AOL Instant Messenger client for Windows contains a buffer overflow while parsing TLV 0x2711 packets
Overview There is a remotely exploitable buffer overflow in AOL Instant Messenger AIM. An exploit has been publicly released. AOL has implemented a server side fix that has largely eliminated the chances of widespread automated exploitation of the vulnerability, but targeted exploitation of...
3Com HomeConnect Cable Modem vulnerable to DoS via long string of characters
Overview Intruders can disrupt the normal operation of a 3Com HomeConnect Cable Modem. Description The 3Com HomeConnect Cable Modem contains a web server. This web server is used to administer the cable modem. By default, this web server is configured to allow any user local or remote to connect ...
Buffer overflows in Microsoft SQL Server 7.0 and SQL Server 2000
Overview There is a buffer overflow in Microsoft SQL Server 2000 and SQL Server 7.0 which could allow an intruder to execute arbitrary code on vulnerable systems. Description Microsoft Windows SQL Server 2000 and SQL Server 7.0 contain a buffer overflow in functions associated with text messages...
IBM AIX login fails to adequately authenticate user when configured to use loadable authentication modules
Overview There is a remotely exploitable flaw in IBM's AIX 5.1L login when using loadable authentication modules. This does not affect AIX 4.3 and earlier. Description IBM AIX 5.1L login, with loadable authentication modules enabled and some non-default configurations, will permit users to login...
Microsoft Internet Explorer does not properly handle document.open()
Overview Microsoft Internet Explorer contains a vulnerability in which a script from one source is permitted to access files on the client's file system. An attacker may be able to read cookies and other files on a target system, and spoof Internet sites by creating believable window titles...
CrushFTP Server does not adequately filter user input thereby permitting directory traversal
Overview CrushFTP allows access to files outside the FTP root directory through directory traversal. Description CrushFTP is a Java-based FTP server available for Linux, Mac OS, and Windows. CrushFTP can be configured to limit access to files under a designated FTP root directory. However, CrushF...
Advanced Poll does not adequately authenticate users
Overview Advanced Poll is a polling system written in PHP for use on web sites. When a flat file database is used, Advanced Poll does not adequately authenticate users, thereby allowing any user to gain Advanced Poll administrative privileges. Description On versions of Advanced Poll older than...
Microsoft Windows Universal Plug and Play (UPNP) service vulnerable to buffer overflow via malformed advertisement packets
Overview A buffer overflow in Universal Plug and Play UPnP service on Microsoft Windows XP, Microsoft Windows ME, and Microsoft Windows 98 permits an intruder to run arbitrary code on vulnerable systems. Description Universal Plug and Play UPnP is a system to allow network devices to operate...
CDE dtprintinfo contains local buffer overflow in Help window via clipboard copy
Overview The CDE Print Viewer program dtprintinfo provides a graphical interface to display the status of print queues and print jobs. By using the clipboard to overflow the search field in the Help window of dtprintinfo, a local attacker can execute arbitrary code on the system as root. Description...
Microsoft Windows Universal Plug and Play service (UPNP) fails to limit the data returned in response to a NOTIFY message
Overview Microsoft Windows Universal Plug and Play UPnP is vulnerable to a denial-of-service attack that could negatively affect the performance of vulnerable machines. Description Universal Plug and Play UPnP is a system designed to allow network devices to operate together. One of the UPnP...
Problem with HP r-cmnds
Overview A problem existed with HP versions of the r-commands remshd, rexecd, rlogin, rlogind, remsh, rcp, rexec, rdist in use circa December, 1998. Description See HEWLETT-PACKARD COMPANY SECURITY BULLETIN: 00090, registration required 07 December 1998 for a description of the problem. No other...
Microsoft Internet Explorer download dialog may not display complete filenames
Overview There is a vulnerability in the download dialog box in Internet Explorer versions 5.5 and 6.0. The vulnerability allows an attacker to mislead users, causing them to inadvertently execute arbitrary code on the user's system. Description When downloading files included in web pages, users...
Microsoft Internet Explorer Does Not Respect Content-Disposition and Content-Type MIME Headers
Overview Microsoft Internet Explorer contains a vulnerability in its handling of certain MIME headers in web pages and HTML email messages. This vulnerability may allow an attacker to execute arbitrary code on the victim's system when the victim visits a web page or views an HTML email message...
Hot Standby Router Protocol (HSRP) uses weak authentication
Overview A denial-of-service vulnerability exists in the Hot Standby Router Protocol HSRP. Description HSRP is a protocol designed to provide transparent recovery of routing services when failures occur. Quoting from RFC2281 the RFC describing the Hot Standby Router Protocol: The Hot Standby Rout...
Compaq Tru64 Unix inetd vulnerable to DoS
Overview The inetd service on Compaq's Tru64 UNIX is vulnerable to a denial-of-service. Description The inetd service on Compaq's Tru64 UNIX V5.1 all patch levels is vulnerable to a denial-of-service attack in which inetd will stop accepting new connections. In turn, this would disrupt the normal...
System V derived login contains a remotely exploitable buffer overflow
Overview A remotely exploitable buffer overflow exists in implementations of login derived from System V. An attacker can use this vulnerability to gain the privileges of the process that invoked login, user root in the cases of in.telnetd or in.rlogind. We have been able to determine that...
GnuPG format string vulnerability in do_get() in ttyio.c while prompting for a new filename
Overview There is a format string vulnerability in GNU Privacy Guard. By sending a GPG message with a carefully crafted malicious filename, an attacker may be able to execute arbitrary code as the user who decrypts the message. Description GNU Privacy Guard GPG is a free, RFC2440 compliant...
Oracle Database Server vulnerable to DoS via repeated requests to Oracle listener without connecting to redirected port
Overview Oracle Database Server may consume all available memory and crash if clients do not connect completely in the expected manner. Description When a connection request is made to Oracle for Windows NT, Oracle Database Server creates a new thread listening on a new port and redirects the...
OpenSSH fails to properly apply source IP based access control restrictions
Overview OpenSSH is an implementation of the Secure Shell protocol. A user may be able to bypass the IP based access control restriction feature specified in a key when two keys of varying types are specified. Description Versions of OpenSSH between 2.5.x and 2.9.x may fail to enforce the IP based...
OpenSSH does not initialize PAM session thereby allowing PAM restrictions to be bypassed
Overview OpenSSH is an implementation of the Secure Shell SSH protocol. It can be configured to use Linux Pluggable Authentication Modules PAM for added authentication. A vulnerability exists in OpenSSH, and perhaps other implementations of SSH, which may potentially allow bypassing PAM...
Lotus Domino R5 Server vulnerable to DoS via nmap RPC scan on port 443/tcp
Overview Versions earlier than 5.0.9 of Lotus Domino R5 Servers with Secure Socket Layer SSL enabled are vulnerable to a denial of service. Description A remote user is able to crash the HTTP serving process on any Lotus Domino R5 Server using the nmap utility. Sending a request to port 443, the...
OpenSSH UseLogin directive permits privilege escalation
Overview OpenSSH is an implementation of the Secure Shell protocol. When OpenSSH is configured with the UseLogin directive equal to "yes", an intruder can execute arbitrary code with the privileges of OpenSSH, usually root. Description OpenSSH contains a vulnerability that permits an intruder to...
Microsoft Internet Explorer (IE) calls telnet.exe with unsafe command-line arguments ("Telnet Invocation")
Overview A telnet client can be invoked with unsafe options by arbitrary HTML "web" pages when rendered by affected Microsoft Internet Explorer clients. Description This vulnerability is also known as the "telnet logging" or "telnet invocation" or "Microsoft IE Telnet Client File Overwrite"...
WU-FTPD configured to use RFC 931 authentication running in debug mode contains format string vulnerability
Overview WU-FTPD contains a format string vulnerability that manifests when WU-FTPD is configured to use RFC 931 authentication and is run in debug mode. A crafted identd response could be used to execute arbitrary code on a vulnerable server. Description A format string vulnerability exists in t...
Cisco IOS Firewall Feature Set fails to check IP protocol type thereby allowing packets to bypass dynamic access control lists
Overview The Cisco IOS Firewall Feature Set also known as Cisco Secure Integrated Software, or Context Based Access Control may allow an intruder to pass traffic through the firewall in violation of implied security policies. Description It is important to note that only configurations that use t...
WU-FTPD does not properly handle file name globbing
Overview SecurityFocus and CORE Security Technologies have reported a vulnerability in WU-FTPD. WU-FTPD does not handle file name globbing properly and may allow an attacker to execute arbitrary code. WU-FTPD is a widely-used FTP daemon that is included in many UNIX and Linux distributions. This...
Microsoft SQL Server and Microsoft Data Engine (MSDE) ship with a null default password
Overview Microsoft SQL Server and Microsoft Data Engine ship with a null default password on the administrative account sa. If the system administrator does not set the password, the system may be vulnerable to attack. Description Microsoft SQL Server MS SQL and Microsoft Data Engine MSDE ship...
MandrakeSoft Mandrake Linux Apache default configuration enables directory indexing
Overview The default installation of Apache on MandrakeSoft Mandrake Linux enables directory indexing on directories that may unnecessarily disclose information about the server. Description MandrakeSoft produces a Linux distribution called Mandrake Linux that includes the Apache web server. The...
MandrakeSoft Mandrake Linux Apache default configuration enables Perl ProxyPass server on 8200/tcp
Overview The default installation of Apache on MandrakeSoft Mandrake Linux configures an instance of the server to run apache-modperl listening on port 8200/tcp. Description MandrakeSoft produces a Linux distribution called Mandrake Linux that includes the Apache web server. The default...
HP-UX Line Printer Daemon Vulnerable to Directory Traversal
Overview A remotely exploitable directory traversal vulnerability exists in the HP-UX line printer daemon. Description The line printer daemon rlpdaemon enables various clients to share printers over a network. By sending a specially crafted print request to an HP-UX host running the rlpdaemon, a...
MandrakeSoft Mandrake Linux Apache default configuration sample programs disclose server information
Overview The default installation of Apache on MandrakeSoft Mandrake Linux includes sample programs which may unnecessarily disclose information about the server. Description MandrakeSoft produces a Linux distribution called Mandrake Linux that includes the Apache web server. The default...
Compaq Insight Manager XE buffer overflow in SNMP and DMI functionality
Overview The Compaq web-enabled management software contains a buffer overflow in the SNMP and DMI functionality. Remote intruders may be able to execute arbitrary code with privileges on affected systems. All versions of Compaq Insight Manager XE are affected, but Compaq Insight Manager windows...
Compaq web-enabled management software buffer overflow vulnerability
Overview The Compaq web-enabled management software contains a buffer overflow. Remote intruders may be able to execute arbitrary code with privileges on affected systems. Many Compaq products are affected, from personal computers to commercial UNIX operating systems. Description The Compaq...
RhinoSoft Serv-U remote administration client transmits password in plaintext
Overview A vulnerability exists in the remote administration client for RhinoSoft Serv-U. During the authentication process, the client ignores the S/KEY one-time password OTP challenge sent by the server and sends the password entered by the user in plaintext. Description RhinoSoft Serv-U is a...
Tripwire vulnerable to arbitrary file overwriting via symlink redirection of temporary file
Overview Tripwire is a file integrity verification utility for Unix and Linux operating systems. In some implementations, tripwire opens insecure temporary files with predictable names in publicly writable directories. Using a symbolic link attack, a local intruder may overwrite or create...
BSCW vulnerable to arbitrary file overwriting via symlink redirection of temporary file
Overview BSCW is a groupware system that runs on a web server. BSCW follows symbolic links in tar files that it extracts into a user's local area. Accessing those links may allow the user to view arbitrary files viewable by the web server, and to overwrite files writable by the web server...
Digital Unix msgchk vulnerable to file contents disclosure via symlink redirection of profile
Overview msgchk, a part of the MH mail system, reads the user's .mhprofile in order to obtain configuration options. If the .mhprofile is linked to another file with illegal format, the first line of that file will be displayed in an error message by msgchk. Description msgchk is the portion of t...
Netscape vulnerable to arbitrary file overwriting via symlink redirection of temporary file
Overview During installation, Netscape 6.0.1 creates a temporary file with insecure options and a predictable name in a world-writable location. By using a symbolic link attack, an attacker could overwrite arbitrary files. Description The installation script for Netscape 6.0.1 creates a...
Cisco IOS and CatOS fail to properly validate ARP packets thereby overwriting device's MAC address in ARP table
Overview There is a denial-of-service vulnerability in specific versions of Cisco IOS or CatOS. Description A denial-of-service vulnerability exists in specific versions of Cisco IOS or CatOS. This vulnerability can cause the device to crash or become unavailable if specially crafted ARP packets...
HP Tru64 UNIX "msgchk" contains buffer overflow (SSRT2275)
Overview msgchk, a part of the MH mail system, reportedly suffers from a buffer overflow with respect to the name of the inbox to be checked for new mail. This overflow would allow the user of msgchk to execute arbitrary code. Description msgchk is the portion of the MH mail system that checks fo...
BIND memcpy not bounded in case T_SIG of rrextract()
Overview Version 8.2.2 of BIND current circa November 1999 contained a buffer overflow in the routine that converts records from network format to database format. Description Version 8.2.2 of BIND includes some checks for the correct format of a signature record in DNSSEC that previous versions...
Windows NT SNMP agent leaks memory
Overview The Microsoft SNMP agent, prior to Windows NT 4.0 Service Pack 4.0, will leak memory. Description Microsoft's SNMP agent, snmp.exe, prior to Windows NT 4.0 Service Pack 4.0, will leak memory if the OID cannot be decoded. Quoting from Microsoft KB article Q178381: If SNMP cannot decode an...
Syskey reuses keystream
Overview Versions of SYSKEY in use prior to December, 1999 leave the SAM database vulnerable to cryptanalytic attacks. Description SYSKEY is a utility introduced in Microsoft Windows NT 4.0 service pack 3 to provide strong cryptographic protection to the SAM password database. The protection SYSK...
Eyedog ActiveX control incorrectly marked "safe for scripting"
Overview Versions of the Eyedog ActiveX control current circa August, 1999, are incorrectly marked safe for scripting. Description Eyedog is an ActiveX control that was used to perform diagnostic functions in Windows. It was marked as safe for scripting, which means that it could be called from...
XMCD vulnerable to arbitrary file overwriting via symlink redirection of temporary file
Overview xmcd is a public-domain X11/Motif CD-playing utility. cda, the command line interface to xmcd, executes with system administrator privileges. It is vulnerable to a symbolic link attack that may allow a local user to obtain administrator privileges. Description cda, the command...
Common Desktop Environment (CDE) Subprocess Control Service dtspcd contains buffer overflow
Overview A remotely exploitable buffer overflow exists in the Common Desktop Environment CDE Subprocess Control Service dtspcd. An attacker who successfully exploits this vulnerability can execute arbitrary code as root. Description Internet Security Systems ISS X-Force has reported a remotely...
shadow-utils useradd creates temporary files insecurely
Overview Shadow-utils is an encryption and account management package freely distributed for many Linux implementations. The useradd program in this package creates insecure temporary files with predictable names in a write-protected directory. If this directory is changed to be writable, an...
Weak CRC allows packet injection into SSH sessions encrypted with block ciphers
Overview There is an information integrity vulnerability in the SSH1 protocol that allows packets encrypted with a block cipher to be modified without notice. Description Preconditions: Attacker has a fragment of plaintext and its corresponding ciphertext. Attacker must be able to actively...
WS-FTP Server vulnerable to buffer overflow via long string sent as argument to ftp command
Overview A remotely exploitable buffer overflow exists in the IPSWITCH WSFTP Server. Description Defcom Labs has discovered a remotely exploitable buffer overflow vulnerability in the IPSWITCH WSFTP Server on all platforms that allows intruders to execute arbitrary code with the privileges of the...
Mac OS X executes 'recent items' with privileges of foreground application
Overview The "recent items" feature of MacOS X allows users at the console to trivially obtain root privileges. Description MacOS X includes a feature called recent items. Recent Items is a list of documents and applications that have recently been accessed. An application launched from the Recen...