<?xml version="1.0" encoding="ISO-8859-1" ?>
<rss version="2.0">
	<channel>
	<title>Packet Storm Security Last 100</title>
	<link>http://packetstormsecurity.org/</link>
	<description>100 Most Recent Packet Storm File Additions</description>
	<language>en-us</language>

<item>
	<title>uninformed-10.tgz</title>
	<link>http://packetstormsecurity.org/groups/uninformed/uninformed-10.tgz</link>
	<description>Uninformed is pleased to announce the release of its tenth volume which is composed of 4 articles: Can you find me now? Unlocking the Verizon Wireless xv6800 (HTC Titan), Using dual-mappings to evade automated unpacker, Analyzing local privilege escalations in win32k, and Exploiting Tomorrow's Internet Today: Penetration testing with IPv6. </description>
</item>
<item>
	<title>dsa-1653-1.txt</title>
	<link>http://packetstormsecurity.org/0810-advisories/dsa-1653-1.txt</link>
	<description>Debian Security Advisory 1653-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. </description>
</item>
<item>
	<title>indexscript30-sql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/indexscript30-sql.txt</link>
	<description>IndexScript version 3.0 suffers from a remote SQL injection vulnerability in sug_cat.php. </description>
</item>
<item>
	<title>marvell-association.txt</title>
	<link>http://packetstormsecurity.org/0810-advisories/marvell-association.txt</link>
	<description>The wireless drivers in some Wi-Fi access points (such as the MARVELL-based Linksys WAP4400N) do not correctly parse some malformed 802.11 frames, allowing for denial of service and possible code execution.  </description>
</item>
<item>
	<title>globsy-rewrite.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/globsy-rewrite.txt</link>
	<description>Globsy versions 1.0 and below remote file rewriting exploit. </description>
</item>
<item>
	<title>createdirectory2sysdba.sql</title>
	<link>http://packetstormsecurity.org/0810-exploits/createdirectory2sysdba.sql</link>
	<description>Proof of concept code that demonstrates how an Oracle DB user which has been granted CREATE ANY DIRECTORY can use that system privilege to grant themselves the SYSDBA system privilege by creating a DIRECTORY pointing to the password file location on the OS and then overwriting it with a previously prepared known binary password file using UTL_FILE.PUT_RAW from within the DB. </description>
</item>
<item>
	<title>create_any_directory_to_sysdba.pdf</title>
	<link>http://packetstormsecurity.org/papers/database/create_any_directory_to_sysdba.pdf</link>
	<description>An Oracle DB user which has been granted CREATE ANY DIRECTORY can use that system privilege to grant themselves the SYSDBA system privilege by creating a DIRECTORY pointing to the password file location on the OS and then overwriting it with a previously prepared known binary password file using UTL_FILE.PUT_RAW from within the DB. This paper will show how the issue can be exploited and most importantly how to secure against it. </description>
</item>
<item>
	<title>lokicms034-exec.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/lokicms034-exec.txt</link>
	<description>LokiCMS versions 0.3.4 and below remote command execution exploit. </description>
</item>
<item>
	<title>lokicms-lfi.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/lokicms-lfi.txt</link>
	<description>Loki CMS version 0.3.4 create local file inclusion exploit that uses admin.php. </description>
</item>
<item>
	<title>lokicms-check.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/lokicms-check.txt</link>
	<description>Loki CMS versions 0.3.4 and below arbitrary check file exploit that uses index.php. </description>
</item>
<item>
	<title>myphpindexer-download.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/myphpindexer-download.txt</link>
	<description>My PHP Indexer version 1.0 suffers from a local file download vulnerability in index.php. </description>
</item>
<item>
	<title>res-sql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/res-sql.txt</link>
	<description>Real Estate Scripts 2008 suffers from a remote SQL injection vulnerability in index.php. </description>
</item>
<item>
	<title>zomplog39-xss.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/zomplog39-xss.txt</link>
	<description>Zomplog version 3.9 suffers from a cross site scripting vulnerability. </description>
</item>
<item>
	<title>web_vuln-en.txt</title>
	<link>http://packetstormsecurity.org/papers/attack/web_vuln-en.txt</link>
	<description>Web Vulnerabilities To Gain Access To The System - A paper that goes into detail on the exploitation of local/remote file inclusion and blind SQL injection vulnerabilities. </description>
</item>
<item>
	<title>phprs-sql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/phprs-sql.txt</link>
	<description>phpRS version 2.8.0 suffers from a remote SQL injection vulnerability in kforum.php. </description>
</item>
<item>
	<title>raiden-dos.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/raiden-dos.txt</link>
	<description>RaidenFTPD version 2.4 build 3620 remote denial of service exploit. </description>
</item>
<item>
	<title>newlife-cookiesql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/newlife-cookiesql.txt</link>
	<description>NewLife Blogger versions 3.0 and below suffer from insecure cookie handling and SQL injection vulnerabilities. </description>
</item>
<item>
	<title>xmeasy560-dos.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/xmeasy560-dos.txt</link>
	<description>XM Easy Personal FTP server version 5.6.0 remote denial of service exploit. </description>
</item>
<item>
	<title>iltaweb-sql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/iltaweb-sql.txt</link>
	<description>Iltaweb Alisveris Sistemi suffers from a remote SQL injection vulnerability. </description>
</item>
<item>
	<title>2008-002-lenovornr.txt</title>
	<link>http://packetstormsecurity.org/0810-advisories/2008-002-lenovornr.txt</link>
	<description>Lenovo Rescue and Recovery version 4.20 suffers from a heap overflow in the file system filter kernel driver which could allow an attacker to overwrite kernel memory leading to elevation of privilege. </description>
</item>
<item>
	<title>guildftpd-dos.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/guildftpd-dos.txt</link>
	<description>GuildFTPd versions 0.999.8.11 and 0.999.14 heap corruption proof of concept denial of service exploit. </description>
</item>
<item>
	<title>openca-base-1.0.1.tar.gz</title>
	<link>http://packetstormsecurity.org/crypt/openca-base-1.0.1.tar.gz</link>
	<description>The OpenCA Project is a collaborative effort to develop a robust, full-featured and Open Source out-of-the-box Certification Authority implementing the most used protocols with full-strength cryptography world-wide. OpenCA is based on many Open-Source Projects. Among the supported software is OpenLDAP, OpenSSL, Apache Project, Apache mod_ssl.</description>
</item>
<item>
	<title>emf_MS08-046.rar</title>
	<link>http://packetstormsecurity.org/0810-exploits/emf_MS08-046.rar</link>
	<description>Microsoft Windows EMR_SETICMPROFILEA heap overflow denial of service exploit. </description>
</item>
<item>
	<title>minipub03-multi.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/minipub03-multi.txt</link>
	<description>mini-pub versions 0.3 and below suffer from local directory traversal and file disclosure vulnerabilities. </description>
</item>
<item>
	<title>apm-sql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/apm-sql.txt</link>
	<description>Absolute Poll Manager XE version 4.1 suffers from a remote SQL injection vulnerability in xlacomments.asp. </description>
</item>
<item>
	<title>cubecartcms-sql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/cubecartcms-sql.txt</link>
	<description>This is an old SQL injection vulnerability for CubeCart CMS that has further details on exploitation since the original report surfaced years back. </description>
</item>
<item>
	<title>dsa-1652-1.txt</title>
	<link>http://packetstormsecurity.org/0810-advisories/dsa-1652-1.txt</link>
	<description>Debian Security Advisory 1652-1 - Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service and other security problems. </description>
</item>
<item>
	<title>dsa-1651-1.txt</title>
	<link>http://packetstormsecurity.org/0810-advisories/dsa-1651-1.txt</link>
	<description>Debian Security Advisory 1651-1 - Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service and other security problems. </description>
</item>
<item>
	<title>dsa-1650-1.txt</title>
	<link>http://packetstormsecurity.org/0810-advisories/dsa-1650-1.txt</link>
	<description>Debian Security Advisory 1650-1 - Cameron Hotchkies discovered that the OpenLDAP server slapd, a free implementation of the Lightweight Directory Access Protocol, could be crashed by sending malformed ASN1 requests. </description>
</item>
<item>
	<title>MDVSA-2008-210-1.txt</title>
	<link>http://packetstormsecurity.org/0810-advisories/MDVSA-2008-210-1.txt</link>
	<description>Mandriva Linux Security Advisory - CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the query string. The updated packages have been patched to fix the issue. This update was too late for inclusion in Mandriva Linux 2009, so it is being released now for that version. </description>
</item>
<item>
	<title>MDVSA-2008-211.txt</title>
	<link>http://packetstormsecurity.org/0810-advisories/MDVSA-2008-211.txt</link>
	<description>Mandriva Linux Security Advisory - A buffer overflow in the SGI image format decoding routines used by the CUPS image converting filter imagetops was discovered. An attacker could create malicious SGI image files that could possibly execute arbitrary code if the file was printed. An integer overflow flaw leading to a heap buffer overflow was found in the Text-to-PostScript texttops filter. An attacker could create a malicious text file that could possibly execute arbitrary code if the file was printed. Finally, an insufficient buffer bounds checking flaw was found in the HP-GL/2-to-PostScript hpgltops filter. An attacker could create a malicious HP-GL/2 file that could possibly execute arbitrary code if the file was printed. The updated packages have been patched to prevent this issue; for Mandriva Linux 2009.0 the latest CUPS version (1.3.9) is provided that corrects these issues and also provides other bug fixes. </description>
</item>
<item>
	<title>dsa-1646-2.txt</title>
	<link>http://packetstormsecurity.org/0810-advisories/dsa-1646-2.txt</link>
	<description>Debian Security Advisory 1646-2 - In DSA 1646-1, an update was announced for a denial of service vulnerability in squid, a caching proxy server. Due to an error in packaging and in testing, the updated packages did not correct the weakness. An updated release is available which corrects the error. A weakness has been discovered in squid, a caching proxy server. The flaw was introduced upstream in response to CVE-2007-6239, and announced by Debian in DSA-1482-1. The flaw involves an over-aggressive bounds check on an array resize, and could be exploited by an authorized client to induce a denial of service condition against squid. </description>
</item>
<item>
	<title>cabrightstor-exec.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/cabrightstor-exec.txt</link>
	<description>CA BrightStor ARCServe BackUp is an overall data backup solution. The RPC interface of CA BrightStor ARCServe BackUp does not properly handle user input, which allows an anonymous attacker to inject any command; remote code execution may be achieved this way. Details are provided. CA BrightStor ARCServe BackUp version R11.5 is affected. </description>
</item>
<item>
	<title>joomlajeux-sql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/joomlajeux-sql.txt</link>
	<description>The Joomla Jeux component version 1.0.0 suffers from a remote SQL injection vulnerability. </description>
</item>
<item>
	<title>joomlavideos-sql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/joomlavideos-sql.txt</link>
	<description>The Joomla Videos component version 1.0.0 suffers from a remote SQL injection vulnerability. </description>
</item>
<item>
	<title>joomlaphotos-sql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/joomlaphotos-sql.txt</link>
	<description>The Joomla Photos component version 1.0.0 suffers from a remote SQL injection vulnerability. </description>
</item>
<item>
	<title>joomlaflash-sql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/joomlaflash-sql.txt</link>
	<description>The Joomla Flash component version 1.0.0 suffers from a remote SQL injection vulnerability. </description>
</item>
<item>
	<title>joomlaownbiblio-sql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/joomlaownbiblio-sql.txt</link>
	<description>The Joomla ownbiblio component version 1.5.3 suffers from a remote SQL injection vulnerability. </description>
</item>
<item>
	<title>eebcms-xss.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/eebcms-xss.txt</link>
	<description>EEB-CMS version 0.95 suffers from a cross site scripting vulnerability. </description>
</item>
<item>
	<title>slimcms-escalate.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/slimcms-escalate.txt</link>
	<description>SlimCMS versions 1.0.0 and below privilege escalation exploit that uses redirect.php. </description>
</item>
<item>
	<title>ZDI-08-067.txt</title>
	<link>http://packetstormsecurity.org/0810-advisories/ZDI-08-067.txt</link>
	<description>A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple CUPS. Authentication is not required to exploit this vulnerability. The specific flaw exists in the Hewlett-Packard Graphics Language filter. Inadequate bounds checking on the pen width and pen color opcodes results in an arbitrary memory overwrite allowing for the execution of arbitrary code as the hpgltops process uid. </description>
</item>
<item>
	<title>CVE-2008-3271.txt</title>
	<link>http://packetstormsecurity.org/0810-advisories/CVE-2008-3271.txt</link>
	<description>Apache Tomcat versions 4.1.0 to 4.1.31 and 5.5.0 suffer from an information disclosure vulnerability. </description>
</item>
<item>
	<title>joomlamad4-sql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/joomlamad4-sql.txt</link>
	<description>The Joomla mad4joomla component suffers from a remote SQL injection vulnerability. </description>
</item>
<item>
	<title>joomlaignite-sql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/joomlaignite-sql.txt</link>
	<description>The Joomla Ignite Gallery component version 0.8.3 suffers from a remote SQL injection vulnerability. </description>
</item>
<item>
	<title>easynet4ulink-sql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/easynet4ulink-sql.txt</link>
	<description>Easynet4u Link Host suffers from a remote SQL injection vulnerability in directory.php. </description>
</item>
<item>
	<title>easynet4uforum-sql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/easynet4uforum-sql.txt</link>
	<description>Easynet4u Forum Host suffers from a remote SQL injection vulnerability in forum.php. </description>
</item>
<item>
	<title>easynet4ufaq-sql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/easynet4ufaq-sql.txt</link>
	<description>Easynet4u FAQ Host suffers from a remote SQL injection vulnerability in faq.php. </description>
</item>
<item>
	<title>USN-651-1.txt</title>
	<link>http://packetstormsecurity.org/0810-advisories/USN-651-1.txt</link>
	<description>Ubuntu Security Notice 651-1 - A large number of vulnerabilities have been addressed in Ruby. These issues include integer overflow, bypass, input validation, and various other vulnerabilities. </description>
</item>
<item>
	<title>nokiaminimap-crash.txt</title>
	<link>http://packetstormsecurity.org/0810-advisories/nokiaminimap-crash.txt</link>
	<description>The Nokia Mini Map Browser suffers from a silent crash vulnerability. </description>
</item>
<item>
	<title>FSC20081009-11.txt</title>
	<link>http://packetstormsecurity.org/0810-advisories/FSC20081009-11.txt</link>
	<description>A vulnerability has been discovered in the Tape Engine component of CA ARCserve Backup. Insufficient input validation when processing remote procedure call (RPC) requests is the cause of this vulnerability. </description>
</item>
<item>
	<title>FSC20081009-12.txt</title>
	<link>http://packetstormsecurity.org/0810-advisories/FSC20081009-12.txt</link>
	<description>A vulnerability has been discovered in the DB Engine component of CA ARCserve Backup. Insufficient input validation when processing remote procedure call (RPC) requests is the cause of this vulnerability. </description>
</item>
<item>
	<title>ayco-sql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/ayco-sql.txt</link>
	<description>Ayco Okul Portali suffers from a remote SQL injection vulnerability. </description>
</item>
<item>
	<title>munzursoft-sql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/munzursoft-sql.txt</link>
	<description>MunzurSoft WEP Portal W3 suffers from a remote SQL injection vulnerability. </description>
</item>
<item>
	<title>noticeware5122-dos.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/noticeware5122-dos.txt</link>
	<description>Noticeware Email Server version 5.1.2.2 pre-auth remote denial of service exploit. </description>
</item>
<item>
	<title>scapy-2.0.0.10.tar.gz</title>
	<link>http://packetstormsecurity.org/UNIX/scanners/scapy-2.0.0.10.tar.gz</link>
	<description>Scapy is a powerful interactive packet manipulation tool, packet generator, network scanner, network discovery tool, and packet sniffer. It provides classes to interactively create packets or sets of packets, manipulate them, send them over the wire, sniff other packets from the wire, match answers and replies, and more. Interaction is provided by the Python interpreter, so Python programming structures can be used (such as variables, loops, and functions). Report modules are possible and easy to make. It is intended to do the same things as ttlscan, nmap, hping, queso, p0f, xprobe, arping, arp-sk, arpspoof, firewalk, irpas, tethereal, tcpdump, etc.</description>
</item>
<item>
	<title>caarcserve-dos.txt</title>
	<link>http://packetstormsecurity.org/0810-advisories/caarcserve-dos.txt</link>
	<description>CA ARCserve Backup contains multiple vulnerabilities that can allow a remote attacker to cause a denial of service or possibly execute arbitrary code. CA has issued patches to address the vulnerabilities. The first vulnerability occurs due to insufficient validation of certain RPC call parameters by the message engine service. An attacker can exploit a directory traversal vulnerability to execute arbitrary commands. The second vulnerability occurs due to insufficient validation by the tape engine service. An attacker can make a request that will crash the service. The third vulnerability occurs due to insufficient validation by the database engine service. An attacker can make a request that will crash the service. The fourth vulnerability occurs due to insufficient validation of authentication credentials. An attacker can make a request that will crash multiple services. Note that these issues only affect the base product. </description>
</item>
<item>
	<title>glsa-200810-02.txt</title>
	<link>http://packetstormsecurity.org/0810-advisories/glsa-200810-02.txt</link>
	<description>Gentoo Linux Security Advisory GLSA 200810-02 - A search path vulnerability in Portage allows local attackers to execute commands with root privileges if emerge is called from untrusted directories. The Gentoo Security Team discovered that several ebuilds, such as sys-apps/portage, net-mail/fetchmail or app-editors/leo execute Python code using python -c, which includes the current working directory in Python's module search path. For several ebuild functions, Portage did not change the working directory from emerge's working directory. Versions less than 2.1.4.5 are affected. </description>
</item>
<item>
	<title>scriptsezid-download.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/scriptsezid-download.txt</link>
	<description>ScriptsEz Easy Image Downloader suffers from a local file download vulnerability. </description>
</item>
<item>
	<title>scriptsezmhp-lfi.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/scriptsezmhp-lfi.txt</link>
	<description>ScriptsEz Mini Hosting Panel suffers from a local file inclusion vulnerability in members.php. </description>
</item>
<item>
	<title>metasploitSMB.pdf</title>
	<link>http://packetstormsecurity.org/papers/attack/metasploitSMB.pdf</link>
	<description>Whitepaper discussing how to exploit vulnerable SMB instances on Microsoft Windows XP using Metasploit. </description>
</item>
<item>
	<title>stash103exp.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/stash103exp.txt</link>
	<description>Stash version 1.0.3 user credential disclosure exploit that leverages a SQL injection vulnerability in admin/login.php. </description>
</item>
<item>
	<title>mswingdi-poc.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/mswingdi-poc.txt</link>
	<description>Microsoft Windows GDI+ proof of concept exploit that takes advantage of the vulnerability listed in MS08-052. </description>
</item>
<item>
	<title>cameralife-sqlxss.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/cameralife-sqlxss.txt</link>
	<description>Cameralife version 2.6.2b4 suffers from SQL injection and cross site scripting vulnerabilities. </description>
</item>
<item>
	<title>SSRT080099.txt</title>
	<link>http://packetstormsecurity.org/0810-advisories/SSRT080099.txt</link>
	<description>HP Security Bulletin - A potential security vulnerability has been identified with HP System Management Homepage (SMH) for Linux and Windows. This vulnerability could be exploited remotely to allow cross site scripting (XSS). </description>
</item>
<item>
	<title>SSRT080046.txt</title>
	<link>http://packetstormsecurity.org/0810-advisories/SSRT080046.txt</link>
	<description>HP Security Bulletin - A potential security vulnerability has been identified with HP OpenView Network Node Manager (OV NNM). The vulnerability could be exploited remotely to create a Denial of Service (DoS). </description>
</item>
<item>
	<title>aradcenter-sql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/aradcenter-sql.txt</link>
	<description>Arad Center suffers from a remote SQL injection vulnerability in news.php. </description>
</item>
<item>
	<title>persiantools-sql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/persiantools-sql.txt</link>
	<description>Persian Tools Gallery suffers from a remote SQL injection vulnerability. </description>
</item>
<item>
	<title>PR07-31.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/PR07-31.txt</link>
	<description>Remote SQL injection, cross site scripting, and user enumeration vulnerabilities exist in DPSnet Case Progress. </description>
</item>
<item>
	<title>fc2blog-xss.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/fc2blog-xss.txt</link>
	<description>FC2 BLOG suffers from a cross site scripting vulnerability. </description>
</item>
<item>
	<title>joomlajoomtracker-sql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/joomlajoomtracker-sql.txt</link>
	<description>The Joomla Joomtracker component version 1.01 suffers from a remote SQL injection vulnerability. </description>
</item>
<item>
	<title>kusaba2-exec.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/kusaba2-exec.txt</link>
	<description>Kusaba versions 1.0.4 and below remote code execution exploit. Second version. </description>
</item>
<item>
	<title>kusaba1-exec.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/kusaba1-exec.txt</link>
	<description>Kusaba versions 1.0.4 and below remote code execution exploit. </description>
</item>
<item>
	<title>gforge46-sql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/gforge46-sql.txt</link>
	<description>Gforge versions 4.6 rc1 and below suffer from a remote SQL injection vulnerability. </description>
</item>
<item>
	<title>gforge4519-sql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/gforge4519-sql.txt</link>
	<description>Gforge versions 4.5.19 and below suffer from multiple remote SQL injection vulnerabilities. </description>
</item>
<item>
	<title>bf10BETA.tar.gz</title>
	<link>http://packetstormsecurity.org/fuzzer/bf10BETA.tar.gz</link>
	<description>BF stands for Browser Fuzzer. BF is a web browser fuzzing tool that fuzzes HTML and Javascript. </description>
</item>
<item>
	<title>ZDI-08-066.txt</title>
	<link>http://packetstormsecurity.org/0810-advisories/ZDI-08-066.txt</link>
	<description>A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell eDirectory Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within dhost.exe, the service responsible for directory replication which is bound by default to TCP port 524. Improper parsing within opcode 0x24 via the Netware Core Protocol can result in an arithmetic calculation based on supplied user-input resulting in an under-allocated heap buffer. This fault can be leveraged to result in arbitrary code execution. </description>
</item>
<item>
	<title>ZDI-08-065.txt</title>
	<link>http://packetstormsecurity.org/0810-advisories/ZDI-08-065.txt</link>
	<description>A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell eDirectory Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within dhost.exe, the service responsible for directory replication which is bound by default to TCP port 524. Improper parsing within opcode 0x0F via the Netware Core Protocol can result in an arithmetic calculation based on supplied user-input resulting in an integer overflow that will be used to copy into a heap buffer. This fault can be leveraged to result in arbitrary code execution. </description>
</item>
<item>
	<title>ZDI-08-064.txt</title>
	<link>http://packetstormsecurity.org/0810-advisories/ZDI-08-064.txt</link>
	<description>A vulnerability allows attackers to execute arbitrary code on vulnerable installations of Novell eDirectory. Authentication is not required to exploit this vulnerability. The specific flaw resides in the web console running on TCP ports 8028 and 8030. The server exposes a web interface and accepts SOAP connections. The service copies the contents of the Accept-Language header within a SOAP request into a fixed-length buffer without any bounds checking. If an attacker sends a specially crafted request it will trigger an overflow during a memory copy operation leading to arbitrary code execution under the context of the SYSTEM user. </description>
</item>
<item>
	<title>ZDI-08-063.txt</title>
	<link>http://packetstormsecurity.org/0810-advisories/ZDI-08-063.txt</link>
	<description>A vulnerability allows attackers to execute arbitrary code on vulnerable installations of Novell eDirectory. Authentication is not required to exploit this vulnerability. The specific flaw resides in the web console running on TCP ports 8028 and 8030. The server exposes a web interface and accepts SOAP connections. While parsing the Content-Length header within a SOAP request an integer overflow can occur. This integer overflow triggers a subsequent overflow during a memory copy operation leading to arbitrary code execution under the context of the SYSTEM user. </description>
</item>
<item>
	<title>dsa-1649-1.txt</title>
	<link>http://packetstormsecurity.org/0810-advisories/dsa-1649-1.txt</link>
	<description>Debian Security Advisory 1649-1 - Several remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. </description>
</item>
<item>
	<title>dsa-1648-1.txt</title>
	<link>http://packetstormsecurity.org/0810-advisories/dsa-1648-1.txt</link>
	<description>Debian Security Advisory 1648-1 - Dmitry E. Oboukhov discovered that the test.alert script used in one of the alert functions in mon, a system to monitor hosts or services and alert about problems, creates temporary files insecurely, which may lead to a local denial of service through symlink attacks. </description>
</item>
<item>
	<title>graphviz-overflow.txt</title>
	<link>http://packetstormsecurity.org/0810-advisories/graphviz-overflow.txt</link>
	<description>A vulnerability exists in Graphviz's parsing engine which makes it possible to overflow a globally allocated array and corrupt memory by doing so. Version 2.20.2 is affected. </description>
</item>
<item>
	<title>webbiscuits-rfirfd.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/webbiscuits-rfirfd.txt</link>
	<description>WebBiscuits Modules Controller versions 1.1 and below suffer from remote file inclusion and remote file disclosure vulnerabilities. </description>
</item>
<item>
	<title>hispahtextlinksads-sql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/hispahtextlinksads-sql.txt</link>
	<description>HispaH textlinksads suffers from a remote SQL injection vulnerability in index.php. </description>
</item>
<item>
	<title>RFIDIOt-Windows-0.1t.zip</title>
	<link>http://packetstormsecurity.org/wireless/RFIDIOt-Windows-0.1t.zip</link>
	<description>RFIDIOt is a python library for exploring RFID devices. It currently drives a couple of RFID readers made by ACG, called the HF Dual ISO and the LFX. Includes sample programs to read/write tags and the beginnings of library routines to handle the data structures of specific tags like MIFARE(r). This is the Windows version.</description>
</item>
<item>
	<title>RFIDIOt-0.1t.tgz</title>
	<link>http://packetstormsecurity.org/wireless/RFIDIOt-0.1t.tgz</link>
	<description>RFIDIOt is a python library for exploring RFID devices. It currently drives a couple of RFID readers made by ACG, called the HF Dual ISO and the LFX. Includes sample programs to read/write tags and the beginnings of library routines to handle the data structures of specific tags like MIFARE(r).</description>
</item>
<item>
	<title>joomlaexchange-sql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/joomlaexchange-sql.txt</link>
	<description>The Joomla Community Exchange component suffers from a remote SQL injection vulnerability. </description>
</item>
<item>
	<title>cisco-sa-20081008-unity.txt</title>
	<link>http://packetstormsecurity.org/0810-advisories/cisco-sa-20081008-unity.txt</link>
	<description>Cisco Security Advisory - A vulnerability exists in Cisco Unity that could allow an unauthenticated user to view or modify some of the configuration parameters of the Cisco Unity server. Cisco has released free software updates that address this vulnerability. A workaround that mitigates this vulnerability is available. </description>
</item>
<item>
	<title>calexpress2-sql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/calexpress2-sql.txt</link>
	<description>Calendar Express version 2 suffers from a remote SQL injection vulnerability in week.php. </description>
</item>
<item>
	<title>adman-sql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/adman-sql.txt</link>
	<description>AdMan version 1.1.20070907 suffers from a remote SQL injection vulnerability. </description>
</item>
<item>
	<title>webapps-attack.txt</title>
	<link>http://packetstormsecurity.org/papers/attack/webapps-attack.txt</link>
	<description>Fucking the Web Apps - LFI #1. Written in Spanish. </description>
</item>
<item>
	<title>konqueror-crash.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/konqueror-crash.txt</link>
	<description>KDE's Konqueror version 3.5.9 suffers from multiple crash vulnerabilities. </description>
</item>
<item>
	<title>phpclass-sql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/phpclass-sql.txt</link>
	<description>PHP Classifieds suffers from a remote SQL injection vulnerability. </description>
</item>
<item>
	<title>advisory_W021008.txt</title>
	<link>http://packetstormsecurity.org/0810-advisories/advisory_W021008.txt</link>
	<description>The Microsoft Windows kernel is prone to a local privilege escalation due to an integer overflow error within the IopfCompleteRequest function. This vulnerability may allow attackers to execute arbitrary code in the kernel context, thus allowing them to escalate privileges to SYSTEM. </description>
</item>
<item>
	<title>symantec-sql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/symantec-sql.txt</link>
	<description>Symantec.com suffers from a remote SQL injection vulnerability. </description>
</item>
<item>
	<title>Churrasco.zip</title>
	<link>http://packetstormsecurity.org/0810-exploits/Churrasco.zip</link>
	<description>Elevation of privileges proof of concept exploit for Token Kidnapping on Windows 2003. </description>
</item>
<item>
	<title>mspicturepusher-activex.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/mspicturepusher-activex.txt</link>
	<description>Microsoft PicturePusher Active-X cross site file upload attack proof of concept exploit. </description>
</item>
<item>
	<title>dffphp-rfi.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/dffphp-rfi.txt</link>
	<description>DFF PHP Framework API (Data Feed File) suffers from multiple remote file inclusion vulnerabilities. </description>
</item>
<item>
	<title>torrenttrader-blindsql.txt</title>
	<link>http://packetstormsecurity.org/0810-exploits/torrenttrader-blindsql.txt</link>
	<description>TorrentTrader Classic versions 1.04 and below blind SQL injection exploit. </description>
</item>
<item>
	<title>SSRT080122.txt</title>
	<link>http://packetstormsecurity.org/0810-advisories/SSRT080122.txt</link>
	<description>HP Security Bulletin - A potential security vulnerability has been identified with NFS/ONCplus running on HP-UX. The vulnerability could be exploited remotely to create a Denial of Service (DoS). </description>
</item>
	</channel>
</rss>
