This advisory presents an analysis of several vulnerabilities in the TACACS+ protocol. Unfortunately, only some of the vulnerabilities can be fixed without breaking the interoperability. Thus, the main purpose of this advisory is to identify the weaknesses, to allow for a conscious decision to be made on how much trust to place into the encryption offered by TACACS+.
072ddc2bf221d5c240f48441f527c417d20180f2dd0752f271db6be05c4d6be2
Delphis Consulting Plc Security Team Advisory DST2K0003 - Buffer Overrun in NAI WebShield SMTP v4.5.44 Management Tool for Microsoft Windows NT v4.0 Server (SP6). First, any user who can connect to TCP port 9999 can obtain a copy of the configuration. Second, if an oversized buffer of 208 bytes or more is passed within one of the configuration parameters, the service will crash, overwriting the stack and the EIP with whatever was passed within the parameter.
5230eece683fd72a6c2495b32df00a21a3efe154506ea65502fe723b503ba75a
Delphis Consulting Plc Security Team Advisory DST2K0007 - Buffer Overrun in ITHouse Mail Server v1.04 for Microsoft Windows NT v4.0 Workstation (SP6). Sending an email via SMTP to an IT House Mail Server with a recipient's name in excess of 2270 bytes causes the IT House Mail Server to buffer overrun, overwriting the EIP and allowing an attacker to execute arbitrary code on the server.
04158d4a5fa3738aa4bbf98b226f6ad9e374d75fe9a62e42b5df8f4909473a59
Delphis Consulting Plc Security Team Advisory DST2K0008 - Buffer Overrun in Sambar Server 4.3 (Production). By using the default finger script shipped with Sambar Server it is possible to cause a buffer overrun in sambar.dll, overwriting the EIP and allowing the execution of arbitrary code.
05b6dfa2ec29e75514de7fa8cbc730fb79c63434ccf49ad1b6c49e7cedffd1cb
xterm denial of service attack - By sending the VT control characters that resize a window it is possible to cause an xterm to crash and, in some cases, consume all available memory. This is a problem because remote users can inject these control characters into your xterm in many different ways. This sample exploit injects the control characters into a web GET request. If an admin were to cat the log file, or happened to be running "tail -f access_log" at the time of the attack, they would find their xterm crashed. Tested against rxvt v2.6.1 and xterm (XFree86 3.3.3.1b(88b)).
e795174a235a3f5459e6a457c90c55832ca2987bccf1247db19929754e389a0e
Windows Media Encoder 4.0 and 4.1 are vulnerable to a remote denial of service attack. This source causes the Windows Media Encoder to crash with a "Runtime Error". Tested on version 4.1.0.3920. This is the vulnerability described in MS00-038.
2ed47a5509b2f1b80d55fd6418bff28abd5d3f4d1ccef95b325aedc8176ceead
Security Auditor's Research Assistant (SARA) is a security analysis tool based on the SATAN model. It is updated frequently to address the latest threats. It checks for common old holes, backdoors, trust relationships, default CGI scripts, and common logins.
b9e878d60975e8423fe2f6fd111af65627f5ad6761a8ae20153c699859a24004
Tcpdump2ascii version 2.10 - Takes the hexadecimal output from tcpdump(8) and produces the ASCII equivalent side by side.
c06763c61879d769de62d6811f0ed8d7e74faf1172022eda699969c8ea307ca1
motion uses a video4linux device as a motion detector. It will make snapshots of the movement it sees, making it usable as an observation or security system. It can send out email, SMS messages, or invoke an external command when detecting motion.
55bad078b3619a9594e28d0cfdb8e3dbf579327d1876a270f6e8daa9a669a3ec
USSR Advisory #43 - Remote DoS attack against Real Networks RealServer versions 7, 7.01, and G2 1.0. Sending malformed packets to the RealServer HTTP port (default 8080) will cause the service to stop responding. Exploit URL included. Affects Windows NT/2000, Solaris 2.x, Linux, Irix, Unixware, and FreeBSD.
fb3235de31d91f9fe6c72377f127e585ee0a820398fcdfdb7ff9898b18eeb010
MDBMS v0.99b5 remote root exploit - tested on Red Hat 6.0. The shellcode runs an interactive shell on port 30464.
a37ea7852b725a2b014dd84e51b418b4f973791e412512e52b44f2d86f61fd6c