The Kodak Color Management System configuration tool 'kcms_configure' is vulnerable to a buffer overflow that could yield root privileges to an attacker. The bug exists in the KCMS_PROFILES environment variable parser in a shared library 'kcsSUNWIOsolf.so' used by kcms_configure. If an overly long KCMS_PROFILES variable is set and kcms_configure is subsequently run, kcms_configure will overflow. Because the kcms_configure binary is setuid root, the overflow allows an attacker to execute arbitrary code as root. Exploits are available against Solaris x86 and Solaris Sparc.
The CDE Session Manager 'dtsession' is vulnerable to a buffer overflow that could yield root privileges to an attacker. The bug exists in dtsession's LANG environment variable parser. If an overly long LANG variable is set and dtsession is subsequently run, dtsession will overflow. Because the dtsession binary is setuid root, the overflow allows an attacker to execute arbitrary code as root. An exploit is available against x86 Solaris installations of CDE.
When a FTP PORT command containing an IP address which differs from the client's is processed by the stateful-inspection module, the occurrance is caught. Despite being detected, the condition is handled erroneously causing an entry for the PORT connection to be inserted into the table of 'RELATED' connections. This temporarily permits traffic through the firewall from the FTP server to the destination included in the PORT command.
A problem in the ftp server included with the Solaris Operating System could allow a local user to recover parts of the shadow file, containing encrypted passwords. Due to a previously known problem involving a buffer overflow in glob(), it is possible to cause a buffer overflow in the Solaris ftp server, which will dump parts of the shadow file to core. This can be done with the CWD ~ command, using a non-standard ftp client.
If a HTTP request with an unusually long path is submitted, the Web Proxy service on a host running MS ISA Server could stop responding. This vulnerability is only exploitable from the internal network unless the Web Publishing service has been enabled, in which case it can be exploited from either internal or external networks. It is disabled by default. A HTML email containing the malicious URL in an image tag or a javascript URL, could invoke a user's browser. An attempt to fulfill this request by the Web Proxy service, could instigate the denial of service condition on an internal users system. This is a potential way a remote attacker could exploit this vulnerability even if Web Publishing is disabled.
This exploit sends a specially crafted udp packet to the triton client which leads to command execution through a buffer overflow. The Triton client does not open the sipxtapi port 5061 by default. The port is open when the client attemps to try any talk session, and stays open for the remainder of the time it is running.
A problem in the Net.Commerce package could allow a remote user to deny service to legitimate users of the service hosted by the Websphere server. This is due to the handling of long strings by the macro.d2w cgi included with a Net.Commerce installation. By supplying a long string of “%0a” characters to the CGI, the Websphere server ceases operation.
NCM Content Management System is vulnerable to SQL injection due to improper checking of input by the content.pl script. This vulnerability can be exploited by appending malicious SQL queries to valid URLs. For example, the following URL can be used to execute arbitrary SQL queries: http://www.TARGET/content.pl?group=49&id=140%20or%20id>0%20or%20ls_id<1000%20or%20kategorie<10000%20or%20kategorie>10%20or%20ls_id>1%20or%20id<10%20or%20kategorie<10%20or%20kategorie>4&shortdetail=1
A problem in the handling of environment variables by the SGID sys program ipcs could lead to local users gaining elevated privileges. Improper bounds checking of the buffer holding the TIMEZONE environment variable by the program could lead to a buffer overflow, and the overwriting of stack variables including the return address. Therefore, it is possible for a local user to execute arbitrary code with the EUID of sys, and potentially gain further elevated privileges.
A format string bug in the logging facility of the cfingerd 'Configurable Finger Daemon' allows remote users to attain root privileges and execute arbitrary code. An attacker can set up a remote machine that returns specific format strings instead of a valid username, and connects to cfingerd from that machine, he can exploit the format string bugs. Because cfingerd runs as root, this means the attacker gains full control of the cfingerd host.
Services By CQR