Buffer Overflow in Sun Microsystems’ Solaris ‘whodo’ Utility

The 'whodo' utility shipped with Sun Microsystems' Solaris provides a listing of users online and their activities. It is installed setuid root because it reads from the 'utmp' log as well as from the process table. 'whodo' contains a buffer overflow which can be exploited to gain root privileges.

Solaris 8 libsldap Buffer Overflow Vulnerability

Solaris 8 ships with a shared library called 'libsldap' that implements LDAP functionality. A number of system utilities, many of them installed setuid or setgid, are linked against this library. Libsldap contains a buffer overflow vulnerability in its handling of the 'LDAP_OPTIONS' environment variable. Local attackers can exploit this vulnerability in setuid/setgid programs linked to libsldap to elevate privileges.

Samba Remote Local User Arbitrary File Overwrite Vulnerability

A remote local user can write arbitrary files on the Samba server, as the smb daemon does not sufficiently check NetBIOS name input. It is possible to overwrite files on the Samba server, and if a user has local access, potentially gain elevated privileges.

Crontab tmp file race condition

A race condition vulnerability exists in the swap file mechanism used by the 'vim' program. The error occurs when the swap file name for a file being opened is a symbolic link to a non-existent file. By guessing the name of a file that another user is about to edit, a local user may be able to create a malicious symbolic link to a non-existent file. This could cause the new target file to be created with the permissions of the user running vim.

Exploit diagrpt of Aix4.x & 5L to get a uid=0 shell

AIX ships with a diagnostic reporting utility called 'diagrpt'. This utility is installed setuid root by default. When 'diagrpt' executes, it relies on an environment variable to locate another utility which it executes. This utility is executed by 'diagrpt' as root. An attacker can gain root privileges by having 'diagrpt' execute a malicious program of the same name in a directory under their control.

KTVision <= 0.1.1-271 local r00t exploit by IhaQueR

KTVision works with frame-grabber cards and KDE (the K Desktop Environment for Unix) to support TV video display on the PC screen. KTVision is vulnerable to symbolic link attacks. It is possible for an attacker to anticipate the expected name of a KTVision config file. A local attacker can then create a symbolic link with the anticipated filename pointing to files on the system writable by ktvision (which is frequently installed setuid root). This could allow an attacker to overwrite any file on the filesystem, completely undermining the security of the exploited system.

Buffer Overflow in ntping

ntping is a component of scotty, a Tcl interpreter used to retrieve status and configuration information for TCP/IP networks. The utility, which runs with root privileges, contains a locally exploitable buffer overflow vulnerability. A local attacker can supply a long string as a command line argument to ntping; if the argument is of sufficient length (approximately 9000 characters), it will induce a segfault. If the input is carefully constructed, a local attacker can exploit this vulnerability to execute arbitrary code on the target host.
