3702 matches found
Syskey reuses keystream
Overview Versions of SYSKEY in use prior to December, 1999 leave the SAM database vulnerable to cryptanalytic attacks. Description SYSKEY is a utility introduced in Microsoft Windows NT 4.0 service pack 3 to provide strong cryptographic protection to the SAM password database. The protection SYSK...
Eyedog ActiveX control incorrectly marked "safe for scripting"
Overview Versions of the Eyedog ActiveX control current circa August, 1999, are incorrectly marked safe for scripting. Description Eyedog is an ActiveX control that was used to perform diagnostic function in Windows. It was marked as safe for scripting, which means that it could be called from...
Common Desktop Environment (CDE) Subprocess Control Service dtspcd contains buffer overflow
Overview A remotely exploitable buffer overflow exists in the Common Desktop Environment CDE Subprocess Control Service dtspcd. An attacker who successfully exploits this vulnerability can execute arbitrary code as root. Description Internet Security Systems ISS X-Force has reported a remotely...
shadow-utils useradd creates temporary files insecurely
Overview Shadow-utils is an encryption and account management package freely distributed for many Linux implementations. The useradd program in this package creates insecure temporary files with predictable names in a write-protected directory. If this directory is changed to be writable, an...
Weak CRC allows packet injection into SSH sessions encrypted with block ciphers
Overview There is an information integrity vulnerability in the SSH1 protocol that allows packets encrypted with a block cipher to be modified without notice. Description Preconditions: Attacker has a fragment of plaintext and its corresponding ciphertext. Attacker must be able to actively...
WS-FTP Server vulnerable to buffer overflow via long string sent as argument to ftp command
Overview A remotely exploitable buffer overflow exists in the IPSWITCH WSFTP Server. Description Defcom Labs has discovered a remotely exploitable buffer overflow vulnerability in the IPSWITCH WSFTP Server on all platforms that allows intruders to execute arbitrary code with the privileges of the...
Mac OS X executes 'recent items' with privileges of foreground application
Overview The "recent items" feature of MacOS X allows users at the console to trivially obtain root privileges. Description MacOS X includes a feature called recent items. Recent Items is a list of documents and applications that have recently been accessed. An application launched from the Recen...
OpenSSH UseLogin option allows remote execution of commands as root
Overview Versions of OpenSSH prior to 2.1.1 current circa June, 2000 allow a remote attacker to execute arbitrary commands with the privileges of sshd, typically root. Description OpenSSH is a free implementation of versions 1 and 2 of the SSH protocol. If sshd is configured with the UseLogin...
NSI RWhoisd contains format string vulnerability in print_error()
Overview A remotely exploitable format string vulnerability exists in the Referral Whois server daemon RWhoisd. Description As the Internet has grown, the centralized whois database was not able to scale. In order to deal with scaling the whois system, Referral Whois was developed. Referral Whois...
Air Messenger LAN Server (AMLServer) stores usernames and passwords in plaintext
Overview Air Messenger LAN Server AMLServer stores usernames and passwords in plaintext. Description AMLServer for windows is a paging gateway that allows users on a TCP/IP LAN to communicate with mobile devices such as phones and pagers. Access to AMLServer's services is protected by a user...
OpenSSL PRNG contains design flaw that allows a user to determine internal state and predict future output
Overview The pseudorandom number generator PRNG in OpenSSL has a weakness that allows an attacker to determine its internal state and subsequently determine its future output values. Description OpenSSL's PRNG hashes an internal state to produce output values, which are supposed to be pseudorando...
Oracle9iAS Web Cache vulnerable to buffer overflow
Overview A remotely exploitable buffer overflow in the Oracle9iAS Web Cache allows intruders to execute arbitrary code or cause the web cache process to hang or exit. Description Defcom Labs has discovered a remotely exploitable buffer overflow vulnerability in the Oracle9iAS Web Cache on all...
Cisco IOS vulnerable to deferred DoS via SYN scan to certain TCP port ranges
Overview Cisco Internetwork Operating System IOS may reload unexpectedly after being scanned on certain ports. Description Certain versions of Cisco IOS contain a vulnerability that allows the router to enter an unstable state after receiving a connection attempt on any TCP port in the following...
SSH CRC32 attack detection code contains remote integer overflow
Overview There is a remote integer overflow vulnerability in several implementations of the SSH1 protocol that allows an attacker to execute arbitrary code with the privileges of the SSH daemon, typically root. Description There is a remote integer overflow vulnerability in several implementation...
RSA Security ACE/Agent for Windows, ACE/Agent for Windows NT, and ACE/Agent for Windows 2000 do not properly handle URL encoded characters in URL
Overview RSA Security ACE/Agent for Windows, ACE/Agent for Windows NT, and ACE/Agent for Windows 2000 contain a vulnerability in which the ACE/Agent does not properly handle URL encoded characters contained in a URL. A specially crafted request may bypass authentication and expose the contents of...
RSA Security ACE/Agent for Windows, ACE/Agent for Windows NT, and ACE/Agent for Windows 2000 do not properly handle null characters in URL
Overview RSA Security ACE/Agent for Windows, ACE/Agent for Windows NT, and ACE/Agent for Windows 2000 contain a vulnerability in which the ACE/Agent does not properly handle null characters contained in a URL. A specially crafted request may cause ACE/Agent to enter a debugging mode, possibly...
Php variables passed from the browser are stored in global context
Overview Php is a dynamic scripting language used by programmers to develop webservers, message boards, chat applications and a variety of programs. By default php stores variables passed from the URL in a global context. Programmers often fail to change this setting which can allow serious...
lpd hostname authentication bypassed with spoofed DNS
Overview The line printer daemon enables various clients to share printers over a network. There exists a flaw in the authentication method in this daemon that permits remote access to the server. Description A vulnerability exists in the line printer daemon lpd shipped with the lpr package for...
IBM AIX line printer daemon contains a buffer overflow in send_status()
Overview The Line Printer daemon lpd shipped with AIX systems contains a buffer overflow in sendstatus that potentially allow a malicious remote user to gain root privileges. Description A buffer overflow exists in the sendstatus function of the line printer daemon lpd on AIX systems. An intruder...
lpd allows options to be passed to sendmail
Overview The line printer daemon enables various clients to share printers over a network. There exists a vulnerability in this daemon that permits an intruder to send options to sendmail. Description The line printer daemon enables various clients to share printers over a network. There exists a...
IBM AIX line printer daemon contains a buffer overflow in chk_fhost()
Overview The Line Printer daemon lpd shipped with AIX systems contains a buffer overflow in chkfhost that potentially allow a malicious remote user to gain root privileges. Description A buffer overflow exists in the chkfhost function of the line printer daemon lpd on AIX systems. An intruder cou...
HP-UX vulnerable to buffer overflow in line printer daemon (rlpdaemon) via crafted print request
Overview The line printer daemon rlpdaemon on HP-UX systems enable various clients to share printers over a network. There exists a buffer overflow vulnerability in this daemon that permits remote execution of arbitrary commands with elevated privileges. Description A buffer overflow exists in...
IBM AIX line printer daemon contains a buffer overflow in kill_print()
Overview The Line Printer daemon lpd shipped with AIX systems contains a buffer overflow in killprint that potentially allow a malicious remote user to gain root privileges. Description A buffer overflow exists in the killprint function of the line printer daemon lpd on AIX systems. An intruder...
Cisco PIX Firewall Manager stores enable password in plain text
Overview A vulnerability exists in the way the Cisco Pix Firewall Manager stores authentication credentials which could allow local attackers to have read access to the enable password for the Cisco Pix Firewall. Description The PIX Firewall Manager PFM is a software package designed to allow...
OpenView Network Node Manager contains vulnerability allowing for privilege escalation
Overview The HP Network Node Manager contains a vulnerability that may allow an attacker to gain elevated privileges. Description The Network Node Manager is a networked systems software management package distributed by Hewlett-Packard. A vulnerability in this software package may allow an...
Cisco IOS vulnerable to denial of service via Cisco Discovery Protocol
Overview The Cisco IOS contains a denial-of-service vulnerability that allows nearby remote attackers to crash or temporarily disable affected network devices. Description The Cisco Internetwork Operating System IOS contains a vulnerability in its processing of Cisco Discovery Protocol CDP packet...
SCO OpenServer/UnixWare vi creates temporary files insecurely
Overview The implementation of vi, a text editor, provided with SCO Openunix creates insecure temporary files with predictable names. Using a symbolic link attack, an intruder can overwrite any file writable by the user of vi. Description vi is a screen-oriented text editor. The implementation...
diffutils sdiff creates temporary files insecurely
Overview diffutils, a set of utilities distributed with many versions of linux, contains a utility called sdiff, which creates temporary files of predictable names in an insecure fashion. Using a symbolic link attack, an intruder can cause overwrite of any file writable by the user executing sdif...
Redhat Linux diskcheck.pl creates predictable temporary file and fails to check for existing symbolic link of same name
Overview Diskcheck.pl is a PERL script, part of Red Hat's powertools suite, that alerts a system administrator if any file system approaches capacity. In creating email alerts, diskcheck.pl creates insecure temporary files in a world-writable directory, which may permit an attacker to corrupt any...
Microsoft PowerPoint and Excel fail to properly detect macros thereby automatically executing malicious code via crafted document (MS01-050)
Overview A malformed Microsoft Excel or PowerPoint document can bypass macro checking thereby allowing arbitrary code to be run on the target system. Description Microsoft Excel and PowerPoint scan documents when they are opened and check for the existence of macros. If the document contains...
Check Point VPN-1/FireWall-1 4.1 on Nokia IPXXX firewall appliance retransmits original packets
Overview A vulnerability in Check Point VPN-1/FireWall-1 running on Nokia IPXXX Appliances can allow an attacker to pass traffic allowed by the security policy through the firewall while retaining the external untranslated destination IP address. Description Nokia IPXXX Appliances are security...
Solaris rpc.yppasswdd does not adequately check input allowing users to execute arbitrary code
Overview A remotely exploitable buffer overflow exists in the 'rpc.yppasswd' service on Solaris 2.6, 2.7, and 2.8. Description Network Information Service NIS provides a simple network lookup service consisting of databases and processes. Its purpose is to provide information, that has to be know...
Common Desktop Environment (CDE) ToolTalk RPC Server rpc.ttdbserverd contains format string vulnerability
Overview A vulnerability exists in CDE ToolTalk that may allow a remote attacker to execute arbitrary code with root privileges. Description Internet Security Systems ISS X-Force has discovered a format string vulnerability in the Common Desktop Environment CDE ToolTalk Remote Procedure Call RPC...
mgetty creates temporary files insecurely
Overview mgetty, a replacement for getty designed to support modem and fax use, creates files of a predictable name in a world-writable directory without checking for the prior existence or ownership of the file. Using a symbolic link attack, an intruder might cause the overwrite of arbitrary fil...
getty_ps creates temporary files insecurely
Overview gettyps is an open-source software package designed to support logons to the console and terminals. Some implementations create temporary files insecurely with predictable names, leading to corruption of arbitrary files via symbolic link attack. Description Under certain circumstances,...
IBM AIX setclock buffer overflow in remote timeserver argument
Overview There is a buffer overflow in the IBM AIX setclock command that may allow local attackers to gain root privileges. Description The setclock command sets the system's clock from a remote time server. This command contains a buffer overflow in the handling of the remote timeserver hostname...
Apache web server performs case sensitive filtering on Mac OS X HFS+ case insensitive filesystem
Overview The Apache 1.3.14 web server's file access protection scheme can be bypassed for the Mac OS X HFS+ filesystem. Description The Apache web server's file access protection scheme i.e., file request "filtering" assumes that the filesystem being protected is case sensitve. For example, in a...
Weaknesses in the SSH protocol simplify brute-force attacks against passwords typed in an existing SSH session
Overview There is a vulnerability in the SSH protocol that can simplify brute force attacks against passwords typed within an existing SSH session. Description Researchers at the University of California at Berkeley have determined that by monitoring the delays between SSH packets transmitted...
IBM AIX setsenv buffer overflow
Overview There is a buffer overflow in the IBM AIX setsenv command that may allow local attackers to gain root privileges. Description The setsenv command is used to set protected state environment variables. There is a buffer overflow in a variable value parameter to the setsenv command on IBM A...
IBM AIX digest buffer overflow in filename argument to command
Overview There is a buffer overflow in the digest command that may allow a local attacker to gain root privileges. Description The digest command is intended to be run by the qdaemon to generate a binary version of the queue configuration daemon information stored in /etc/qconfig. The digest...
IBM AIX enq buffer overflow in -M argument
Overview There is a buffer overflow in the enq command that may allow a local attacker to gain root privileges. Description The enq command is used to add entries to a queue, usually for printing. There is a buffer overflow in the -M argument to the enq command. --- Impact An attacker with access...
Beck GmbH IPC@Chip TelnetD service ships with inadequately protected default account
Overview There is a vulnerability in the Beck IPC@CHIP that may allow an attacker to gain access to the device. Description The Beck IPC@CHIP is a single chip embedded webserver. This device also contains a telnet server that ships with an account named "Default". This account essentially grants...
Microsoft Windows Index Server discloses sensitive configuration information via crafted request to SQLQHit.asp sample application
Overview Microsoft Windows Index Server ships with an optional sample package. A component of this package, SQLQHit.asp, can disclose sensitive information when sent crafted requests. Description The Microsoft Windows Index Server ships with optional sample files. While these files should never b...
ISC inn creates temporary files insecurely
Overview inn, a network news agent, may be configured on some operating systems to use a publically-writeable directory for its temporary files. This may be exploited to gain access to the news account. Description inn is distributed on a variety of Linux platforms. The program is written under t...
Sun Solaris catman creates temporary files insecurely
Overview catman, the unix manual display utility, creates insecure temporary files with predictable names in a world-writable directory. Since catman executes with system administration privileges, a symbolic link attack could overwrite arbitrary files. Description There is a vulnerability in...
IBM AIX portmir buffer overflow
Overview There is a buffer overflow vulnerability in the AIX portmir command that may allow local attackers to gain root privileges. Description There is a buffer overflow in the AIX portmir command. This problem was described in IBM ERS security bulletin: ERS-SVA-E01-1997:006.1. --- Impact...
IBM AIX portmir vulnerable to buffer overflow via echo_error
Overview There is a buffer overflow in the IBM AIX portmir command that may allow local users to gain root privileges. Description There is a buffer overflow in the echoerror routine of the IBM AIX portmir command. An attacker may be able to corrupt lock files in the "/etc/locks" directory. ---...
Beck GmbH IPC@Chip TelnetD vulnerable to brute-force password attack
Overview There is a vulnerability in the Beck IPC@CHIP that may allow an attacker to gain access to the device. Description The Beck IPC@CHIP is a single chip embedded webserver. This device contains a telnet server that "leaks information". That is, when an attacker connects to the telnet daemon...
IBM AIX nslookup buffer overflow in lex routines
Overview There is a problem with the nslookup program related to the handling of long strings. Description This problem is reported to be the result of incorrect bounds checking on the part of the lex routines used in nslookup. This vulnerability is mentioned in an IBM advisory as being exploited...
IBM AIX nslookup fails to drop root privileges
Overview The nslookup command fails to drop privileges, allowing local attackers to gain root privileges. Description The nslookup program fails to drop the privileges it gains from being setuid. This access appears to be needed to read the "/etc/resolv.conf" file. This problem was described in I...