Buffer Overflow Vulnerability in sscw’s Handling of the HOME Environment Variable

A buffer overflow vulnerability in sscw's handling of the HOME environment variable allows local users to gain root privileges. The exploit code provided writes two C programs to /tmp, sccwx.c and sccwuid.c, and compiles them. The sccwx program sets the HOME environment variable to a NOP sled followed by the address of the compiled sccwuid program, so that the overflowed return address lands in the sled. The sccwuid program sets the real user ID to the effective user ID (root, inherited from the setuid target) and executes a root shell. The exploit code then launches sccwx.

Solaris TCP/IP Stack

A vulnerability in the Solaris TCP/IP stack may allow remote users to panic the system. If the nmap network mapping utility is run with its OS fingerprinting option ('-O') against an active listening port, and the server listening on that port is then killed, the system panics because of recursive calls to mutex_enter within the TCP STREAMS driver.

Denial of Service Vulnerability in FreeBSD VFS Cache

A vulnerability exists in FreeBSD's new VFS cache, introduced in version 3.0, that allows a local and possibly a remote user to force the kernel to consume large quantities of wired memory (memory that cannot be swapped out), creating a denial of service condition. The new cache has no way to purge an entry from memory while the corresponding file is open, so an attacker who keeps files open pins their entries in wired memory until the kernel runs short.

Lack of user input validation in ProFTPD

On systems that support it, ProFTPD will attempt to modify the name of the program being executed (argv[0]) so that the process list displays the command being executed by the logged-on user. It does this with snprintf, but passes the user-supplied command text as the format string rather than as an argument. Because snprintf then interprets any format directives embedded in the input, format string attacks ('%x' to read stack contents, '%n' to write memory) are easy. Logged in as an anonymous user you are still restricted in what you can do, but with a local login root compromise at this point is trivial. The exploit can be modified for other systems and for remote attacks.
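
The pattern described above, as an added illustration that is not ProFTPD's own source: a process-title routine that hands user input to snprintf() as the format string, beside the corrected form that keeps user input as data. The function names, buffer size and the sample FTP command line are assumptions for the example.

```c
/* Added example (not ProFTPD code): attacker-controlled text used as a
 * printf-family FORMAT, and the one-line fix. Names and sizes are assumed. */
#include <stdio.h>
#include <string.h>

#define TITLE_LEN 64

/* Vulnerable pattern: user_cmd is the format argument. Directives in it are
 * interpreted: %x reads values off the stack, %n writes to memory. */
void set_proc_title_vulnerable(char *title, size_t len, const char *user_cmd)
{
    snprintf(title, len, user_cmd);   /* user input is the FORMAT string */
}

/* Hardened pattern: a fixed literal format; user input is only ever data. */
void set_proc_title_safe(char *title, size_t len, const char *user_cmd)
{
    snprintf(title, len, "proftpd: %s", user_cmd);
}

/* Counts the '%' directives snprintf() would interpret if this string were
 * used as a format (a quick triage check over command logs). "%%" is a
 * literal percent sign and is not counted. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }
            n++;
        }
    }
    return n;
}

int main(void)
{
    char title[TITLE_LEN];
    /* Constructed sample of what a malicious client might send as a command. */
    const char *attack = "RETR %x%x%x%x%n";

    set_proc_title_safe(title, sizeof title, attack);
    printf("safe title      : %s\n", title);   /* directives appear literally */
    printf("directives seen : %d\n", count_format_directives(attack));
    /* set_proc_title_vulnerable(title, sizeof title, attack);
     * would let snprintf() interpret the five directives above. */
    return 0;
}
```

The two routines behave identically for a benign command such as "RETR file"; the difference only shows once the input carries '%' directives, which is why this class of bug survives ordinary testing.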

NT User Modification of RASMAN Binary Pathname

Any authenticated NT user can modify the pathname for the RASMAN binary (the ImagePath value under the service's Registry key). The next time the RAS service is started, the (trojan) executable referenced by that pathname runs with SYSTEM privileges. Such a trojan service may allow the user to execute commands on the target server as an administrator, including elevating their own account to Administrator. A UNC pathname may be used to point at an executable on another host on the network. 19502-1.exe modifies the RASMAN ImagePath key in the Registry so that a chosen executable runs in place of the real service. 19502-2.exe is a sample trojan service that may be run in its place; it launches a netcat listener on TCP port 123.

Buffer Overflow Vulnerability in Shared X Library

A buffer overflow vulnerability in the shared X library may allow local users to obtain higher privileges. Any setuid application linked against the library is potentially vulnerable. The vulnerability is in the handling of the '-bg' command line parameter. Setuid root applications known to be vulnerable include xload, xmcd, xterm, and scoterm. Setuid bin applications known to be vulnerable include scosession. Exploit code is provided which can be used to gain root access.

dtaction -u (User Flag) Buffer Overflow Vulnerability (Tru64/Digital UNIX 4.0d/e/f, AIX <= 4.3.2, Common Desktop Environment <= 2.1, IRIX <= 6.5.14, Solaris <= 7.0)

Under some distributions of the Common Desktop Environment (CDE), the dtaction program has a locally exploitable buffer overflow in the argument parsing code for the -u (user) option. An argument longer than 1024 bytes overwrites the buffer and can be exploited by a malicious local user.
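
The sscw HOME, shared X library '-bg' and dtaction -u entries above are all the same bug class: a fixed-size buffer receiving an attacker-controlled string (an environment variable or a command line argument) with no length check. The following is an added illustration, not any vendor's source code, showing the unchecked copy beside a bounded version that rejects oversized input; the 1024-byte size is taken from the dtaction entry, and the function names are assumptions.

```c
/* Added example (not vendor code): unchecked strcpy() of attacker-controlled
 * input into a fixed buffer, and a bounded replacement. Names are assumed;
 * the 1024-byte size mirrors the dtaction -u buffer described above. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 1024

/* Vulnerable: strcpy() stops only at the NUL terminator, so input longer
 * than NAME_LEN overwrites whatever follows 'name' on the stack (saved
 * registers, the return address). Never call this with untrusted input. */
void copy_user_vulnerable(char *name, const char *input)
{
    strcpy(name, input);
}

/* Hardened: measure first, refuse anything that does not fit including the
 * terminator, and never leave the buffer unterminated.
 * Returns 0 on success, -1 if the input was missing or too long. */
int copy_user_safe(char *name, size_t name_len, const char *input)
{
    if (input == NULL)
        return -1;
    size_t n = strlen(input);
    if (n >= name_len)              /* needs n+1 bytes; n+1 > name_len */
        return -1;
    memcpy(name, input, n + 1);     /* copies the NUL as well */
    return 0;
}

/* The same rule for an environment variable: for a setuid program getenv()
 * is as attacker-controlled as argv, so it gets the same bound. */
int copy_env_safe(const char *var, char *out, size_t out_len)
{
    return copy_user_safe(out, out_len, getenv(var));
}

int main(int argc, char **argv)
{
    char user[NAME_LEN];

    /* Constructed oversized argument in the shape an exploit's NOP sled takes. */
    size_t big_len = NAME_LEN + 511;
    char *big = malloc(big_len + 1);
    if (big == NULL)
        return 1;
    memset(big, 0x90, big_len);     /* 0x90 is the x86 NOP opcode */
    big[big_len] = '\0';

    if (copy_user_safe(user, sizeof user, big) != 0)
        fprintf(stderr, "refused: argument longer than %d bytes\n", NAME_LEN - 1);

    if (argc > 1 && copy_user_safe(user, sizeof user, argv[1]) == 0)
        printf("user: %s\n", user);

    if (copy_env_safe("HOME", user, sizeof user) == 0)
        printf("HOME: %s\n", user);

    /* copy_user_vulnerable(user, big);  -- would write 512 bytes past 'user' */
    free(big);
    return 0;
}
```

Rejecting rather than truncating is deliberate: a silently truncated user name or home path can itself become a security bug (the wrong account, the wrong directory), whereas a refused argument fails closed.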
