
Explore Vulnerabilities


Explore all Exploits:

patchadd Solaris 2.x Symlink /tmp File Creation Vulnerability

A problem exists in the creation of /tmp files by patchadd. patchadd creates a variety of files in /tmp while installing patches on the operating system. The files created in /tmp are mode 0666, and are created with the extension sh<pid of patchadd>.1, sh<pid of patchadd>.2, and so on. Running the program requires administrative access. It is possible to brute-force guess the pid of patchadd and create files in the /tmp directory that are symbolic links to sensitive system files. It is therefore possible for a user with malicious intent to gain elevated privileges, corrupt system files, or execute arbitrary commands.

4.x BSD ftp daemon buffer overflow vulnerability

The ftp daemon derived from 4.x BSD source contains a serious vulnerability that may compromise root access. There exists a one-byte overflow in the replydirname() function. The overflow condition is due to an off-by-one bug that allows an attacker to write a null byte beyond the boundaries of a local buffer and over the lowest byte of the saved base pointer. As a result, the numerical value of the pointer decreases (so it points to a lower address, i.e. higher up the downward-growing stack, than it should), and when the replydirname() function returns, the modified saved base pointer is loaded into the base pointer register. When the calling function returns, the return address is read from an offset of where the base pointer points. With the last byte of the base pointer zeroed, this will be a location other than where it should be. If this region of the stack is under the control of the attacker, such as the local variable which contained the extra byte in the first place, an arbitrary address can be placed there that will be used as the saved return address by the function.

Buffer Overflow in AOL Instant Messenger (AIM)

A buffer overflow exists in the parsing of aim:// URL parameters. The buffer overflow has to do with the parsing of parameters associated with the "buddyicon" option. The stack overflow will occur if the "Source" parameter, which is the argument to the buddyicon option, is more than 3000 characters in length. It may be possible to execute arbitrary code. Since this vulnerability manifests itself in a URL, a user needs only to click on the URL (which can be embedded in email, webpages, chatrooms, etc.) for the flaw to be exploited.

Buffer Overflow in AOL Instant Messenger

A buffer overflow vulnerability exists in versions of AOL Instant Messenger (AIM) prior to 4.3.2229. By sending a specially crafted URL, using the 'aim:' protocol, comprised of 'goim' and 'screenname' parameters, it is possible for a remote user to overflow the buffer during a memory copy operation and execute arbitrary code. Even if AIM is not running, if a user clicks or otherwise activates a malicious aim:// URL, the overflow will occur.

Microsoft Windows NT PPTP Denial of Service Vulnerability

A denial of service vulnerability exists in Microsoft Windows NT 4.0 up to and including Service Pack 4 running the Point-to-Point Tunneling Protocol (PPTP) service. This is accomplished by connecting to port 1723 (the PPTP/VPN service's port) and sending garbage (~256 characters) followed by control-d, which causes the target machine to reboot.

EZShopper Directory Disclosure Vulnerability

It is possible for a remote user to gain read access to various files that reside within the EZShopper directory. By requesting a specially crafted URL utilizing the 'loadpage.cgi' application with a '/' appended, EZShopper will disclose the contents of the EZShopper directory. As a result, it is possible for an attacker to navigate into its subdirectories and view any file. It is also reported that this same CGI application allows directory traversal sequences to be utilized to retrieve the contents of arbitrary Web server accessible files.

Leif M. Wright’s simplestguest.cgi Vulnerability

An insecure call to the open() function leads to a failure to properly filter shell metacharacters from user supplied input. As a result, it is possible for an attacker to cause this script to execute arbitrary shell commands with the privileges of the webserver.

Secure Computing e.iD Authenticator for Palm PIN Disclosure Vulnerability

Secure Computing's SafeWord is a system of authentication services that supports, among other authentication methods, one-time passwords. The one-time passwords are generated by the authenticating user via a hardware or software token device from the user's PIN and a Token Key stored in the device. During authentication, a user-generated one-time password, or tokencode, is sent to the authentication server, and the user is authenticated if the tokencode was generated from a valid PIN and Token Key. In this sort of authentication system, the security of the shared secret (the user's PIN) is critical. Secure Computing's e.iD Authenticator for Palm is a software token device for the SafeWord system that runs on the Palm Pilot. e.iD Authenticator for Palm uses a Palm database (PDB) file called "sceiddb.pdb" containing an encrypted version of the user's PIN as well as the Token Key. The encrypted version of the user's PIN is used when the user attempts to change his PIN. Before the PIN can be changed, the user must enter their current PIN. The entered PIN is encrypted and compared to the stored encrypted PIN. If they don't match, the device will display a warning and refuse to change the PIN. PINs are from 2 to 8 digits in length. The encrypted PIN is always 16 bytes. The encrypted PIN is found starting at address 0x7A through address 0x89 in the "sceiddb.pdb" file. As the Palm Pilot and related devices are general-purpose platforms and not tamper-resistant devices, there exist likely scenarios in which an attacker may obtain access to the "sceiddb.pdb" file. An attacker with access to the "sceiddb.pdb" file can obtain the user's PIN by encrypting every possible 8-digit PIN and comparing each with the encrypted PIN in the "sceiddb.pdb" file.

ad.cgi exploit

ad.cgi is a freely available ad rotation script written by Leif Wright. A problem exists in the script which may allow access to restricted resources. The problem occurs in the method by which the script checks input. Due to insufficient validation of input, the script allows a user to execute programs on the local system by making use of the FORM method. This makes it possible for malicious users to remotely execute commands on the system with the privileges inherited from the HTTPD process.

Leif M. Wright’s Simplestmail.cgi Vulnerability

An insecurely structured call to the open() function leads to a failure to properly filter shell metacharacters from user-supplied input. As a result, it is possible for an attacker to cause this script to execute arbitrary shell commands with the privileges of the webserver.
