The truncate() system call on a number of versions of the IRIX operating system (with the xfs file system) does not properly check permissions before truncating a file, making it possible for unprivileged users to damage files to which they would otherwise not have write access.
Certain versions of Network Associates Inc.'s Net Tools PKI (Public Key Infrastructure) server ship with a vulnerability which allows remote attackers to execute arbitrary commands on the system which the PKI server resides. The problem lies within the webserver component of the PKI server (strong.exe) which operates several 'virtual servers' required to operate the PKI server. The first is the Administrative Web Server which listens via TCP port 443, the second is Enrollment Web Server which listens on TCP port 444. Unlike the Administrative Web Server the Enrollment Web Server does not require credentials to be exchanged before a user can talk to the webserver. It is via this virtual server that an attacker can exploit the problem at hand. The user supplied URL's are processed by Strong.exe. If a url with an .XUDA extension is found, the request is forwarded to XUDAD.EXE for further processing. Prior to this 'hand-off' the URL string is parsed, filtered for meta characters and passed to a function that logs the request. Somewhere along the processing path, the user supplied data becomes the format string for a formatted output function similar to the ANSI C sprintf(). This allows a remote attacker to provide data that will force that function into overwriting arbitrary portions of the process memory and cause either a denial of service attack or the execution of arbitrary code.
Certain versions of Network Associates Inc.'s Net Tools PKI (Public Key Infrastructure) server ship with a buffer overflow vulnerability which could lead to a remote compromise of the system running the PKI server. The problem lies within the webserver component of the PKI server (strong.exe) which operates several 'virtual servers' required to operate the PKI server. The first is the Administrative Web Server which listens via TCP port 443, the second is Enrollment Web Server which listens on TCP port 444. Unlike the Administrative Web Server the Enrollment Web Server does not require credentials to be exchanged before a user can talk to the webserver. It is via this virtual server that an attacker can exploit the problem at hand. In particular this problem is located in the PKI servers log generation routines. In order to exploit it, a user must simply connect via an HTTPS connection to port 444 and provide an overly long URL (2965 + characters) which will be mishandled by the log routines resulting in a buffer overflow.
A vulnerability exists in the snoop servlet portion of the Tomcat package, version 3.1, from the Apache Software Foundation. Upon hitting an nonexistent file with the .snp extension, too much information is presented by the server as part of the error message. This information may be useful to a would be attacker in conducting further attacks. This information includes full paths, OS information, and other information that may be sensitive.
A vulnerability exists in the JSP portion of the Tomcat package, version 3.1, from the Apache Software Foundation. Upon hitting an nonexistent JSP file, too much information is presented by the server as part of the error message. This information may be useful to a would be attacker in conducting further attacks.
Certain versions of IRIX ship with a version of inpview that creates files in '/var/tmp/' in an insecure manner and is therefore prone to a race condition. An attacker can create a symlink to a previously created filename and force the SUID 'inpview' to overwrite the file with 'rw-rw-rw' permissions.
Certain versions of IRIX ship with a version of lpstat which is vulnerable to a buffer overflow attack. The program, lpstat, is used to check the status of the printer being used by the IRIX machine. The problem is in the command line parsing section of the code whereby a user can supply an overly long string and overflow the buffer resulting in a possible root compromise.
Certain versions of IRIX ship with a version libgl.so which is vulnerable to buffer overflow attacks. This library, libgl.so, is used in conjunction with graphical programs which use OpenGL. As a result a number of programs which utilize libgl.so can be exploited via this problem. The exploit which is in known public circulation at this time uses both gmemusage and gr_osview to exploit this problem. The buffer overflow itself is in how libgl.so handles the $HOME variable is handled (it is not checked for length). Further the programs which receive this $HOME variable from libgl.so further fail to limit it's size resulting in a buffer overflow attack. Should the receiving programs be SUID root (as are both gr_osview and gmemusage) the attacker will gain root access.
Under certain versions of IRIX, the 'gr_osview' command contains a buffer overflow that local attackers can exploit to gain root privileges. The buffer overflow itself is in the command-line parsing code and can be overflowed via a long user-supplied string.
This exploit is a local privilege escalation vulnerability in the Linux kernel. It affects versions 2.6.13 to 2.6.17.4 and 2.6.9-22.ELsmp. It was tested on Intel(R) Xeon(TM) CPU 3.20GHz with kernel 2.6.9-22.ELsmp. The exploit uses the prctl() system call to set the dumpable flag to 2, which allows the attacker to create a core dump file of the process. The attacker then creates a cron job which runs a setuid shell, allowing the attacker to gain root privileges.
Services By CQR