excite for web servers: a service for the people
Web sites running "Excite for Web Servers" (EWS) beware!
The installer leaves many files world-writable, including the file
with the encrypted password (so anyone can change it). The encrypted
password is used for authentication, so anyone can administrate your EWS
also, by merely passing along the encrypted password. So it sounds
like once you install EWS, anyone on your machine can take it over.
In light of this, not much work has been done to figure out how to decrypt
the password, but apparently the first two letters of the encrypted password
are the same as the first two letters of the decrypted password.
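The first problem above is a permissions one, and it is cheap to catch: walk the install tree and flag every regular file that is writable by "other". The following is an added example, not EWS's code or anything it ships; the directory names, the fixture it builds under /tmp and the file name admin.passwd are all constructed for the demonstration.

```c
/* Added example (not EWS's or anyone's shipped code): audit an install tree
 * for regular files writable by "other", the mistake described above.
 * make_fixture() builds a constructed directory so this runs offline. */
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Recursively count regular files with the other-write bit set, printing
 * each one. Returns the count, or -1 if dir cannot be opened. */
int count_world_writable(const char *dir)
{
    DIR *d = opendir(dir);
    if (d == NULL)
        return -1;
    int found = 0;
    struct dirent *ent;
    while ((ent = readdir(d)) != NULL) {
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
            continue;
        char path[4096];
        snprintf(path, sizeof path, "%s/%s", dir, ent->d_name);
        struct stat st;
        if (lstat(path, &st) != 0)
            continue;                       /* unreadable entry: skip it */
        if (S_ISDIR(st.st_mode)) {
            int sub = count_world_writable(path);
            if (sub > 0)
                found += sub;
        } else if (S_ISREG(st.st_mode) && (st.st_mode & S_IWOTH)) {
            printf("world-writable: %s (mode %04o)\n", path,
                   (unsigned)(st.st_mode & 07777));
            found++;
        }
    }
    closedir(d);
    return found;
}

/* Create an empty file, then chmod it explicitly so the umask cannot hide
 * the bits we want to test. */
static int make_file(const char *dir, const char *name, mode_t mode)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return chmod(path, mode);
}

/* Constructed fixture: one properly protected page and one world-writable
 * credential file (the name "admin.passwd" is made up), the pattern the
 * item describes. Returns the root path, or NULL on failure. */
const char *make_fixture(void)
{
    static char root[64];
    char conf[96];
    snprintf(root, sizeof root, "/tmp/ews-audit-%ld", (long)getpid());
    if (mkdir(root, 0755) != 0)
        return NULL;
    snprintf(conf, sizeof conf, "%s/conf", root);
    if (mkdir(conf, 0755) != 0)
        return NULL;
    if (make_file(root, "index.html", 0644) != 0 ||
        make_file(conf, "admin.passwd", 0666) != 0)
        return NULL;
    return root;
}

int main(int argc, char **argv)
{
    /* Pass a real install directory as argv[1]; with no argument it audits
     * the constructed fixture. */
    const char *root = argc > 1 ? argv[1] : make_fixture();
    if (root == NULL)
        return 1;
    int n = count_world_writable(root);
    printf("%d world-writable file(s) under %s\n", n, root);
    return n == 0 ? 0 : 2;
}
```

The same check from a shell is `find <dir> -type f -perm -o+w`; the point of the C version is that a package's own post-install step can run it and refuse to finish when anything comes back.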
the iparty's over
iParty is an audio/text chat program for Windows (www.bumpkinland.com).
The server listens on a port (6004 by default) for client requests.
If you connect to this port and send a bunch of 0xFF (255) bytes, the server
shuts down and disconnects everyone who was on. Nothing is logged
and nobody else will know what happened.
exceed logs your password
Exceed (a utility to add X functionality to Windows) versions prior
to 6.1 were accidentally distributed with a special debugging version of
one of the libraries. If you use the remote tools (like rexec) it
will log your username and password into "test.log". You can fix
this by wiping test.log and marking it read-only, or by upgrading to 6.1.
platinum pcm crash
Platinum's Policy Compliance Manager (PCM) is a product that performs
checks on a system, making sure security policies are enforced. (I
assume this is an NT product, since no platform info was given.)
It can be installed on a bunch of different machines, and then a user can
use the PCM client to connect to these machines and initiate remote checks.
If you send too much data to the PCM agent port (1827), it will crash.
It may also be possible to cause it to execute code this way (buffer overflow).
This is an interesting "Who will guard the guardians?" type of situation.
(Or as some of us at Netscape put it: "Who will purify Purify?" -- after
one of our servers caused Purify to coredump.)
solaris x86 want cookie
The 'mkcookie' program (setuid root) on Solaris x86 copies the HOME environment
variable into a constant-sized buffer, causing yet another buffer overflow.
A compiler quirk keeps this from showing up on Solaris SPARC. 'mkcookie'
is used by X.
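The bug is the usual one: an environment value of unbounded length copied into a buffer of fixed size. Below is an added example, not mkcookie's code, showing that shape next to a bounded copy; the buffer size HOME_BUF and the function names are assumptions. It also shows the point specific to setuid programs: the environment comes from the unprivileged caller, so the home directory should be taken from the password database when the program is running with elevated privileges.

```c
/* Added example, not mkcookie's code: a fixed-size buffer filled from an
 * environment variable, in the unchecked shape the item describes and in a
 * bounded form. HOME_BUF and the function names are assumptions. */
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define HOME_BUF 256   /* assumed size of the "constant-sized buffer" */

/* The vulnerable shape: copies every byte of home, however long. When
 * strlen(home) >= HOME_BUF this writes past dst. Shown for contrast only;
 * nothing here calls it. */
void copy_home_unchecked(char dst[HOME_BUF], const char *home)
{
    strcpy(dst, home);
}

/* Bounded replacement: refuse a missing or oversized value rather than
 * truncating it silently. Returns 0 on success, -1 otherwise. */
int copy_home_checked(char *dst, size_t dstsz, const char *home)
{
    if (dst == NULL || dstsz == 0 || home == NULL)
        return -1;
    size_t n = strlen(home);
    if (n >= dstsz)                /* no room for the terminator */
        return -1;
    memcpy(dst, home, n + 1);
    return 0;
}

/* In a setuid program the environment is supplied by the unprivileged
 * caller, so derive the home directory from the password database and
 * only trust HOME when real and effective uid agree. */
int resolve_home(char *dst, size_t dstsz, const char *env_home)
{
    if (getuid() != geteuid()) {
        struct passwd *pw = getpwuid(getuid());
        return pw ? copy_home_checked(dst, dstsz, pw->pw_dir) : -1;
    }
    return copy_home_checked(dst, dstsz, env_home);
}

int main(void)
{
    char home[HOME_BUF];
    if (resolve_home(home, sizeof home, getenv("HOME")) != 0) {
        fputs("HOME unset or too long; refusing to continue\n", stderr);
        return 1;
    }
    printf("using home directory %s\n", home);
    return 0;
}
```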
bootpd hole
Bootp is a slightly aged protocol for letting unconfigured machines
boot up and retrieve their network configuration (and possibly their kernel)
from a local bootp server. The bootpd server that comes with many
Linux and BSD distributions has a bug where a client machine can give an
"htype" value much higher than any supported. It'll use that value
to jump into memory which may not exist. On most distributions, all
you can do with this is crash the bootpd server. On a few (OpenBSD
and BSDI), you could possibly run code.
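The htype field is one byte, so a client can send any value from 0 to 255, while a server only has handlers for a handful of hardware types; using the byte as an index without comparing it to the table size is what lets it "jump into memory which may not exist". The following is an added example, not bootpd's code: a small dispatch table keyed by hardware type (1 = Ethernet and 6 = IEEE 802 are the standard codes; the handlers themselves are constructed), with the check that was missing, plus a constructed request builder so the check can be exercised offline.

```c
/* Added example, not bootpd's code: dispatch a BOOTP request on its htype
 * field with a bounds check. The handler table and packets are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BOOTP_FIXED_LEN 236   /* RFC 951 fixed header, before the vendor area */
#define CHADDR_OFFSET   28    /* op, htype, hlen, hops, xid, secs, unused, 4 addrs */
#define CHADDR_MAX      16    /* size of the chaddr field */

typedef int (*htype_handler)(const uint8_t *chaddr, size_t hlen);

/* Constructed handlers: each checks that the address length matches its
 * medium and returns it, or -1 if it does not. */
static int handle_ethernet(const uint8_t *chaddr, size_t hlen)
{
    (void)chaddr;
    return hlen == 6 ? 6 : -1;
}

static int handle_ieee802(const uint8_t *chaddr, size_t hlen)
{
    (void)chaddr;
    return hlen == 6 ? 6 : -1;
}

/* Indexed by ARP hardware type: 1 = Ethernet, 6 = IEEE 802. Only seven
 * slots, while htype on the wire can be anything from 0 to 255. */
static const htype_handler handlers[] = {
    NULL, handle_ethernet, NULL, NULL, NULL, NULL, handle_ieee802,
};
#define NHANDLERS (sizeof handlers / sizeof handlers[0])

/* The unchecked shape is handlers[htype] with htype straight off the wire:
 * any value >= 7 reads past the table and calls whatever it finds. This
 * version refuses those values. Returns the validated hlen, or -1. */
int dispatch_htype(uint8_t htype, const uint8_t *chaddr, size_t hlen)
{
    if (htype >= NHANDLERS || handlers[htype] == NULL)
        return -1;                 /* unsupported hardware type */
    if (hlen == 0 || hlen > CHADDR_MAX)
        return -1;                 /* hlen must fit the chaddr field */
    return handlers[htype](chaddr, hlen);
}

/* Minimal request handling: the packet must hold the fixed header and
 * op must be BOOTREQUEST (1) before any field is trusted. */
int process_request(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < BOOTP_FIXED_LEN)
        return -1;
    if (pkt[0] != 1)
        return -1;                 /* not a BOOTREQUEST */
    return dispatch_htype(pkt[1], pkt + CHADDR_OFFSET, pkt[2]);
}

/* Constructed request builder for offline testing; the MAC is made up. */
size_t build_request(uint8_t *buf, size_t bufsz, uint8_t htype, uint8_t hlen)
{
    static const uint8_t mac[6] = {0x02, 0x00, 0x5e, 0x00, 0x00, 0x01};
    if (buf == NULL || bufsz < BOOTP_FIXED_LEN)
        return 0;
    memset(buf, 0, BOOTP_FIXED_LEN);
    buf[0] = 1;                    /* BOOTREQUEST */
    buf[1] = htype;
    buf[2] = hlen;
    buf[4] = 0x12; buf[5] = 0x34; buf[6] = 0x56; buf[7] = 0x78;   /* xid */
    memcpy(buf + CHADDR_OFFSET, mac, sizeof mac);
    return BOOTP_FIXED_LEN;
}

int main(void)
{
    uint8_t pkt[300];
    size_t n = build_request(pkt, sizeof pkt, 1, 6);
    printf("htype 1:   %d\n", process_request(pkt, n));
    n = build_request(pkt, sizeof pkt, 200, 6);
    printf("htype 200: %d\n", process_request(pkt, n));
    return 0;
}
```

Whether a bad index crashes the daemon or runs code depends on what happens to sit past the end of the table on a given build, which is why the same bug is a denial of service on most systems and worse on a few; the check above makes the question moot.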
What? No browser bugs this time?! Whoa...