The 'screen' utility in versions 3.9.5 and prior has multiple format string vulnerabilities that can be exploited by local users to elevate their privileges. If 'screen' is setuid root, an attacker can alter the contents of the variable storing the user id.
An attacker can control the output of the message retrieval functions that get fed to the printf(3) family of functions, allowing them to execute arbitrary code as a privileged user (root) through almost any SUID program on the vulnerable systems. On some operating systems, the problem can also be exploited remotely using the environment variable passing options in telnetd.
The locale subsystem in many UNIX operating systems is vulnerable to a format string vulnerability. By manipulating the custom messages database, an attacker can control the output of the message retrieval functions and execute arbitrary code as a privileged user. This vulnerability can be exploited locally or remotely, but remote exploitation requires the ability to place the suitable messages database on the target host.
The vulnerability allows a remote attacker or a local low-privileged user account to inject and execute their own SQL commands on the affected application's DBMS without user interaction. The vulnerabilities are located in the mypage.do and rca.jsp module(s), in the vulnerable parameters selectedpageid and resourceid. Successful exploitation of the vulnerability results in DBMS and application compromise.
Darxite 0.4 does not do proper bounds checking on user-supplied data during the login process, relying on sprintf() to deliver the data into a 256 character buffer. Therefore, it is possible for an attacker to supply arbitrary code for execution at the privilege level of the Darxite user.
The xlockmore program is vulnerable to a format string vulnerability that can be exploited to execute arbitrary code with root privileges. By supplying format strings in the display value (-d option), an attacker can overwrite values on the stack and gain control of the program. This vulnerability affects all versions of xlock derived from xlockmore, including the version shipped with various operating systems.
A vulnerability exists in the telnet daemon shipped with Irix versions 6.2 through 6.5.8, and in patched versions of the telnet daemon in Irix 5.2 through 6.1, from Silicon Graphics (SGI). The telnetd will blindly use data passed by the user in such a way as to make it possible for a remote attacker to execute arbitrary commands with the privileges of the daemon. In the case of the telnet daemon, this is root privileges. The telnet daemon, upon receiving a request via an IAC-SB-TELOPT_ENVIRON request to set one of the _RLD environment variables, will log this attempt via syslog(). The data normally logged is the environment variable name and the value of the environment variable. The call to syslog, however, uses the supplied variables as part of the format string. By carefully constructing the contents of these variables, it is possible to overwrite values on the stack such that supplied code may be executed as the root user. This vulnerability does not exist in unpatched versions of Irix 5.2 through 6.1. It was introduced in these versions via patches designed to address the vulnerability outlined in CERT advisory CA-95:14. This was addressed in the 1010 and 1020 series of patches. If these patches are not installed, the system is not vulnerable to this specific attack.
Mediahouse Statistics Server LiveStats is susceptible to a buffer overflow attack if a URL in a GET request contains over 2030 bytes. Depending on the data inserted into the request, the application will crash or can be forced to execute arbitrary code.
The Service Control Manager (SCM) in Windows 2000 uses predictable named pipe names for controlling services. Any user process can create a named pipe with the next predictable name and force a service that the user is permitted to start to connect to that pipe. Once connected, the user process can impersonate the service, which in most cases runs in the SYSTEM account. This vulnerability allows a local user to gain Administrator account status by crafting an exploit.
The program dmplay in certain versions of IRIX is vulnerable to a buffer overflow attack. The issue arises due to the improper handling of the DISPLAY variable, allowing an attacker to supply a long string and overwrite the buffer.