Microsoft Windows 2000/Internet Information Server (IIS) 5.0 Internet Printing Protocol (IPP) ISAPI contains buffer overflow (MS01-023)
Overview A vulnerability exists in Microsoft IIS 5.0 running on Windows 2000 that allows a remote intruder to run arbitrary code on the victim machine. Description Windows 2000 includes support for the Internet Printing Protocol (IPP) via an ISAPI extension. According to Microsoft, this extension i...
Multiple networking devices allow SNMP objects to be viewed/modified via ILMI community string
Overview There is a vulnerability in the remote management architecture for Asynchronous Transfer Mode (ATM) networking devices that permits unauthorized access to configuration information. An attacker who gains access to an affected device can read and modify its configuration, creating a...
Hewlett-Packard HP-UX newgrp command does not function properly
Overview A security vulnerability exists in the newgrp command on certain Hewlett-Packard systems. Description HP9000 servers running HP-UX release 11.11 contain a security vulnerability allowing users to gain increased capability. No further details are available. See HP document HPSBUX0103-147...
Cisco IOS/X12-X15 has default SNMP read/write string of "cable-docsis"
Overview There is a vulnerability that permits unauthorized access to several switch and router products manufactured by Cisco Systems. An attacker who gains access to an affected device can read and modify its configuration, creating a denial-of-service condition, an information leak, or both...
Microsoft Windows 2000 Workstation in mixed-mode domain may ignore domain account lockout restriction due to flaw in NTLM authentication
Overview A flaw in certain configurations of Windows 2000 can allow an intruder to make an unlimited number of guesses to attempt to determine a password, despite policies intended to limit the number of guesses. Description Domain administrators can set policies governing certain aspects of...
Hewlett-Packard MPE/ix contains vulnerability via architected interface facility
Overview A vulnerability in certain Hewlett-Packard systems allows users to gain unauthorized access to user accounts and databases using the architected interface facility. Description HP3000 systems running MPE/iX release 5.5 and newer contain a vulnerability in the architected interface facili...
Cisco IOS creates SNMP read-only community string
Overview There is a vulnerability that permits unauthorized access to several switch and router products manufactured by Cisco Systems. An attacker who gains access to an affected device can read its configuration, creating an information leak. Description Certain versions of the Cisco...
Cisco IOS/CatOS exposes read-write SNMP community string via traversal of View-based Access Control MIB (VACM) using read-only community string
Overview There is a vulnerability that permits unauthorized access to several switch and router products manufactured by Cisco Systems. An attacker who gains access to an affected device can read and modify its configuration, creating a denial-of-service condition, an information leak, or both...
Cisco Content Services Switch (CSS) permits non-privileged user to enter debug mode
Overview A vulnerability in Cisco Content Services Switches (Arrowpoint) allows a valid user to gain administrative access. Description Cisco CSS switches run Cisco WebNS software. A user with a valid account on a CSS device can gain unauthorized administrative access to the device. See the Cisco...
iPlanet web servers expose sensitive data via buffer overflow
Overview A buffer overflow exists in the iPlanet Web Servers (Enterprise and FastTrack Editions) that may allow remote attackers to gain read access to sensitive information contained in the memory of the web server process. The information disclosed may include userids, passwords, cookies or...
SGI systems may execute commands embedded in mail messages
Overview Some SGI systems produced circa 1998 allowed an intruder to send mail that would execute commands when the reader opened the message. Description On some SGI systems, Netscape is bundled with IRIX 6.3 and 6.4 and is used as the default web browser and mail reader. On these systems, the...
Alcatel ADSL modems provide unauthenticated TFTP access via physical WAN interface
Overview The San Diego Supercomputer Center (SDSC) has recently discovered several vulnerabilities in the Alcatel Speed Touch line of Asymmetric Digital Subscriber Line (ADSL) modems. These vulnerabilities are the result of weak authentication and access control policies and result in one or more of...
Alcatel ADSL modems grant unauthenticated TFTP access via Bounce Attacks
Overview The San Diego Supercomputer Center (SDSC) has recently discovered several vulnerabilities in the Alcatel Speed Touch line of Asymmetric Digital Subscriber Line (ADSL) modems. These vulnerabilities are the result of weak authentication and access control policies and result in one or more of...
Multiple ftpd implementations contain buffer overflows
Overview A variety of ftp servers incorrectly manage buffers in a way that can lead to remote intruders executing arbitrary code on the FTP server. The incorrect management of buffers centers around the return from the glob function, and may be confused with a related denial-of-service problem...
Alcatel ADSL modems provide EXPERT administrative account with an easily reversible encrypted password
Overview The San Diego Supercomputer Center (SDSC) has recently discovered several vulnerabilities in the Alcatel Speed Touch line of Asymmetric Digital Subscriber Line (ADSL) modems. These vulnerabilities are the result of weak authentication and access control policies and result in one or more of...
Alcatel ADSL modems contain a null default password
Overview The San Diego Supercomputer Center (SDSC) has recently discovered several vulnerabilities in the Alcatel Speed Touch line of Asymmetric Digital Subscriber Line (ADSL) modems. These vulnerabilities are the result of weak authentication and access control policies and result in one or more of...
Solaris ufsrestore buffer overflow in command pathname parameters for interactive session
Overview There is a buffer overflow in ufsrestore, a file restoration utility. Description When operating in interactive mode, the pathname parameter of the extract command is not properly bounds checked. When used in conjunction with long pathnames contained in the dump file, an internal buffer...
Compaq web-enabled management software contains buffer overflow in authentication username
Overview The Compaq web-enabled management software contains a buffer overflow in the authentication component of the product. Remote intruders may be able to execute arbitrary code with privileges on affected systems. Many Compaq products are affected, from personal computers to commercial UNIX...
Compaq web-enabled management software acts as generic proxy
Overview Remote attackers may be able to relay connections through systems running the Compaq web-enabled management software. Attackers relaying connection in this way may be able to access restricted portions of the network or disguise their identity while attacking other systems. Many Compaq...
Network Time Protocol ([x]ntpd) daemon contains buffer overflow in ntp_control:ctl_getitem() function
Overview There is a buffer overflow defect in the ctl_getitem() function of the Network Time Protocol (NTP) daemon, which is responsible for providing accurate time reports used for synchronizing the clocks on installed systems. All NTP daemons based on code maintained at the University of Delaware since NTPv2...
Certain MIME types can cause Internet Explorer to execute arbitrary code when rendering HTML
Overview A vulnerability exists in Microsoft Internet Explorer that allows a malicious agent to execute arbitrary code when parsing MIME parts in a document. Any user or program that uses vulnerable versions of Internet Explorer to render HTML in a document for example, when browsing a filesystem...
Unauthentic "Microsoft Corporation" certificates issued by Verisign to an unidentified person
Overview On January 29 and 30, 2001, VeriSign, Inc. issued two certificates to an individual fraudulently claiming to be an employee of Microsoft Corporation. Any code signed by these certificates will appear to be legitimately signed by Microsoft when, in fact, it is not. Although users who try ...
Sun Solaris DMI to SNMP mapper daemon snmpXdmid contains buffer overflow
Overview There is a buffer overflow in the snmpXdmi daemon, which may allow intruders to gain root privileges on systems running the vulnerable daemon. Description The SNMP-to-DMI mapper daemon snmpXdmi translates Simple Network Management Protocol (SNMP) events to Desktop Management Interface (DMI)...
Multiple TCP/IP implementations may use statistically predictable initial sequence numbers
Overview Attacks against TCP initial sequence number generation have been discussed for some time now. It has long been recognized that the ability to know or predict ISNs can lead to TCP connection hijacking or spoofing. What was not previously illustrated was just how predictable one...
RhinoSoft FTP Voyager FtpTree incorrectly marked "safe for scripting"
Overview FTP Voyager is an FTP client implemented as an ActiveX control. It is incorrectly marked as "safe for scripting" allowing malicious web pages or email messages to upload and download files. Description FTP Voyager is an FTP client implemented as an ActiveX control. An ActiveX control may...
Lotus Domino SMTP Server Allows Anonymous Relay of Quoted Addresses
Overview Lotus Domino includes an SMTP server. Under certain configurations, an intruder may be able to relay mail to third parties through the Domino SMTP server. Description An "open" mail server is one that will send mail that is not addressed to and does not originate from a local user. Open...
MySQL client contains buffer overflow
Overview MySQL is a popular open source database package. The MySQL client that ships with the MySQL package contains a buffer overflow. Description The mysql program, part of the MySQL package, contains a buffer overflow in the host parameter. An intruder who invokes mysql using a specially...
MySQL monitor drop database command contains buffer overflow
Overview MySQL is a popular open source database package. It contains a buffer overflow in the code that processes drop database commands. Description The MySQL server, mysqld, contains a buffer overflow in the code used to process drop database requests. By carefully crafting a MySQL drop...
BSD i386_set_ldt syscall does not appropriately validate call gate targets
Overview There is a set of kernel interfaces called "call gates", which are code primitives used to build system-level calls into an operating system's kernel. A subset of these "call gates" may be able to be manipulated on some operating systems which use improper privilege checking when...
Buffer Overflow in Lotus Domino Mail Server
Overview Lotus Domino R5 SMTP Server Contains a Buffer Overflow Description The Lotus Domino R5 SMTP server allows an administrator to restrict the domains from which the server will accept mail. In versions of Domino R5 prior to version 5.0.6 with domain restrictions enabled, an intruder may be...
SSH authentication agent follows symlinks via a UNIX domain socket
Overview Older versions of SSH allow local attackers to establish ssh sessions as the victim user without authentication. Description The text of this document was originally released on January 20, 1998, as SNI-23, developed by Secure Networks, Inc. (SNI). To more widely broadcast this...
Microsoft Windows NT 4.0/TSE Winsock2ProtocolCatalogMutex has insecure permissions (MS01-003)
Overview A mutex controlling access to resources required for networking on Windows NT (Microsoft Windows NT 4.0 and Microsoft Windows NT 4.0, Terminal Server Edition) has inappropriate permissions. Description In general terms, a mutex is an object used to control access to a resource e.g. a...
HP-UX Support Tools Manager vulnerable to denial of service
Overview There is a vulnerability in the Hewlett-Packard Support Tools Manager that allows a local user to create a denial-of-service condition. Description The Hewlett-Packard Support Tools is a collection of diagnostic tools that allow operators of HP-UX systems to test and diagnose hardware...
ISC BIND 4 contains input validation error in nslookupComplain()
Overview The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) by the Internet Software Consortium (ISC). There is a format string vulnerability in BIND 4.9.4 that may allow remote intruders to gain access to systems running BIND. Although BIND 4.9.x is no longer...
Queries to ISC BIND servers may disclose environment variables
Overview The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) by the Internet Software Consortium (ISC). There is an information leakage vulnerability in BIND 4.9.x and 8.2.x, which may allow remote intruders to obtain information from systems running BIND...
ISC BIND 8 contains buffer overflow in transaction signature (TSIG) handling code
Overview The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) by the Internet Software Consortium (ISC). There is a buffer overflow vulnerability in BIND 8.2.x, which may allow remote intruders to gain access to systems running BIND. DNS servers running BIND 8 a...
ISC BIND 4 contains buffer overflow in nslookupComplain()
Overview The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) by the Internet Software Consortium (ISC). There is a buffer overflow vulnerability in BIND 4.9.x, which may allow remote intruders to gain access to systems running BIND. Although BIND 4.9.x is no...
phf CGI Script fails to guard against newline characters
Overview This document describes a vulnerability in a CGI script known as phf which was widely exploited in 1996 and 1997. Description The phf CGI script constructs a partial command line consisting of the ph command and appropriate arguments, and completes the command line based on the input fro...
BIND T_NXT record processing may cause buffer overflow
Overview A vulnerability in BIND, repaired in version 8.2.2p5, allows remote attackers to execute code with the privileges of the process running named. This vulnerability was widely exploited from November 1999 to December 2000. Description There is a buffer overflow in the processing of NXT...
Older SSH clients do not allow users to disable X11 forwarding
Overview This vulnerability may allow an attacker to make unauthorized connections to affected client machines. Description Older versions of the SSH client do not allow the user to disable X11 forwarding. As a result, if the client connects to a malicious server, the server can open an X11...
Weak CRC allows last block of IDEA-encrypted SSH packet to be changed without notice
Overview There is an information integrity vulnerability in the SSH1 protocol that allows the last block of an IDEA-encrypted session to be modified without notice. Description Preconditions: Session is encrypted using IDEA cipher. Compression is disabled. SSH clients configured to use the IDEA...
HP-UX kermit contains local buffer overflow that allows denial-of-service
Overview The HP-UX version of kermit contains a buffer overflow that allows local users to prevent other users from running kermit. Description Kermit is a file transfer protocol that has been implemented by Hewlett-Packard for use on their systems. On December 21, 2000, HP released a security...
Lotus Domino vulnerable to directory traversal, aka "Domino Server Directory Transversal Vulnerability"
Overview Lotus Domino web server may allow malformed URL requests to access files outside the document root of a vulnerable system. Description A Lotus Domino server running the HTTP task may permit an intruder to read files on file systems or drives that house Lotus Notes databases. By using a...
Seagate Crystal Reports exposes cleartext username/password pairs when embedded in URL or HTTP request
Overview The Seagate Crystal Reports product exposes passwords to back-end databases in certain configurations. In particular, the username and password are transmitted in plaintext from the client browser to the server as part of the URL when using technologies other than Active Server Pages (ASP)...
Borland/Inprise Interbase SQL database server contains backdoor superuser account with known password
Overview Description Interbase is an open source database package that is distributed by Borland/Inprise. The server contains a compiled-in backdoor account with a known password. In the following Interbase code, references are made about a LOCKSMITH user: ./jrd/dyn.e ./jrd/isc.c ./jrd/jrd.c...
Check Point FireWall-1 allows fragmented packets through firewall if Fast Mode is enabled
Overview If any rules include the "Fast Mode" option, Check Point Firewall-1 and VPN-1 will incorrectly allow unauthorized connection attempts to hosts that should be restricted. Description A feature called "Fast Mode" or "FASTPATH", included in Check Point FireWall-1 and VPN-1 is designed to...
Input validation error in quikstore.cgi allows attackers to execute commands
Overview The quikstore shopping cart script contains an input validation error that allows attackers to execute commands on affected web servers. Description The quikstore.cgi script is written in Perl and provides its users with shopping cart software for e-commerce transactions. In November 200...
BSD-derived ftpd replydirname() in ftpd.c contains one-byte overflow
Overview There is an off-by-one vulnerability in several BSD-derived ftpd servers. Description The ftp server in several BSD distributions contains a defect which allows one byte of the program memory allocated within a stack frame to be overwritten with a NUL byte ('\0'). The byte in question is...
KTH Kerberos filesystem race condition on tickets stored in /tmp
Overview There may be a race condition during the creation of Kerberos ticket files in the /tmp directory. This race condition may allow intruders with local access to the system to gain root privileges. Description During the creation of ticket files in the /tmp directory, a sequence of calls...
Kerberos client code buffer overflow in kdc_reply_cipher()
Overview There is a buffer overflow in the kdc_reply_cipher() function of KTH Kerberos. This buffer overflow may be exploitable to allow an attacker to gain root privileges, and can be used to deny service. Description The buffer overflow occurs in the parsing of an authentication reply in the...