NMRC Advisories

This is a list of formal NMRC security advisories. Starting in September of 1998, we began formalizing our advisories. Here are a list of advisories issued since that time. We've also got a disclosure policy.

Microsoft Windows Silent Adhoc Network Advertisement CVE-2006-0376

20060114: After a 3 1/2 year lull, an advisory is released! Pity it is a lame Windows wireless bug. By Simple Nomad.

Web Traversal in Critical Path inJoin V4.0 and Cross-Site Scripting in Critical Path inJoin V4.0 CVE-2002-0786 CVE-2002-0787

20020510: Cyberiad finds a couple of problems in Critical Path inJoin V4.0 Directory Server.

KeyManager Issue in ISS RealSecure on Nokia Appliances CVE-2002-0480

20020319: Oops. ISS left in a default account in RealSecure on Nokia appliances which allows for remote manipulation. hellNbak finds it first, ISS gets pissed off (per usual).

OpenFile Win32 API Log Overwriting/Rewriting CVE-2002-1694 CVE-2002-1695

20020114: Cyberiad finds both Microsoft's IIS 4 and Symantec's Norton Internet Security 2001 are vulnerable to log files being rewritten via Windows APIs.

Numerous Issues with Valicert Enterprise VA CVE-2001-0947 CVE-2001-0948 CVE-2001-0949 CVE-2001-0950

20011204: Cyberiad and Phuzzy L0gik have some fun exploring Valicert's CGI program, including finding numerous buffer overflows, info leaking, and even weak random numbers.

Sun's NetDynamics Reuseable Session ID

20011126: Phuzzy L0gik plays with some Sun products and turns up a bug. NetDynamics session IDs can be reused, allowing session hijacking.

NetWare Enterprise Web Server and GroupWise WebAccess CVE-2001-1232 CVE-2001-1233

20010814: Adept finds some GroupWise issues, and NMRC helps him publicize it.

Specter IDS DoS and Other Issues CVE-2001-0790

20010527: hellNbak has found a number of problems with the Specter IDS, including DoS (a simple port scan can cause CPU usage problems) and remote identification of its honeypot nature (you see, it really isn't an IDS to begin with...).

File Sniffing in Netware

19991122: It has always been trivial to sniff file transfers between a server and a workstation. NMRC now automates the process in the latest version of Pandora.

HackerShield Service User

19990910: Bindview's product HackerShield is a security scanner with a number of impressive automation features that make use of a Service User to allow HackerShield to run unattended. Unfortunately, the Service User is not machine specific, making anyone who has downloaded the product including the demo vulnerable to potential attack. By Simple Nomad. Here's Bindview's response.

NetWare 5 Hijack Vulnerability CVE-1999-1086

19990715: Originally reported 13 months ago, some of the same spoof and hijack tricks that worked on Netware 4 work on Netware 5. This advisory simply points that fact out, as the new Pandora v4 simplifies the spoof and hijack tricks. By Jitsu-Disk and Simple Nomad.

NetWare 4.x TTS Problem CVE-1999-0805

19990512: Netware 4.x servers not running the latest patches are vulnerable to a nasty Denial of Service bug that can potentially crash multiple servers simultaneously. Confirmed by Simple Nomad.

NAI AntiVirus Update Problem CVE-1999-1195

19990505: Simple Nomad finds under certain conditions Network Associates VirusScan NT will not properly update the virus definition file, leaving the NT server or workstation vulnerable to viral attack.

"Decryption" of RCONSOLE Password

19981006: If an intruder recovers the encrypted password used during the loading of REMOTE.NLM, it can be easily decrypted on another Netware server. By Simple Nomad.

Lame NT Token Ring DoS CVE-1999-1132

19980930: If you have Token Ring packets with bad data in them, you can crash NT servers and workstations. All four sites running Token Ring should apply the RIF Hot Fix from Microsoft (ask them for it, it's not on their FTP site). Confirmed by Simple Nomad.

GroupWise Buffer Overflow

19980923: Jitsu-Disk finds you can overflow the POP3 and LDAP ports causing the server to crash. Unlike the last advisory, this one has generated lots of thank-yous. Hmmm, revealing user account names is bad, but crashing servers is good. At least with the latest patches only the affected NLM goes south, but we advise to simply not use it. UPDATE 06Oct98 - Novell has released a patch, look for gwia551.exe at The patch is for GroupWise 5.5 only, so you are forced to upgrade before you can apply the patch.

Default NDS Rights CVE-1999-1020

19980916: Most Netware installers are unaware or uncaring about how much info is revealed from a standard install. Lots of flames on this one from disgruntled sys admins having to fix things because their boss read about it. Sorry folks, some OSes (such as Unix) actually go to some trouble to keep intruders from learning account names. Netware should be this way too. By Simple Nomad.


Other Advisories

This is a list of advisories from NMRC members whose research work was performed as a part of employment by some corporation. A few of these advisories are no longer available on the web, so they've been archived here.

Milwaukee ONE-KEY Power Drill CVE-2017-3214 CVE-2017-3215

19Jun2017: Simple Nomad hacks a power drill. Okay mainly the phone app, but here you have it.

Blast from the Past: Two Bugs, One Email CVE-2009-1490 CVE-2009-1491

Mid-to-late 2004: Sendmail Heap Overflow/McAfee Groupshield Anti-Virus Detection Bypass. While at BindView, Simple Nomad finds two bugs while experimenting with SMTP. In 2009 he spills the beans and pisses off Red Hat.

Unauthorized Remote Control Access via Funk Software Proxy v3.x CVE-2002-0064 CVE-2002-0065 CVE-2002-0066

08apr2002: Cask3t finds some flaws in Funk Proxy's software.

Object Enumeration in Novell Environments

08Nov2000: Simple Nomad finds a way to write an enumeration tool that works against Novell Netware 5.