 December 1997 |
Exploit & full info: | Available here |
EWS (Excite for Web Servers) CGI hole | |
---|---|
Description: | A classic CGI mistake: EWS launches a shell with query results. They change spaces to $ and somehow think this solves the problem ;) |
Author: | Marc Merlin <marc_merlin@MAGIC.METAWIRE.COM> |
Compromise: | run arbitrary commands as the processid that runs the webserver (remote) |
Vulnerable Systems: | Those running EWS 1.1 on both UNIX and NT |
Date: | 17 December 1997 |
Exploit & full info: | Available here |
Sun ^D DOS attack | |
---|---|
Description: | By connecting to the telnet port of a Solaris 2.5.1 box, sending some bogus telnet negotiation option and then flooding the channel with ^D, you can (temporarily) slow the machine to a near halt. |
Author: | Jason Zapman II <zapman@CC.GATECH.EDU> |
Compromise: | remote DOS attack |
Vulnerable Systems: | Solaris 2.5.1, 2.6 |
Date: | 13 December 1997 |
Notes: | I appended a better version after the first (the second forks extra processes to increase the flood). I also appended an NT port. |
Exploit & full info: | Available here |
Overflow in cgiwrap-3.5 and 3.6beta1 | |
---|---|
Description: | Standard overflow |
Author: | Duncan Simpson <dps@IO.STARGATE.CO.UK> |
Compromise: | Run arbitrary commands with the UID of the webserver process owner |
Vulnerable Systems: | Those running vulnerable versions of cgiwrap |
Date: | 7 December 1997 |
Exploit & full info: | Available here |
BSD Termcap overflow | |
---|---|
Description: | This program creates a malicious termcap file which can cede root access. |
Author: | Bug originally discovered by Theo de Raadt <deraadt@CVS.OPENBSD.ORG>; exploit written by Joseph_K on 22-Oct-1997 |
Compromise: | Theoretically this may allow you to become root remotely. You can definitely become root locally. |
Vulnerable Systems: | BSDI, probably FreeBSD/NetBSD/OpenBSD prior to October 1997 |
Date: | 1 December 1997 |
Exploit & full info: | Available here |
NT RAS Point to Point Tunneling Protocol hole | |
---|---|
Description: | You can crash NT boxes running RAS PPTP by sending a pptp start session request with an invalid packet length specified in the header. |
Author: | Kevin Wormington <kworm@SOFNET.COM> |
Compromise: | crash NT machines remotely |
Vulnerable Systems: | Windows NT 4.0 with RAS PPTP running |
Date: | 26 November 1997 |
Exploit & full info: | Available here |
Solaris Statd exploit | |
---|---|
Description: | Solaris 2.5.1 x86 remote overflow for statd. There is apparently an earlier patch which doesn't fix the problem. |
Author: | Anonymous |
Compromise: | root (remote) |
Vulnerable Systems: | Solaris 2.5.1 x86 is what this exploit is written for. According to a later CERT advisory, vulnerable systems include Digital UNIX (4.0 through 4.0c), AIX 3.2 and 4.1, Solaris 2.5, 2.51 and SunOS 4.1.* for both X86 and SPARC |
Date: | 24 November 1997 |
Exploit & full info: | Available here |
Security hole in iCat Carbo Server 3.0 | |
---|---|
Description: | Another pathetic hole, this one allows people to view any file on the web server (which the web server process owner can view) |
Author: | Mikael Johansson <Mikael.Johansson@ABC.SE> |
Compromise: | View files on remote web servers, maybe even filch credit card numbers! |
Vulnerable Systems: | Those running iCat Carbo Server (ISAPI, Release) Version 3.0.0 |
Date: | 8 November 1997 |
Exploit & full info: | Available here |
in.telnetd tgetent buffer overflow | |
---|---|
Description: | By specifying an alternate terminal capability database with huge entries, you can overflow programs (like telnet, possibly xterm in some cases) which call tgetent() expecting a reasonable-length buffer. |
Author: | Secure Networks, INC |
Compromise: | In some cases, root (remote) |
Vulnerable Systems: | BSD/OS v2.1. Theo de Raadt mentions that you might be able to attack the setuid xterm program locally with this hole to gain root access (possibly on Linux, as well as other BSDs). |
Date: | 21 October 1997 |
Notes: | I have appended an exploit for BSDI in the addendum section. |
Exploit & full info: | Available here |
PHP mlog.html and mylog.html vulnerabilities | |
---|---|
Description: | Trivially read any file on the remote system by exploiting these cgi scripts |
Author: | bryan berg <km@UNDERWORLD.NET> |
Compromise: | remotely read any httpd-readable file on the remote system |
Vulnerable Systems: | Those running vulnerable versions of the PHP distribution. |
Date: | 19 October 1997 |
Exploit & full info: | Available here |
Count.cgi remote overflow | |
---|---|
Description: | standard buffer overflow, this time in Count.cgi |
Author: | Nicolas Dubee <dube0866@eurobretagne.fr> |
Compromise: | local or remote execution of arbitrary code |
Vulnerable Systems: | Those running a vulnerable version of Muhammad A. Muquit's wwwcount |
Date: | 16 October 1997 |
Exploit & full info: | Available here |
Overflow in Seattle Lab Sendmail v2.5 | |
---|---|
Description: | Overflow in the username given to this program when sending mail |
Author: | David LeBlanc <dleblanc@ISS.NET> (Who is a loser, BTW) |
Compromise: | Lame DoS, possible remote execution of commands |
Vulnerable Systems: | Windoze NT running Version 2.5 (probably earlier also) of Seattle Lab Sendmail for NT |
Date: | 14 October 1997 |
Exploit & full info: | Available here |
Micro$oft's attempt at FrontPage 98 server-side extensions for Apache | |
---|---|
Description: | The setuid root program (fpexe) which comes with the FrontPage extensions is a pathetic joke security-wise, as Marc Slemko demonstrates. |
Author: | Marc Slemko <marcs@ZNEP.COM> |
Compromise: | root (remote) |
Vulnerable Systems: | Those using the Micro$oft FrontPage extensions to Apache under UNIX. |
Date: | 11 October 1997 |
Exploit & full info: | Available here |
Count.cgi hole | |
---|---|
Description: | You can read any .gif or .jpg on a server (readable by httpd daemon, of course) by giving a "image=../../../../path" type argument |
Author: | Razvan Dragomirescu <drazvan@kappa.ro> |
Compromise: | read protected .gif and .jpeg files (remote) |
Vulnerable Systems: | Those running version 2.3 of Muhammad A. Muquit's wwwcount |
Date: | 10 October 1997 |
Exploit & full info: | Available here |
Security problems in the lpd protocol | |
---|---|
Description: | The protocol for lpd (Line Printer Daemon, RFC 1179) seems to have a number of insecurities, as discussed in this post |
Author: | Bennett Samowich <a42n8k9@REDROSE.NET> |
Compromise: | root (remote) |
Vulnerable Systems: | Those running a vulnerable version of lpd, many Linux and *BSD versions are vulnerable |
Date: | 2 October 1997 |
Exploit & full info: | Available here |
mSQL authentication holes | |
---|---|
Description: | mSQL has a number of problems in its attempts at authentication, as well as another serious problem if the user doesn't use ACLs |
Author: | "John W. Temples" <john@KUWAIT.NET> |
Compromise: | remotely manipulate a mSQL database |
Vulnerable Systems: | Those running vulnerable versions of mSQL, many Linux boxes run this |
Date: | 27 September 1997 |
Exploit & full info: | Available here |
Samba Remote buffer overflow | |
---|---|
Description: | Samba reads in a user's password into a fixed length buffer, allowing execution of arbitrary code on the target machine |
Author: | ADM |
Compromise: | root (remote) |
Vulnerable Systems: | Those running the SAMBA SMB server versions earlier than 1.9.17p2. The exploit is for Linux/X86 |
Date: | 26 September 1997 |
Notes: | ADM sent me this before it went out on Bugtraq, and then they sent me a newer version (appended). Thanks! |
Exploit & full info: | Available here |
Uploader.exe insecurity | |
---|---|
Description: | Pathetic insecurity in uploader.exe that comes with O'Reilly's webserver 'website'. |
Author: | Herman de Vette <herman@info.nl> |
Compromise: | run arbitrary commands on the web server (by placing arbitrary cgi scripts there) |
Vulnerable Systems: | Those running O'Reilly's webserver, website. Mostly Windoze NT and W95 boxes. Some versions of 1.1 and 2.0beta have this vulnerability. |
Date: | 4 September 1997 |
Exploit & full info: | Available here |
Hole in the vacation program | |
---|---|
Description: | The standard UNIX vacation program doesn't do enough checking on its input (specifically the From: line in the mail) before sending it to other programs (sendmail) for processing |
Author: | bukys@CS.ROCHESTER.EDU apparently reported it to CERT & SUN on June 1, 1994 but nothing happened. This vulnerability report is from "Secure Networks Inc." <sni@SILENCE.SECNET.COM> |
Compromise: | Run arbitrary commands remotely as the user running vacation |
Vulnerable Systems: | At least some versions of AIX, FreeBSD, NetBSD, and OpenBSD. Other systems if they have installed the vacation program themselves or a different version of sendmail. |
Date: | 1 September 1997 |
Exploit & full info: | Available here |
Security problems in CVS | |
---|---|
Description: | If CVS is run as root with pserver as suggested in the info page, any user can access any account (with the possible exception of root) |
Author: | Elliot Lee <sopwith@REDHAT.COM> |
Compromise: | access any nonuser account (remote) |
Vulnerable Systems: | Those running a vulnerable version of CVS pserver as suggested in the CVS info page. CVS 1.9.14 has this fixed |
Date: | 29 August 1997 |
Exploit & full info: | Available here |
syslogd spoofing | |
---|---|
Description: | Remote syslogd uses UDP and is easily spoofable, as Yuri demonstrates in this excellent paper. Also, there isn't an easy way to turn off remote listening on AIX boxes. |
Author: | Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU> |
Compromise: | spoof syslogd, add fake log messages, overflow it, etc. |
Vulnerable Systems: | Those that have syslogd listening for remote messages, AIX is especially vulnerable. |
Date: | 27 August 1997 |
Exploit & full info: | Available here |
Check for existence of files on systems running mountd | |
---|---|
Description: | Some mountd implementations apparently give different error messages depending on whether the mountpoint requested exists or not. |
Author: | Peter <deviant@UNIXNET.ORG> |
Compromise: | Query for existence of arbitrary files (by name). This could help determine security flaws present on a remote system. |
Vulnerable Systems: | Those running vulnerable mountd. This includes at least some versions of AIX, Linux, *BSD, SunOS, Solaris, etc. |
Date: | 24 August 1997 |
Exploit & full info: | Available here |
A perl eval error in majordomo allows remote execution of arbitrary commands | |
---|---|
Description: | A Perl eval() in Majordomo is not quite paranoid enough, allowing user commands to slip through with clever use of IFS. |
Author: | Razvan Dragomirescu <drazvan@KAPPA.RO> |
Compromise: | Run commands as whatever Majordomo runs as (often group daemon). (remote) |
Vulnerable Systems: | Those running a vulnerable version of majordomo |
Date: | 24 August 1997 |
Exploit & full info: | Available here |
DG/UX in.fingerd hole | |
---|---|
Description: | Apparently (and amazingly) current dgux ships with a finger daemon that allows remote users to pipe commands, i.e. you can 'finger "|/bin/id@host'. This is made worse because many of these systems apparently run in.fingerd as root (!). |
Author: | George Imburgia <gti@HOPI.DTCC.EDU> |
Compromise: | Remotely run arbitrary programs with the UID that is running in.fingerd. Sometimes this means you can remotely become root. |
Vulnerable Systems: | dgux, versions unknown. |
Date: | 11 August 1997 |
Notes: | If this is true it is rather pathetic! |
Exploit & full info: | Available here |
The VERY popular imapd remote overflow | |
---|---|
Description: | A buffer overflow in popular imapd packages allows remote root access. This has been very widely exploited on the internet. |
Author: | I am not sure who discovered it, savage@apostols.org wrote the Linux/Intel exploit I have put first. I have appended another exploit to that. |
Compromise: | root (remote) (Ohhhh, shit!) |
Vulnerable Systems: | This exploit is for Linux, but a lot of other systems using the vulnerable IMAP are susceptible. |
Date: | 7 August 1997 |
Exploit & full info: | Available here |
Remote INND buffer overflow exploit | |
---|---|
Description: | Standard overflow, nice exploit |
Author: | Method <method@arena.cwnet.com> |
Compromise: | root (remote) |
Vulnerable Systems: | Systems running INND versions < 1.6, the exploit seems to be for Linux x86 |
Date: | 1 August 1997 |
Exploit & full info: | Available here |
mSQL overflow and poor hostname authentication checks | |
---|---|
Description: | mSQL has several buffer overflows which allow intruders to remotely execute arbitrary code. msql2d and msqld are specific vulnerable programs. Also, mSQL doesn't do a forward lookup after resolving an IP->hostname, so it is trivial to spoof authentication by having your DNS return the hostname of an actual host. |
Author: | "Secure Networks Inc." <sni@SILENCE.SECNET.COM> |
Compromise: | run arbitrary commands remotely. Spoof access to an mSQL server. |
Vulnerable Systems: | Those running the mSQL server software, msqld or msql2d. Version 2.0 is vulnerable, probably earlier versions. |
Date: | 27 July 1997 |
Exploit & full info: | Available here |
campus cgi hole | |
---|---|
Description: | A hole very similar to the standard phf hole allows people to execute arbitrary commands through the campus CGI. |
Author: | Francisco Torres <ftorres@CASTOR.JAVERIANA.EDU.CO> |
Compromise: | Execute arbitrary commands remotely as the owner of the cgi-running process (commonly nobody or daemon). |
Vulnerable Systems: | Those running a vulnerable version of the campus cgi. Version 1.2 is vulnerable. It may be distributed with the NCSA server. |
Date: | 15 July 1997 |
Exploit & full info: | Available here |
L0phtcrack 1.5 Lanman / NT password hash cracker | |
---|---|
Description: | The Lanman password hash is used by NT for authenticating users locally and over the network (MS service packs are now out that allow a different method in both cases). L0phtcrack can brute-force these hashes (taken from network logs or programs like pwdump) and recover the plaintext password. L0phtcrack 1.5 also breaks the new NT style password hashes. |
Author: | Mudge <mudge@l0pht.com> |
Compromise: | Compromise account passwords (remotely if you can sniff a server challenge). |
Vulnerable Systems: | NT 4.0, 3.51. I believe the NT4 Service Pack 3 SYSKEY fix will defeat pwdump style utilities. MS also has a fix out to disable Lanman authentication over the network, but this breaks compatibility with W95 and 3.11. |
Date: | 12 July 1997 |
Notes: | First comes a very interesting message from mudge about M$ "authentication", then comes the readme file for l0phtcrack 1.5. Next comes the source distribution in uuencoded form. You can get executables at their webpage, www.l0pht.com. |
Exploit & full info: | Available here |
WebGais forgot to strip single quotes in query string ... Oops! | |
---|---|
Description: | Webgais takes a query string, and quotes it in the perl code. But you can just close the quotes yourself, as it doesn't strip them from your query! |
Author: | Razvan Dragomirescu <drazvan@KAPPA.RO> |
Compromise: | run arbitrary commands remotely as the owner of the cgi running process. |
Vulnerable Systems: | Anything running a vulnerable version of WebGais |
Date: | 10 July 1997 |
Notes: | Remember to change the email address in the exploit! |
Exploit & full info: | Available here |
websendmail cgi hole | |
---|---|
Description: | websendmail, a cgi-bin that comes with WEBgais, doesn't make any real attempts to check its input in some cases. Thus you can execute arbitrary commands. |
Author: | Razvan Dragomirescu <drazvan@kappa.ro> |
Compromise: | Run arbitrary commands as the user who owns the webserver CGI process. (remote) |
Vulnerable Systems: | Any running an unpatched version of websendmail in their cgi directory. |
Date: | 4 July 1997 |
Exploit & full info: | Available here |
Glimpse HTTP inadequate evil char filter | |
---|---|
Description: | Glimpse HTTP, a web interface to the Glimpse search program, doesn't adequately check its input for evil characters. By tricking it into opening a pipe instead of a file, you can remotely execute arbitrary commands on the server. |
Author: | Razvan Dragomirescu <drazvan@kappa.ro> |
Compromise: | Execute arbitrary commands on a server running Glimps HTTP (remote). |
Vulnerable Systems: | Anything running a vulnerable and unmodified version of Glimpse HTTP. Runs on most systems. |
Date: | 2 July 1997 |
Notes: | Razvan Dragomirescu claims that he is getting "angry" at all the idiots who send him passwd files by not modifying his example exploit. But *I* wouldn't mind! So I've modified the exploit to use my address instead of his. DON'T FORGET TO CHANGE IT! |
Exploit & full info: | Available here |
IRIX fails to correctly patch /cgi-bin/handler exploit | |
---|---|
Description: | In an apparent attempt to prevent breakins through the common handler cgi technique, IRIX changed the code. They now check the end of a string for a pipe (trying to make sure perl opens the file as a plain file), but you can still get away with putting tabs after the pipe, to hide it. |
Author: | Razvan Dragomirescu <drazvan@kappa.ro> |
Compromise: | remotely run commands through this pathetic CGI |
Vulnerable Systems: | IRIX 6.3 and 6.4, the older versions are vulnerable to an even easier version of the same problem. |
Date: | 19 June 1997 |
Exploit & full info: | Available here |
cgi-bin/test-cgi allows arbitrary remote file listing | |
---|---|
Description: | If you give test-cgi an argument which includes a *, you can get a directory listing from the SERVER_PROTOCOL field. In other words, it is another pathetic cgi. |
Author: | Jason Uhlenkott <jasonuhl@usa.net> |
Compromise: | remotely obtain directory listings |
Vulnerable Systems: | Systems running Apache/1.2b2, probably earlier versions, many systems that have test-cgi installed. |
Date: | 6 June 1997 |
Exploit & full info: | Available here |
IRIX default guest account | |
---|---|
Description: | Apparently, all IRIX systems come by default with an unpassworded guest account. Almost as stupid as HP/UX's statically passworded uid 0 sam_exec accounts. |
Author: | well known, but Mike Neuman <mcn@RIPOSTE.ENGARDE.COM> mentioned it on bugtraq |
Compromise: | remotely obtain local user privileges. |
Vulnerable Systems: | IRIX, apparently all versions up to 6.3 |
Date: | 15 May 1997 |
Exploit & full info: | Available here |
IRIX webdist CGI vulnerability | |
---|---|
Description: | Stupid cgi |
Author: | Grant Kaufmann <grant@CAPE.INTEKOM.COM> |
Compromise: | remotely execute arbitrary commands as httpd process owner (usually nobody or daemon) |
Vulnerable Systems: | IRIX 6.2, 6.3 |
Date: | 7 May 1997 |
Exploit & full info: | Available here |
Narf NT usernames from an untrusted NT Domain Controller | |
---|---|
Description: | Through an NT Domain Controller, you can get a full list of usernames on other servers by failing a logon and then examining the target with Explorer. |
Author: | webroot <webroot@WEBROOT.COM> (Steve Thomas) |
Compromise: | List usernames of remote server including full names, descriptions, and group memberships. |
Vulnerable Systems: | NT 4.0, probably 3.51 too. |
Date: | 19 April 1997 |
Exploit & full info: | Available here |
NCSA PHP/FI CGI *2 HOLES* | |
---|---|
Description: | First of all, this rather pathetic CGI allows anyone to trivially read any file on the system which is readable by the owner of the httpd process (usually nobody or daemon). It also has a buffer overflow. |
Author: | Shamanski <jshaman@M-NET.ARBORNET.ORG> posted the read-any-file exploit; the SNI advisory on the overflow is by David Sacerdote |
Compromise: | read files and execute code as the httpd process owner (remote) |
Vulnerable Systems: | Those with php.cgi 2.0beta10 or earlier, distributed with NCSA httpd, possibly others. |
Date: | 16 April 1997 |
Exploit & full info: | Available here |
Win95 Cleartext SMB authentication hole | |
---|---|
Description: | The problem with Win95 is that it will connect to SMB servers and try the user's plaintext password first. You can direct this through a web page with a link like file://\\server/hackmicrosoft/sploit.gif. You also have to inform it of your machine's name (this can be done through Samba's nmbd). |
Author: | Steve Birnbaum (sbirn@security.org.il) |
Compromise: | Grab Win95 Passwords (remote) |
Vulnerable Systems: | Win95, Internet Explorer to a slight degree |
Date: | 25 March 1997 |
Exploit & full info: | Available here |
Buffer overflow in AOL Instant Messenger 1.7.466 | |
---|---|
Description: | Overflow in the message <TITLE>. A trivial DoS, and probably exploitable for remote access. |
Author: | Karl Koscher <mrsaturn@TEENCITY.ORG> |
Compromise: | DoS, with a strong possibility of remotely running arbitrary code. |
Vulnerable Systems: | People running AOL's Instant Messenger version 1.7.466 or earlier |
Date: | 20 March 1997 |
Exploit & full info: | Available here |
WinNT/Win95 Automatic Authentication Vulnerability (IE Bug #4) | |
---|---|
Description: | Win95 and NT will automatically try to authenticate the logged-in user to an SMB server. Thus (through a web page, in this example) you can direct people to your server and then grab their username and "encrypted" LANMAN password, i.e. the challenge/response computed from it. |
Author: | Aaron Spangler <pokee@MAXWELL.EE.WASHINGTON.EDU> |
Compromise: | Obtain LANMAN password hashes as challenge/response pairs, crackable offline (remote) |
Vulnerable Systems: | Win95, WinNT 3.51 & 4.0 |
Date: | 14 March 1997 |
Exploit & full info: | Available here |
(Another) SOD HP/UX RemoteWatch hole | |
---|---|
Description: | pathetic daemon |
Author: | Colonel Panic of SOD (sod@command.com.inter.net) |
Compromise: | root or whatever remwatch runs as (remote!) |
Vulnerable Systems: | HP/UX with vulnerable Remote Watch running, probably 9.x, maybe 10.x |
Date: | November 1996 |
Notes: | See the SOD HP Bug of the Week page |
Exploit & full info: | Available here |
Microsoft Internet Information Server abracadabra.bat bug | |
---|---|
Description: | IIS's handling of .bat and .cmd files as CGIs is insecure; abracadabra.{bat,cmd} is just a placeholder name, it does not have to exist |
Author: | www.omna.com |
Compromise: | Execute arbitrary commands on the remote IIS Server |
Vulnerable Systems: | Microsoft IIS http server v.1.0, 2.0b |
Date: | June 1996 |
Exploit & full info: | Available here |
test-cgi vulnerability | |
---|---|
Description: | Some of the test-cgi scripts distributed with various http servers echo their environment through the shell unquoted, which is buggy |
Author: | Mudge <mudge@l0pht.com> |
Compromise: | remotely obtain directory listings |
Vulnerable Systems: | systems with vulnerable test-cgi (many web servers) |
Date: | April 1996 |
Notes: | If this exact exploit doesn't work, try slightly modified query strings. |
Exploit & full info: | Available here |
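Both test-cgi entries on this page come down to one shell line. The following is an added example (not the NCSA or Apache test-cgi script, and not from this page's author) that rebuilds that line in its vulnerable and fixed forms and runs both against a constructed directory; the file names and the "*" value are made up for the demo, and mktemp is assumed to be available.

```shell
#!/bin/sh
# Added example: rebuilds the one line of test-cgi that matters (not the
# NCSA/Apache script itself) to show why an unquoted variable turns a
# request into a directory listing.  Directory contents are constructed.

# The vulnerable pattern: echo of an unquoted variable.  The shell
# word-splits and pathname-expands the value before echo ever sees it,
# so a value of "*" is replaced by the file names in the current
# directory (the server's cgi-bin, for a real CGI).
report_unquoted() {
  ( cd "$1" && echo SERVER_PROTOCOL = $2 )
}

# The fix: quote the expansion.  "set -f" (disable globbing) is cheap
# belt-and-braces for a script that echoes nothing but attacker input.
report_quoted() {
  ( cd "$1" && set -f && echo "SERVER_PROTOCOL = $2" )
}

# Stage a stand-in for cgi-bin and feed both versions a protocol field
# of "*", which is what a request line of "GET /cgi-bin/test-cgi *"
# hands the script in SERVER_PROTOCOL.
demo() {
  dir=$(mktemp -d) || return 1
  touch "$dir/db.passwd" "$dir/secret.conf"
  printf 'vulnerable: %s\n' "$(report_unquoted "$dir" '*')"
  printf 'fixed:      %s\n' "$(report_quoted "$dir" '*')"
  rm -rf "$dir"
}
demo
```

The same expansion happens for every other variable the script echoes unquoted, so any field the client controls (QUERY_STRING, the protocol, a header) can carry the glob. Note that a glob like /etc/* lists an arbitrary directory, not just cgi-bin, which is why the entry above calls this "arbitrary remote file listing".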
PC Web site interpretor in cgi-bin directory vulnerability | |
---|---|
Description: | A lot of idiots with PC web servers put perl.exe in their cgi-bin directory. |
Author: | tchrist@perl.com wrote this exploit |
Compromise: | Execute arbitrary perl code on a PC (remote) |
Vulnerable Systems: | Mostly PC web servers. Wherever anyone is stupid enough to leave perl.exe in the cgi-bin directory |
Date: | 28 March 1996 |
Notes: | You can find vulnerable sites via AltaVista. More information on this program is available at http://www.perl.com/perl/news/latro-announce.html |
Exploit & full info: | Available here |
Microsoft Active Server Pages IIS server hole | |
---|---|
Description: | Microsoft really has a problem with clients that send ".", don't they? Here again they let people download ASP source by appending a '.' to the URL. |
Author: | Mark Joseph Edwards (mark@NTSHOP.NET) |
Compromise: | Read raw unprocessed asp files which may contain privileged information (remote) |
Vulnerable Systems: | Systems running M$ IIS web server |
Date: | 20 February 1996 |
Exploit & full info: | Available here |
WebSite v1.1e for Windows NT & 95 buffer overflows | |
---|---|
Description: | Cool. Remotely exploitable buffer overflows in WebSite v1.1e, O'Reilly's web server for Windows NT and '95. |
Author: | solar@ideal.ru |
Compromise: | Run arbitrary commands remotely. |
Vulnerable Systems: | Systems running WebSite v1.1e for Windows NT and '95. |
Date: | 6 January 1996 |
Exploit & full info: | Available here |
This page Copyright © Fyodor 1996, 1997, 1998