5 bugs

From: D4rkGr3y (grey_1999at_private)
Date: Fri Jul 12 2002 - 11:35:31 PDT


    Hi
    I want to advise about some bugs that were found by our team (DHGroup ::
    www.dhgroup.org):
    
    
    1. Eserv/2.97 (www.eserv.ru)
    This is a shareware http\ftp\pop\smtp\proxy server.
    Directory travel vuln was found in the http-server.
    Exploit:
    www.somehost.com/somedir/?
    This url will show the content of the directory "somedir".
    Fix:
    U must turn off "directory listing" in properties:
    change 12(LR) to 4(read).
    
    
    2. WinApache for Explorer
    Don't confuse it with the Apache (win32) web server.
    This is an update for Explorer that allows it to be a web server
    (!!). I don't know where you can download it, because I found this
    update on a disk.
    Exploit:
    http://www.anyhost.com/dll/main.dll://test.exe?test=anylocation
    This url will freeze the web server and all files & folders become
    read-accessible for nobody.
    Fix:
    Don't use this sh**... and download Apache Web Server.
    
    
    3. mIRC32 v6.* K.Mardam-Bey
    Bug found in function $exists().
    How does this function work?
    From mIRC help:
    
    $exists(file/dir)
    Returns $true if a file or dir exists and $false if it doesn't.
    $exists(c:\mirc\mirc.exe) - returns $true or $false.
    
    How does this bug work?
    If the name of the checked file\dir is "aux", the function will return $true.
    Example:
    $exists(c:\mirc\aux.blablabla) - returns $true (but really it must
    be $false, because the file doesn't exist)
    
    
    4. XiRCON v.1.0B4.
    Dot bug in sound-requests.
    If you want to use this function (play sound-requests), you must turn
    it ON in properties and set the "play dir" (directory with ur
    music-files). XiRCON's authors thought that a remote user
    can't play files from other directories. It's a fault.
    By using this command:
    /ctcp <nick> sound ..\..\..\any.wav
    we can play any sound files on remote host.
    Example (for XP):
    /ctcp <nick> sound ..\..\..\..\..\windows\media\town.mid
    The remote user will listen to a funny song =) (1 min 19 sec).
    
    
    5. KDE v.3.*
    Buffer overflow in file kdeCMD.
    Exploits:
    ./kdeCMD -f [129b] - system crash
    ./kdeCMD -f [128b] + [shellcode] - local root
    Bug exists in all versions that have the file "kdeCMD" (not all versions
    have this file).
    
    That's all, 10x.
    -- 
    Best regards,                           icq: 540981
      D4rkGr3y                         mailto:grey_1999at_private
                                           www.dhgroup.org
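
Added example, not part of the original post and not code from XiRCON or mIRC: a check that a client could apply to the filename in a CTCP sound request (item 4) before playing it. It confines the request to the play directory and refuses legacy DOS device names such as the "aux" from item 3. The play directory `C:\XiRCON\sounds`, the function names and the sample requests are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any OS

# Legacy DOS device names; Win32 maps them to devices even with an extension.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{prefix}{n}" for prefix in ("COM", "LPT") for n in range(1, 10)
}

PLAY_DIR = r"C:\XiRCON\sounds"  # constructed value, stands in for the "play dir"


def is_reserved_component(name: str) -> bool:
    """True if a path component names a DOS device (e.g. 'aux', 'AUX.wav')."""
    stem = name.split(".", 1)[0].rstrip(" ").upper()
    return stem in RESERVED


def resolve_sound_request(play_dir: str, requested: str):
    """Return the absolute file to play, or None if the request is refused."""
    if not requested or "\x00" in requested:
        return None
    requested = requested.replace("/", "\\")
    # Refuse drive letters, stream names, rooted paths and UNC paths.
    if ":" in requested or requested.startswith("\\"):
        return None
    parts = requested.split("\\")
    if any(p == ".." or is_reserved_component(p) for p in parts):
        return None
    base = ntpath.normpath(play_dir)
    candidate = ntpath.normpath(ntpath.join(base, requested))
    # Defence in depth: the normalised result must still sit under play_dir.
    if ntpath.commonpath([base, candidate]).lower() != base.lower():
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests, including the two shapes from the post.
    for req in ("town.mid", r"..\..\..\any.wav", "aux.blablabla", r"sub\ok.wav"):
        print(f"{req!r:24} -> {resolve_sound_request(PLAY_DIR, req)}")
```

Refused requests return None, so the caller can drop the CTCP message without touching the filesystem.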
    



    This archive was generated by hypermail 2b30 : Fri Jul 12 2002 - 14:48:09 PDT