Explore Vulnerabilities

Explore all Exploits:

Vulnerability in setxconf utility

A vulnerability exists in the setxconf utility, as shipped with Corel Linux 1.0. The -T option to setxconf will run xinit, which runs with euid root. xinit, when executed, will invoke the contents of ~/.xserverrc. A malicious user could therefore execute commands as root:

    cat > ~/.xserverrc
    echo "+ +" > /.rhosts
    rsh localhost -l root /bin/sh

Several vulnerabilities exist in the buildxconfig program

By failing to check input to the -f and -x flags, it is possible for an attacker to append to existing files, or create files that previously didn't exist. Using the -f argument, and supplying a filename that does exist, it is possible to append information to a file. Using the -x argument, and a file that does exist, it is possible to replace the first line of any file with the path to the X server selected. Finally, if either flag is passed the name of a file that does not exist, it will create it, with read, write and execute permission available for all users on the system.

Sambar Web/FTP/Proxy Server for Windows NT and 2000 DOS-style Batch Program CGI Scripts Vulnerability

The Sambar Web/FTP/Proxy Server for Windows NT and 2000 supports DOS-style batch programs as CGI scripts. A remote attacker can use any batch file used by the server in the 'cgi-bin' directory to run any valid command-line program with administrator privileges. This allows the attacker to read, modify, create, or delete any file or directory on the system, including user accounts, etc. Even if the user hasn't enabled or created any batch files, the software ships with two by default: 'hello.bat' and 'echo.bat'.

Microsoft Media Server 4.1 – Denial of Service Attack

Misordered handshake sequences sent to a Windows Media Unicast Server via Windows Media Player will cause the server to crash. Restarting the Unicast Service, including any open sessions during the time of the crash, is required in order to regain normal functionality. This is due to the dependency of the application on successfully completing asynchronous handshake requests in a proper sequential order between the client and the server.

Insecure file creation in /var/tmp

The 'lit' program, which is used to install licenses for Sun's WorkShop 5.0 compilers and other Sun products which use the FlexLM license management system, insecurely creates files in /var/tmp. This can be used to create files owned by root, with known contents. The file will be created with root's umask, which by default is 0022.

Pragma Systems InterAccess TelnetD Server 4.0 Buffer Overflow

The Pragma Systems InterAccess TelnetD Server 4.0 (Build 4) has an unchecked buffer in the code that handles login commands. Arbitrary code can be executed on the InterAccess TelnetD Server if a string of over 300 characters is used as a login name.

Microsoft Personal Web Server and Front Page Personal Web Server '/..../' Directory Traversal Vulnerability

Microsoft's Personal Web Server and Front Page Personal Web Server will follow '/..../' strings in requested URLs, allowing remote users to obtain unauthenticated read access to files and directories on the same logical drive as the web content. Hidden files are viewable via this method, although the Front Page directory itself is not. The name and path of the desired file must be known to the attacker. Note that while these programs support Windows 95, 98 and NT, only the Win9x versions are vulnerable.

SNMP World Writeable Community Vulnerability

In a number of network devices/operating systems, some default communities are world-writeable and therefore allow remote users to configure properties of the device/OS without any authorization (other than knowledge of the community name). The attacks can include manipulating routing tables and corrupting ARP caches, which can lead to further compromise.

Recent Exploits: