IE's default security settings allow a malicious webpage to open a new browser, open another site's main frame in that new browser and then set any subframes to a URL of their choosing. This could lead to misappropriation of private information, among other problems.
It is possible to view the entries in /etc/shadow by exploiting a buffer overflow in pkgcat and pkginstall. Though neither of these binaries is setuid, the dacread permissions granted in /etc/security/tcb/privs give them the ability to read /etc/shadow. When the oversized buffer data is passed to the programs as argv[1], the stack is corrupted and it is possible to spawn a program which "cats" /etc/shadow with the dacread privs.
Under certain versions of SCO UnixWare, if a user can force an SGID (Set Group ID) program to dump core, they may launch a symlink attack by guessing the PID (Process ID) of the SGID process they are calling. This is required because the core file is written to the directory from which the program is executed as './core.pid'. The program dumping core does not check whether that path is a symlink and will happily overwrite any file it has permission to write. Many SGID binaries under UnixWare are in the group 'sgid-sys', a group that has write permission to a large number of system-critical files. This attack will most likely result in a denial of service; however, if the attacker can get data of her choosing into the core file, she may be able to leverage it into root access. For example, if the intruder were able to get '+ +' onto a line of its own in the core file, the intruder could then overwrite root's .rhosts file.
Certain versions of SCO's Unixware (only version 7.1 was tested) ship with a series of package install/removal utilities which due to design issues under the SCO UnixWare operating system may read any file on the system regardless of their permission set. This is due to the package commands (pkginfo, pkgcat, pkgparam, etc.) having extended access due to Discretionary Access Controls (DAC) via /etc/security/tcb/privs. An attacker can use this vulnerability to gain access to sensitive files such as /etc/shadow and then use a password cracker to gain access to the system.
Certain versions of SCO's UnixWare (only 7.1 was tested) ship with the /var/mail/ directory with permission 777 (-rwxrwxrwx). This in effect allows malicious users to read incoming mail for users who do not yet have a mail file (/var/mail/username) present. This may be done by simply creating the file in question with a permission mode that is readable to the attacker.
Certain versions of SCO's UnixWare ship with a version of /usr/X/bin/xauto which is vulnerable to a buffer overflow attack which may result in an attacker gaining root privileges. This is exploitable to gain root privileges even though /usr/X/bin/xauto is not setuid root. This is due to a system design issue with SCO Unixware which is discussed in an attached message in the 'Credit' section titled 'UnixWare 7 uidadmin exploit + discussion'.
A buffer overflow vulnerability exists in the RSAREF cryptographic library which may make any software using the library vulnerable. The vulnerability exists in four functions in the rsa.c source file. All of these functions define a local variable called pkcsBlock of 128 bytes in length which can be overflowed, making it possible to execute arbitrary code. This vulnerability, in combination with BUGTRAQ ID 797, allows versions of both the SSH client and server linked against the RSAREF2 library to be vulnerable to a remote exploit.
Certain versions of SCO UnixWare ship with an exploitable version of the /usr/bin/uidadmin program. The problem is that 'uidadmin' runs with root privileges and performs insecure writes to a scratch directory (/tmp/ in this instance). A malicious user may write their own data to any file on the system provided the file does not already exist, or may overwrite existing files with a single string. This symlink attack is not typical due to specific features within the UnixWare OS.
The version of angband shipped with FreeBSD 3.3-RELEASE is vulnerable to a local buffer overflow attack. Since it is setgid games, a compromise of files and directories owned by group games is possible. The exploit is 1088 bytes of NOP/shellcode + 4 bytes EIP + 2 bytes garbage. The exploit is written in C and can be compiled with gcc.
The version of xmindpath shipped with FreeBSD 3.3 can be locally exploited by overrunning a buffer of predefined length. It is possible to gain the effective userid of uucp through this vulnerability. It may be possible, after attaining uucp privileges, to modify binaries to which uucp has write access and trojan them to further elevate privileges.