This is a list of formal NMRC security advisories. Starting in September of 1998, we began formalizing our advisories. Here is a list of advisories issued since that time. We've also got a disclosure policy.
20060114: After a 3 1/2 year lull, an advisory is released! Pity it is a lame Windows wireless bug. By Simple Nomad.
20020510: Cyberiad finds a couple of problems in Critical Path inJoin V4.0 Directory Server.
20020319: Oops. ISS left in a default account in RealSecure on Nokia appliances which allows for remote manipulation. hellNbak finds it first, ISS gets pissed off (per usual).
20020114: Cyberiad finds both Microsoft's IIS 4 and Symantec's Norton Internet Security 2001 are vulnerable to log files being rewritten via Windows APIs.
20011204: Cyberiad and Phuzzy L0gik have some fun exploring Valicert's CGI program, including finding numerous buffer overflows, info leaking, and even weak random numbers.
20011126: Phuzzy L0gik plays with some Sun products and turns up a bug. NetDynamics session IDs can be reused, allowing session hijacking.
20010814: Adept finds some GroupWise issues, and NMRC helps him publicize it.
20010527: hellNbak has found a number of problems with the Specter IDS, including DoS (a simple port scan can cause CPU usage problems) and remote identification of its honeypot nature (you see, it really isn't an IDS to begin with...).
19991122: It has always been trivial to sniff file transfers between a server and a workstation. NMRC now automates the process in the latest version of Pandora.
19990910: Bindview's product HackerShield is a security scanner with a number of impressive automation features that make use of a Service User to allow HackerShield to run unattended. Unfortunately, the Service User is not machine specific, making anyone who has downloaded the product, including the demo, vulnerable to potential attack. By Simple Nomad. Here's Bindview's response.
19990715: Originally reported 13 months ago, some of the same spoof and hijack tricks that worked on Netware 4 work on Netware 5. This advisory simply points that fact out, as the new Pandora v4 simplifies the spoof and hijack tricks. By Jitsu-Disk and Simple Nomad.
19990512: Netware 4.x servers not running the latest patches are vulnerable to a nasty Denial of Service bug that can potentially crash multiple servers simultaneously. Confirmed by Simple Nomad.
19990505: Simple Nomad finds under certain conditions Network Associates VirusScan NT will not properly update the virus definition file, leaving the NT server or workstation vulnerable to viral attack.
19981006: If an intruder recovers the encrypted password used during the loading of REMOTE.NLM, it can be easily decrypted on another Netware server. By Simple Nomad.
19980930: If you have Token Ring packets with bad data in them, you can crash NT servers and workstations. All four sites running Token Ring should apply the RIF Hot Fix from Microsoft (ask them for it, it's not on their FTP site). Confirmed by Simple Nomad.
19980923: Jitsu-Disk finds you can overflow the POP3 and LDAP ports, causing the server to crash. Unlike the last advisory, this one has generated lots of thank-yous. Hmmm, revealing user account names is bad, but crashing servers is good. At least with the latest patches only the affected NLM goes south, but we advise simply not using it. UPDATE 06Oct98 - Novell has released a patch, look for gwia551.exe at support.novell.com. The patch is for GroupWise 5.5 only, so you are forced to upgrade before you can apply the patch.
19980916: Most Netware installers are unaware of or uncaring about how much info is revealed from a standard install. Lots of flames on this one from disgruntled sys admins having to fix things because their boss read about it. Sorry folks, some OSes (such as Unix) actually go to some trouble to keep intruders from learning account names. Netware should be this way too. By Simple Nomad.
This is a list of advisories from NMRC members whose research work was performed as a part of employment by some corporation. A few of these advisories are no longer available on the web, so they've been archived here.
19Jun2017: Simple Nomad hacks a power drill. Okay mainly the phone app, but here you have it.
Mid-to-late 2004: Sendmail Heap Overflow/McAfee Groupshield Anti-Virus Detection Bypass. While at BindView, Simple Nomad finds two bugs while experimenting with SMTP. In 2009 he spills the beans and pisses off Red Hat.
08apr2002: Cask3t finds some flaws in Funk Proxy's software.
08Nov2000: Simple Nomad finds a way to write an enumeration tool that works against Novell Netware 5.