SCO OpenServer 5.0.6 (and possibly earlier versions) ships with several suid bin executables used in printer administration and related tasks. This includes lpshut, a component used to shut down the LP print service. 'lpshut' contains a locally exploitable bufffer overflow due to a lack of bounds checking during operations performed on user-supplied data. An attacker may exploit this vulnerability to execute arbitrary code with effective userid 'bin' privileges.
SCO OpenServer 5.0.6 (and possibly earlier versions) ships with several suid 'bin' executables used in printer administration and related tasks. This includes lpadmin, a component used to manage and configure print destinations, devices and printer interface programs. 'lpadmin' contains a locally exploitable buffer overflow condition present in the handling of command-line parameters. If properly exploited, this can yield user 'bin' privileges to the attacker.
PIX firewalls using TACACS+ are vulnerable to a resource starvation attack which results in a denial of service. Upon receiving multiple requests for TACACS+ authentication from an unauthorized user, the firewalls resources can be exhausted. This causes the firewall to crash, requiring power cycling to resume regular service. A user from either the public or private side of the PIX can crash the firewall, and deny service to legitimate users.
The BSD ftp daemon and derivatives (such as IRIX ftpd or the ftp daemon shipped with Kerberos 5) contain a number of buffer overflows that may lead to a compromise of root access to malicious users. During parsing operations, the ftp daemon assumes that there can never be more than 512 bytes of user-supplied data. This is because that is usually how much data is read from a socket. Because of this assumption, certain memory copy operations involving user data lack bounds checking. It is possible for users to use metacharacters to expand file/path names through interpretation by glob() and exploit these overflowable conditions. In order to do so, the attacker's ftp account must be able to either create directories or directories with long enough names must exist already. Any attacker to successfully exploit this vulnerability would gain root access on the target host.
IPFilter is a packet filtering implementation that is in wide use on a variety of Unix systems. There exists a vulnerability in IPFilter that can allow an attacker to communicate with blocked ports on hosts behind an IPFilter firewall. The vulnerability is the result of IPFilter caching the decision to forward or drop a fragment, and applying this decision to other IP fragments with the same IP id. Even when a fragment is an 'initial' fragment (fragment with a fragment offset of 0) which may contain a TCP or UDP header, it will be evaluated based on the decision cache. As a result, an attacker can establish a 'permit' decision cache in an IPFilter firewall and then successfully pass fragments with arbitrary UDP or TCP headers through the firewall bypassing the ruleset.
A querystring can be submitted to an unpatched server which allows the remote user to specify a new destination URL to be opened in a visitor's browser upon clicking a PHP-nuke site's ad banner. By changing the click-through destination of a banner ad, an attacker could interfere with the target's ad-based revenue generation.
A denial of service vulnerability exists in versions of 602Pro Lan Suite. A remote attacker may connect to port 80 of the vulnerable host. Via this connection, the attacker submits a long request composed of at least 1033 characters. This excess input causes an overflows of the server's input buffer and crashes Lansuite.exe and all applicable services.
Many versions of 'ntpd' are prone to a remotely exploitable buffer-overflow issue. A remote attacker may be able to crash the daemon or execute arbitrary code on the host. If successful, the attacker may gain root access on the victim host or may denial NTP service on the affected host.
A user can confirm the existence and location of files and directory structure information, by submitting a 'size' or 'mdtm' command of a file. If the command is carried out by the vulnerable service, the attacker can confirm the location of the file. Submitting a 'size' or 'mdtm' command for a file outside of the FTP root could disclose directory structure information of unpublished filesystems on the host. If the requested command is fulfilled by the vulnerable service, the attacker can confirm the relative path to the file.
uStorekeeper Online Shopping System from Microburst Technologies fails to properly validate user-supplied input, allowing remote users to submit URLs containing '/../' sequences and arbitrary filenames or commands, which will be executed or displayed with the privilege level of the webserver user. This permits the remote user to request files and execute commands from arbitrary locations on the host filesystem, outside the script's normal directory scope.