hi,
this is simple code for exploiting the cfingerd 1.4.3 and prior vuln
recently posted by Steven Van Acker [EMAIL PROTECTED],
which may lead to a local root compromise. Read the comments in the code
for more detailed info.
bye
--
/* qitest1 http://qitest1.cjb.net *
*
Hello, Przemyslaw.
You wrote on Tuesday, 10 July 2001, 21:12:30:
FreeBSD 4.3 local root, yet Linux and *BSD much better than Windows
PF This problem was already reported to FreeBSD Security Officer about two
PF months ago, but it was totally ignored.
This problem has been fixed and the
Przemyslaw Frasunek wrote:
FreeBSD 4.3 local root, yet Linux and *BSD much better than Windows
This problem was already reported to FreeBSD Security Officer about two
months ago, but it was totally ignored.
If this is the case I don't understand why you did not go public then -
2 months
The original advisory
(http://www.inside-security.de/advisories/fw1_rdp.html) says that a
workaround is to Deactivate implied rules in the Check Point policy editor
(and build your own rules for management connections). I've not been able
to find any changes in the INSPECT code generated to
Well, after a bunch of tests I've found only two suids which gave me a
suid shell:
/usr/bin/passwd
/usr/local/bin/ssh1
/usr/bin/su also works for me:
riget:venglin:~ egrep -e execl vvfreebsd.c
if(!execl("/usr/bin/su","su","szymon",0))
riget:venglin:~ ./v
vvfreebsd. Written by Georgi Guninski
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
Trustix Secure Linux Security Advisory #2001-0012
Package name: OpenSSL
Date: 2001-07-11
Affected versions: TSL 1.01, 1.1, 1.2
This problem has been fixed and the exploit didn't work for the last
4.3-RELEASE FreeBSD.
Exploit *works* even for 4.3-STABLE, before correction date (2 Jul 2001):
riget:venglin:~ ./v
vvfreebsd. Written by Georgi Guninski
shall jump to bfbffe72
child=57660
Password:done
# id
uid=0(root)
Hi everybody.
IBM DB2 for Windows (98/NT/2000) runs 2 services: db2ccs.exe (listening on
port 6790) and db2jds.exe (port 6789).
I may be wrong but these services are used to access data remotely and to
remotely manage the database.
Both can be crashed remotely: just telnet on their port, send
On Wed, Jul 11, 2001 at 11:41:23AM +0200, Johan Lindqvist wrote:
The original advisory
(http://www.inside-security.de/advisories/fw1_rdp.html) says that a
workaround is to Deactivate implied rules in the Check Point policy editor
(and build your own rules for management connections). I've
- Begin Hush Signed Message from [EMAIL PROTECTED] -
-=[ SECURITY ADVISORY ]=-
McAfee ASaP Virusscan - myCIO HTTP Server Directory Traversal Vulnerability
Date: 28 June 2001
Impact: HIGH
Not sure what the exploit is, but there is a patch for it.
Macromedia Product Security Bulletin (MPSB01-07)
Macromedia releases patch that addresses ColdFusion Server
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
| EnGarde Secure Linux Security Advisory July 11, 2001 |
| http://www.engardelinux.org/ ESA-20010711-01
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
| EnGarde Secure Linux Security Advisory July 11, 2001 |
| http://www.engardelinux.org/ ESA-20010711-02
-BEGIN PGP SIGNED MESSAGE-
Cisco Security Advisory: Vulnerabilities in Cisco SN 5420 Storage Routers
Revision 1.0
For Public Release 2001 July 11 08:00 (UTC -0800)
Remotish / localish exploit.
I wrote this last night, unaware someone else was going to post something
today.
Here is another exploit for the format string problem in cfingerd=1.4.3,
using a slightly different method for exploiting it. Anti script-kiddied
by me being lazy.
Exploit redirects
Dear bugtraq readers,
This is another exploit for the flaw found by Steven Van Acker.
http://www.securityfocus.com/archive/1/192844
In order to allow for more nops, I have constructed the payload
like this:
[82 nops][jmp 0x4][retaddr][shellcode]
[teleh0r@localhost teleh0r]$ ./cfingerd-exploit.pl -s 1
-BEGIN PGP SIGNED MESSAGE-
Debian Security Advisory DSA-066-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Wichert Akkerman
July 11, 2001