EXPLOITS

"In other general security news, there has been a lot of discussion about a new type of Web browser 'attack' nicknamed CSRF, or Cross-Site Request Forgeries, which are similar in concept to Cross-Site Scripting. Basically, it's possible for a malicious Web site or e-mail to embed URLs that will be automatically navigated by the user's browser. This could cause many unwanted side effects. Read all the details at:"
Site 1
Site 2

From a Network Computing newsletter



NEW SunOS Exploit!!!

The printer daemon that handles print requests from remote users has a bug that will give a hacker root access. The affected file is in.lpd.
Versions affected: Solaris 2.6, 2.6x86, 7, 7x86, 8, 8x86



Cisco Internetwork Operating System (IOS) Exploit:

Hackers can gain full control over virtually all Cisco routers and switches through the HTTP server of the IOS software. By requesting a particular URL from the server (which I'm not sure of), a malicious user can bypass the authentication controls and execute commands on the device at the highest privilege level, level 15. It is hard to find an IOS HTTP server that is configured for remote management of the router or switch; it depends on the admin. By default, the HTTP server is NOT enabled, so this won't work on any out-of-the-box system. Cisco already has patches available.

Versions affected: All IOS versions starting with 11.3



Microsoft IIS 4.0/5.0 Exploit

It involves a buffer overflow in the handling of particular Index Server-related Web requests. The indexing service included with IIS 4 and 5 installs ISAPI handlers for .ida and .idq files. It's possible for remote attackers to invoke this ISAPI handler and cause a buffer overflow, allowing them to execute arbitrary code with local system privileges.

FAQ and Patch at: This site



Here's a nice one for FreeBSD systems. If you know the computer is running FreeBSD, don't go for the /etc/passwd file, it's a fake; get the /etc/master.passwd file, that's the file with the encrypted passwords. I'm not sure if this works on any other flavor of UNIX, but give it a try. If you're logged on as guest, chances are you can't access the /etc/master.passwd file, so try getting an account in the wheel group.



Links you should go to for exploits:
Win NT Exploits
SecuriTeam



The older, but might still work, PHF Exploit:
This exploit used a hole in the phf CGI program to show the passwd file to someone who isn't even logged on to the system. It was very popular at first, but now the problem has been fixed. Even if you did find a site where this worked, chances are that the passwords are shadowed.
http://www.whatever.com/cgi-bin/phf?Qalias=j00%ffcat%20/etc/passwd
http://www.whatever.com//cgi-bin/phf?Qalias=x%oa/bin/cat%20/etc/passwd
*Replace whatever.com with the target site



Windows NT/2000 Null Session Exploit:
Windows NT/2000 default settings for CIFS/SMB and NetBIOS include APIs that can show information via TCP port 139. If TCP port 139 is listening on an NT/2000 OS, chances are you can set up a null session connection. This allows an unauthenticated user to connect to their system. Here's the command:
net use \\127.0.0.1\IPC$ "" /u:""
*Replace 127.0.0.1 with the IP of the target



Microsoft IIS Exploit:

Superfluous Decoding Operation in IIS Allows Command Execution: a security vulnerability in IIS allows remote attackers to escape the bounding directories by using doubly encoded characters (the characters used for '.' are encoded twice). Below is exploit code written in Perl that can be used to test for this problem.

Perl Script for this exploit is here
C++ Source Code for this exploit is here
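Both encoding tricks on this page, the twice-encoded '.' in this IIS bug and the %0a newline in the phf query string from the PHF section above, show up in web-server logs once you percent-decode a request more than once and look at what falls out. The script below is an added example written for this page; it is not the Perl or C++ exploit code linked above, and the log lines, the /wwwroot document root and every function name in it are constructed for illustration. It flags requests that only become a traversal after a second decode (the case a single-decode check misses), flags query strings that decode to a newline, and shows the server-side check that decodes until stable before deciding whether a path stays under the document root.

```python
"""Scan web-server request lines for two URL-encoding tricks: path traversal
hidden behind a second layer of percent-encoding (the IIS "superfluous decode"
class) and a newline smuggled into a CGI query string (the phf trick).
Added example; the log lines and the document root are constructed."""
import posixpath
import re
from urllib.parse import urlsplit, unquote

# ".." standing alone between separators, accepting either separator style
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Request field of a Common Log Format line
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')
MAX_PASSES = 3


def decode_passes(text, limit=MAX_PASSES):
    """Percent-decode repeatedly until the string stops changing.
    Index 0 is the raw text, 1 the single decode, 2 the double decode, ..."""
    passes = [text]
    for _ in range(limit):
        nxt = unquote(passes[-1])
        if nxt == passes[-1]:
            break
        passes.append(nxt)
    return passes


def analyze_request(url):
    """Return finding labels for one request URL (empty list = nothing odd)."""
    parts = urlsplit(url)
    passes = decode_passes(parts.path)
    findings = []
    if TRAVERSAL.search(passes[0]):
        findings.append("plain-traversal")
    if len(passes) > 1 and TRAVERSAL.search(passes[1]):
        findings.append("encoded-traversal")
    # Appears only after the second decode: a server that decodes once, runs
    # its directory check, then decodes again lets this through
    if (len(passes) > 2 and TRAVERSAL.search(passes[2])
            and not TRAVERSAL.search(passes[1])):
        findings.append("double-encoded-traversal")
    # %0a / %0d in a query string turns a CGI argument into extra input lines
    if re.search(r"[\r\n]", unquote(parts.query)):
        findings.append("newline-in-query")
    return findings


def is_within_root(url_path, root="/wwwroot"):
    """Mitigation side: decode until stable *before* normalising, then check
    that the resolved file path is still under the (constructed) document root."""
    decoded = decode_passes(url_path, limit=8)[-1].replace("\\", "/")
    resolved = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    return resolved == root or resolved.startswith(root + "/")


def scan_log(lines):
    """Return (line number, url, findings) for every request that trips a check."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        findings = analyze_request(match.group("url"))
        if findings:
            hits.append((number, match.group("url"), findings))
    return hits


# Constructed sample log in Common Log Format (not real traffic)
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2001:12:00:00 +0000] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.9 - - [01/Jan/2001:12:00:01 +0000] "GET /scripts/%252e%252e%252f%252e%252e%252fprivate/notes.txt HTTP/1.0" 200 100',
    '10.0.0.9 - - [01/Jan/2001:12:00:02 +0000] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 100',
    '10.0.0.7 - - [01/Jan/2001:12:00:03 +0000] "GET /docs/%2e%2e/secret HTTP/1.0" 403 0',
]

if __name__ == "__main__":
    for number, url, findings in scan_log(SAMPLE_LOG):
        verdict = "inside-root" if is_within_root(urlsplit(url).path) else "ESCAPES-ROOT"
        print(number, url, findings, verdict)
```

Note that line 4 of the sample is flagged as an encoded traversal but still resolves inside the root: one hop up from /docs lands back in /wwwroot. The detector and the access check answer different questions, and a defender wants both: the detector for alerting on probes, the decode-until-stable check so that a second decoding pass can never happen after the directory decision has been made.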


