Username: MDMA
Password:

Welcome to Adi/OS v6.6.6
Last login: Fri May 2 13:00:45 on ttyp1

bibi:~# cat MDMA-iCal.txt

iCal Multiple Vulnerabilities Advisory
Released by Wizdumb under MDMA (Mexican Dummies Making Advisories)

Anyone with permission to modify an iCal calendar can read any file on the hard drive quite simply by pointing their browser to...

http://[hostname]/[name of calendar]/admin/dataload?authenticate=

You will then be prompted to log in using HTTP Basic authentication, unless of course you're playing with the default password-free calendar which is called - get this - default. :-)

Then, let's import data from... ummm... "..\..\config.sys"

Errors occurred in the load file.

Line #  Message Text
1       Not a valid record type [SDP] required a first character - remdosCDdriverz
2       Not a valid record type [SDP] required a first character - remDEVICE=C:\CDD\CDM.SYS/D:CD_CDROM/V
3       Not a valid record type [SDP] required a first character -
4       Not a valid record type [SDP] required a first character - remEMSstuff
5       Not a valid record type [SDP] required a first character - DEVICE=C:\WINDOWS\HIMEM.SYS
6       Not a valid record type [SDP] required a first character - DEVICE=C:\WINDOWS\EMM386.EXE

Interestingly enough, it coughs up any file we ask for without the spaces - that's kinda nice - but I would like better - lemme throw it a million character argument to that POST request...

Access violation at address 00455F83 in module 'ICAL.EXE'. Read of address 61616161

Buffer overflow! And 5000 windows to tell us about it! Ugh, I just forced the daemon closed in the end. :-)

The vendor has been contacted and hopefully a fix will be available soon.

Later...
Wizdumb

.|| wizdumb@mdma.za.net || www.mdma.za.net || wizdumb@#MDMA@blabber.net ||.
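As an added example, not code from the advisory or from the iCal vendor, here are the two defects above seen from the defender's side: a hardened load-file resolver that rejects the traversal ("..\..\config.sys") and the oversized argument before either reaches the file system or a fixed-size buffer, and a log check that flags dataload requests carrying either pattern. The function names, the 255-byte limit, the /srv/ical/default data directory and the access-log line format are all assumptions; the log lines are constructed.

```python
import os
import posixpath
import re
from urllib.parse import unquote

# Assumed limit for the load-file argument in the hypothetical hardened handler;
# the advisory gives no figure, only that a million-character argument crashed ICAL.EXE.
MAX_LOAD_FILE_ARG_LEN = 255


class LoadFileError(ValueError):
    """Raised when a requested load file is rejected."""


def resolve_load_file(base_dir: str, requested: str) -> str:
    """Resolve a user-supplied load-file name to an absolute path inside base_dir.

    Covers both defects in the advisory: the traversal is rejected, and an
    oversized argument is refused before it reaches any fixed-size buffer.
    """
    if len(requested) > MAX_LOAD_FILE_ARG_LEN:
        raise LoadFileError("load file argument too long")
    if "\x00" in requested:
        raise LoadFileError("NUL byte in load file argument")
    # The product ran on Windows, where '\' and '/' both separate path
    # components, so treat them alike before any checks.
    normalised = requested.replace("\\", "/")
    if normalised.startswith("/") or re.match(r"^[A-Za-z]:", normalised):
        raise LoadFileError("absolute paths are not allowed")
    # Collapse '.' and '..' segments lexically; anything still climbing upward
    # would leave the calendar's data directory.
    collapsed = posixpath.normpath(normalised)
    if collapsed in (".", "..") or collapsed.startswith("../"):
        raise LoadFileError("path traversal rejected")
    base = os.path.abspath(base_dir)
    candidate = os.path.abspath(os.path.join(base, *collapsed.split("/")))
    # Belt and braces: the resolved path must still sit under base_dir.
    if os.path.commonpath([base, candidate]) != base:
        raise LoadFileError("path escapes calendar data directory")
    return candidate


def is_safe_load_file(base_dir: str, requested: str) -> bool:
    """Boolean wrapper around resolve_load_file for policy checks."""
    try:
        resolve_load_file(base_dir, requested)
        return True
    except LoadFileError:
        return False


# Detection side: constructed access-log lines in an assumed common-log-like
# format, with the POST body in a trailing quoted field. Line 3 carries a
# 300-character 'authenticate' value.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2000:00:00:01 +0000] "POST /default/admin/dataload?authenticate= HTTP/1.0" 200 512 "file=..\\..\\config.sys"',
    '10.0.0.5 - - [01/Jan/2000:00:00:02 +0000] "POST /default/admin/dataload?authenticate= HTTP/1.0" 200 870 "file=mycal.ics"',
    '10.0.0.5 - - [01/Jan/2000:00:00:03 +0000] "POST /default/admin/dataload?authenticate=' + "a" * 300 + ' HTTP/1.0" 500 0 "-"',
    '10.0.0.9 - - [01/Jan/2000:00:00:04 +0000] "GET /default/ HTTP/1.0" 200 2048 "-"',
]

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d+ \d+ "(?P<body>[^"]*)"$')
# A '..' component delimited by a separator, '=', '&' or '?' (or the string edges).
TRAVERSAL_RE = re.compile(r"(?:^|[\\/=&?])\.\.(?:[\\/]|$)")


def flag_dataload_requests(log_lines, max_arg_len=MAX_LOAD_FILE_ARG_LEN):
    """Return (line_number, reason) for dataload requests that look abusive."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if not m or "/admin/dataload" not in m["target"]:
            continue
        # Decode percent-encoding so an encoded '..%5c..%5c' is seen as '..\..\'.
        decoded = unquote(m["target"]) + " " + unquote(m["body"])
        if TRAVERSAL_RE.search(decoded):
            findings.append((n, "path traversal sequence in dataload request"))
        elif len(m["target"]) > max_arg_len or len(m["body"]) > max_arg_len:
            findings.append((n, "oversized dataload argument"))
    return findings


if __name__ == "__main__":
    for name in ("imports/cal.ics", "..\\..\\config.sys", "a" * 1_000_000):
        print(repr(name[:40]), "->", is_safe_load_file("/srv/ical/default", name))
    for n, reason in flag_dataload_requests(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

The resolver normalises separators before checking, because a check that only looks for "../" would miss the backslash form the advisory used; the final commonpath comparison catches anything the lexical check let through.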