Explore Vulnerabilities

Explore all Exploits:

EsounD Race Condition Vulnerability

EsounD, part of the GNOME desktop environment, is a server process that allows several applications to share the same sound hardware. Versions of esound up to and including 0.2.19 create a world-writable directory (/tmp/.esd), which is also used to store the UNIX domain socket used by esound. The UNIX domain socket itself is also created world-writable. A race condition exists when this socket is created: if an attacker creates a symbolic link in the world-writable /tmp/.esd directory at the right time, the file pointed to by the link will be changed to world-writable mode. The target file, of course, would have to be owned by the user running ESound. This vulnerability may be due to unchecked return values when binding the address structure to the domain socket before setting permissions on the file, but this is unconfirmed, as are the exact technical details of this vulnerability.

WebDAV PROPFIND Request Information Disclosure Vulnerability

WebDAV (Web Distributed Authoring and Versioning) is an extension of HTTP which allows users to create, edit and share documents using the HTTP protocol. A particular request method, PROPFIND, allows users to retrieve resource properties such as displayname, date last modified, and others. The Apache web server as installed by SuSE 6.4 has WebDAV enabled for the entire file structure of the server. By making a specific, properly structured request to the Apache web server, it is possible to obtain information which is equivalent to a directory listing.

Mobius DocumentDirect for the Internet 1.2 Buffer Overflow Vulnerabilities

A number of unchecked static buffers exist in Mobius' DocumentDirect for the Internet program. Depending on the data entered, arbitrary code execution or a denial of service attack could be launched under the privilege level of the corresponding service.

Buffer Overflow #1 - Issuing the following GET request will overflow DDICGI.EXE:

GET /ddrint/bin/ddicgi.exe?[string at least 1553 characters long]=X HTTP/1.0

Buffer Overflow #2 - Entering a username consisting of at least 208 characters in the web authorization form will cause DDIPROC.EXE to overflow. If random data were to be used, a denial of service attack would be launched against the DocumentDirect Process Manager, which would halt all services relating to it.

Buffer Overflow #3 - Issuing the following GET request will cause an access validation error in DDICGI.EXE:

GET /ddrint/bin/ddicgi.exe HTTP/1.0
User-Agent: [long string of characters]

QNX Voyager Web Server Vulnerabilities

The web server supplied with the QNX Voyager demo disk contains several vulnerabilities. First, Voyager will follow relative paths passed to it in requests. This includes ../ style paths, which allow Voyager to serve pages outside of the "document root". Another vulnerability is that the web server does not have sufficient security restrictions, meaning that it can access any file, including protected files and special /dev entries. Also, due to the integration of the web browser and web server, information used by the Photon GUI is easily exposed by requesting files under /.photon/. Additionally, HTML files generated by the web browser (error messages, for example) and the QNX configuration interface share the same directory as published HTML files.

Path Traversal

The web server supplied with the QNX Voyager demo disk contains a vulnerability in which it follows relative paths passed to it in requests, including ../ style paths, which allows Voyager to serve pages outside of the "document root". Additionally, the web server does not have sufficient security restrictions, allowing it to access any file, including protected files and special /dev entries. DoS attacks can be performed by requesting files under /.photon/, and recent PPP passwords can be exposed by requesting files under /etc/ppp/.

CGI Script Center’s Auction Weaver Arbitrary Command Execution

CGI Script Center's Auction Weaver does not verify the validity of the value in the variable 'fromfile'. It is therefore possible to execute arbitrary commands on a remote system under the UID of the HTTP daemon by altering the variable 'fromfile'.

$LPHOME/bin/dccscan SUID-Root Vulnerability

$LPHOME/bin/dccscan is suid-root and can be executed by any user. It is possible for an unprivileged user to print files to which he does not have read access. In testing, this works even for printers to which the user is not given any access in the LPPlus security configuration.

LPPlus Print Management System Vulnerabilities

LPPlus Print Management System contains several files that are installed setuid root by default. These files include dccsched, dcclpdser and dccbkst, which start the scheduler, LPD server and network status daemons respectively. By default, all six may be run by a user of any privilege level, allowing any user to start and stop printing services, regardless of userid or group. Additionally, the file $LPHOME/system/lpdprocess is created mode 777. This file contains the process ID of the dcclpdser process. If a user replaces the PID in $LPHOME/system/lpdprocess with the PID of a target process and then runs $LPHOME/bin/dcclpdshut, the combination of this file's permissions and the fact that dcclpdshut is executable by any user allows any user to send signal 2 (SIGINT) to any process, thereby shutting it down.

Locale Subsystem Format String

Many UNIX operating systems provide internationalization support according to the X/Open XPG3, XPG4 and Sun/Uniforum specifications using the locale subsystem. The locale subsystem comprises a set of databases that store language- and country-specific information and a set of library functions used to store, retrieve and generally manage that information. In particular, a database of messages used by almost all the operating system programs is kept for each supported language. Programs access this database using the gettext(3), dgettext(3) and dcgettext(3) C functions (Sun/Uniforum specifications) or catopen(3), catgets(3) and catclose(3) (X/Open XPG3 and XPG4 specifications). Generally, a program that needs to display a message to the user obtains the proper language-specific string from the database, using the original message as the search key, and prints the result using the printf(3) family of functions. By building and installing a custom messages database, an attacker can control the output of the message retrieval functions that gets fed to the printf(3) functions. Bad coding practices and the ability to feed format strings to the latter functions make it possible for an attacker to execute arbitrary code as a privileged user (root) using almost any SUID program on the vulnerable systems. Alternatively, on some operating systems, the problem can be exploited remotely using the environment variable passing options in telnetd. However, a remote attacker must be able to place the suitable messages database on the target host (i.e. via anonymous ftp, NFS, email, etc.). It should be noted that under Linux this problem must be exploited in conjunction with another flaw in glibc. On RedHat systems, it is possible to evade the protection built into glibc by using the environment variable LD_PRELOAD.