Certain versions of FreeBSD (3.3 Confirmed) and Linux (Mandrake confirmed) ship with a vulnerable binary in their X11 games package. The binary/game in question, xsoldier, is a setuid root binary meant to be run via an X windows console. The binary itself is subject to a buffer overflow attack (which may be launched from the command line) which can be launched to gain root privileges. The overflow itself is in the code written to handle the -display option and is possible to overflow by a user-supplied long string.
Certain versions of FreeBSD (3.3 Confirmed) and Linux (Mandrake confirmed) ship with a vulnerable binary in their X11 games package. The binary/game in question, xsoldier, is a setuid root binary meant to be run via an X windows console. The binary itself is subject to a buffer overflow attack (which may be launched from the command line) which can be launched to gain root privileges. The overflow itself is in the code written to handle the -display option and is possible to overflow by a user-supplied long string.
A vulnerability in the Linux kernel's TCP/IP allows local users to crash, hang or corrupt the system. A local user can crash, hang or currupt the system by sending out a packet with options longer than the maximum IP packet length. An easy way to generate such packet is by using the command 'ping -s 65468 -R ANYADDRESS'. The -R option is for the IP record route option. Under kernel versions 2.2.X the command will fail with an message of 'message too long'. The vulnerability seems to be the result of the kernel not checking aif packet with options is longer than the maximum packet size. A long packet seems to lead to memory corruption.
Certain versions of Solaris ship with a version of sadmind which is vulnerable to a remotely exploitable buffer overflow attack. sadmind is the daemon used by Solstice AdminSuite applications to perform distributed system administration operations such as adding users. The sadmind daemon is started automatically by the inetd daemon whenever a request to invoke an operation is received. Under vulnerable versions of sadmind (2.6 and 7.0 have been tested), if a long buffer is passed to a NETMGT_PROC_SERVICE request (called via clnt_call()), it is possible to overwrite the stack pointer and execute arbitrary code. The actual buffer in questions appears to hold the client's domain name. The overflow in sadmind takes place in the get_auth() function, part of the /usr/snadm/lib/libmagt.so.2 library. Because sadmind runs as root any code launched as a result will run as with root privileges, therefore resulting in a root compromise.
Xshipwars is a graphical 'star battle' client/server based game which runs a variety of platforms. Certain versions of the server which facilitates this game (versions before 1.25) had a remotely exploitable buffer overflow. The exploit would result in the execution of arbitrary commands as the UID of the server process. The exploit involves sending a maliciously crafted buffer to the server, which then overflows a buffer and allows the attacker to execute arbitrary code.
A remotely exploitable buffer overflow attack exists in certain versions of Solaris which ship with a vulnerable version of sadmind. sadmind is the daemon used by Solstice AdminSuite applications to perform distributed system administration operations such as adding users. The overflow in sadmind takes place in the get_auth() function, part of the /usr/snadm/lib/libmagt.so.2 library. If a long buffer is passed to a NETMGT_PROC_SERVICE request (called via clnt_call()), it is possible to overwrite the stack pointer and execute arbitrary code. Because sadmind runs as root any code launched as a result will run as with root privileges, therefore resulting in a root compromise.
GoodTech Telnet Server NT 2.2.1 is vulnerable to a remote denial of service attack due to an unchecked buffer. If 23870 or more characters are entered at the username prompt, the software will crash. GoodTech's Telnet Server 95/98 may also be vulnerable to this overflow.
Internet Explorer can handle URLs of type vnd.ms.radio: for streaming audio content. If a URL with 360 or more characters after 'vnd.ms.radio' is specified, a buffer in the file MSDXM.OCX gets overwritten, allowing arbitrary code to be run on the client machine.
If the Serv-U FTP server receives an overly long argument to the SITE PASS command, it will crash. To issue this command, an attacker must be already logged in as an authenticated user, including an 'anonymous' user.
If a solaris machine is running snoop in verbose mode, it may be possible to compromise its security remotely by exploiting a buffer overflow in snoop. The problem is a buffer with a predefined length of 1024 that can be overflowed in the print_domain_name function. The priviliges granted to arbitrary code which could be executed would be those of the user running snoop, root.
Services By CQR