<?xml version="1.0" encoding="ISO-8859-1" ?>
<rss version="2.0">
	<channel>
	<title>Packet Storm Security Last 100</title>
	<link>http://packetstormsecurity.org/</link>
	<description>100 Most Recent Packet Storm File Additions</description>
	<language>en-us</language>

<item>
	<title>PLSA-2008-36.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/PLSA-2008-36.txt</link>
	<description>Pardus Linux Security Advisory - Multiple memory leaks and buffer overflows have been addressed in ffmpeg. Affected packages are mplayer versions below 0.0_20080825-92-11 and ffmpeg versions below 0.4.9_20080825-46-14. </description>
</item>
<item>
	<title>wpsimple-xss.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/wpsimple-xss.txt</link>
	<description>WordPress Simple Tagging Widget suffers from a cross site scripting vulnerability. </description>
</item>
<item>
	<title>googlechrome-pwn.tgz</title>
	<link>http://packetstormsecurity.org/0809-exploits/googlechrome-pwn.tgz</link>
	<description>Google Chrome Browser version 0.2.149.27 suffers from a SaveAs-related buffer overflow and another denial of service vulnerability. Exploits for both are included in the tarball. PoC-XPSP2.html demonstrates the overflow by launching calc.exe and PoC-Crash.html demonstrates the crash. </description>
</item>
<item>
	<title>microworld-insecure.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/microworld-insecure.txt</link>
	<description>Multiple MicroWorld products suffer from insecure directory permissions vulnerabilities that allow for privilege escalation. </description>
</item>
<item>
	<title>devalcms-xssexec.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/devalcms-xssexec.txt</link>
	<description>devalcms version 1.4a cross site scripting and remote code execution exploit. </description>
</item>
<item>
	<title>microtik-poc.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/microtik-poc.txt</link>
	<description>MikroTik RouterOS versions 3.13 and below SNMP write proof of concept exploit. </description>
</item>
<item>
	<title>xcon2008-cfp.txt</title>
	<link>http://packetstormsecurity.org/papers/call_for/xcon2008-cfp.txt</link>
	<description>Call For Papers for XCon 2008. This conference will take place from November 18th through the 19th in Beijing, China. </description>
</item>
<item>
	<title>awstats-exec2.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/awstats-exec2.txt</link>
	<description>Remote code execution exploit with an interactive shell for AWStats Totals versions 1.0 through 1.14. Version 2 of this exploit. It now works with magic quotes on or off. </description>
</item>
<item>
	<title>SSRT080119.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/SSRT080119.txt</link>
	<description>HP Security Bulletin - A potential security vulnerability has been identified with HP OpenView Select Identity (HPSI) Connectors running on Windows. The vulnerability could result in a local disclosure of information. </description>
</item>
<item>
	<title>wordpress-xss.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/wordpress-xss.txt</link>
	<description>WordPress Forum version 1.7.4 suffers from a cross site scripting vulnerability. </description>
</item>
<item>
	<title>geocar-sql.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/geocar-sql.txt</link>
	<description>Geocar CMS suffers from a remote SQL injection vulnerability. </description>
</item>
<item>
	<title>MDVSA-2008-186.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/MDVSA-2008-186.txt</link>
	<description>Mandriva Linux Security Advisory - Multiple integer overflows were reported by the Google Security Team that had been fixed in Python 2.5.2. The Python packages on Corporate 3 have been updated to the latest version 2.3.7, which corrects this issue. </description>
</item>
<item>
	<title>aslr-bypass.txt</title>
	<link>http://packetstormsecurity.org/papers/bypass/aslr-bypass.txt</link>
	<description>Whitepaper discussing an ASLR bypassing methodology on the Linux 2.6.17/20 kernel. </description>
</item>
<item>
	<title>glsa-200809-04.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/glsa-200809-04.txt</link>
	<description>Gentoo Linux Security Advisory GLSA 200809-04 - Sergei Golubchik reported that MySQL imposes no restrictions on the specification of DATA DIRECTORY or INDEX DIRECTORY in SQL CREATE TABLE statements. Versions less than 5.0.60-r1 are affected. </description>
</item>
<item>
	<title>glsa-200809-03.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/glsa-200809-03.txt</link>
	<description>Gentoo Linux Security Advisory GLSA 200809-03 - Dyon Balding of Secunia Research reported an unspecified heap-based buffer overflow in the Shockwave Flash (SWF) frame handling. Versions less than 11.0.0.4028-r1 are affected. </description>
</item>
<item>
	<title>glsa-200809-02.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/glsa-200809-02.txt</link>
	<description>Gentoo Linux Security Advisory GLSA 200809-02 - Dan Kaminsky of IOActive reported that dnsmasq does not randomize UDP source ports when forwarding DNS queries to a recursing DNS server. Carlos Carvalho reported that dnsmasq in the 2.43 version does not properly handle clients sending inform or renewal queries for unknown DHCP leases, leading to a crash. Versions below 2.45 are affected. </description>
</item>
<item>
	<title>glsa-200809-01.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/glsa-200809-01.txt</link>
	<description>Gentoo Linux Security Advisory GLSA 200809-01 - Aaron Grattafiori reported a format string vulnerability in the window_error() function in yelp-window.c. Versions less than 2.22.1-r2 are affected. </description>
</item>
<item>
	<title>zencart138a-sql.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/zencart138a-sql.txt</link>
	<description>Zen Cart versions 1.3.8a and below suffer from a remote SQL injection vulnerability. </description>
</item>
<item>
	<title>atheros-overflow.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/atheros-overflow.txt</link>
	<description>The wireless drivers in some Wi-Fi access points (such as the ATHEROS-based Linksys WRT350N) do not correctly parse the Atheros vendor specific information element included in association requests allowing for denial of service or possible code execution.  </description>
</item>
<item>
	<title>clamav-0.94.tar.gz</title>
	<link>http://packetstormsecurity.org/UNIX/mail/clamav-0.94.tar.gz</link>
	<description>Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a commandline scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use in your own software. </description>
</item>
<item>
	<title>qwicsitepro-sqlxss.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/qwicsitepro-sqlxss.txt</link>
	<description>Qwicsite Pro suffers from remote SQL injection and cross site scripting vulnerabilities. </description>
</item>
<item>
	<title>awstats-exec.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/awstats-exec.txt</link>
	<description>Remote code execution exploit with an interactive shell for AWStats Totals versions 1.0 through 1.14. </description>
</item>
<item>
	<title>clamav-chm.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/clamav-chm.txt</link>
	<description>A fuzzing test against ClamAV versions below 0.94 discovered that they suffer from a chm file parsing vulnerability which can possibly be exploited. </description>
</item>
<item>
	<title>marvell-null.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/marvell-null.txt</link>
	<description>The Netgear WN802T (firmware 1.3.16) with the MARVELL 88W8361P-BEM1 chipset suffers from a NULL SSID association request vulnerability that allows for denial of service and possibly code execution.  </description>
</item>
<item>
	<title>marvell-overflow.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/marvell-overflow.txt</link>
	<description>The Netgear WN802T (firmware 1.3.16) with the MARVELL 88W8361P-BEM1 chipset suffers from an overflow vulnerability when parsing malformed EAPoL-Key packets.  </description>
</item>
<item>
	<title>google-chrome-dos2.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/google-chrome-dos2.txt</link>
	<description>Google Chrome Browser version 0.2.149.27 denial of service exploit that uses JavaScript. </description>
</item>
<item>
	<title>google-download1.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/google-download1.txt</link>
	<description>Google Chrome Browser version 0.2.149.27 automatic file download exploit that uses a meta tag to automatically repeat downloading. </description>
</item>
<item>
	<title>google-chrome-dos1.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/google-chrome-dos1.txt</link>
	<description>Google Chrome Browser version 0.2.149.27 denial of service exploit that uses JavaScript. </description>
</item>
<item>
	<title>USN-640-1.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/USN-640-1.txt</link>
	<description>Ubuntu Security Notice 640-1 - Andreas Solberg discovered that libxml2 did not handle recursive entities safely. If an application linked against libxml2 were made to process a specially crafted XML document, a remote attacker could exhaust the system's CPU resources, leading to a denial of service. </description>
</item>
<item>
	<title>xrms-sqlxss.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/xrms-sqlxss.txt</link>
	<description>XRMS suffers from multiple cross site scripting and SQL injection vulnerabilities.  </description>
</item>
<item>
	<title>FreeBSD-SA-08-09.icmp6.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/FreeBSD-SA-08-09.icmp6.txt</link>
	<description>FreeBSD Security Advisory - In case of an incoming ICMPv6 'Packet Too Big Message', there is an insufficient check on the proposed new MTU for a path to the destination. When the kernel is configured to process IPv6 packets and has active IPv6 TCP sockets, a specifically crafted ICMPv6 'Packet Too Big Message' could cause the TCP stack of the kernel to panic. </description>
</item>
<item>
	<title>FreeBSD-SA-08-08.nmount.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/FreeBSD-SA-08-08.nmount.txt</link>
	<description>FreeBSD Security Advisory - Various user defined input such as mount points, devices, and mount options are prepared and passed as arguments to nmount(2) into the kernel. Under certain error conditions, user defined data will be copied into a stack allocated buffer stored in the kernel without sufficient bounds checking. If the system is configured to allow unprivileged users to mount file systems, it is possible for a local adversary to exploit this vulnerability and execute code in the context of the kernel. </description>
</item>
<item>
	<title>FreeBSD-SA-08-07.amd64.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/FreeBSD-SA-08-07.amd64.txt</link>
	<description>FreeBSD Security Advisory - If a General Protection Fault happens on a FreeBSD/amd64 system while it is returning from an interrupt, trap or system call, the swapgs CPU instruction may be called one extra time when it should not be, resulting in userland and kernel state being mixed. A local attacker can, by causing a General Protection Fault while the kernel is returning from an interrupt, trap or system call while manipulating stack frames, run arbitrary code with kernel privileges. </description>
</item>
<item>
	<title>MDVSA-2008-185.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/MDVSA-2008-185.txt</link>
	<description>Mandriva Linux Security Advisory - A cross-site request forgery vulnerability was discovered in Django that, if exploited, could be used to perform unrequested deletion or modification of data. Updated versions of Django will now discard posts from users whose sessions have expired, so data will need to be re-entered in these cases. The versions of Django shipping with Mandriva Linux have been updated to the latest patched versions that include the fix for this issue. In addition, they provide other bug fixes. </description>
</item>
<item>
	<title>MDVSA-2008-184.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/MDVSA-2008-184.txt</link>
	<description>Mandriva Linux Security Advisory - Drew Yao of the Apple Product Security Team reported multiple uses of uninitialized values in libtiff's LZW compression algorithm decoder. An attacker could create a carefully crafted LZW-encoded TIFF file that would cause an application linked to libtiff to crash or potentially execute arbitrary code. The updated packages have been patched to prevent this issue. </description>
</item>
<item>
	<title>cisco-sa-20080903-asa.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/cisco-sa-20080903-asa.txt</link>
	<description>Cisco Security Advisory - Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances that may result in a reload of the device or disclosure of confidential information. </description>
</item>
<item>
	<title>cisco-sr-20080903-csacs.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/cisco-sr-20080903-csacs.txt</link>
	<description>Cisco Security Advisory - A specially crafted Remote Authentication Dial In User Service (RADIUS) Extensible Authentication Protocol (EAP) Message Attribute packet sent to the Cisco Secure Access Control Server (ACS) can crash the CSRadius and CSAuth processes of Cisco Secure ACS. Because this affects CSAuth all authentication requests via RADIUS or TACACS+ will be affected during exploitation of this vulnerability. </description>
</item>
<item>
	<title>cisco-acs.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/cisco-acs.txt</link>
	<description>Cisco Secure ACS does not correctly parse the length of EAP-Response packets which allows remote attackers to cause a denial of service and possibly execute arbitrary code. A remote attacker (acting as a RADIUS client) could send a specially crafted EAP Response packet against a Cisco Secure ACS server in such a way as to cause the CSRadius service to crash (reliable). This bug may be triggered if the length field of an EAP-Response packet has a certain big value, greater than the real packet length.  </description>
</item>
<item>
	<title>distack-1.1.0-dev.tar.gz</title>
	<link>http://packetstormsecurity.org/UNIX/IDS/distack-1.1.0-dev.tar.gz</link>
	<description>Distack is a framework for local and distributed attack detection and traffic analysis. It can run on live interfaces or trace files, as well as in simulation environments. Therefore it provides easy ways to develop attack detection mechanisms and evaluate them on a large scale in simulated networks. </description>
</item>
<item>
	<title>livinglocal-sql.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/livinglocal-sql.txt</link>
	<description>Living Local Website suffers from a SQL injection vulnerability in listtest.php. </description>
</item>
<item>
	<title>moodle-exec.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/moodle-exec.txt</link>
	<description>Moodle versions 1.8.4 and below remote code execution exploit. </description>
</item>
<item>
	<title>uploader6-xss.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/uploader6-xss.txt</link>
	<description>Uploader version 6.1 suffers from a cross site scripting vulnerability. </description>
</item>
<item>
	<title>secunia-iprintboundary.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/secunia-iprintboundary.txt</link>
	<description>Secunia Research has discovered a vulnerability in Novell iPrint Client, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error within the IppCreateServerRef() function in nipplib.dll. This can be exploited to cause a heap-based buffer overflow by passing an overly long, specially crafted string as argument to either GetPrinterURLList(), GetPrinterURLList2(), or GetFileList2() as provided by the Novell iPrint ActiveX control (ienipp.ocx). Successful exploitation may allow execution of arbitrary code. </description>
</item>
<item>
	<title>google-download.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/google-download.txt</link>
	<description>Google Chrome Browser version 0.2.149.27 automatic file download exploit. </description>
</item>
<item>
	<title>google_chrome.tgz</title>
	<link>http://packetstormsecurity.org/0809-exploits/google_chrome.tgz</link>
	<description>Google Chrome Browser version 0.2.149.27 suffers from a denial of service crash vulnerability when mishandling a malicious link. Proof of concept code included. </description>
</item>
<item>
	<title>samhain-2.4.6.tar.gz</title>
	<link>http://packetstormsecurity.org/UNIX/IDS/samhain-2.4.6.tar.gz</link>
	<description>Samhain is a file system integrity checker that can be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. Databases, logs, and config files can be signed for tamper resistance. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, and syslog) are available. Tested on Linux, AIX, HP-UX, Unixware, Sun and Solaris.</description>
</item>
<item>
	<title>spice-sql.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/spice-sql.txt</link>
	<description>Spice Classifieds suffers from a remote SQL injection vulnerability in index.php. </description>
</item>
<item>
	<title>translucid-upload.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/translucid-upload.txt</link>
	<description>TransLucid version 1.75 suffers from a remote arbitrary file upload vulnerability. </description>
</item>
<item>
	<title>aspwebalbum-sqlxssupload.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/aspwebalbum-sqlxssupload.txt</link>
	<description>aspWebAlbum version 3.2 suffers from cross site scripting, SQL injection, and upload vulnerabilities. </description>
</item>
<item>
	<title>alphanumeric-shellcode.txt</title>
	<link>http://packetstormsecurity.org/shellcode/alphanumeric-shellcode.txt</link>
	<description>67 byte Win32 PEB Kernel32.dll ImageBase Finger Alphanumeric shellcode. </description>
</item>
<item>
	<title>imagebase-shellcode.txt</title>
	<link>http://packetstormsecurity.org/shellcode/imagebase-shellcode.txt</link>
	<description>49 byte Win32 PEB Kernel32.dll ImageBase Finger shellcode. </description>
</item>
<item>
	<title>DDIVRT-2008-13.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/DDIVRT-2008-13.txt</link>
	<description>PageR versions below 5.0.l7 from AVTECH suffer from a directory traversal vulnerability. </description>
</item>
<item>
	<title>DDIVRT-2008-14.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/DDIVRT-2008-14.txt</link>
	<description>The 3Com Wireless 8760 Dual Radio 11a/b/g PoE Access Point is susceptible to a denial of service condition via the web management interface. </description>
</item>
<item>
	<title>sqlmap-0.6.tar.gz</title>
	<link>http://packetstormsecurity.org/UNIX/audit/sqlmap-0.6.tar.gz</link>
	<description>sqlmap is an automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specific DBMS tables/columns, run his own SQL SELECT statement, read specific files on the file system and much more. </description>
</item>
<item>
	<title>SSRT080044-080045.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/SSRT080044-080045.txt</link>
	<description>HP Security Bulletin - Potential vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM). The vulnerabilities could be exploited remotely to create a Denial of Service (DoS). </description>
</item>
<item>
	<title>elitecms-sql.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/elitecms-sql.txt</link>
	<description>elite CMS version 1.0 suffers from a remote SQL injection vulnerability in index.php. </description>
</item>
<item>
	<title>MDVSA-2008-183.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/MDVSA-2008-183.txt</link>
	<description>Mandriva Linux Security Advisory - Chaskiel M Grundman found that OpenSC would initialize smart cards with the Siemens CardOS M4 card operating system without proper access rights. This allowed everyone to change the card's PIN without first having the PIN or PUK, or the superuser's PIN or PUK. Please note that this issue can not be used to discover the PIN on a card. If the PIN on a card is the same that was always there, it is unlikely that this vulnerability has been exploited. As well, this issue only affects smart cards and USB crypto tokens based on Siemens CardOS M4, and then only those devices that were initialized by OpenSC. Users of other smart cards or USB crypto tokens, or cards that were not initialized by OpenSC, are not affected. After applying the update, executing 'pkcs15-tool -T' will indicate whether the card is fine or vulnerable. If the card is vulnerable, the security settings need to be updated by executing 'pkcs15-tool -T -U'. The updated packages have been patched to prevent this issue. </description>
</item>
<item>
	<title>MDVSA-2008-182.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/MDVSA-2008-182.txt</link>
	<description>Mandriva Linux Security Advisory - Rob Holland found several programming errors in WordNet which could lead to the execution of arbitrary code when used with untrusted input. The updated packages have been patched to prevent these issues. </description>
</item>
<item>
	<title>cscart-sql.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/cscart-sql.txt</link>
	<description>CS-Cart versions 1.3.5 and below suffer from a remote SQL injection vulnerability. </description>
</item>
<item>
	<title>SSRT080113.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/SSRT080113.txt</link>
	<description>HP Security Bulletin - Potential security vulnerabilities have been identified in HP-UX running Netscape / Red Hat Directory Server. These vulnerabilities could be exploited remotely to allow Cross Site Scripting (XSS) or to create a Denial of Service (DoS). </description>
</item>
<item>
	<title>softalk-dos.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/softalk-dos.txt</link>
	<description>The Softalk IMAP server version 8.5.1 is susceptible to a denial of service vulnerability. </description>
</item>
<item>
	<title>psbot.py.txt</title>
	<link>http://packetstormsecurity.org/UNIX/penetration/psbot.py.txt</link>
	<description>Psbot is an IRC bot written in Python that allows for remote command execution, connectback functionality, and backdoors to be spawned. </description>
</item>
<item>
	<title>mysql-injection-newbies.txt</title>
	<link>http://packetstormsecurity.org/papers/database/mysql-injection-newbies.txt</link>
	<description>A tutorial written for newbies who want to explore the m4d l33t world of SQL injection and have yet to even learn basic SQL commands. </description>
</item>
<item>
	<title>ajhyipacmereadarticle-sql.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/ajhyipacmereadarticle-sql.txt</link>
	<description>AJ HYIP ACME suffers from a SQL injection vulnerability in readarticle.php. </description>
</item>
<item>
	<title>ajhyipacmecomment-sql.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/ajhyipacmecomment-sql.txt</link>
	<description>AJ HYIP ACME suffers from a SQL injection vulnerability in comment.php. </description>
</item>
<item>
	<title>kyocera-ftp-bounce.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/kyocera-ftp-bounce.txt</link>
	<description>Using Nmap, it is quite simple to perform an FTP bounce attack to port scan using the ftpd in Kyocera's printer model FS-118MFP. </description>
</item>
<item>
	<title>USN-639-1.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/USN-639-1.txt</link>
	<description>Ubuntu Security Notice 639-1 - Drew Yao discovered that the TIFF library did not correctly validate LZW compressed TIFF images. If a user or automated system were tricked into processing a malicious image, a remote attacker could execute arbitrary code or cause an application linked against libtiff to crash, leading to a denial of service. </description>
</item>
<item>
	<title>reciprocal-sql.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/reciprocal-sql.txt</link>
	<description>Reciprocal Link Manager version 1.1 suffers from a SQL injection vulnerability. </description>
</item>
<item>
	<title>coupon-sql.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/coupon-sql.txt</link>
	<description>Coupon Script version 4.0 suffers from a SQL injection vulnerability. </description>
</item>
<item>
	<title>postfix24-dos.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/postfix24-dos.txt</link>
	<description>Postfix versions 2.4 and above when used on the Linux 2.6 kernel suffer from a denial of service vulnerability. </description>
</item>
<item>
	<title>draft-gont-opsec-ip-security-01.txt</title>
	<link>http://packetstormsecurity.org/papers/general/draft-gont-opsec-ip-security-01.txt</link>
	<description>This is the IETF Internet-Draft entitled "Security Assessment of the Internet Protocol version 4", which is heavily based on the "Security Assessment of the Internet Protocol". </description>
</item>
<item>
	<title>draft-ietf-tsvwg-port-randomization-02.txt</title>
	<link>http://packetstormsecurity.org/papers/general/draft-ietf-tsvwg-port-randomization-02.txt</link>
	<description>This document describes a simple and efficient method for random selection of a client port number, such that the possibility of an attacker guessing the exact value is reduced. While this is not a replacement for cryptographic methods, the described port number randomization algorithms provide improved security/obfuscation with very little effort and without any key management overhead. The mechanisms described in this document are a local modification that may be incrementally deployed, and that does not violate the specifications of any of the transport protocols that may benefit from it, such as TCP, UDP, SCTP, DCCP, and RTP.</description>
</item>
<item>
	<title>bizdir-xss.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/bizdir-xss.txt</link>
	<description>BizDirectory versions 2.04 and below suffer from a cross site scripting vulnerability. </description>
</item>
<item>
	<title>evilshell.c</title>
	<link>http://packetstormsecurity.org/UNIX/penetration/rootkits/evilshell.c</link>
	<description>3vilsh3ll is a remote backdoor that shuffles a shell back to a remote host when hit with an ICMP packet that has special settings. </description>
</item>
<item>
	<title>dsa-1634-1.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/dsa-1634-1.txt</link>
	<description>Debian Security Advisory 1634-1 - Rob Holland discovered several programming errors in WordNet, an electronic lexical database of the English language. These flaws could allow arbitrary code execution when used with untrusted input, for example when WordNet is in use as a back end for a web application. </description>
</item>
<item>
	<title>dsa-1633-1.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/dsa-1633-1.txt</link>
	<description>Debian Security Advisory 1633-1 - It has been discovered that Slash, the Slashdot Like Automated Storytelling Homepage suffers from two vulnerabilities related to insufficient input sanitation, leading to execution of SQL commands (CVE-2008-2231) and cross-site scripting (CVE-2008-2553). </description>
</item>
<item>
	<title>mimedefang-2.65.tar.gz</title>
	<link>http://packetstormsecurity.org/UNIX/mail/mimedefang-2.65.tar.gz</link>
	<description>MIMEDefang is a flexible MIME email scanner designed to protect Windows clients from viruses. Includes the ability to do many other kinds of mail processing, such as replacing parts of messages with URLs. It can alter or delete various parts of a MIME message according to a very flexible configuration file. It can also bounce messages with unacceptable attachments. MIMEDefang works with the Sendmail 8.11 and newer Milter API, which makes it more flexible and efficient than procmail-based approaches.</description>
</item>
<item>
	<title>myphpnukepfp-sql.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/myphpnukepfp-sql.txt</link>
	<description>myPHPNuke versions below 1.8.8_8rc2 suffer from a remote SQL injection vulnerability in printfeature.php. </description>
</item>
<item>
	<title>e107be-sql.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/e107be-sql.txt</link>
	<description>e107 BLOG Engine plugin version 2.2 remote SQL injection exploit. </description>
</item>
<item>
	<title>webid-upload.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/webid-upload.txt</link>
	<description>WeBid version 0.5.4 remote arbitrary file upload exploit. </description>
</item>
<item>
	<title>cmsbright-sql.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/cmsbright-sql.txt</link>
	<description>CMSbright suffers from a remote SQL injection vulnerability. </description>
</item>
<item>
	<title>webid054-sql.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/webid054-sql.txt</link>
	<description>WeBid version 0.5.4 suffers from a SQL injection vulnerability in item.php. </description>
</item>
<item>
	<title>plesk-auth.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/plesk-auth.txt</link>
	<description>Plesk 8.6.0 suffers from an authentication flaw that allows an attacker to gain virtual user privileges. </description>
</item>
<item>
	<title>wordnet-overflow.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/wordnet-overflow.txt</link>
	<description>The WordNet Unix library and command-line interface version 3.0 suffers from a number of stack overflow vulnerabilities. </description>
</item>
<item>
	<title>jobsitepro-xsrf.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/jobsitepro-xsrf.txt</link>
	<description>JobSitePro suffers from a cross site request forgery vulnerability. </description>
</item>
<item>
	<title>vtigercrm-xss.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/vtigercrm-xss.txt</link>
	<description>vtigerCRM version 5.0.4 suffers from multiple cross site scripting vulnerabilities.  </description>
</item>
<item>
	<title>PLSA-2008-35.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/PLSA-2008-35.txt</link>
	<description>Pardus Linux Security Advisory - A vulnerability has been reported in Ruby, which can be exploited by malicious people to cause a DoS (Denial of Service).  </description>
</item>
<item>
	<title>PLSA-2008-34.txt</title>
	<link>http://packetstormsecurity.org/0809-advisories/PLSA-2008-34.txt</link>
	<description>Pardus Linux Security Advisory - A vulnerability was reported in GNU ed. A remote user can cause arbitrary code to be executed on the target user's system. </description>
</item>
<item>
	<title>0808-exploits.tgz</title>
	<link>http://packetstormsecurity.org/0808-exploits/0808-exploits.tgz</link>
	<description>Packet Storm new exploits for August, 2008. </description>
</item>
<item>
	<title>easyclassifieds-sql.txt</title>
	<link>http://packetstormsecurity.org/0809-exploits/easyclassifieds-sql.txt</link>
	<description>EasyClassifieds version 3.0 suffers from a remote SQL injection vulnerability. </description>
</item>
<item>
	<title>mimocms-sql.txt</title>
	<link>http://packetstormsecurity.org/0808-exploits/mimocms-sql.txt</link>
	<description>Mimo Multimedia CMS suffers from a remote SQL injection vulnerability. </description>
</item>
<item>
	<title>rs_pocfix.txt</title>
	<link>http://packetstormsecurity.org/0808-exploits/rs_pocfix.txt</link>
	<description>Proof of concept exploit for the local root vulnerability in Postfix. Original discovery by Sebastian Krahmer. </description>
</item>
<item>
	<title>dsa-1627-2.txt</title>
	<link>http://packetstormsecurity.org/0808-advisories/dsa-1627-2.txt</link>
	<description>Debian Security Advisory 1627-2 - The previous security update for opensc had a too strict check for vulnerable smart cards. It could flag cards as safe even though they may be affected. This update corrects that problem. </description>
</item>
<item>
	<title>atmail542-xss.txt</title>
	<link>http://packetstormsecurity.org/0808-exploits/atmail542-xss.txt</link>
	<description>@mail version 5.42 suffers from multiple cross site scripting vulnerabilities. </description>
</item>
<item>
	<title>PLSA-2008-33.txt</title>
	<link>http://packetstormsecurity.org/0808-advisories/PLSA-2008-33.txt</link>
	<description>Pardus Linux Security Advisory - A security issue has been reported in OpenSC, which can be exploited by malicious people to bypass certain security restrictions.  </description>
</item>
<item>
	<title>PLSA-2008-32.txt</title>
	<link>http://packetstormsecurity.org/0808-advisories/PLSA-2008-32.txt</link>
	<description>Pardus Linux Security Advisory - Juraj Skripsky has reported a vulnerability in Mono, which can be exploited by malicious people to conduct HTTP header injection attacks. </description>
</item>
<item>
	<title>dsa-1597-2.txt</title>
	<link>http://packetstormsecurity.org/0808-advisories/dsa-1597-2.txt</link>
	<description>Debian Security Advisory 1597-2 - In DSA-1597-1, an update was announced for multiple vulnerabilities in the mt-daapd audio server. One of the fixes introduced a regression preventing successful authentication to the administration interface. An updated release is available which corrects this problem. </description>
</item>
<item>
	<title>VMSA-2008-0014.txt</title>
	<link>http://packetstormsecurity.org/0808-advisories/VMSA-2008-0014.txt</link>
	<description>VMware Security Advisory - Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX address information disclosure, privilege escalation and other security issues. </description>
</item>
<item>
	<title>osp-sqlxssxsrf.txt</title>
	<link>http://packetstormsecurity.org/0808-exploits/osp-sqlxssxsrf.txt</link>
	<description>OpenSharePoint version 0.4.0 RC3 suffers from remote SQL injection, cross site scripting, and cross site request forgery vulnerabilities. </description>
</item>
<item>
	<title>omcd-xssxsrf.txt</title>
	<link>http://packetstormsecurity.org/0808-exploits/omcd-xssxsrf.txt</link>
	<description>Open Media Collectors Database version 1.0.6 suffers from cross site scripting and cross site request forgery vulnerabilities. </description>
</item></channel>
</rss>
