Explore Vulnerabilities

Explore all Exploits:

Linux Kernel sysctl() Call Local Root Compromise

A problem in the Linux kernel may allow root compromise. The sysctl() call allows a privileged program to read or write kernel parameters. It is possible for unprivileged programs to use this system call to query values within the kernel. The system call accepts signed values, which could allow supplied negative values to reach below the threshold memory address set for system security. This makes it possible for a user with malicious motives to browse kernel space addresses, and potentially gain elevated privileges, including administrative access.

Gaining Read Access to Directories and Files Outside the Root Directory of Carey Internet Services Commerce.cgi

It is possible for a remote user to gain read access to directories and files outside the root directory of Carey Internet Services Commerce.cgi by requesting a specially crafted URL composed of '/../%00' along with the known filename or directory.

Micro Focus Cobol Apptrack Privilege Escalation Vulnerability

If Micro Focus Cobol is installed with the 'Apptrack' feature enabled, local users may be able to elevate privileges. A shell script called 'nolicense' that is executed as root is installed with insecure file permissions. As a result, attackers may be able to execute arbitrary commands as root if the script is modified.

IBM Net.Commerce Macro Vulnerability

IBM's Net.Commerce ecommerce platform supports macros which, by default, do not properly validate user-supplied input in requests. A carefully crafted request to a vulnerable script can cause the server to disclose sensitive system information, including results of arbitrary queries to the Net.Commerce database. This can allow an attacker to elevate privileges to those of the DB2INST1 account, and potentially issue arbitrary shell commands as the DB2INST1 user.

Integer-Overflow in SSH CRC32 Compensation Attack Detection Code

An integer-overflow bug in the CRC32 compensation attack detection code may allow remote attackers to write values to arbitrary locations in memory. This would occur in situations where large SSH packets are received by either a client or server, and a 32-bit representation of the SSH packet length is assigned to a 16-bit integer. The difference in data representation in these situations will cause the 16-bit variable to be set to zero (or a really low value). As a result, future calls to malloc() as well as an index used to reference locations in memory can be corrupted by an attacker. This could occur in a manner that can be exploited to write certain numerical values to almost arbitrary locations in memory.

SSH1 Brute Force Attack

A problem with the implementation of the SSH1 daemon could allow numerous brute-force login attempts against a system to go unlogged. The logging routine in the SSH1 code does not capture failed attempts beyond the fourth attempt. In a brute force attack scenario, there are numerous successive attempts at logging in as a specific user. This danger is escalated by the SSH1 package allowing remote root logins by default. It is possible for a remote user with malicious intent to launch a brute force attack against a system and successfully remain unnoticed by system logging utilities beyond the fourth attempted login. By use of this method, it is possible for the remote user to gain access to any account, and potentially the root account.

Microsoft Windows 2000 and 98 Denial of Service Vulnerability

Microsoft Windows 2000 and 98 are subject to a denial of service condition. Receiving a maliciously crafted email or visiting a malicious web site could prevent Windows 2000 from performing DNS resolution and Windows 98 from accepting any new TCP connections. This is due to a lack of restrictions on the allocation of network "sockets" by user applications. A malicious Java applet placed on a website could exploit this vulnerability and cause a DoS on victim systems.

Recent Exploits: