<?xml version="1.0" encoding="ISO-8859-1" ?>
<rss version="2.0">
	<channel>
	<title>Packet Storm Security Last 100</title>
	<link>http://packetstormsecurity.org/</link>
	<description>100 Most Recent Packet Storm File Additions</description>
	<language>en-us</language>

<item>
	<title>fwknop-1.9.6.tar.gz</title>
	<link>http://packetstormsecurity.org/UNIX/scanners/fwknop-1.9.6.tar.gz</link>
	<description>fwknop implements an authorization scheme that requires only a single encrypted packet to communicate various pieces of information, including desired access through a Netfilter policy and/or specific commands to execute on the target system. The main application of this program is to protect services such as SSH with an additional layer of security in order to make the exploitation of vulnerabilities much more difficult. The authorization server works by passively monitoring authorization packets via libpcap.</description>
</item>
<item>
	<title>msaccess-activex.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/msaccess-activex.txt</link>
	<description>Microsoft Access ActiveX related remote exploit that makes use of Snapview.ocx version 10.0.5529.0. </description>
</item>
<item>
	<title>wordpressdm-upload.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/wordpressdm-upload.txt</link>
	<description>WordPress Download Manager plugin version 0.2 arbitrary file upload exploit. </description>
</item>
<item>
	<title>ibase-disclose.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/ibase-disclose.txt</link>
	<description>ibase versions 2.03 and below suffer from a remote file disclosure vulnerability in download.php. </description>
</item>
<item>
	<title>atomphotoblog-sql.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/atomphotoblog-sql.txt</link>
	<description>Atom PhotoBlog version 1.1.5b1 suffers from a remote SQL injection vulnerability. </description>
</item>
<item>
	<title>dsa-1616-1.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/dsa-1616-1.txt</link>
	<description>Debian Security Advisory 1616-1 - Damian Put discovered a vulnerability in the ClamAV anti-virus toolkit's parsing of Petite-packed Win32 executables. The weakness leads to an invalid memory access, and could enable an attacker to crash clamav by supplying a maliciously crafted Petite-compressed binary for scanning. In some configurations, such as when clamav is used in combination with mail servers, this could cause a system to fail open, facilitating a follow-on viral attack.</description>
</item>
<item>
	<title>bailiwicked_domain.rb.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/bailiwicked_domain.rb.txt</link>
	<description>This exploit targets a fairly ubiquitous flaw in DNS implementations which allows the insertion of malicious DNS records into the cache of the target nameserver. This exploit caches a single malicious nameserver entry into the target nameserver which replaces the legitimate nameservers for the target domain. By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing the target nameserver to insert the additional record into the cache. This insertion completely replaces the original nameserver records for the target domain.</description>
</item>
<item>
	<title>pkd-1.1.tgz</title>
	<link>http://packetstormsecurity.org/linux/firewall/iptables/pkd-1.1.tgz</link>
	<description>ipt_pkd is an iptables extension implementing port knock detection. This project provides 3 parts: the kernel module ipt_pkd, the iptables user space module libipt_pkd.so, and a user space client knock program. For the knock packet, it uses a UDP packet sent to a random port that contains a SHA-256 of a timestamp, small header, random bytes, and a shared key. ipt_pkd checks the time window of the packet and does the SHA-256 to verify the packet. The shared key is never sent.</description>
</item>
<item>
	<title>bailiwicked_host.rb.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/bailiwicked_host.rb.txt</link>
	<description>This exploit targets a fairly ubiquitous flaw in DNS implementations which allows the insertion of malicious DNS records into the cache of the target nameserver. This exploit caches a single malicious host entry into the target nameserver. By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing the target nameserver to insert the additional record into the cache.</description>
</item>
<item>
	<title>SDTCleaner-v1.0.zip</title>
	<link>http://packetstormsecurity.org/Win/SDTCleaner-v1.0.zip</link>
	<description>SDT Cleaner is a small laboratory tool that attempts to restore the pointers installed by Anti-Virus and Firewalls in the SSDT (System Service Descriptor Table). </description>
</item>
<item>
	<title>dsa-1615-1.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/dsa-1615-1.txt</link>
	<description>Debian Security Advisory 1615-1 - Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. </description>
</item>
<item>
	<title>dsa-1614-1.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/dsa-1614-1.txt</link>
	<description>Debian Security Advisory 1614-1 - Several remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. It was discovered that missing boundary checks on a reference counter for CSS objects can lead to the execution of arbitrary code. Billy Rios discovered that passing a URL containing a pipe symbol to Iceweasel can lead to Chrome privilege escalation.</description>
</item>
<item>
	<title>dsa-1540-3.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/dsa-1540-3.txt</link>
	<description>Debian Security Advisory 1540-3 - This update fixes a regression in lighttpd introduced in DSA-1540, causing SSL failures. </description>
</item>
<item>
	<title>USN-628-1.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/USN-628-1.txt</link>
	<description>Ubuntu Security Notice 628-1 - Over a dozen vulnerabilities in php5 have been addressed in Ubuntu. </description>
</item>
<item>
	<title>vimfiletype-exec.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/vimfiletype-exec.txt</link>
	<description>This advisory discusses the filetype.vim vulnerability in Vim version 7.2b.10 that allows for arbitrary code execution and also notes that the Vim patch 7.1.300 did not fix the vulnerability. </description>
</item>
<item>
	<title>emc-sql.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/emc-sql.txt</link>
	<description>EMC's Centera Universal Access product version CUA4.0_4735.p4 suffers from a SQL injection vulnerability. </description>
</item>
<item>
	<title>AST-2008-011.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/AST-2008-011.txt</link>
	<description>Asterisk Project Security Advisory - An attacker may request an Asterisk server to send part of a firmware image. However, as this firmware download protocol does not initiate a handshake, the source address may be spoofed. Therefore, an IAX2 FWDOWNL request for a firmware file may consume as little as 40 bytes, yet produces a 1040 byte response. Coupled with multiple geographically diverse Asterisk servers, an attacker may flood a victim site with unwanted firmware packets.</description>
</item>
<item>
	<title>AST-2008-010.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/AST-2008-010.txt</link>
	<description>Asterisk Project Security Advisory - By flooding an Asterisk server with IAX2 'POKE' requests, an attacker may eat up all call numbers associated with the IAX2 protocol on an Asterisk server and prevent other IAX2 calls from getting through. Due to the nature of the protocol, IAX2 POKE calls will expect an ACK packet in response to the PONG packet sent in response to the POKE. While waiting for this ACK packet, this dialog consumes an IAX2 call number, as the ACK packet must contain the same call number as was allocated and sent in the PONG. </description>
</item>
<item>
	<title>MDVSA-2008-154.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/MDVSA-2008-154.txt</link>
	<description>Mandriva Linux Security Advisory - A vulnerability in xemacs was found where an attacker could provide a group of files containing local variable definitions and arbitrary Lisp code to be executed when one of the provided files is opened by xemacs. The updated packages have been patched to correct this issue. </description>
</item>
<item>
	<title>MDVSA-2008-153.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/MDVSA-2008-153.txt</link>
	<description>Mandriva Linux Security Advisory - A vulnerability in emacs was found where an attacker could provide a group of files containing local variable definitions and arbitrary Lisp code to be executed when one of the provided files is opened by emacs. The updated packages have been patched to correct this issue. </description>
</item>
<item>
	<title>MDVSA-2008-152.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/MDVSA-2008-152.txt</link>
	<description>Mandriva Linux Security Advisory - A vulnerability was found in Wireshark that could cause it to crash while processing malicious packets. This update provides Wireshark 1.0.2, which is not vulnerable to that.</description>
</item>
<item>
	<title>joomlamamml-upload.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/joomlamamml-upload.txt</link>
	<description>The Joomla Mamml component suffers from a remote file disclosure vulnerability. </description>
</item>
<item>
	<title>mysql_injection.pdf</title>
	<link>http://packetstormsecurity.org/papers/database/mysql_injection.pdf</link>
	<description>Whitepaper discussing techniques for MySQL related SQL injection. Written in Spanish. </description>
</item>
<item>
	<title>oss-bypass.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/oss-bypass.txt</link>
	<description>Outpost Security Suite Pro version 2009 suffers from multiple bypass vulnerabilities when using special characters. </description>
</item>
<item>
	<title>PR08-16.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/PR08-16.txt</link>
	<description>Moodle versions 1.7.4 and below suffer from a cross site request forgery vulnerability. </description>
</item>
<item>
	<title>PR08-13.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/PR08-13.txt</link>
	<description>A cross site scripting vulnerability exists in Moodle versions 1.7.4 and below. </description>
</item>
<item>
	<title>CS-2008-2.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/CS-2008-2.txt</link>
	<description>SocialEngine versions below 2.83 suffer from an input validation vulnerability that allows for client take over. </description>
</item>
<item>
	<title>FGA-2008-16-3.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/FGA-2008-16-3.txt</link>
	<description>EMC Dantz Retrospect 7 Backup Server version 7.5.508 suffers from a weak password hash arithmetic vulnerability in the authentication module. </description>
</item>
<item>
	<title>presurveypoll-sql.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/presurveypoll-sql.txt</link>
	<description>Pre Survey Poll suffers from a SQL injection vulnerability in default.asp. </description>
</item>
<item>
	<title>ezwebalbum-cookie.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/ezwebalbum-cookie.txt</link>
	<description>EZWebAlbum suffers from an insecure cookie handling vulnerability that allows anyone to be an administrator. </description>
</item>
<item>
	<title>minix-dos.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/minix-dos.txt</link>
	<description>Minix version 3.1.2a suffers from a tty panic local denial of service vulnerability. </description>
</item>
<item>
	<title>intellitamper207-exec.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/intellitamper207-exec.txt</link>
	<description>IntelliTamper version 2.07 server header remote code execution exploit. </description>
</item>
<item>
	<title>intellitamper207-overflow.c</title>
	<link>http://packetstormsecurity.org/0807-exploits/intellitamper207-overflow.c</link>
	<description>IntelliTamper version 2.0.7 html parser remote buffer overflow exploit. </description>
</item>
<item>
	<title>dns-writeup.txt</title>
	<link>http://packetstormsecurity.org/papers/protocols/dns-writeup.txt</link>
	<description>Interesting write up discussing DNS cache poisoning then and now. </description>
</item>
<item>
	<title>USN-627-1.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/USN-627-1.txt</link>
	<description>Ubuntu Security Notice 627-1 - Dan Kaminsky discovered weaknesses in the DNS protocol as implemented by Dnsmasq. A remote attacker could exploit this to spoof DNS entries and poison DNS caches. Among other things, this could lead to misdirected email and web traffic. </description>
</item>
<item>
	<title>DSECRG-08-032.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/DSECRG-08-032.txt</link>
	<description>Claroline eLearning and eWorking Platform version 1.8.10 suffers from cross site scripting vulnerabilities. </description>
</item>
<item>
	<title>dsa-1613-1.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/dsa-1613-1.txt</link>
	<description>Debian Security Advisory 1613-1 - Multiple vulnerabilities have been identified in libgd2, a library for programmatic graphics creation and manipulation. The Common Vulnerabilities and Exposures project identifies the following three issues: </description>
</item>
<item>
	<title>MDVSA-2008-151.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/MDVSA-2008-151.txt</link>
	<description>Mandriva Linux Security Advisory - A buffer overflow vulnerability in libxslt could be exploited via an XSL style sheet file with a long XSLT transformation match condition, which could possibly lead to the execution of arbitrary code. The updated packages have been patched to correct this issue.</description>
</item>
<item>
	<title>sipwitch-0.2.2.tar.gz</title>
	<link>http://packetstormsecurity.org/sip/sipwitch-0.2.2.tar.gz</link>
	<description>GNU SIP Witch is a pure SIP-based office telephone call server that supports generic phone system features like call forwarding, hunt groups and call distribution, call coverage and ring groups, holding, and call transfer, as well as offering SIP specific capabilities such as presence and messaging. It supports secure telephone extensions for making calls over the Internet, and intercept/decrypt-free peer-to-peer audio and video extensions. It is not a SIP proxy, a multi-protocol telephone server, or an IP-PBX, and does not try to emulate Asterisk, FreeSWITCH, or Yate.</description>
</item>
<item>
	<title>shopcartdx-sql.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/shopcartdx-sql.txt</link>
	<description>ShopCartDx version 4.30 suffers from a remote SQL injection vulnerability. </description>
</item>
<item>
	<title>youtubeblog-rfisqlxss.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/youtubeblog-rfisqlxss.txt</link>
	<description>YouTube Blog version 0.1 suffers from remote file inclusion, SQL injection, and cross site scripting vulnerabilities. </description>
</item>
<item>
	<title>intellitamper-overflow.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/intellitamper-overflow.txt</link>
	<description>IntelliTamper version 2.0.7 html parser remote buffer overflow exploit. </description>
</item>
<item>
	<title>modjk1219-overflow.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/modjk1219-overflow.txt</link>
	<description>Apache mod_jk version 1.2.19 remote buffer overflow exploit for win32. </description>
</item>
<item>
	<title>zdaemonull.zip</title>
	<link>http://packetstormsecurity.org/0807-exploits/zdaemonull.zip</link>
	<description>ZDaemon version 1.08.07 denial of service exploit that makes use of a NULL pointer vulnerability. </description>
</item>
<item>
	<title>zdaemonull.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/zdaemonull.txt</link>
	<description>ZDaemon version 1.08.07 suffers from a NULL pointer vulnerability that allows for a denial of service. </description>
</item>
<item>
	<title>glsa-200807-12.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/glsa-200807-12.txt</link>
	<description>Gentoo Linux Security Advisory GLSA 200807-12 - bannedit reported a boundary error when handling overly long IRC MODE messages (CVE-2007-4584). Nico Golde reported an insecure creation of a temporary file within the e_hostname() function (CVE-2007-5839). Versions less than or equal to 1.1-r4 are affected. </description>
</item>
<item>
	<title>dsa-1612-1.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/dsa-1612-1.txt</link>
	<description>Debian Security Advisory 1612-1 - Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: </description>
</item>
<item>
	<title>DSEGRG-08-31.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/DSEGRG-08-31.txt</link>
	<description>Interact E-Learning System version 2.4.1 suffers from a local file inclusion vulnerability in help/help.php. </description>
</item>
<item>
	<title>FGA-2008-16-2.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/FGA-2008-16-2.txt</link>
	<description>EMC Dantz Retrospect 7 backup Client 7.5.116 suffers from a NULL pointer reference denial of service vulnerability. </description>
</item>
<item>
	<title>FGA-2008-16.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/FGA-2008-16.txt</link>
	<description>EMC Dantz Retrospect 7 backup Client 7.5.116 suffers from a plaintext password hash disclosure vulnerability. </description>
</item>
<item>
	<title>html5whitepaper.pdf</title>
	<link>http://packetstormsecurity.org/papers/general/html5whitepaper.pdf</link>
	<description>Abusing HTML 5 Structured Client-Side Storage - A whitepaper analyzing security implications of this technology and showing how different attacks can be conducted.</description>
</item>
<item>
	<title>mojoauto-sql.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/mojoauto-sql.txt</link>
	<description>MojoAuto remote blind SQL injection exploit that leverages mojoAuto.cgi. </description>
</item>
<item>
	<title>mojojobs-sql.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/mojojobs-sql.txt</link>
	<description>MojoJobs remote blind SQL injection exploit that leverages mojoJobs.cgi. </description>
</item>
<item>
	<title>mojopersonals-sql.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/mojopersonals-sql.txt</link>
	<description>MojoPersonals remote blind SQL injection exploit that leverages mojoClassified.cgi. </description>
</item>
<item>
	<title>mojoclassifieds-sql.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/mojoclassifieds-sql.txt</link>
	<description>MojoClassifieds version 2.0 remote blind SQL injection exploit. </description>
</item>
<item>
	<title>glsa-200807-11.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/glsa-200807-11.txt</link>
	<description>Gentoo Linux Security Advisory GLSA 200807-11 - Nico Golde reported a boundary error in the HTTP::getAuthUserPass() function when processing overly long HTTP Basic authentication requests. Versions less than 0.1218-r1 are affected. </description>
</item>
<item>
	<title>glsa-200807-10.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/glsa-200807-10.txt</link>
	<description>Gentoo Linux Security Advisory GLSA 200807-10 - Matthijs Kooijman reported that the make_catalog_backup script uses the MySQL password as a command line argument when invoking other programs. Versions less than 2.4.1 are affected. </description>
</item>
<item>
	<title>flip-rfi.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/flip-rfi.txt</link>
	<description>Flip version 3.0 Final suffers from a remote file inclusion vulnerability. </description>
</item>
<item>
	<title>arctic-sql.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/arctic-sql.txt</link>
	<description>Arctic Issue Tracker version 2.0.0 remote SQL injection exploit that leverages index.php. </description>
</item>
<item>
	<title>ezwebalbum-disclose.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/ezwebalbum-disclose.txt</link>
	<description>EZWebAlbum suffers from a remote file disclosure vulnerability. </description>
</item>
<item>
	<title>hifriend-xploit.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/hifriend-xploit.txt</link>
	<description>hifriend.pl from Hibyte Software remote header injection exploit. </description>
</item>
<item>
	<title>myreview-disclose.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/myreview-disclose.txt</link>
	<description>The MyReview web application versions 1.9.9 and below and 2.0 Beta suffer from a mishandling of submissions allowing for unintended downloads of said data.  </description>
</item>
<item>
	<title>maranphp-xss.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/maranphp-xss.txt</link>
	<description>Maran PHP Blog suffers from a cross site scripting vulnerability. </description>
</item>
<item>
	<title>hrsmulti-sql.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/hrsmulti-sql.txt</link>
	<description>HRS Multi blind SQL injection exploit that makes use of picture_pic_bv.asp. </description>
</item>
<item>
	<title>aproxcms-sql.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/aproxcms-sql.txt</link>
	<description>Aprox CMS Engine version 5.1.0.4 suffers from a SQL injection vulnerability in index.php. </description>
</item>
<item>
	<title>oracleidir-dos.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/oracleidir-dos.txt</link>
	<description>Oracle Internet Directory version 10.1.4 remote pre-authentication denial of service exploit.  </description>
</item>
<item>
	<title>oracleuntrust-local.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/oracleuntrust-local.txt</link>
	<description>Oracle 10g R2 and Oracle 11g suffer from a local root compromise vulnerability via the extjob binary.</description>
</item>
<item>
	<title>myblog-multi.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/myblog-multi.txt</link>
	<description>MyBlog versions 0.9.8 and below suffer from information leak and cross site scripting vulnerabilities. </description>
</item>
<item>
	<title>MDVSA-2008-150.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/MDVSA-2008-150.txt</link>
	<description>Mandriva Linux Security Advisory - Multiple buffer overflows in yaSSL, which is used in MySQL, allowed remote attackers to execute arbitrary code or cause a denial of service via a special Hello packet. Sergei Golubchik found that MySQL did not properly validate optional data or index directory paths given in a CREATE TABLE statement; as well it would not, under certain conditions, prevent two databases from using the same paths for data or index files. This could allow an authenticated user with appropriate privilege to create tables in one database to read and manipulate data in tables later created in other databases, regardless of GRANT privileges. The updated packages have been patched to correct these issues.</description>
</item>
<item>
	<title>MDVSA-2008-149.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/MDVSA-2008-149.txt</link>
	<description>Mandriva Linux Security Advisory - Sergei Golubchik found that MySQL did not properly validate optional data or index directory paths given in a CREATE TABLE statement; as well it would not, under certain conditions, prevent two databases from using the same paths for data or index files. This could allow an authenticated user with appropriate privilege to create tables in one database to read and manipulate data in tables later created in other databases, regardless of GRANT privileges. The updated packages have been patched to correct this issue. </description>
</item>
<item>
	<title>easypublish-sqlxssdisclose.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/easypublish-sqlxssdisclose.txt</link>
	<description>EasyPublish 3.0tr remote cross site scripting, SQL injection, and file disclosure exploit. </description>
</item>
<item>
	<title>easybookmaker-xss.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/easybookmaker-xss.txt</link>
	<description>EasyBookmarker 40tr suffers from a cross site scripting vulnerability. </description>
</item>
<item>
	<title>easyecards-sqlxssdisclose.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/easyecards-sqlxssdisclose.txt</link>
	<description>EasyECards 310a remote cross site scripting, SQL injection, and file disclosure exploit. </description>
</item>
<item>
	<title>easydynamicpages-sqlxssdisclose.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/easydynamicpages-sqlxssdisclose.txt</link>
	<description>EasyDynamicPages 30tr remote cross site scripting, SQL injection, and file disclosure exploit. </description>
</item>
<item>
	<title>SSRT080058-2.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/SSRT080058-2.txt</link>
	<description>HP Security Bulletin - A potential security vulnerability has been identified with HP-UX running BIND. The vulnerability could be exploited remotely to cause DNS cache poisoning. </description>
</item>
<item>
	<title>intellitamper-poc.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/intellitamper-poc.txt</link>
	<description>IntelliTamper version 2.07 html parser remote buffer overflow proof of concept exploit. </description>
</item>
<item>
	<title>intellitamper-exec.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/intellitamper-exec.txt</link>
	<description>IntelliTamper version 2.07 local arbitrary code execution exploit that spawns calc.exe. </description>
</item>
<item>
	<title>digileave-sql.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/digileave-sql.txt</link>
	<description>Digileave version 1.2 blind SQL injection exploit that makes use of info_book.asp. </description>
</item>
<item>
	<title>phpfootball-sql.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/phpfootball-sql.txt</link>
	<description>PHPFootball version 1.6 suffers from a remote SQL injection vulnerability in show.php. </description>
</item>
<item>
	<title>siteframe-sql.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/siteframe-sql.txt</link>
	<description>Siteframe suffers from a SQL injection vulnerability in folder.php. </description>
</item>
<item>
	<title>john-1.7.3.1.tar.gz</title>
	<link>http://packetstormsecurity.org/Crackers/john-1.7.3.1.tar.gz</link>
	<description>John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, and BeOS. Its primary purpose is to detect weak Unix passwords, but a number of other hash types are supported as well.</description>
</item>
<item>
	<title>prelude-manager-0.9.14.tar.gz</title>
	<link>http://packetstormsecurity.org/UNIX/IDS/prelude-manager-0.9.14.tar.gz</link>
	<description>Prelude Manager is the main program of the Prelude Hybrid IDS suite. It is able to register local or remote sensors, let the operator configure them remotely, receive alerts, and store alerts in a database or any format supported by reporting plugins, thus providing centralized logging and analysis.</description>
</item>
<item>
	<title>Software.Distribution.Malware.Infection.Vector.pdf</title>
	<link>http://packetstormsecurity.org/papers/general/Software.Distribution.Malware.Infection.Vector.pdf</link>
	<description>This paper presents an efficient mechanism as well as the corresponding reference implementation for on-the-fly infecting of executable code with malicious software. Their algorithm deploys virus infection routines and network redirection attacks, without requiring the modification of the application itself. This allows infection of executables with an embedded signature when the signature is not automatically verified before execution. They briefly discuss countermeasures such as secure channels, code authentication as well as trusted virtualization that enables the isolation of untrusted downloads from other applications running in trusted domains or compartments. </description>
</item>
<item>
	<title>HomeSecurityMethodologyVacationGuide.1.2.pdf</title>
	<link>http://packetstormsecurity.org/papers/general/HomeSecurityMethodologyVacationGuide.1.2.pdf</link>
	<description>This is the Home Security Methodology Vacation Guide, written to help secure your home before you go on holiday. </description>
</item>
<item>
	<title>DSECRG-08-030.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/DSECRG-08-030.txt</link>
	<description>Claroline eLearning and eWorking Platform version 1.8.9 suffers from cross site scripting, unsigned redirect, and cross site request forgery vulnerabilities. </description>
</item>
<item>
	<title>lateral-sql-followup.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/lateral-sql-followup.txt</link>
	<description>Follow up information regarding a whitepaper about lateral SQL injection and how ALTER SESSION privileges are not needed. </description>
</item>
<item>
	<title>smbclientparser-exec.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/smbclientparser-exec.txt</link>
	<description>The SmbClientParser perl module suffers from a vulnerability that allows for remote command execution. </description>
</item>
<item>
	<title>defblog-sql.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/defblog-sql.txt</link>
	<description>Def Blog version 1.0.3 suffers from multiple SQL injection vulnerabilities. </description>
</item>
<item>
	<title>MDVSA-2008-148.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/MDVSA-2008-148.txt</link>
	<description>Mandriva Linux Security Advisory - Security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox program, version 2.0.0.16. This update provides the latest Firefox to correct these issues. </description>
</item>
<item>
	<title>vim-filecreation.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/vim-filecreation.txt</link>
	<description>Vim versions 5.0 through the current version suffer from an arbitrary code execution vulnerability via an insecure temporary file creation flaw.</description>
</item>
<item>
	<title>communitycms-rfi.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/communitycms-rfi.txt</link>
	<description>Community CMS version 0.1 remote file inclusion exploit. </description>
</item>
<item>
	<title>artic-sql.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/artic-sql.txt</link>
	<description>Artic Issue Tracker version 2.0.0 suffers from a remote SQL injection vulnerability in index.php. </description>
</item>
<item>
	<title>precms-sql.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/precms-sql.txt</link>
	<description>preCMS version 1 suffers from a remote SQL injection vulnerability in index.php. </description>
</item>
<item>
	<title>ZDI-08-044.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/ZDI-08-044.txt</link>
	<description>A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Mozilla Firefox. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists in the browser's handling of reference counters to the nsCSSValue:Array class. Creating more than 65,535 references will overflow a 16-bit reference counter and therefore result in an erroneous free() while the object still exists. Properly manipulated, this can result in arbitrary code execution under the context of the current user.</description>
</item>
<item>
	<title>ZDI-08-043.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/ZDI-08-043.txt</link>
	<description>A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Sun Java Web Start. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists in the GetVMArgsOption() function used while parsing the java-vm-args attribute of the j2se tag in xml based JNLP files. When a user downloads a malicious JNLP file, the vulnerable attribute is read into a static buffer. If an overly long value is defined by the java-vm-args attribute, a stack based buffer overflow occurs, resulting in an exploitable condition. </description>
</item>
<item>
	<title>ZDI-08-042.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/ZDI-08-042.txt</link>
	<description>A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Sun Java Web Start. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists in the writeManifest() method of the CacheEntry class. A directory traversal flaw in this method allows the creation of arbitrary files on the target system. After the file has been created, a call to Runtime.getRuntime.exec() can be used to execute the file. </description>
</item>
<item>
	<title>USN-623-1.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/USN-623-1.txt</link>
	<description>Ubuntu Security Notice 623-1 - A flaw was discovered in the browser engine. A variable could be made to overflow causing the browser to crash. If a user were tricked into opening a malicious web page, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. Billy Rios discovered that Firefox did not properly perform URI splitting with pipe symbols when passed a command-line URI. If Firefox were passed a malicious URL, an attacker may be able to execute local content with chrome privileges. </description>
</item>
<item>
	<title>SSRT080097-2.txt</title>
	<link>http://packetstormsecurity.org/0807-advisories/SSRT080097-2.txt</link>
	<description>HP Security Bulletin - Potential security vulnerabilities have been identified with HP Select Identity Active Directory Bidirectional LDAP Connector. The vulnerabilities could be exploited to allow remote unauthorized access.</description>
</item>
<item>
	<title>beaweblogic-exec.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/beaweblogic-exec.txt</link>
	<description>Bea Weblogic Apache Connector code execution and denial of service exploit. </description>
</item>
<item>
	<title>debopenssh-auth.txt</title>
	<link>http://packetstormsecurity.org/0807-exploits/debopenssh-auth.txt</link>
	<description>It appears that there may be a privilege escalation vulnerability in OpenSSH under Debian due to how SELinux hands out roles. </description>
</item></channel>
</rss>
