Kerberos client code buffer overflow in kdc_reply_cipher()
Overview There is a buffer overflow in the kdc_reply_cipher() function of KTH Kerberos. This buffer overflow may be exploitable to allow an attacker to gain root privileges, and can be used to deny service. Description The buffer overflow occurs in the parsing of an authentication reply in the...
SGI IRIX df buffer overflow in directory argument
Overview Description The df program is used to display statistics about the amount of used and free disc space on a set of mounted file systems. Alternately, it can be used to check on the amount of space available on unmounted block devices which may be specified by some path. Due to insufficien...
Filemaker Pro 5.0v3 and below does not adequately protect web-enabled databases
Overview FileMaker may expose data inadvertently. Description FileMaker Web Companion prior to version 5.0v4 permits unauthorized access to data even if the database manager believes that data is protected by Field Level Security. --- Impact Attackers can read information, including items such as...
Microsoft Internet Explorer vulnerable to file disclosure via code containing GetObject() function
Overview Internet Explorer may disclose files on your computer if you visit a malicious web site or read a mail message with Active Scripting enabled. Description By design, Microsoft Internet Explorer prevents programs on web sites from reading files on your computer without authorization...
Cenroll ActiveX Control allows creation of arbitrary files.
Overview The ActiveX control Cenroll permits unauthorized users to create files on the local system. Description The ActiveX control "Cenroll" clsid: 43F8F289-7A20-11D0-8F06-00C04FC295E1, which is ordinarily marked safe-for-scripting allows callers to create files and write to the registry with t...
Sun Microsystems Keys exposed and revoked
Overview Sun Microsystems uses a variety of X.509 keys signed by VeriSign to secure various web sites. Among these certificates are two that were revoked on October 19, 2000. The certificate IDs for these revoked certificates are 3181 B12D C422 5DAC A340 CF86 2710 ABE6 and 1705 FB13 A22F 9AF3 C130...
sysback makes call to hostname without a fully qualified path specification
Overview sysback , shipped with AIX systems, allows local users to gain root access because of a failure to use a fully qualified path for a call to hostname. Description sysback includes a call to hostname but does not include a full path specification. Because sysback is set uid root, intruders...
LPRng can pass user-supplied input as a format string parameter to syslog() calls
Overview A popular replacement software package to the BSD lpd printing service called LPRng contains at least one software defect known as a "format string vulnerability" which may allow remote users to execute arbitrary code on vulnerable systems. The privileges of such code will probably be...
Microsoft IIS 4.0 / 5.0 vulnerable to directory traversal via extended unicode in url
Overview A vulnerability exists in Microsoft IIS 4 and 5 such that an attacker visiting an IIS web site can execute arbitrary code with the privileges of the IUSR_machinename account. This vulnerability is referred to as the "Web Server Folder Directory Traversal" vulnerability. This vulnerability...
MS ActiveMovieControl Object downloads arbitrary files
Overview Description This vulnerability is actually the same as the Cache Bypass issue described in VU38950. This document is provided for people looking for information based on publicly available exploits using the Active Movie control. The flaw is not in the Active Movie control per se, but...
Race condition in periodic
Overview A race condition in the 'periodic' script allows local files to be overwritten. We believe that 'periodic' is typically used only with FreeBSD systems, though it may be installed on other systems. Description 'periodic' is a script used in conjunction with cron to execute jobs at specifi...
ISC BIND 8.2.2-P6 vulnerable to DoS via compressed zone transfer, aka the "zxfr bug"
Overview There is a denial-of-service vulnerability in several versions of the Internet Software Consortium's ISC BIND software. This vulnerability is referred to by the ISC as the "zxfr bug." It affects ISC BIND version 8.2.2, patch levels 1 through 6. Description Using this vulnerability,...
Cisco IOS software vulnerable to DoS via HTTP request containing "%%"
Overview There is a denial-of-service vulnerability in several Cisco switch and router products which allows an attacker to force affected devices to crash and reboot. Description A vulnerability exists in multiple versions of Cisco's Internetworking Operating System IOS software which allows an...
Cisco IOS software vulnerable to DoS via HTTP request containing "?/"
Overview A vulnerability exists in multiple versions of Cisco's Internetworking Operating System IOS software that allows an attacker to force affected switches and routers to crash and reboot. Description To exploit this vulnerability, the IOS HTTP interface must be enabled and the attacker must...
Format string vulnerability in libutil pw_error(3) function
Overview There is an input validation vulnerability in the OpenBSD libutil system library that allows local users to gain superuser access via the chpass utility. Description On June 30, 2000, the OpenBSD development team repaired an input validation vulnerability in the pw_error function of the...
SSH-1 allows client authentication to be forwarded by a malicious server to another server
Overview A design flaw in the SSH-1 protocol allows a malicious server to establish two concurrent sessions with the same session ID, allowing a man-in-the-middle attack. The client must accept unknown host keys from the malicious server to enable exploitation of this vulnerability. Description...
Passwords sent via SSH encrypted with RC4 can be easily cracked
Overview Passwords sent using SSH with RC4 encryption can be easily cracked by an attacker who is able to capture and replay the session. This problem occurs for three reasons: SSH sessions can be replayed, the RC4 encryption algorithm has some specific weaknesses, and the SSH daemon provides too...
SystemWizard Launch ActiveX Control lacks authentication
Overview Description The SystemWizard "Launch" ActiveX Control may allow attackers to execute arbitrary commands on systems where the control is installed. This control was shipped on HP Pavilion computers running Windows 98, as part of a diagnostic application named "SystemWizard" produced by...
SystemWizard Registry Object ActiveX Control lacks authentication
Overview Description The SystemWizard "Registry Object" ActiveX Control may allow attackers to modify the registry on systems where the control is installed. This control was shipped on HP Pavilion computers running Windows 98, as part of a diagnostic application named "SystemWizard" produced by...
Adobe Acrobat ActiveX Control buffer overflow in setview method
Overview Description The Adobe Acrobat ActiveX control has a buffer overflow in the setview method. Because the control is marked safe-for-scripting, this vulnerability can be exploited via a web page if the user has the vulnerable control installed. This control is implemented in the file pdf.ocx...
Adobe Acrobat products have buffer overflow in the CIDFont /Registry and /Ordering entries
Overview By embedding malicious code in a Portable Document Format PDF file, an attacker can cause arbitrary code to execute on the victim's system. Description The Adobe Acrobat PDF file format facility for specifying fonts contains buffer overflows in the /Registry and /Ordering entries. Each o...
Wang/Kodak Image Edit ActiveX control
Overview Description The Image Edit control is incorrectly marked safe for scripting. This control is sometimes identified as from "Kodak" and other times as from "Wang". The Image Edit control is one of several controls used to provide image editing services through a web site. Because the...
Wang/Kodak Image Annotation ActiveX Control
Overview Description The Image Annotation control is incorrectly marked safe for scripting. This control is sometimes identified as from "Kodak" and other times as from "Wang". The Image Annotation control is one of several controls used to provide image editing services through a web site...
Netscape Java Security Manager fails to prevent URLConnections through netscape.net.URLConnection Class
Overview Netscape Communicator and Navigator ship with Java classes that allow an unsigned Java applet to access local and remote resources in violation of the security policies for applets. Description Failures in the netscape.net package permit a Java applet to read files from the local file...
Wang/Kodak Image Scan ActiveX Control
Overview Description The Image Admin control is incorrectly marked safe for scripting. This control is sometimes identified as from "Kodak" and other times as from "Wang". The Image Admin control is one of several controls used to provide image editing services through a web site. Because the...
Wang/Kodak Image Thumbnail ActiveX Control
Overview Description The Image Thumbnail control is incorrectly marked safe for scripting. This control is sometimes identified as from "Kodak" and other times as from "Wang". The Image Thumbnail control is one of several controls used to provide image editing services through a web site. Becaus...
HHOpen ActiveX Control buffer overflow in OpenHelp method
Overview Description The HHOpen ActiveX control hhopen.ocx has a buffer overflow in the OpenHelp method. Because the control is marked safe-for-scripting, an attacker may be able to script this control and exploit the vulnerability when you visit a web page. The classID for the vulnerable control...
Office 2000 UA Control incorrectly marked safe for scripting
Overview The Microsoft Office 2000 UA ActiveX control is incorrectly marked as "safe for scripting". This vulnerability may allow an intruder to disable macro warnings in Office products and, subsequently, execute arbitrary code. This vulnerability may be exploited by viewing an HTML document via...
Wang/Kodak Image Admin ActiveX Control
Overview Description The Image Admin control is incorrectly marked safe for scripting. This control is sometimes identified as from "Kodak" and other times as from "Wang". The Image Admin control is one of several controls used to provide image editing services through a web site. Because the...
rpc.statd vulnerable to remote root compromise via format string stack overwrite
Overview The CERT/CC has begun receiving reports of an input validation vulnerability in the rpc.statd program being exploited. This program is included, and often installed by default, in several popular Linux distributions. Please see the vendors section of this document for specific informatio...
Distributed GL Daemon (DGLD) allows attackers to identify IRIX systems
Overview Attackers are using the presence of the dgld service to identify SGI IRIX systems. Description The CERT/CC has received multiple reports of an apparent vulnerability in the Distributed GL Daemon on SGI IRIX systems. Upon further investigation, it is our belief that no vulnerability exist...
IE 5.01 will execute VBA code contained in Access databases when triggered from HTML code contained in an IFRAME
Overview Under certain conditions, Internet Explorer can open Microsoft Access database or project files containing malicious code and execute the code without giving a user prior warning. Access files that are referenced by OBJECT tags in HTML documents can allow attackers to execute arbitrary...
MIT Kerberos 5 ksu may allow either the '-r' or '-l' time-interval parameter to overflow the stack with the characters 'd', 'h', 'm', or 's'
Overview Description From the reporter: Time-interval parsing for the "-r" and "-l" command-line options calls a library routine which uses sscanf("%d%d") and passes the address of an automatic int variable to correspond to the second %-sequence. But the % sequence needs an arbitrarily large string...
ADK flaw in recent versions of PGP
Overview Additional Decryption Keys ADKs is a feature introduced into PGP Pretty Good Privacy versions 5.5.x through 6.5.3 that allows authorized extra decryption keys to be added to a user's public key certificate. However, an implementation flaw in PGP allows unsigned ADKs which have been...
MS Outlook "Cache Bypass" allows attackers to circumvent Internet Zone security policy
Overview Microsoft has recently released Microsoft Security Bulletin MS00-046, in which they announced a patch for the "Cache Bypass" vulnerability. By exploiting this vulnerability, an attacker can use an HTML-formatted message to read certain types of files on the victim's machine. In addition,...
SSH connections using RC4 and password authentication can be replayed
Overview This vulnerability may allow an attacker to replay a captured SSH1 session. Description Preconditions: the client requests RC4 and the server grants the request; the client uses password authentication. When an SSH1 session using the RC4 cipher is established, the client and server agree upon a sessio...
Format string input validation error in wu-ftpd site_exec() function
Overview A vulnerability involving an input validation error in the "site exec" command has recently been identified in the Washington University ftpd wu-ftpd software package. Sites running affected systems are advised to update their wu-ftpd software as soon as possible. A similar but distinct...
statd bounce vulnerability
Overview statd allows access to RPC services it shouldn't. Description Background rpc.statd and rpc.lockd are designed to work in conjunction with each other to manage NFS lock information in the event of a crash of an NFS client or server. The rpc service rpc.statd is a program designed to...
Weak CRC allows RC4 encrypted SSH1 packets to be modified without notice
Overview There is an information integrity vulnerability in the SSH1 protocol that allows RC4 encrypted packets to be modified without notice. Description Preconditions: Client has requested RC4 and server supports it. Compression is disabled. When using the RC4 stream cipher, SSH1 uses a cyclic...
Denial of Service Attack in NetBIOS Services
Overview The NetBIOS Name Service NBNS provides a means for hostname and address mapping on a NetBIOS-aware network. The NetBIOS over TCP/IP protocols including NBNS are described in the Internet Engineering Task Force IETF Request for Comments RFC1001 and RFC1002. These protocols do not specify ...
telnet and rlogin URLs disclose sensitive information, including Environment variables
Overview Some telnet clients may disclose sensitive information in environment variables. Description Web browsers can be configured to respond to certain protocol types through the use of a helper application. In this case, web browsers can respond to telnet: URLs with the use of a helper...
IP Fragmentation Denial-of-Service Vulnerability in FireWall-1
Overview A large stream of IP traffic can monopolize the CPU of a Check Point FireWall-1 firewall, resulting in a denial-of-service condition. Description A denial-of-service vulnerability has been discovered in the FireWall-1 product from Check Point Software Technologies. Check Point has tested...
SSH host key authentication can be bypassed when DNS is used to resolve localhost
Overview This vulnerability allows an attacker to redirect an SSH connection to an arbitrary host. Description When making connections to localhost, SSH disables host key checking to provide compatibility with NFS filesystems. As a result, if the victim's machine uses a poisoned DNS server to...
HHControl Object (showHelp) may execute shortcuts embedded in help files
Overview The HHCtrl ActiveX control has a serious vulnerability that allows remote intruders to execute arbitrary code, if the intruder can cause a compiled help file CHM to be stored "locally." Microsoft has released a security bulletin and a patch for this vulnerability, but the patch does not...
Notes default ECL allows execution of unsigned code
Overview Lotus Notes prior to version 5.02 had permissive ECLs that allow for the execution of malicious mail messages. Description A Notes ECL is a list consisting of a Notes Username and a set of permissions from the following list for Notes 4.6.x: Access to file system Access to current...