Common Security Exploit and Vulnerability Matrix v2.0

finger / cfingerd / rusers:
- A version of finger is running that exposes valid user information to any entity on the network
- cfingerd lists all users; @host reveals users who have never logged in; 0@ reveals users who have never logged in; user@host@host redirection
- The Perl fingerd program allows arbitrary command execution from remote users
- Finger Server 0.82 allows remote attackers to execute commands via shell metacharacters
- fingerd in FreeBSD 4.1.1 allows remote attackers to read files by specifying the target file name
- Local user can link .forward, .plan, or .project and fingerd will read the linked file as uid 0 (i.e., read /etc/shadow file, etc.)
- cfingerd with ALLOW_EXECUTION enabled doesn't properly drop privileges, allows local users to gain root
- Buffer overflow in cfingerd allows local users to gain root privileges via a long GECOS field
- GNU fingerd
- rusers reveals logged-on users; the RPC service will leak remote user information, including source addresses of remote users

IIS / ASP:
- asp dot bug shows raw source
- IIS 5.0 and 4.0 allow remote attackers to read the source code by appending "%3F+.htr" to the requested URL
- IIS 4.0 and 5.0 allow remote attackers to obtain fragments of source code by appending a +.htr to the URL
- In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL
- IIS does not properly canonicalize URLs
- Remote attackers can read documents outside of the web root via malformed URLs that contain UNICODE encoded characters
- Directory traversal vulnerability in IIS 5.0 allows remote attackers to execute commands by encoding .. (dot dot) and "\" characters twice
- IIS allows users to execute arbitrary commands using .bat or .cmd files
- IIS 3.0 admin script (*.asp), later included in IIS 4.0 and 5.0, allows remote attackers to cause a DOS
- An ASP script can capture domain passwords via the AUTH_PASSWORD variable
- Script access permissions (IIS 3.0 and misconfigured IIS 4.0 servers); attackers can run commands as SYSTEM if the server is running as SYSTEM
- IIS 4.0 and 5.0 do not properly perform ISAPI extension processing if a virtual directory is mapped to a UNC share
- Buffer overflow in Internet Printing ISAPI extension in Windows 2000 allows remote attackers to gain root
- IIS 4.0 buffer overflow allows remote attackers to cause DOS via a malformed request for files with .HTR, .IDC, or .STM extensions
- IIS 4.05 and 5.0 allow remote attackers to cause a DOS via a long, complex URL that appears to contain a large number of file extensions
- IIS 4.0 and 5.0 with IISADMPWD allow a remote attacker to cause a DOS via a malformed request to the inetinfo.exe program
- By default, IIS 4.0 has a virtual directory /IISADMPWD that contains files which can be used as proxies for brute force password attacks, or to identify valid users on the system
- FrontPage Server Extensions (FPSE) in IIS 4.0 and 5.0 allow remote attackers to cause a DOS via a malformed form (fpcount.exe)
- DOS in IIS 4 with scripts from the ExAir sample site
- Vulnerability in NT 4.0 allows remote attackers to DOS IIS by sending it a series of malformed requests
- DOS in IIS 4.0 via a flood of HTTP requests with malformed headers
- Denial of service in IIS using long URLs
- IIS 4.0 allows attackers to cause a DOS by requesting a large buffer in a POST or PUT command
- IIS 5.0 allows remote attackers to cause a DOS via a series of malformed WebDAV requests
- The Microsoft MS00-060 patch for IIS introduces an error which allows attackers to cause a DOS
- When IIS is run with a default language of Chinese, Korean, or Japanese, it allows a remote attacker to view the source code of certain files
- Race condition in the SSL ISAPI filter in IIS and other servers may leak information in plaintext
- The WebHits ISAPI filter in Microsoft Index Server allows remote attackers to read files
- The CiWebHitsFile component in Microsoft Indexing Services for Windows 2000 allows remote attackers to conduct a CSS attack
- A misconfiguration in IIS 5.0 with Index Server enabled and the Index property set allows remote attackers to list directories
- FTP service in IIS 5.0 allows remote attackers to DOS via a wildcard sequence that generates a long string when it is expanded
- IIS FTP servers may allow a remote attacker to read or delete files on the server, even if they have 'No Access' permissions
- FTP service allows remote attackers to enumerate Guest accounts by preceding the username with a sequence of characters
- A buffer overflow in the FTP list (ls) command
- MDAC / JET: The RDS DataFactory component of MDAC in IIS 3.x and 4.x exposes unsafe methods, allowing remote attackers to execute commands; RDS ASP pages can access files not in the web root (allow parent paths); ODBC requests can be tunnelled through IIS (ODBCJT32.DLL) to bypass firewalls; Microsoft JET 3.5X: a web document can execute commands on the client workstation

Apache:
- The default configuration of Apache 1.3.12 in SuSE Linux 6.4 enables WebDAV
- A default configuration of Apache on Debian Linux sets the ServerRoot to /usr/doc
- The Apache 1.3.x HTTP server for Windows allows remote attackers to list directory contents
- mod_rewrite in Apache 1.3.12 and earlier allows remote attackers to read files if a RewriteRule directive is expanded
- Apache httpd cookie buffer overflow for versions 1.1.1 and earlier
- A virtual site can access other virtual sites' content
- The source.asp example in Apache::ASP 1.93 and earlier allows remote attackers to modify files
- PHP Apache module 4.0.4 and earlier: bypass of .htaccess access restrictions
- The default configuration of Cobalt RaQ2 and RaQ3 allows remote attackers to view contents of a .htaccess file

CGI scripts:
- phf: execute arbitrary commands from remote; get root on server
- test-cgi, nph-test-cgi: list files anywhere
- formmail cgi, anyform cgi, guestbook: execute commands via shell metacharacters in a URL
- cachemgr.cgi: will proxy port connections unauthenticated; cachemgr_passwd command
- cgi-shl/win-c-sample.exe (Website Server, directly located in /cgi-bin): buffer overflow; (http://XXX.XXX.XXX.XXX/........ ..(and so on..../)) causes the webserver to crash
- (http://<yourIP>/.html/............/config.sys) read any file

Allaire / Cold Fusion:
- Read any file: http://host/GetFile.cfm?FT=Text&FST=Plain&FilePath=C:\*.*
- //CFDOCS/expeval: upload and run any code via uploader.exe
- Cold Fusion CFCACHE tag places cache files in the web root
- Allaire Forums
- The Allaire Spectra Configuration Wizard allows DOS by repeatedly resubmitting data collections for indexing via a URL
- Servlet examples in Allaire JRun 2.3x allow remote attackers to obtain sensitive information
- JSP sample files in Allaire JRun 2.3x allow remote attackers to access files or obtain config information

Other web servers and proxies:
- iCat Carbo Suite: read any file: http://host/carbo.dll?icatcommand=..\..\* (NT/Unix)
- Alibaba: ../..* any file
- Bay Networks Annex: read any file on the system through numerous buffer overflows (http://annex.www.server/ping?query=<buffer>)
- The web administration interface for IBM AS/400 Firewall allows remote attackers to cause a DOS via an empty GET request
- Cheyenne ArcServe stores a cleartext password in test.log
- Wingate: proxies port connections unauthenticated; has a blank password; send user#999999 overflow; can connect to itself causing DoS; read any file on the system via redirection (http://www.server.com:8010/c:/ - NT/Win9x; http://www.server.com:8010// - NT/Win9x; http://www.server.com:8010/..../ - Win9x)
- Port redirection: can bounce TCP sessions; FSP is a commonly used tool in the underground to move illicit files. This is suspicious.

Client side (ActiveX, Office, scripting):
- Excel: the CALL statement can call any DLL function; the Excel Scripting Engine can use the shell() VBA command (Excel Document *.xls)
- Forms 2.0 Control (/winnt/system32/fm20.dll) ActiveX can paste the user's clipboard
- ActiveMovie (/winnt/system32/msdxm): overflow of the filename window allows trojan files to be executed
- Microsoft Scripting Runtime (/winnt/system32/sccrun.dll) FileSystemObject (Scripting.FileSystemObject, OpenTextFile): can view any file on the target and alter the filesystem
- Outlook 98/Express
- Screen Saver (*.scr): certain versions of NT run the screensaver under SYSTEM; can add a normal user to the admin group
- Dr. Watson log file may contain passwords/keys, e.g. <EXCH-VERIFY>: ExchAuthenticate() called with NTServerName:[KBJV_SRV1] NTDomainName[KBJV_PERTH] adminMailbox:[xxxxxx] adminLoginName:[xxxxxx] password:[xxxxxx]
- CIFS challenge: dictionary crack of the password hash
- SLMail: accounts registry key set world-writable (HKLM\Software\Seattle Lab\SLMail\Users)

ICQ / IRC clients:
- Password is stored in cleartext and the file is world readable (ICQ\NewDB\uin#.dat); password is sent in cleartext
- ICQ packet leaks internal IP addresses on multi-homed machines; sequence numbers are easily guessable
- Buffer overflow in ICQ; file:///aux DoS
- Buffer overflow in micq client 0.4.6 allows DOS and possible execution of arbitrary commands
- Buffer overflow in logging functions of licq before 1.0.3 allows DOS and possible execution of arbitrary commands
- kicq IRC client 1.0.0 allows remote attackers to execute commands via shell metacharacters in a URL

Remote control (PC Anywhere, Carbon Copy, Terminal Server, Back Orifice, Netbus):
- Password/session/audio/video/keystroke sniffing
- Third packet during setup contains cleartext username/password
- Carbon Copy: runs as the interactive user; download any file
- Trojans: replace a trusted relative path with a Trojan, exec

SSH:
- Some SSH installations will give potential attackers the SSH version, key sizes, and encryption method used
- The default configuration of SSH allows X forwarding, allowing control of a client's X sessions via a malicious xauth program; users are allowed to bind to privileged ports
- OpenSSH SSH client before 2.3.0 does not properly disable X11 or agent forwarding
- OpenSSH does not properly drop privileges with the UseLogin option, which allows local users to execute commands
- The SSH authentication agent follows symlinks via a UNIX domain socket
- CORE SDI SSH1 CRC-32 compensation attack detector allows remote attackers to execute commands on an SSH server
- An SSH 1.2.27 server allows a client to use the "none" cipher, even if it is not allowed by the server policy
- Buffer overflow in the kdc_reply_cipher function allows remote attackers to cause a DOS and possibly execute commands
- ssh-keygen in ssh 1.2.27 - 1.2.30 with Secure-RPC can allow local attackers to recover a SUN-DES-1 magic phrase generated by others
- A race condition in the authentication agent mechanism of sshd 1.2.17 allows an attacker to steal another user's credentials
- Implementations of SSH version 1.5 allow a remote attacker to decrypt and/or alter traffic via a "Bleichenbacher attack" on PKCS#1 version 1.5
- SSH 1.2.25 on HP-UX allows access to new user accounts
- Stolen credentials from SSH clients via the ssh-agent program, allowing other local users to access remote accounts belonging to the ssh-agent user
- Cisco Catalyst switches allow remote attackers to DOS by connecting to the SSH service, which generates a protocol mismatch error
- A FreeBSD patch for SSH configures ssh to listen on port 722, allowing remote attackers to access SSH through port 722

sendmail / SMTP:
- Read any file: ( sendmail -oEfilename_to_read )
- sendmail -d bug gets root: ( sendmail -d3294967296 )
- MIME buffer overflow, get root; local user GECOS overflow, get root; sendmail buffer overflow
- DEBUG mode allows remote execution of commands as root; Wizard mode backdoor gives root
- Aliases piped to programs; decode alias pipes mail through uudecode and creates files
- EXPN can be used to find the destination addresses of aliases and lists; VRFY can be used to identify valid user accounts; VRFY overflow, denial of service
- EHLO command will reveal which extended SMTP commands are accepted by the server
- DOS by sending incomplete send/vrfy/expn/mail from:/rcpt to: commands
- Mail relaying allows anonymous spamming; mail can be forged from any address
- Mail to program: bounced mail with a piped FROM (RCPT TO: |<program>), ( MAIL FROM: |/bin/sed'1,/^$/d|/bin/sh ) executes remote code
- If the username is a filename, backtick attack executes arbitrary commands; can mail to a file
- Inserting newlines into queue files causes arbitrary commands to be run
- REHUP attack causes any program to be run as root
- Link /var/tmp/dead.letter to any file and it appends data (get root on the system locally via /etc/passwd)
- Majordomo 'REPLY TO:' backtick attack
- Cmail 2.3 pseudoencrypts passwords into the user.db file; a long password string causes a reload
- named in BIND 8.2 through 8.2.2-P6 allows remote ...

syslog:
- syslogd crashes if a DNS record doesn't exist for the declared host; Solaris syslogd crashes when receiving a message from a host that doesn't have an inverse DNS entry
- DOS in Linux syslogd via a large number of connections
- Overflow the syslog() function and get root
- Cisco IOS 12.0 and others can be crashed by malicious UDP packets to the syslog port
- An attacker can write to syslog files from any location, causing a DOS by filling up the logs and hiding activities

Livingston RADIUS: can sniff RADIUS client/server interaction and recover the shared secret

3Com: default accounts monitor/monitor, manager/manager, admin/<blank>, security/security; Guest account has a blank password

Ascend: can force a maximum of 2 sessions to stay open, after which it will no longer accept TCP connections
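The IIS entries above (Unicode and double-encoded traversal, +.htr, %3F+.htr and ::$DATA source disclosure) all come down to the server checking a URL before it has finished canonicalizing it. The following is an added example, not part of the poster: a log-side classifier that decodes a request-URI the way the vulnerable IIS decoder did (two percent-decoding rounds, overlong UTF-8 folded to ASCII, backslashes normalised) and then applies the check. The sample request lines are constructed for this example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_to_bytes

# Constructed sample request-URIs (not taken from the poster), written as they
# would appear in a web server log.
SAMPLE_REQUESTS = [
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",     # overlong UTF-8 "/"
    "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir",  # double-encoded "\"
    "/default.asp%3F+.htr",                                  # .htr source disclosure
    "/default.asp+.htr",
    "/default.asp::$DATA",                                   # NTFS stream source disclosure
    "/products/list.asp?id=5",                               # benign
]

def _fold_overlong_utf8(data: bytes) -> bytes:
    """Collapse two-byte overlong UTF-8 sequences (e.g. C0 AF) to the ASCII byte
    they encode, as the vulnerable IIS decoder did; other bytes pass through."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)

def canonicalize(uri: str, rounds: int = 2) -> str:
    """Percent-decode the path repeatedly (two rounds reproduce the IIS
    double-decode flaw), fold overlong UTF-8 and normalise backslash to slash."""
    raw = uri.split("?", 1)[0].encode("latin-1", "replace")
    for _ in range(rounds):
        raw = unquote_to_bytes(raw)
    raw = _fold_overlong_utf8(raw)
    return raw.decode("latin-1").replace("\\", "/")

def escapes_webroot(path: str) -> bool:
    """True if the canonical path climbs above the virtual root at any point."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

# Suffixes that made IIS hand the script source to the .htr handler or to the
# NTFS data stream instead of the ASP interpreter.
SOURCE_DISCLOSURE = re.compile(r"(?:%3f)?\+\.htr$|::\$DATA$", re.IGNORECASE)

def classify(uri: str) -> Optional[str]:
    """Attack class for one request-URI, or None when it looks benign."""
    path = uri.split("?", 1)[0]
    if SOURCE_DISCLOSURE.search(path):
        return "source-disclosure"
    if escapes_webroot(canonicalize(uri)):
        return "traversal"
    return None

def scan(requests: List[str]) -> Dict[str, Optional[str]]:
    return {r: classify(r) for r in requests}

if __name__ == "__main__":
    for uri, verdict in scan(SAMPLE_REQUESTS).items():
        print(f"{verdict or 'ok':<18} {uri}")
```

The order of operations is the point: `escapes_webroot` is only meaningful on the output of `canonicalize`, and a filter that looks for a literal ".." in the raw URI misses both the %c0%af and the %255c forms.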
FTP servers (wu-ftpd, ProFTPD, WFTPD, EFTP, Serv-U, BSD ftpd, AIX ftpd, NetBSD ftpd):
- Buffer overflows in wuarchive ftpd (wu-ftpd) and ProFTPD lead to remote root access
- Buffer overflow in WU-FTPD allows remote attackers to gain root via MAPPING_CHDIR
- The reply function in wu-ftpd 2.6.0 and earlier does not properly cleanse an untrusted format string
- Format string vulnerability in wu-ftp 2.6.1 allows remote attackers to execute arbitrary commands
- wu-ftp with FTP conversion enabled: the tar command can be made to execute arbitrary commands (tar exec; chmod on the ftp root)
- SITE EXEC command: execute arbitrary commands
- CWD overflow (~4000 chars): execute code as the server process; the server can be made to give root via a series of MKD and CWD commands
- FTP PASV core dump in the wu-ftpd daemon when an attacker uses a QUOTE PASV command; dump core and see a cached copy of the /etc/shadow file; CWD ~root to get a core file, which has shadowed password hashes; if /core already exists, its permissions are retained; if it coredumps, the core has encrypted passwords
- QUOTE CWD command to get the actual filesystem path to the ftp directory
- One-byte buffer overflow in the replydirname function in BSD-based ftpd allows remote attackers to gain root
- Buffer overflow in AIX ftpd in the libc library
- ftpd in NetBSD 1.4.2 does not properly parse entries in /etc/ftpchroot and does not chroot the specified users
- Buffer overflow in WFTPD: 253 byte password buffer copied into 128 byte stack buffer
- Buffer overflow in EFTP allows remote attackers to cause a DOS by sending a string that does not contain a newline; EFTP allows an attacker to execute commands via a malformed file name; LIST command dump
- Serv-U FTP 2.5 allows commands to be executed from remote; anonymous user can rename files using RNFR
- postinst installation script for Proftpd in Debian 2.2 does not properly change the "run as uid/gid root" configuration
- PASV DOS: consume all connections; many FTP servers will open data ports in sequential order, making it easier to hijack PASV connections; PASV hijacking steals files and directory listings
- FTP Bounce Attack: read any file, bounce http, bounce TCP connections
- Incorrectly configured ftp servers will allow users write access to directories; anonymous FTP access; can 'cd ...' to the unexported parent filesystem
- FTP password file may contain hashes; can brute force passwords without logging
- Firewall-1 does not properly restrict PASV; Firewall-1 allows remote attackers to bypass port access restrictions on an FTP server by misinterpreting the client's PASV attempt

Citrix Winframe: /usr/lib/ICAClient/config mode 777 or ~/.ICAClient mode 755

Linux (local):
- insmod: if a fully qualified path is not supplied, insmod will search the local and /lib/modules directories for the module, possibly resulting in a non-root module being loaded into memory (user supplied trojan)
- klogd in Linux does not properly cleanse user-injected format strings
- The pt_chown command in Linux allows local users to modify others' TTY devices
- svgalib (B-DASH): execute local code
- /usr/sbin/crond

Windows NT:
- RASMAN.EXE: the RAS API has several buffer overruns, which can cause hostile code to be executed (post SP5 hotfix)
- GUEST account allows liberal access
- Password/hash sniffing (L0phtcrack sniffer)

Cistron RADIUS: incorrect accounting messages cause DOS

syslog:
- /var/adm/SYSLOG contains the names of invalid logins and is world readable
- Balabit syslog-ng allows remote attackers to cause a DOS via a malformed log message

OpenBSD: format string vulnerability in the fstat program allows local users to gain root via the PWD environmental variable

HP:
- HP Jet Direct printers allow remote attackers to cause a DOS via a malformed ...
- Buffer overflow in the OverView5 CGI program in HP OpenView NNM 6.1 allows DOS and possibly execution of commands
- The snmpd.conf config file for snmpd in HP-UX 11.0 is world writable

SNMP:
- SNMP read community 'public', SNMP write community 'write' by default; default 'public' write community
- Any SNMP user can read the community strings of other users, therefore getting full write access to the SNMP database
- NT SNMP: dump all usernames in the domain; delete all WINS records
- Ascend: can set the 'sysConfigTftp' variables to allow remote ftp of the Ascend configuration, including download of the telnet password, RADIUS and OSPF keys, and users' numbers/passwords
- dbsnmp in Oracle Intelligent Agent allows local users to gain privileges by setting the ORACLE_HOME environmental variable

Ascend: a specially formed packet to UDP port 9 causes the Ascend to lock up

Real Media Server: cleartext password stored in the world readable file /usr/local/rmserver/rmserver.cfg; creating files with a '/' slash in the filename can lead to DoS (i.e., the tmp file to be deleted is named /etc/passwd)

LDAP:
- Exchange LDAP Bind Request buffer overflow: the LDAP bind function in Exchange 5.5 has a buffer overflow allowing DOS or execution of commands
- Buffer overflow in Lotus Notes LDAP allows an attacker to conduct a DOS through the ldap_search request
- Linux OpenLDAP server allows local users to modify files via a symlink attack
- nss_ldap earlier than 121, when run with nscd, allows remote attackers to cause a DOS via a flood of LDAP requests
- Shiva Access Manager 5.0.0 stores the root DN name and password in cleartext
- Imail 4.06: LDAP buffer overflow; access to LDAP attributes

POP / IMAP:
- imapd: get remote root via [AUTHENTICATE] overflow
- Buffer overflow in University of Washington's implementation of IMAP and POP servers
- Buffer overflow in the pop-2d POP daemon in the IMAP package allows remote attackers to gain privileges via the FOLD command
- Buffer overflow in POP servers based on BSD/Qualcomm's qpopper allows remote attackers to gain root using a long PASS command
- Qpopper 2.53 and earlier allows local users to gain privileges via a formatting string in the From: header, which is processed by the euidl command
- ipop3d

NTP: NTP will leak internal system information to potential attackers; buffer overflow in the ntpd daemon 4.0.99k and earlier allows remote attackers to cause a DOS and possibly execute commands

NFS:
- Can supply a 32 bit UID to a 16 bit UID server, get root
- NFS allows users to use a "cd .." command to access other directories besides the exported file system
- Remote attackers can mount an NFS file system in Ultrix or OSF, even if it is denied on the access list
- In SunOS, NFS file handles could be guessed, giving access to the exported file system; pseudo random file handles can be guessed, remote access gained
- Export lists larger than 256 characters; exported .rhosts or .rc files
- NFS mknod bug: /dev/hd[abcd...] disk devices world readable (get any file)
- Buffer overflow in the NFS server on Linux allows attackers to execute commands via a long pathname
- The knfsd NFS server in Linux kernel 2.2.x allows remote attackers to cause a DOS via a negative size value
- FreeBSD allows local users to conduct a DOS by creating a hard link from a device special file to a file on an NFS file system
- amd does not honor the nodev option for NFS file systems; can overwrite /etc/shadow
- Irix nsd filesystem can be mounted via NFS; this directory can leak passwords and state information about NIS requests
- Local users can get root

NIS / portmapper / RPC services:
- rpc.bootparamd can be tricked into giving out the NIS domain name, and attackers can use this to get NIS password maps
- rpcbind: some versions of rpcbind will listen on ports other than 111, and possibly defeat any firewall port filtering
- portmapper can be used to find vulnerable RPC services; the portmapper may act as a proxy and redirect service requests from an attacker; pmap_call to bounce remove/add requests; UDP spoofing allows an attacker to register/unregister services from the portmapper; a remote user can impersonate any user except root
- rpc.mountd: lack of authentication allows remote access to the target; an attacker can enumerate files on the remote host by analyzing error codes
- rpc.pcnfsd in HP gives remote root by changing the permissions on the main printer spool directory; pr_cancel buffer overflow executes arbitrary commands as root from remote; local users can chmod arbitrary directories
- Linux rpc.statd does not properly cleanse untrusted format strings, allowing remote attackers to gain root
- rpc.rexd: remote users can execute commands from remote as root
- rpc.rquotad: the quota service will give a potential attacker information about NFS mounted file systems
- rpc.ttdbserver: overflow the stack and execute commands as root
- rstatd leaks information about system configuration; the mapid() call reveals the list of users on the system
- rpc.admind, rpc.ugidd, autofs / automountd

X.25: X.25 gateways are often targets of attack. X.25 PADs should have access controls

3Com HiPer Arc cards: a spoofed chargen source to localhost's echo port causes DOS

Firewall-1:
- By default, all ICMP (except echo redirect), RIP (UDP 520), and DNS (UDP/TCP 53) are allowed over the firewall
- Portscanning will fill up connection buffers
- Firewall-1 3.0 and 4.0 leak packets with private IP address information
- FireWall-1 4.1 with a limited-IP license allows remote attackers to cause a DOS by sending a large number of spoofed IP packets
- PIX Private Link: the 56 bit key VPN solution has only an effective 48 bit key

Cisco IOS and Cisco Resource Manager:
- "service password-encryption" uses trivial encryption and can be decrypted
- access-list parser does not work, which may allow all TCP traffic over the firewall
- The IOS HTTP service in Cisco routers and switches allows DOS by requesting a URL that contains a %% string
- Cisco Resource Manager 1.0/1.1 stores logins/passwords in world readable files: /var/adm/CSCOpx/files/schedule/job-id/swim_swd.log, C:\Program Files\CSCOpx\files\schedule\job-id\swim_swd.log, /tmp/dbi_debug.log, C:\Program Files\CSCOpx\temp\dbi_debug.log, /tmp/DPR_*, C:\Program Files\CSCOpx\temp\DPR_*

PPP / dial-up:
- Broken CHAP authentication; communications are not encrypted; the protocol can be replayed; no authentication on modules; established unauthorized PPP connection
- Router will identify its symbolic name in response to a special probe

su / ident:
- When su is successful, the shell's dot file (i.e., .cshrc) will be executed (tcsh, bash). If a user can write to another user's dot file, then it is possible to get elevated privileges (even root)
- Lack of trapping of SIGINT results in no logging of invalid su attempts (must send ^C before syslog occurs)
- ident: an attacker can use ident to determine which account processes are running under

Irix fsdump: fsdump can be used to change the permissions on any file to those of a local user, hence get root via the passwd file (/var/rfindd/fsdump -L/etc/passwd -F/tmp/dump /)

Solaris / SunOS local:
- /bin/eject: execute local code as root (SunOS)
- /usr/lib/fs/ufs/ufsdump and /usr/lib/fs/ufs/ufsrestore: execute local code as root (Solaris)
- admin-v1.2 follows symlinks in /tmp, munge any file
- sdtcm_convert
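Two FTP entries above are protocol-level rather than bugs in one server: the FTP bounce attack (a client's PORT command names a third host, so the server opens a data connection there) and PASV hijacking (servers that hand out data ports in sequential order let a third party guess the next one and connect first). The following is an added example, not part of the poster: a parser for the shared h1,h2,h3,h4,p1,p2 encoding, a server-side PORT check that refuses bounces, and a client-side check that flags sequential PASV ports. All replies, addresses and commands are constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" replies and "PORT h1,h2,h3,h4,p1,p2"
# commands use the same six-number address/port encoding (RFC 959).
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text: str) -> Tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 tuple; the port is p1*256 + p2."""
    m = HOSTPORT_RE.search(text)
    if not m:
        raise ValueError(f"no host/port tuple in {text!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range in {text!r}")
    host = ".".join(str(n) for n in nums[:4])
    return host, nums[4] * 256 + nums[5]

def reject_port_command(port_arg: str, control_peer: str, min_port: int = 1024) -> Optional[str]:
    """Server-side bounce defence: a PORT command must point back at the client
    that owns the control connection, and at an unprivileged port.  Returns the
    reason to refuse the command, or None if it is acceptable."""
    host, port = parse_hostport(port_arg)
    if host != control_peer:
        return f"bounce attempt: PORT address {host} != control peer {control_peer}"
    if port < min_port:
        return f"privileged data port {port}"
    return None

def pasv_ports_predictable(replies: List[str], window: int = 3) -> bool:
    """Client-side check for PASV hijacking: if the last `window` data ports the
    server handed out are consecutive, a third party can guess the next one."""
    ports = [parse_hostport(r)[1] for r in replies]
    if len(ports) < window:
        return False
    recent = ports[-window:]
    return all(b - a == 1 for a, b in zip(recent, recent[1:]))

# Constructed sample traffic (not captured from a real server).
SEQUENTIAL_PASV = [
    "227 Entering Passive Mode (192,0,2,10,4,1).",
    "227 Entering Passive Mode (192,0,2,10,4,2).",
    "227 Entering Passive Mode (192,0,2,10,4,3).",
]
RANDOM_PASV = [
    "227 Entering Passive Mode (192,0,2,10,4,1).",
    "227 Entering Passive Mode (192,0,2,10,200,17).",
    "227 Entering Passive Mode (192,0,2,10,31,9).",
]
CONTROL_PEER = "192.0.2.55"          # address the client's control connection came from
PORT_COMMANDS = [
    "198,51,100,7,0,25",   # third host, port 25: classic bounce to an SMTP server
    "192,0,2,55,0,25",     # right host, privileged port
    "192,0,2,55,4,1",      # legitimate
]

if __name__ == "__main__":
    print("sequential PASV predictable:", pasv_ports_predictable(SEQUENTIAL_PASV))
    print("random PASV predictable:", pasv_ports_predictable(RANDOM_PASV))
    for cmd in PORT_COMMANDS:
        print(f"PORT {cmd}: {reject_port_command(cmd, CONTROL_PEER) or 'accepted'}")
```

The PORT check is what closes the bounce attack on the server side; the PASV check only detects the precondition for hijacking, since the real fix (randomised data ports) has to happen in the server.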
NETBIOS client in Windows 95 and 98 allows a remote
attacker to DOS by changing a file sharing service
(must send ^C before syslog occurs) via passwd file. (/var/rfindd/fsdump -L/etc/passwd
from remote as root
-F/tmp/dump /) rpc.ugidd Cisco Secure PIX Firewall does

multivariable snmp
not properly identify forged TCP
Reset (RST) packets
automountd allows users File and Print Sharing service in Windows allows IP Packet ICMP
getnext request causes crash /var/rfindd/fsdump arrayd.auth rpc.selection_svc to gain privileges via shell
metacharacters
remote attackers to bypass share access controls
can get usernames from remote Mailguard in Cisco Secure PIX Firewall
By default, arrayd does not
repeated connection attempts 5.2(2) and earlier does not properly Classic Cisco IOS 9.1 and later allows attackers
authenticate, allowing any remote rpc.statd allows remote attackers
lock out other sessions
midikeys is setuid and can
user to become root on the host. Remote attacker can read
restrict access to SMTP commands
to forward RPC calls to the local to obtain portions of the command history of previous users ConSeal
midikeys be used to read any file on
Irix arrayd
any file on system
rpc.walld
OS via the SM_MON and SM_NOTIFY
Gauntlet
send raw postscript to printer -
cause printing the system
Cisco Secure PIX Firewall 5.2(2) allows
remote attackers to determine the real IP
commands Cisco Gigabit Switch routers running IOS PC Firewall
address of a target FTP server
allow forwarding of unauthorized packets
dtprintinfo Firewall 5.0
PS1 environment variable
../..* Any File Remote attacker can flood Directory traversal vulnerability in dtappgather Cisco IOS 11.x and 12.x allows DOS by sending
the ENVIRON option before it is ready to accept it, flood overloads
users with messages PHPix Photo Album 1.0.2 allows
a buffer overflow in the font path can causing reboot machine
remote attackers to read files via execute local code ICMP_PARAMPROB packets
lead to a root compromise a .. (dot dot) attack Doesn't check whether The HTTP server in Cisco IOS 12.0 through as root (Solaris) with invalid IP protocol & options
fdformat execute local code as root /var/dt/appconfig/appmanager/
(SunOS) bash rpc.sprayd generic-display-0 is a symlink
12.1 allows local users to cause a DOS via a will cause firewall to hang
rpc.ypupdated Cisco PIX firewall manager on Windows NT and will chown() it to the user—
URL containing a "?/" string
eeprom PIX Firewall
allows attackers retrieve any file whose name local user gets root. Cisco switches and routers producing
ff.core /usr/bin/lpstat Llocal user gets root \377 serves as unintended and location is known
predictable TCP ISNs, which allows remote
Tripwire® data integrity assurance
(lpstat -c <buffer>) '\w' causes command separator
(defeat cgi filters)
Sprayd will help an attacker build
a denial of service attack
execute commands attackers to spoof or hijack TCP connections Firewall-1
...solutions establish a baseline of data in its desired state, detect and report any changes to the baseline, and enable rapid discovery and remediation when an undesired change occurs. In this way Tripwire provides the foundation for data security and ensures a safe, productive and stable IT environment. Tripwire detects change, whether accidental or malicious, from outside or within, and is the only way you can know for certain that your data is safe and your systems remain uncompromised. Tripwire software is used for: intrusion detection, file integrity assessment, damage discovery, change/configuration management, system auditing and policy compliance.

Matrix entries from this region of the poster. The column grid was lost in extraction, so each entry is given as "service or file: weakness"; cells whose row could not be re-associated are listed as fragments at the end.

Shells and setuid programs
bash: The prompt parsing in bash allows a local user to execute commands as another user by creating a directory with the name of the command to execute.
bash: Bash treats any character with a value of 255 as a command separator.
expreserve: executes /bin/mail as root. Change the IFS environment variable (IFS=/) to cause your own file to be run (/bin/mail becomes ./bin ./mail).
/sbin/suid_exec: suid_exec will execute shell dot files (i.e., .cshrc), enabling a user to get root on the system.
midikeys: midikeys is setuid and can be used to read any file on the system.
/hw/tape: the tape device under Irix will often be mode 666, enabling any user to restore any file from the tape (and possibly the /etc/shadow file).

RPC services
rpc.pcnfsd: Local users can chmod arbitrary directories.
rpc.cmsd: execute remote code as root (SunOS).
rpc.statd: Buffer overflow in statd allows remote users to execute arbitrary commands as root.
rpc.statd: can redirect rpc calls through rpc.statd and bypass the security of other rpc services.
rpc.statd: Delete or create a file via rpc.statd, due to invalid information ... (cell truncated in extraction).
rpc.statd: rpc.statd in the nfs-utils package in various Linux distributions does not properly cleanse untrusted format strings.
rpc.ypupdated: A remote user can execute commands as root.

Network stack, daemons and network devices
inetd: A SYN followed by a RST TCP packet causes inetd to crash.
ipop2d: Execute arbitrary code from remote.
Linux Kernel: invalid IP options cause a seg fault.
tcpip stack: Invalid fragmentation causes the network stack to fail. Syn Flooding.
IP sequence numbers are easily guessed.
ICMP can be used to determine internal netmasks.
ICMP can be used to determine the system time on a remote machine.
firewall: doesn't perform stateful inspection on ICMP (attackers can inject ICMP into the target network).
netstat: netstat will give away network state information to an attacker.
Cisco WCCP: no authentication in web caching allows an intruder to intercept all HTTP requests.

Files holding credentials
Citrix Winframe: stores a pseudoencrypted password in /usr/lib/ICAClient/config (mode 777) or in ~/.ICAClient (mode 755).
Program Files/Microsoft BackOffice/Reboot.ini: Contains cleartext passwords.

Fragments whose row could not be recovered (device names that appear in this region: Cisco Catalyst Switch, Bay Networks, Ascend Max MAX4002, MAX4004, MAX4048 and MAX 4072; service names with no surviving exploit text: ffbconfig, IP Header):
"/var/dt/appconfig/app" (path truncated in extraction)
"buffer overflow as root from remote"
"FIN fragments can ..."
"default no password on user manager/generic-display-0"
"DOS over ..."
"default password of 'NetICs'"
"User can request any IP address, ..."
"Login larger than 256 characters"
"causes reboot"
"sending CR causes reboot"
"Get Remote Root via [FOLD] overflow"
"... will be rebroadcast into routing table, can take out DNS server, router, whatever. Also exploit IP based trust relationships and possibly cause the indirect poisoning of BGP routing table"
"../..* Any File"
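The baseline, detect and report loop described above, as an added example in C that is not Tripwire's code: it records size, permission bits and a content digest for a list of files, re-checks them later and reports which attribute changed. The sample files are constructed inline. The digest is 64-bit FNV-1a, an assumption made only to keep the example short; a real tool must use a cryptographic hash such as SHA-256, since an attacker can craft FNV collisions, and would also track owner, inode and timestamps.

```c
/* Added example, not Tripwire's code: a minimal file-integrity baseline that
 * records size, permission bits and a content digest per file, then re-checks
 * and reports which attribute changed. Assumption: 64-bit FNV-1a stands in for
 * a cryptographic digest to keep the block short; a real tool must use SHA-256
 * or similar, because an attacker can craft FNV collisions. */
#define _XOPEN_SOURCE 700
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define PATHLEN 256
#define FNV_OFFSET 0xcbf29ce484222325ULL
#define FNV_PRIME  0x100000001b3ULL
enum { CH_MISSING = 1, CH_SIZE = 2, CH_PERM = 4, CH_CONTENT = 8 };   /* change flags */

typedef struct {
    char path[PATHLEN];
    off_t size;
    mode_t perm;       /* permission bits only: st_mode & 07777 */
    uint64_t digest;   /* FNV-1a 64 of the file contents */
    int present;       /* 0 if the file could not be stat'ed or read */
} entry_t;

uint64_t fnv1a64_update(uint64_t h, const unsigned char *buf, size_t n) {
    for (size_t i = 0; i < n; i++) { h ^= buf[i]; h *= FNV_PRIME; }
    return h;
}
static int digest_file(const char *path, uint64_t *out) {
    unsigned char buf[4096];
    uint64_t h = FNV_OFFSET;
    size_t n;
    FILE *f = fopen(path, "rb");
    if (!f) return 0;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0) h = fnv1a64_update(h, buf, n);
    fclose(f);
    *out = h;
    return 1;
}
/* Record the current state of one path; returns 1 on success. */
int snapshot(const char *path, entry_t *e) {
    struct stat st;
    memset(e, 0, sizeof *e);
    snprintf(e->path, sizeof e->path, "%s", path);
    if (stat(path, &st) != 0 || !digest_file(path, &e->digest)) return 0;
    e->size = st.st_size;
    e->perm = st.st_mode & 07777;
    e->present = 1;
    return 1;
}
/* Bitmask of CH_* flags describing what differs; 0 means unchanged. */
int compare_entry(const entry_t *base, const entry_t *cur) {
    int flags = 0;
    if (!cur->present) return CH_MISSING;
    if (base->size != cur->size) flags |= CH_SIZE;
    if (base->perm != cur->perm) flags |= CH_PERM;
    if (base->digest != cur->digest) flags |= CH_CONTENT;
    return flags;
}
/* Re-snapshot every baseline entry, print what changed, return the count. */
int check_baseline(const entry_t *baseline, size_t n) {
    int changed = 0;
    for (size_t i = 0; i < n; i++) {
        entry_t cur;
        snapshot(baseline[i].path, &cur);
        int f = compare_entry(&baseline[i], &cur);
        if (!f) continue;
        changed++;
        printf("CHANGED %s:%s%s%s%s\n", baseline[i].path, f & CH_MISSING ? " missing" : "",
               f & CH_SIZE ? " size" : "", f & CH_PERM ? " perms" : "", f & CH_CONTENT ? " content" : "");
    }
    return changed;
}
static void write_file(const char *path, const char *text) {
    FILE *f = fopen(path, "w");
    if (f) { fputs(text, f); fclose(f); }
}
/* Demo on constructed files in a scratch directory: baseline two files, then make a
 * same-length edit to one and loosen the mode of the other. Returns the number of
 * files reported changed (2 when detection works). */
int run_demo(void) {
    char dir[PATHLEN] = "/tmp/integrity-XXXXXX", p1[PATHLEN], p2[PATHLEN];
    entry_t baseline[2];
    if (!mkdtemp(dir)) return -1;
    snprintf(p1, sizeof p1, "%s/passwd", dir);
    snprintf(p2, sizeof p2, "%s/inetd.conf", dir);
    write_file(p1, "root:x:0:0:root:/root:/bin/sh\n");
    write_file(p2, "finger stream tcp nowait nobody /usr/sbin/in.fingerd\n");
    chmod(p1, 0644); chmod(p2, 0644);
    snapshot(p1, &baseline[0]); snapshot(p2, &baseline[1]);
    if (check_baseline(baseline, 2) != 0) return -1;   /* nothing has changed yet */
    write_file(p1, "root:x:0:0:root:/root:/bin/zz\n");  /* same length: only the digest sees it */
    chmod(p2, 0666);                                     /* config made world-writable */
    int changed = check_baseline(baseline, 2);
    unlink(p1); unlink(p2); rmdir(dir);
    return changed;
}

int main(void) { return run_demo() == 2 ? 0 : 1; }
```

The same-length edit to the first file leaves its size untouched, so only the content digest catches it; the mode change on the second file shows why metadata belongs in the baseline as well. The baseline itself must of course live somewhere the attacker cannot rewrite, such as read-only media or a separate host.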
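Most of the rows above are programs that hold root for their whole lifetime (expreserve invoking /bin/mail, the rpc.* daemons, the setuid midikeys and suid_exec). The added example below was written for this page and is not taken from any of those programs; it shows the pattern a daemon should follow instead: keep root only until the privileged step is done, then drop permanently and verify the drop. The "nobody" account name used in main() is an assumption; a dedicated service account is the better choice.

```c
/* Added example, not from the poster: the "close the window of trust" pattern.
 * A daemon that must start as root (say, to bind a port below 1024) keeps root
 * only for that step, then drops to a service account and proves the drop is
 * permanent. The account name passed from main() is a constructed example. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Permanently switch to uid/gid. Order matters: supplementary groups first
 * (only root may clear them), then the gid, then the uid last, because once
 * the uid is non-zero the earlier calls would fail with EPERM.
 * Returns 0 on success, -1 with errno set otherwise. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0)   /* drop stale memberships */
        return -1;                                   /* such as 'disk' or 'shadow' */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify: a real drop cannot be undone. Skipping this check is how a
     * daemon ends up "not properly dropping privileges". */
    if (uid != 0 && setuid(0) == 0) { errno = EPERM; return -1; }
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Resolve an account name and drop to it. */
int drop_to_account(const char *name) {
    struct passwd *pw = getpwnam(name);
    if (!pw) { errno = ENOENT; return -1; }
    return drop_privileges(pw->pw_uid, pw->pw_gid);
}

/* 1 if this process can no longer regain root, 0 otherwise. Only meaningful
 * after a permanent drop: after a temporary seteuid() the probe below would
 * itself regain root, which is exactly why temporary drops are not enough. */
int privileges_are_dropped(void) {
    if (geteuid() == 0) return 0;
    return setuid(0) != 0;    /* EPERM for an unprivileged process */
}

int main(void) {
    /* A real daemon would open its privileged socket here, while still root. */
    if (geteuid() == 0 && drop_to_account("nobody") != 0) {
        perror("drop_to_account");
        return 1;             /* refuse to keep running with excess privilege */
    }
    printf("running as uid %d, dropped=%d\n", (int)geteuid(), privileges_are_dropped());
    return 0;
}
```

Refusing to start when the drop fails is deliberate: a daemon that logs the error and carries on as root is the excess-privilege case the poster warns about.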
RIP: RIP will give up routing tables to potential attackers. This information can be used to design attacks.

What is a trojan horse?
An attacker may be able to replace certain programs and shared libraries. The replacement program is usually called a trojan horse. The trojan horse may emulate the original program so that the replacement goes undetected. The trojan may be able to sniff passwords, provide back door access, and even hide other programs from the system.

What is a rootkit?
A rootkit is a set of trojan horse programs that can be installed on a computer. These programs allow the attacker to hide processes, files, and logins from the system administrator. Furthermore, these programs usually leave back doors within the system. It is important to use integrity assessment tools to make sure that files have not been replaced; otherwise a rootkit can be very hard to detect.

What is a buffer overflow?
Software bugs exist which allow user-supplied buffers to overwrite the process stack. In this case, the program either crashes or executes code contained in the user's buffer. In the latter case it is possible to trick the computer into executing arbitrary code and obtaining remote root access. This is perhaps the most common type of bug, and potentially the most deadly. Buffer overflows are difficult to detect or prevent during software design. While the demand for more and varied software is ever increasing, the chance of software bugs also increases.

What is hijacking?
Because of the weaknesses of TCP/IP, it is vulnerable to spoofing and hijacking. Hijacking describes a special type of spoofed IP attack. Normal TCP communications take place over a 'session.' If the session can be sniffed, or the sequence numbers can be guessed, the session can be 'hijacked.' The attacker can insert spoofed packets into the session stream and cause commands to be run as the original user.

What is spoofing?
The TCP/IP protocol has no authentication mechanisms. What this means is that anyone can create a 'fake' packet and impersonate someone else. Specifically, this means creating a fake IP address. Many attacks can be executed using spoofed packets. Even if a victim logs all of the packets and uses intrusion-detection software, the source of a spoofed packet is next to impossible to determine. This makes catching the attacker very difficult. Additionally, some software relies upon the source address of the IP packet for authentication. Because IP can be spoofed, the program in question can sometimes be fooled into allowing access, running commands, etc.

What is excess privilege?
Sometimes software will be installed or run with too much power. An example might be a public server daemon running as 'root' (or SYSTEM in the case of Windows NT). Since processes are complex and always have the potential of being exploited, administrators should 'close the window of trust' and give processes only the power that they need to function. Anything in excess only increases the risk of total system compromise if the process is exploited.

What is change control?
Often, the largest threats to system stability and security are introduced by unauthorized changes, or the unexpected side effects of authorized changes. Change control is a compensating control to reduce or restrict these risks. In mission-critical environments, change control is often based on a workflow that requires documenting requested changes, getting authorization from an authorized party and then implementing the authorized work order. However, change control can be as simple as announcing changes before you make them, and archiving those announcements.

What are 'repeatable builds'?
Mission-critical functions must be able to survive the failure or destruction of the infrastructure that runs them. Unfortunately, years of undocumented and uncontrolled changes often make it impossible to reconstruct critical servers, routers, databases, etc. Worse, the only time you learn this is when that system has been irrevocably compromised, corrupted, or degraded and no source of the "known good state" exists. Repeatable builds ensure that all servers can be duplicated and provisioned from scratch. Many organizations never make changes directly on production systems, but make changes to the build process, ensuring that changes never jeopardize repeatable builds. (Also often called "provisioning.")

What is a loadable kernel module?
Loadable kernel modules are intended as an easier way of adding kernel functionality, to avoid having to recompile the kernel every time new functionality is added. The problem is that most kernel modules are loaded and run merely by copying the object file into a specified directory, with full privilege and control. Malicious code is often injected into kernels by adding new kernel modules and rebooting the machine.

What is 'compensating control'?
Procedures for management to periodically verify existence of segregation of duties. Whenever a computer-based process involves sensitive, valuable, or critical information, the system must include controls involving a separation of duties.
Matrix Key: Service or Application | Information | Exploit or weakness | File

TPEVM02
©2002 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. Many of the vulnerabilities described in this poster are derived from the amazing CVE database, at http://cve.mitre.org. All other product and company names are property of their respective owners. All rights reserved.
