3702 matches found
Sun Solaris sadmind buffer overflow in amsl_verify when requesting NETMGT_PROC_SERVICE
Overview The sadmind program can be used to perform distributed system administration operations remotely using RPC. A stack buffer overflow in sadmind may be exploited by a remote attacker to execute arbitrary instructions and gain root access. Description The sadmind program is installed by...
Dallas Semiconductor iButton DS1991 vulnerable to dictionary attack
Overview The Dallas Semiconductor iButton DS1991 is vulnerable to a dictionary attack, allowing an intruder to recover passwords. Description The Dallas Semiconductor iButton DS1911 stores 1 kilobyte of data in 3 separate password-protected areas. It includes functionality intended to prevent...
Sun Solaris SNMP proxy agent /opt/SUNWssp/bin/snmpd contains buffer overflow
Overview The SNMP proxy agent on certain large Solaris systems contains a buffer overflow. It may be possible, though it is unconfirmed, that an intruder could use this flaw to execute code with root privileges. Description The Sun Enterprise 10000 is monitored and controlled by a systems called ...
NewsDaemon does not adequately filter user input to $user_username
Overview NewsDaemon prior to version 0.21b contains a vulnerability allowing remote attackers to gain administrative access to the web site. Description NewsDaemon is a PHP-based tool used to allow readers to submit and comments on news items and stories over the web. It also allows for...
Hewlett Packard HP-UX text editors contain buffer overflow
Overview A buffer overflow in the text editor on certain Hewlett-Packard systems could compromise system availability. Description Various text editing programs on HP systems that rely upon the same facilities, including e, ex, vi, edit, view, and vedit, contain a buffer overflow that could...
Sun Solaris mailx contains buffer overflow via -F option
Overview A buffer overflow in the mailx program on Solaris systems can allow an intruder to execute code with the privileges of the mail group. Description A buffer overflow in the -F option of the mailx program on Solaris systems may allow an intruder to execute code with the privileges of the...
Microsoft Visual Studio VB-TSQL debugger object vbsdicli.exe contains buffer overflow via NewSPID method
Overview A vulnerability in an object included with Visual Studio 6.0 Enterprise Edition may allow an attacker to execute code with the privileges of an interactively logged in user. Description The VB-TSQL debugger object included in Visual Studio 6.0 Enterprise Edition contains a buffer overflo...
Microsoft Windows 2000/Internet Information Server (IIS) 5.0 Internet Printing Protocol (IPP) ISAPI contains buffer overflow (MS01-023)
Overview A vulnerability exists in Microsoft IIS 5.0 running on Windows 2000 that allows a remote intruder to run arbitrary code on the victim machine. Description Windows 2000 includes support for the Internet Printing Protocol IPP via an ISAPI extension. According to Microsoft, this extension i...
Microsoft Windows 2000 Workstation in mixed-mode domain may ignore domain account lockout restriction due to flaw in NTLM authentication
Overview A flaw in certain configurations of Windows 2000 can allow an intruder to make an unlimited number of guesses to attempt to determine a password, despite policies intended to limit the number of guesses. Description Domain administrators can set policies governing certain aspects of...
Hewlett-Packard HP-UX newgrp command does not function properly
Overview A security vulnerability exists in thenewgrp command on certain Hewlett-Packard systems. Description HP9000 servers running HP-UX release 11.11 contain a security vulnerability allowing users to gain increased capability. No further details are available. See HP document HPSBUX0103-147...
Cisco IOS/CatOS exposes read-write SNMP community string via traversal of View-based Access Control MIB (VACM) using read-only community string
Overview There is a vulnerability that permits unauthorized access to several switch and router products manufactured by Cisco Systems. An attacker who gains access to an affected device can read and modify its configuration, creating a denial-of-service condition, an information leak, or both...
Cisco IOS/X12-X15 has default SNMP read/write string of "cable-docsis"
Overview There is a vulnerability that permits unauthorized access to several switch and router products manufactured by Cisco Systems. An attacker who gains access to an affected device can read and modify its configuration, creating a denial-of-service condition, an information leak, or both...
Hewlett-Packard MPE/ix contains vulnerabitily via architected interface facility
Overview A vulnerability in certain Hewlett-Packard systems allows users to gain unauthorized access to user accounts and databases using the architected interface facility. Description HP3000 systems running MPE/iX release 5.5 and newer contain a vulnerability in the architected interface facili...
Multiple networking devices allow SNMP objects to be viewed/modified via ILMI community string
Overview There is a vulnerability in the remote management architecture for Asynchronous Transfer Mode ATM networking devices that permits unauthorized access to configuration information. An attacker who gains access to an affected device can read and modify its configuration, creating a...
Cisco IOS creates SNMP read-only community string
Overview There is a vulnerability that permits unauthorized access to several switch and router products manufactured by Cisco Systems. An attacker who gains access to an affected device can read its configuration, creating an information leak. Description Certain versions of the Cisco...
Cisco Content Services Switch (CSS) permits non-privileged user to enter debug mode
Overview A vulnerability in Cisco Content Services Switches Arrowpoint allows a valid user to gain administrative access. Description Cisco CSS switches run Cisco WebNS software. A user with a valid account on a CSS device can gain unauthorized administrative access to the device. See the Cisco...
iPlanet web servers expose sensitive data via buffer overflow
Overview A buffer overflow exists in the iPlanet Web Servers Enterprise and FastTrack Editions that may allow remote attackers to gain read access to sensitive information contained in the memory of the web server process. The information disclosed may include userids, passwords, cookies or...
SGI systems may execute commands embedded in mail messages
Overview Some SGI systems produced circa 1998 allowed an intruder to send mail that would execute commands when the reader opened the message. Description On some SGI systems, Netscape is bundled with IRIX 6.3 and 6.4 and is used as the default web browser and mail reader. On these systems, the...
Alcatel ADSL modems contain a null default password
Overview The San Diego Supercomputer Center SDSC has recently discovered several vulnerabilities in the Alcatel Speed Touch line of Asymmetric Digital Subscriber Line ADSL modems. These vulnerabilities are the result of weak authentication and access control policies and result in one or more of...
Multiple ftpd implementations contain buffer overflows
Overview A variety of ftp servers incorrectly manage buffers in a way that can lead to remote intruders executing arbitrary code on the FTP server. The incorrect management of buffers centers around the return from the glob function, and may be confused with a related denial-of-service problem...
Alcatel ADSL modems grant unauthenticated TFTP access via Bounce Attacks
Overview The San Diego Supercomputer Center SDSC has recently discovered several vulnerabilities in the Alcatel Speed Touch line of Asymmetric Digital Subscriber Line ADSL modems. These vulnerabilities are the result of weak authentication and access control policies and result in one or more of...
Alcatel ADSL modems provide EXPERT administrative account with an easily reversible encrypted password
Overview The San Diego Supercomputer Center SDSC has recently discovered several vulnerabilities in the Alcatel Speed Touch line of Asymmetric Digital Subscriber Line ADSL modems. These vulnerabilities are the result of weak authentication and access control policies and result in one or more of...
Alcatel ADSL modems provide unauthenticated TFTP access via physical WAN interface
Overview The San Diego Supercomputer Center SDSC has recently discovered several vulnerabilities in the Alcatel Speed Touch line of Asymmetric Digital Subscriber Line ADSL modems. These vulnerabilities are the result of weak authentication and access control policies and result in one or more of...
Compaq web-enabled management software contains buffer overflow in authentication username
Overview The Compaq web-enabled management software contains a buffer overflow in the authentication component of the product. Remote intruders may be able to execute arbitrary code with privileges on affected systems. Many Compaq products are affected, from personal computers to commercial UNIX...
Compaq web-enabled management software acts as generic proxy
Overview Remote attackers may be able to relay connections through systems running the Compaq web-enabled management software. Attackers relaying connection in this way may be able to access restricted portions of the network or disguise their identity while attacking other systems. Many Compaq...
Solaris ufsrestore buffer overflow in command pathname parameters for interactive session
Overview There is a buffer overflow in ufsrestore, a file restoration utility. Description When operating in interactive mode, the pathname parameter of the extract command is not properly bounds checked. When used in conjunction with long pathnames contained in the dump file, an internal buffer...
Network Time Protocol ([x]ntpd) daemon contains buffer overflow in ntp_control:ctl_getitem() function
Overview There is a buffer overflow defect in the ctlgetitem function of the Network Time Protocol NTP daemon responsible for providing accurate time reports used for synchronizing the clocks on installed systems. All NTP daemons based on code maintained at the University of Delaware since NTPv2...
Certain MIME types can cause Internet Explorer to execute arbitrary code when rendering HTML
Overview A vulnerability exists in Microsoft Internet Explorer that allows a malicious agent to execute arbitrary code when parsing MIME parts in a document. Any user or program that uses vulnerable versions of Internet Explorer to render HTML in a document for example, when browsing a filesystem...
Unauthentic "Microsoft Corporation" certificates issued by Verisign to an unidentifed person
Overview On January 29 and 30, 2001, VeriSign, Inc. issued two certificates to an individual fraudulently claiming to be an employee of Microsoft Corporation. Any code signed by these certificates will appear to be legitimately signed by Microsoft when, in fact, it is not. Although users who try ...
Sun Solaris DMI to SNMP mapper daemon snmpXdmid contains buffer overflow
Overview There is a buffer overflow in the snmpXdmi daemon, which may allow intruders to gain root privileges on systems running the vulnerable daemon. Description The SNMP-to-DMI mapper daemon snmpXdmi translates Simple Network Management Protocol SNMP events to Desktop Management Interface DMI...
Multiple TCP/IP implementations may use statistically predictable initial sequence numbers
Overview Attacks against TCP initial sequence number generation have been discussed for some time now. It has long been recognized that the ability to know or predict ISNs can lead to TCP connection hijacking or spoofing. What was not previously illustrated was just how predictable one...
RhinoSoft FTP Voyager FtpTree incorrectly marked "safe for scripting"
Overview FTP Voyager is an FTP client implemented as an ActiveX control. It is incorrectly marked as "safe for scripting" allowing malicious web pages or email messages to upload and download files. Description FTP Voyager is an FTP client implemented as an ActiveX control. An ActiveX control may...
Lotus Domino SMTP Server Allows Anonymous Relay of Quoted Addresses
Overview Lotus Domino includes an SMTP server. Under certain configurations, an intruder may be able to relay mail to third parties through the Domino SMTP server. Description An "open" mail server is one that will send mail that is not addressed to and does not originate from a local user. Open...
MySQL monitor drop database command contains buffer overflow
Overview MySQL is a popular open source database package. It contains a buffer overflow in the code that processes drop database commands. Description The MySQL server, mysqld, contains a buffer overflow in the code used to process drop database requests . By carefully crafting a MySQL drop...
MySQL client contains buffer overflow
Overview MySQL is a popular open source database package. The MySQL client that ships with the MySQL package contains a buffer overflow. Description The mysql program, part of the MySQL package, contains a buffer overflow in the host parameter. An intruder who invokes mysql using a specially...
BSD i386_set_ldt syscall does not appropriately validate call gate targets
Overview There are a set of kernel interfaces called "call gates" which are code primitives used to build system-level calls into an operating system's kernel. A subset of these "calls gates" may be able to be manipulated on some operating systems which use improper privilege checking when...
Buffer Overflow in Lotus Domino Mail Server
Overview Lotus Domino R5 SMTP Server Contains a Buffer Overflow Description The Lotus Domino R5 SMTP server allows an administrator to restrict the domains from which the server will accept mail. In versions of Domino R5 prior to version 5.0.6 with domain restrictions enabled an intruder may be...
SSH authentication agent follows symlinks via a UNIX domain socket
Overview Older versions of SSH allow local attackers to to establish ssh sessions as the victim user without authentication. Description The text of this document was originally released on January 20, 1998, as SNI-23, developed by Secure Networks, Inc. SNI. To more widely broadcast this...
Microsoft Windows NT 4.0/TSE Winsock2ProtocolCatalogMutex has insecure permissions (MS01-003)
Overview A mutex controlling access to resources required for networking on Windows NTMicrosoft Windows NT 4.0 and Microsoft Windows NT 4.0, Terminal Server Edition, has inappropriate permissions. Description In general terms, a mutex is an object used to control access to a resource e.g. a...
HP-UX Support Tools Manager vulnerable to denial of service
Overview There is a vulnerability in the Hewlett-Packard Support Tools Manager that allows a local user to create a denial-of-service condition. Description The Hewlett-Packard Support Tools is a collection of diagnostic tools that allow operators of HP-UX systems to test and diagnose hardware...
ISC BIND 4 contains input validation error in nslookupComplain()
Overview The Berkeley Internet Name Domain BIND is an implementation of the Domain Name System DNS by the Internet Software Consortium ISC. There is a format string vulnerability in BIND 4.9.4 that may allow remote intruders to gain access to systems running BIND. Although BIND 4.9.x is no longer...
ISC BIND 8 contains buffer overflow in transaction signature (TSIG) handling code
Overview The Berkeley Internet Name Domain BIND is an implementation of the Domain Name System DNS by the Internet Software Consortium ISC. There is a buffer overflow vulnerability in BIND 8.2.x, which may allow remote intruders to gain access to systems running BIND. DNS servers running BIND 8 a...
ISC BIND 4 contains buffer overflow in nslookupComplain()
Overview The Berkeley Internet Name Domain BIND is an implementation of the Domain Name System DNS by the Internet Software Consortium ISC. There is a buffer overflow vulnerability in BIND 4.9.x, which may allow remote intruders to gain access to systems running BIND. Although BIND 4.9.x is no...
Queries to ISC BIND servers may disclose environment variables
Overview The Berkeley Internet Name Domain BIND is an implementation of the Domain Name System DNS by the Internet Software Consortium ISC. There is an information leakage vulnerability in BIND 4.9.x and 8.2.x, which may allow remote intruders to obtain information from systems running BIND...
BIND T_NXT record processing may cause buffer overflow
Overview A vulnerability in BIND, repaired in verison 8.2.2p5, allows remote attackers to execute code with the privileges of the process running named. This vulnerability was widely exploited from November 1999 to December 2000. Description There is a buffer overflow in the processing of NXT...
phf CGI Script fails to guard against newline characters
Overview This document describes a vulnerability in a CGI script known as phf which was widely exploited in 1996 and 1997. Description The phf CGI script constructs a partial command line consisting of the ph command and appropriate arguments, and completes the command line based on the input fro...
Older SSH clients do not allow users to disable X11 forwarding
Overview This vulnerability may allow an attacker to make unauthorized connections to affected client machines. Description Older versions of the SSH client do not allow the user to disable X11 forwarding. As a result, if the client connects to a malicious server, the server can open an X11...
Weak CRC allows last block of IDEA-encrypted SSH packet to be changed without notice
Overview There is an information integrity vulnerability in the SSH1 protocol that allows the last block of an IDEA-encrypted session to be modified without notice. Description Preconditions: Session is encrypted using IDEA cipher. Compression is disabled. SSH clients configured to use the IDEA...
HP-UX kermit contains local buffer overflow that allows denial-of-service
Overview The HP-UX version of kermit contains a buffer overflow that allows local users to prevent other users from running kermit. Description Kermit is a file transfer protocol that has been implemented by Hewlett-Packard for use on their systems. On December 21, 2000, HP released a security...
Seagate Crystal Reports exposes cleartext username/password pairs when embedded in URL or HTTP request
Overview The Seagate Crystal Reports product exposes passwords to back-end databases in certain configurations. In particular, the username and password are transmitted in plaintext from the client browser to the server as part of the URL when using technologies other than Active Server Pages ASP...