VARIoT IoT vulnerabilities database

VAR-200010-0031 | CVE-2000-0779 | Checkpoint Firewall-1 Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Checkpoint Firewall-1 with the RSH/REXEC setting enabled allows remote attackers to bypass access restrictions and connect to an RSH/REXEC client via malformed connection requests. Check Point Firewall-1 is vulnerable to certain unauthorized connections, caused by sending a specially formatted RSH/REXEC connection request from an external RSH/REXEC server to an internal (protected) RSH/REXEC client. This can only be done if the FireWall-1 administrator specifically enabled RSH/REXEC with stderr-port support in the Properties window.
The problem has to do with the pending table used to store state information for when rsh connections are initialized with stderr-port support. The pending table is a Firewall-1 internal memory structure used to hold temporary information about the state of a new connection before it is added to the "connection table", where state information (remote, destination ip addresses and ports, protocol type, etc) for permitted connections is stored.
Because of the way data from the pending table is interpreted and certain conditions met by the nature of Firewall-1's handling of the rsh/rexec stderr-port (the acceptance of an additional SYN packet), it is possible to collide an entry in the pending table before it is written to the connection table as the stderr-port connection. When stderr connections for rsh/rexec are permitted, information from the first data packet of an rsh connection is stored in the pending table so the firewall can anticipate the stderr SYN. The stderr port is extracted from the TCP data segment of this initial data packet. In addition, the source and destination IP addresses and ports are stored, as well as a magic number and the IP protocol code. Firewall-1 then waits for a SYN for the stderr connection. When one is received, another entry is made in the pending table, only the sequence number + 1 is stored in the place where the IP protocol number would go. If a malicious SYN is crafted with a sequence number of 5 and sent to the Firewall-1 that is expecting an rsh/rexec stderr SYN, the sequence number will be stored as 6 in the place where the protocol code (which happened to be 6, for TCP) is for the previous entry. The firewall then checks this and allows the connection to be established regardless of what the port is in the malicious SYN. It is then possible for an attacker to communicate with an "rsh client" on an arbitrary port behind the firewall.
The impact is that if rsh/rexec stderr-port is permitted, back-connections through the firewall can be established. Checkpoint Firewall-1 with valid RSH/REXEC settings has a vulnerability
VAR-200010-0069 | CVE-2000-0793 | NortonAntivirus Novell Client Anti-Virus Automatic Protection Failure Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Norton AntiVirus 5.00.01C with the Novell Netware client does not properly restart the auto-protection service after the first user has logged off of the system. "Auto-Protection" is a feature that comes with Norton Antivirus that automatically scans all files downloaded, executed, etc. It normally remains active from system bootup to shutdown regardless of who logs in and out of the system. This leaves the system vulnerable to attacks which the auto-protect software may have prevented
VAR-200007-0069 | CVE-2000-0631 | IIS Management Script Service Rejection Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
An administrative script from IIS 3.0, later included in IIS 4.0 and 5.0, allows remote attackers to cause a denial of service by accessing the script without a particular argument, aka the "Absent Directory Browser Argument" vulnerability. Microsoft IIS 3.0 shipped with a number of HTR scripts, one of which could be used to cause a Denial of Service against the hosting machine. Although these scripts were only distributed with IIS 3.0, they would be retained during upgrade to 4.0 or 5.0 and therefore these versions may be vulnerable if they were installed as an upgrade to 3.0. The vulnerable script is used to browse directories and normally expects a directory name as a variable. If a request with this variable blank is received, the script enters an infinite loop resulting in system resource exhaustion. No further details were made available by Microsoft
VAR-200007-0038 | CVE-2000-0649 | Microsoft Internet Information Services Information disclosure vulnerability |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
IIS 4.0 allows remote attackers to obtain the internal IP address of the server via an HTTP 1.0 request for a web page which is protected by basic authentication and has no realm defined. Even if IIS is behind a firewall or NAT, it will disclose the true internal IP address to the remote user.
The internal IP address may also be revealed through an HTTP request made with an empty host name. If a PROPFIND HTTP request is made, the message returned will include the IP address as part of the HREF header. The IP address may also be exposed through the WRITE or MKCOL methods, although they would not normally be exposed to the external network.
E.g.:
telnet target 80
Trying target...
Connected to target.
Escape character is '^]'.
HEAD /directory HTTP/1.0[CRLF]
[CRLF]
HTTP/1.1 401 Access Denied
WWW-Authenticate: Basic realm="<Internal IP Address>"
Content-Length: 644
Content-Type: text/html
VAR-200006-0091 | CVE-2000-0582 | Check Point Firewall-1 SMTP Resource consumption vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Check Point FireWall-1 4.0 and 4.1 allows remote attackers to cause a denial of service by sending a stream of invalid commands (such as binary zeros) to the SMTP Security Server proxy. The Check Point Firewall-1 SMTP Security Server in Firewall-1 4.0 and 4.1 on Windows NT is vulnerable to a simple network-based attack which can increase the firewall's CPU utilization to 100%. According to Check Point Software this only disables mail relay while allowing other firewall operations to continue normally. Vulnerabilities exist in Check Point FireWall-1 versions 4.0 and 4.1
VAR-200107-0186 | CVE-2001-0537 | Cisco IOS HTTP server authentication vulnerability allows remote attackers to execute arbitrary commands |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
HTTP server for Cisco IOS 11.3 to 12.2 allows attackers to bypass authentication and execute arbitrary commands, when local authorization is being used, by specifying a high access level in the URL. IOS is router firmware developed and distributed by Cisco Systems. IOS functions on numerous Cisco devices, including routers and switches.
It is possible to gain full remote administrative access on devices using affected releases of IOS. By using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.
This problem makes it possible for a remote user to gain full administrative privileges, which may lead to further compromise of the network or result in a denial of service. Cisco IOS versions from 11.3 onward are affected: if the web management interface is enabled, any remote attacker can obtain full management rights on the device by constructing a URL of the form http://<device_address>/level/xx/exec/.... where xx is an integer from 16 to 99. The exact value may differ between devices, but at most 84 values need to be tried to find the correct one
VAR-200006-0056 | CVE-2000-0477 | Norton Antivirus for Exchange Denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Buffer overflow in Norton Antivirus for Exchange (NavExchange) allows remote attackers to cause a denial of service via a .zip file that contains long file names. Norton Antivirus for MS Exchange unzip engine improperly handles zip files attached in e-mails. If NAV for Exchange tries to scan a zip archive containing files with long filenames, it will crash and not scan any further emails until the service is restarted. A buffer overflow vulnerability exists in Norton Antivirus for Exchange (NavExchange)
VAR-200006-0057 | CVE-2000-0478 | Norton Antivirus for Exchange Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
In some cases, Norton Antivirus for Exchange (NavExchange) enters a "fail-open" state which allows viruses to pass through the server. Norton Antivirus for MS Exchange unzip engine improperly handles zip files attached in e-mails. If NAV for Exchange tries to scan a zip archive containing files with long filenames, it will crash and not scan any further emails until the service is restarted
VAR-200010-0136 | CVE-2000-0563 | java.net.URLConnection Branch program direct connection vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The URLConnection function in MacOS Runtime Java (MRJ) 2.1 and earlier and the Microsoft virtual machine (VM) for MacOS allows a malicious web site operator to connect to arbitrary hosts using an HTTP redirection, in violation of the Java security model. The security model of Apple Mac OS Runtime Java (MRJ) is ignored in the function java.net.URLConnection. Therefore, it is possible to connect directly to any host, whereas an applet should only be able to connect to the host that it originated from.
Hiromitsu Takagi <takagi@etl.go.jp> illustrates in the following article the dangers of any host being accessed:
http://java-house.etl.go.jp/ml/archive/j-h-b/033470.html
A malicious website operator could set up applets that lend themselves to downloading sensitive information in any data format, given that the file and path are known.
This vulnerability depends on the combination of MRJ and browser version the system is running. To check whether or not your machine is vulnerable, make note of what version of browser and MRJ you are running and visit the following URL:
http://java-house.etl.go.jp/ml/archive/j-h-b/033471.html
VAR-200006-0149 | CVE-2000-0497 | JSP Source code leak vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
IBM WebSphere server 3.0.2 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case. Many webservers are case-sensitive, but do not have all possible combinations of cases in mapped extensions mapped properly. In that manner, a user is able to access the source code to those specific files. Microsoft IIS 5.0 has a dedicated scripting engine for advanced file types such as ASP, ASA, HTR, etc. files. The scripting engines handle requests for these file types, process them accordingly, and then execute them on the server.
It is possible to force the server to send back the source of known scriptable files to the client if the HTTP GET request contains a specialized header with 'Translate: f' at the end of it, and if a trailing slash '/' is appended to the end of the URL. The scripting engine will be able to locate the requested file, however, it will not recognize it as a file that needs to be processed and will proceed to send the file source to the client.
# Title: Cisco Collaboration Server 5 XSS, Source Code Disclosure
# Author: s4squatch
# Published: 2010-02-11
Cisco Collaboration Server 5 XSS, Source Code Disclosure
Discovered by: s4squatch of SecureState R&D Team (www.securestate.com)
Discovered: 08/26/2008
Note: End of Engineering --> http://www.cisco.com/en/US/products/sw/custcosw/ps747/prod_eol_notice09186a008032d4d0.html
Replaced with: http://www.cisco.com/en/US/products/ps7233/index.html and http://www.cisco.com/en/US/products/ps7236/index.html
XSS
===
http://www.website.com/webline/html/admin/wcs/LoginPage.jhtml?oper=&dest=">
Java Servlet Source Code Disclosure
===================================
The source code of .jhtml files is revealed to the end user by requesting any of the following:
Normal File: file.html
Modified 1: file%2Ejhtml
Modified 2: file.jhtm%6C
Modified 3: file.jhtml%00
Modified 4: file.jhtml%c0%80
Cisco Collaboration Server 5 Paths It Works On (list may not be complete)
=========================================================================
http://www.website.com/doc/docindex.jhtml
http://www.website.com/browserId/wizardForm.jhtml
http://www.website.com/webline/html/forms/callback.jhtml
http://www.website.com/webline/html/forms/callbackICM.jhtml
http://www.website.com/webline/html/agent/AgentFrame.jhtml
http://www.website.com/webline/html/agent/default/badlogin.jhtml
http://www.website.com/callme/callForm.jhtml
http://www.website.com/webline/html/multichatui/nowDefunctWindow.jhtml
http://www.website.com/browserId/wizard.jhtml
http://www.website.com/admin/CiscoAdmin.jhtml
http://www.website.com/msccallme/mscCallForm.jhtml
http://www.website.com/webline/html/admin/wcs/LoginPage.jhtml
Related Public Info
===================
http://www.securityfocus.com/bid/3592/info
http://www.securityfocus.com/bid/1578/info
http://www.securityfocus.com/bid/1328/info
Scott White<mailto:swhite@securestate.com> | Senior Consultant | SecureState
623.321.2660 - office | 480.440.7595 - mobile | 216.927.2801 - fax
VAR-200006-0147 | CVE-2000-0499 | BEA WebLogicJSP Source code leak vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
The default configuration of BEA WebLogic 3.1.8 through 4.5.1 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case. Many webservers are case-sensitive, but do not have all possible combinations of cases in mapped extensions mapped properly. In that manner, a user is able to access the source code to those specific files. Microsoft IIS 5.0 has a dedicated scripting engine for advanced file types such as ASP, ASA, HTR, etc. files. The scripting engines handle requests for these file types, process them accordingly, and then execute them on the server.
It is possible to force the server to send back the source of known scriptable files to the client if the HTTP GET request contains a specialized header with 'Translate: f' at the end of it, and if a trailing slash '/' is appended to the end of the URL. The scripting engine will be able to locate the requested file, however, it will not recognize it as a file that needs to be processed and will proceed to send the file source to the client.
VAR-200006-0151 | CVE-2000-0778 | Microsoft IIS Vulnerabilities in source file information disclosure |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
IIS 5.0 allows remote attackers to obtain source code for .ASP files and other scripts via an HTTP GET request with a "Translate: f" header, aka the "Specialized Header" vulnerability. When Microsoft IIS receives an HTTP GET request with a "Translate: f" header added, a flaw causes it to locate the correct file but not recognize it as a file that needs to be processed by the script engine, so it sends that file to the browser. This may allow viewing the source of .ASP, .ASA and .HTR files, whose source normally cannot be viewed. Many webservers are case-sensitive, but do not have all possible combinations of cases in mapped extensions mapped properly.
By changing the letters in a JSP or a JHTML file extension from lower case to upper case (e.g. .jsp or .jhtml becomes .JSP or .JHTML) in a URL, the server does not recognize the file extension and sends the file normally. In that manner, a user is able to access the source code to those specific files. Microsoft IIS 5.0 has a dedicated scripting engine for advanced file types such as ASP, ASA, HTR, etc. files. The scripting engines handle requests for these file types, process them accordingly, and then execute them on the server.
VAR-200006-0148 | CVE-2000-0498 | JSP Source code leak vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Unify eWave ServletExec allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case. Many webservers are case-sensitive, but do not have all possible combinations of cases in mapped extensions mapped properly. In that manner, a user is able to access the source code to those specific files. Microsoft IIS 5.0 has a dedicated scripting engine for advanced file types such as ASP, ASA, HTR, etc. files. The scripting engines handle requests for these file types, process them accordingly, and then execute them on the server.
It is possible to force the server to send back the source of known scriptable files to the client if the HTTP GET request contains a specialized header with 'Translate: f' at the end of it, and if a trailing slash '/' is appended to the end of the URL. The scripting engine will be able to locate the requested file, however, it will not recognize it as a file that needs to be processed and will proceed to send the file source to the client.
VAR-200006-0150 | CVE-2001-1510 | Allaire JRun Web Root directory leak vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Allaire JRun 2.3.3, 3.0 and 3.1 running on IIS 4.0 and 5.0, iPlanet, Apache, JRun web server (JWS), and possibly other web servers allows remote attackers to read arbitrary files and directories by appending (1) "%3f.jsp", (2) "?.jsp" or (3) "?" to the requested URL. Many webservers are case-sensitive, but do not have all possible combinations of cases in mapped extensions mapped properly.
By changing the letters in a JSP or a JHTML file extension from lower case to upper case (e.g. .jsp or .jhtml becomes .JSP or .JHTML) in a URL, the server does not recognize the file extension and sends the file normally. In that manner, a user is able to access the source code to those specific files. Microsoft IIS 5.0 has a dedicated scripting engine for advanced file types such as ASP, ASA, HTR, etc. files. The scripting engines handle requests for these file types, process them accordingly, and then execute them on the server.
It is possible to force the server to send back the source of known scriptable files to the client if the HTTP GET request contains a specialized header with 'Translate: f' at the end of it, and if a trailing slash '/' is appended to the end of the URL. The scripting engine will be able to locate the requested file, however, it will not recognize it as a file that needs to be processed and will proceed to send the file source to the client. Allaire JRun is a development suite with JSP and Java Servlets for developing web applications.
Allaire JRun is prone to an information-disclosure vulnerability because it fails to handle malformed URLs properly. A remote attacker could access the contents under the webserver root directory.
Submitting a request for 'http://server/%3f.jsp' could cause JRun to reveal the contents within the web root. It's also possible to view the contents of any subdirectories along with ACL-protected resources.
The attacker could exploit this issue to obtain the source of known files residing on the host, including ASP files.
NOTE: This vulnerability was originally reported to work on Microsoft IIS hosts only, but other webservers (Apache, Jetty) have been reported vulnerable.
VAR-200006-0121 | No CVE | Allegro RomPager Abnormal URL Request Denial of Service Attack |
CVSS V2: - CVSS V3: - Severity: - |
Allegro's RomPager is an embedded web server product, commonly used to provide web-based management for network printers, switches and other network devices. A specially crafted malformed request can crash it, which often disrupts the managed device and can leave the network device, or even the entire network, unavailable. All a remote attacker needs is a browser. Versions other than 2.10 may also be affected by this attack. The following is a list of some manufacturers' products known to use Allegro RomPager:
3Com: TotalSwitch LAN switching hubs, LANLinker Dual Analog Router
Acacia Networks: NovaSwitch Ethernet switches
APC: UPS products with web management
Andover Controls Corporation: Infinity automated building controls
Bizfon: Bizfon 680 Multifunction communications server
D-Link Systems: DES-3225G 24-port 10/100Mbps Ethernet switch, DES-3224+
EdgePoint Networks: EdgeStar, EdgeStack, EdgeSwitch
Extreme Networks: Summit Gigabit Switch
Foundry Networks: BigIron Switching Routers, FastIron Switches, NetIron Core Routers (possibly entire product line)
Interspeed: System 1000 and 500 Central Office ADSL routers
LANart Corporation: Segway Adaptive Microsegmentable Ethernet Hub
Netopia Communications: Netopia ISDN router products
NETsilicon, Inc.: NET+ARM product family
Net To Net Technologies: IP DSL Access Multiplexer 12000
Network Peripherals: NuSwitch Ethernet switches and hubs
Northern Telecom: Accelar Gigabit Ethernet
Osicom: NETPrint 1000 print server, various Ethernet switch products
Proxim: RangeLAN2
QMS: various networked printers
Xerox: DocuPrint laser printers
VAR-200006-0060 | CVE-2000-0482 | IP Fragmentation Denial-of-Service Vulnerability in FireWall-1 |
CVSS V2: 5.0 CVSS V3: - Severity: 11.77 |
Check Point Firewall-1 allows remote attackers to cause a denial of service by sending a large number of malformed fragmented IP packets. A large stream of IP traffic can monopolize the CPU of a Check Point FireWall-1 firewall, resulting in a denial-of-service condition. The FireWall-1 rulebase cannot prevent this attack and it is not logged in the firewall logs. Check Point Firewall-1 is vulnerable
VAR-200006-0045 | CVE-2000-0516 | Shiva Access Manager Globally readable LDAP Password vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
When configured to store configuration information in an LDAP directory, Shiva Access Manager 5.0.0 stores the root DN (Distinguished Name) name and password in cleartext in a file that is world readable, which allows local users to compromise the LDAP server. The Shiva Access Manager is a solution for centralized remote access authentication, authorization, and accounting offered by Intel. It runs on Solaris and Windows NT. Shiva Access Manager is vulnerable to a default configuration problem in its Solaris version (and possibly for NT as well, though unconfirmed). It stores this information in a text file that is owned by root and set world readable by default, $SHIVA_HOME_DIR/insnmgmt/shiva_access_manager/radtac.ini. This file also contains information such as the LDAP server's hostname and server port. This information can be used to completely compromise the LDAP server
VAR-200006-0120 | No CVE | ITHouse Mail Server 1.04 Remote Overflow Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
ITHouse mail server 1.04 has a remote overflow vulnerability. An attacker constructs a special email whose "recipient" field contains more than 2270 bytes of data, which causes the ITHouse mail server to overflow and may allow arbitrary code execution. <* Source: Delphis Consulting Plc Security Team Advisories [30/05/2000] securityteam@delphisplc.com http://www.delphisplc.com/thinking/whitepapers/ *>
VAR-200006-0001 | CVE-1999-0590 | Apple macOS Security hole |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
A system does not present an appropriate legal message or warning to a user who is accessing it. The kernel is prone to a remote security vulnerability.
Attackers can exploit this issue to perform unauthorized actions. This may aid in further attacks
VAR-200005-0087 | CVE-2000-0486 | TACACS+ Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Buffer overflow in Cisco TACACS+ tac_plus server allows remote attackers to cause a denial of service via a malformed packet with a long length field. A small buffer overrun exists in the free, unsupported implementation of the tacacs+ server, distributed by Cisco. This vulnerability, while a buffer overrun, appears to not be exploitable due to its short nature.
While the analysis of the tacacs+ protocol posted to Bugtraq indicated that clients, including IOS, were vulnerable to the above problems, Cisco claims that IOS clients will reject the packets as invalid, and report an error, without any further problems. Attacking the client requires the ability to perform blind TCP sequencing, and as such is difficult to conduct.
The first vulnerability, a buffer overflow, is due to the nature in which the tac_plus server allocates memory for the incoming packet. It will read only up to the length of the header in a primary read, allocate the amount of memory indicated in the header, copy the header into the allocated memory, and then read and copy the remaining buffer in. The buffer overrun is caused by it failing to check for an integer overflow in the length field of the header when added to the header length. This can result in an 11 byte overflow.
The second vulnerability is due to a lack of sanity checking on the length field. An arbitrarily large number can be sent for the body length. The server or client will malloc whatever the length presented is, and as such may allocate an excessive amount of memory, resulting in the denial of service previously mentioned