[VIM] discuss: VulnDisco

security curmudgeon jericho at attrition.org
Sat May 14 07:01:49 EDT 2005

Evgeny Demidov of GLEG posted to DailyDave announcing the release of their 
"VulnDisco" pack. This is a pack of exploits for the CANVAS framework, 
released by Aitel & Immunity. According to the PDF, this pack contained a wide 
variety of 0day exploits. Since then, he has followed up with three 
updates that include a few more exploits each time.

Before anyone replies, consider this. I mailed Dave Aitel and asked if he 
could verify that this pack of vulnerabilities was legit. Since they are 
a CANVAS framework based set, I figured he of all people could 
authenticate Evgeny's research. Dave replied and said he had not tested 
any of it, and in fact, had not received a copy. While Immunity was a 
reseller of the VulnDisco pack, they were not privileged to a copy of it. 
I found that surprising.

There has been no followup on DailyDave regarding these packs, good or 
bad. Below you will find a summary of the posts and exploits claimed in 
each pack. That said, how does a vulnerability database handle such 
claims? Should we be creating entries with the details we have? Or does 
this amount of exploit code in one place suggest it may not be fully 

Thoughts from the madmen?


[Dailydave] ANNOUNCE - VulnDisco Pack for CANVAS release

To summarize:

Remotes in this version:


[0day] Ipswitch IMail buffer overflow
Vendor URL: http://www.ipswitch.com
Notes: remote exploit for certain IMail service.

[0day] MaxDB WebAgent stack overflow
Vendor URL: http://www.mysql.com
Notes: remote exploit for MaxDB WebTools wahttp service.

[0day] Pragma Fortress buffer overflow
Vendor URL: http://www.pragmasys.com
Notes: remote exploit for Pragma Fortress SSH server.


[0day] Exim 4.43 stack overflow
Vendor URL: http://www.exim.org
Notes: exploit for published AUTH SPA stack overflow.

[0day] ntpd buffer overflow
Vendor URL: http://www.ntp.org
Notes: remote root for certain configurations of ntpd

[0day] Samba buffer overflow
Vendor URL: http://www.samba.org
Notes: remote exploit for certain configurations of smbd

[0day] Sun ONE ASP buffer overflow
Vendor URL: http://www.sun.com

[0day] Sun ONE ASP arbitrary file retrieval exploit
Vendor URL: 

Denial of service attacks

[0day] FreeBSD/NetBSD/OpenBSD kernel remote DoS
Vendor URL: http://www.freebsd.org, http://www.openbsd.org, http://www.openbsd.org
Notes: remote crash&reboot for certain configurations of *BSD kernel

[0day] fam remote DoS
Vendor URL: http://oss.sgi.com/projects/fam/
Notes: remote crash for certain configurations of fam

[0day] Ipswitch IMail remote DoS
Vendor URL: http://www.ipswitch.com

[0day] Kerio MailServer remote DoS
Vendor URL: http://www.kerio.com
Notes: remote crash in Kerio MailServer

[0day] MDaemon remote DoS
Vendor URL: http://www.altn.com

[0day] LSASS.EXE remote DoS
Vendor URL: http://www.microsoft.com

[0day] MySQL 4.x server remote DoS
Vendor URL: http://www.mysql.com

[Dailydave] VulnDisco Pack for CANVAS v1.1 is available

New remotes in this version:

[0day] Ethereal heap overflow (proof of concept)
[0day] Miranda IM buffer overflow
[0day] MDaemon buffer overflow

[Dailydave] VulnDisco Pack v1.2 for CANVAS is available

New remotes in this version:

[0day] PHP remote DoS
[0day] OpenSSL remote DoS
[0day] NSS heap overflow (proof of concept)**

[Dailydave] VulnDisco Pack v1.3 for CANVAS is available

New remote in this version:

[0day] SIMA - Samba remote root
