Due to insecure creation of configuration (rc) files via the KApplication class, local users can modify the ownership of arbitrary files when running setuid-root KDE programs. Properly exploited, this can permit a local attacker to change the ownership of key system files and then write arbitrary data to them, allowing an elevation of privileges.
A scanf()-based buffer overflow has been discovered in the Simple Network Time Sync daemon and client version 1.0. Currently the buffer overflow has been tested on RedHat 6.1. It may be possible to obtain root, although it appears that only 50 characters are available for the injected code.
RealServer 7.0 will crash if it receives a request for a specific file with an unspecified variable value.
Sending an email to a Concatus IMate Web Mail Server 2.5 with a server name consisting of over 1119 characters will cause the application to crash. Restarting the program is required in order to regain normal functionality.
Apache HTTP Server 1.3.x (win32) allows remote users to obtain a directory listing of a directory, if directory indexing is enabled in the configuration, even when an index file is present that would normally be displayed instead. This can be achieved by appending a large number of "/" characters to an HTTP request sent to the server (eg: http://www.host.com///////////////////////////////////////////////////////...). When Apache calls stat() to check whether the index file (index.html, for example) exists, Windows returns an error if the path is too long. Apache incorrectly treats this error as if the file does not exist. The number of "/" characters required depends on the length of the path to the DocumentRoot.
If a specially malformed request is sent to the Windows Media Encoder it could cause the service to crash. The service would need to be restarted in order to regain normal functionality.
A remote user may browse any known directory on a host running Fastraq Mailtraq 1.1.4 by making a URL request that includes the '../' string. In addition, requesting a URL appended with '../' and an unusually long character string will return an error message disclosing the full path of the Mailtraq installation directory.
Buffer overflow vulnerabilities exist in elm (Electronic Mail for Unix). A proof-of-concept exploit was published by xfer of Buffer0verfl0w Security in 2000. The exploit uses setregid() plus generic shellcode and was tested under Linux Slackware 3.6, 4.0 and 7.0. The exploit requires the user to adjust the offset in order to gain access.
A buffer overflow vulnerability exists in elm (Electronic Mail for Unix). This exploit spawns an EGID mail shell on the default Slackware 4 install. It uses a shellcode that sets the gid to 12 and executes /bin/sh. The exploit uses a NOP sled and a return address to the shellcode.
KDE: /usr/bin/kdesud has a DISPLAY environment variable overflow which could allow the execution of arbitrary code. This script will get you gid = 0. It has been tested on Mandrake 7.0 (Air); for other distributions, adjust argv[1] to find the correct EIP value.