Versions of GNU groff prior to release 1.11a, and standard troff, contain vulnerabilities that can lead to a local root compromise under the right conditions. A malicious user can, in theory, embed t/g|roff macros inside man pages that will execute with the uid of the unsuspecting reader. A groff example of this is a man page that, once read as root, adds another user to /etc/passwd with uid 0 and no password. To execute a command and display its output, the macro .pso can be used. While troff has fixed some of these, or at least disabled them by default, old vulnerabilities still exist, such as .sy and .pi, which respectively execute commands via system() and pipe output to a program.
Rational Software's ClearCase product includes a vulnerability whereby an unprivileged user can have any readable executable set to SUID root. A 1.5 meg file is copied and then chmod'ed to SUID, and during the time this file is being copied it can be unlinked and replaced with another (a race condition).
There were a number of vulnerabilities in the Samba package pre-2.0.5. The first is a possible denial of service in nmbd (the NetBIOS name service daemon), which resulted in nmbd spinning until killed. The second known vulnerability is a possible buffer overflow in smbd which is not exploitable in the default install/configuration. A function in the messaging system could be exploited and arbitrary code executed as root if the "message command" was set in smb.conf. There was also a race condition vulnerability which could possibly allow an attacker to mount arbitrary points in the filesystem if smbmnt was setuid root (which it is not by default). The code does not do range checking when copying a username from the environment variables USER or LOGNAME. To get this far into the code we need to execute with dummy arguments of a server and a mountpoint to use (./a in this case). The user will need to create the ./a directory and then execute smbexpl to gain root. This code is also set up to use /tmp/sh as the shell, as bash-2.01 appears to do a seteuid(getuid()), so /bin/sh on my system won't work. Finally, a "-Q" (an invalid command-line argument) causes smbmount to fail when parsing args and terminate, thus jumping into our shellcode.
At Ease 5.0 has an access control vulnerability that allows a user to access any other user's volume on the server through a web browser. By logging in as any user that has access to Netscape Communicator and typing in the file path, it is possible to browse any user's files and download them.
This vulnerability allows any web user to obtain unauthorized access to unpublished files on the IIS server and to use MDAC to tunnel ODBC requests through to a remote internal or external location, thereby obtaining access to non-public servers or effectively masking the source of an attack on another network.
The DataFactory object in RDS allows remote access via the Internet to database objects through IIS. If the Microsoft JET OLE DB Provider or the Microsoft DataShape Provider is installed, a user could use the shell() VBA command on the server with System privileges. This vulnerability, combined with the Microsoft JET Database Engine VBA vulnerability, can allow an attacker on the Internet to run arbitrary commands with System-level privileges on the target host.
Operating systems with a shared memory implementation based on or influenced by the 4.4BSD code may be vulnerable to a denial of service attack. The problem exists because a process can mmap() or shmget() as much memory as it likes, bypassing rlimits. When the process then triggers page faults, the system begins allocating the memory (it is not actually allocated at first) and runs out. With System V IPC the memory remains allocated even after the process has stopped running.
Patrol 3.2, installed out of the box, allows a local root compromise or denial of service. The vulnerability lies in the creation of a file by snmpagnt that is owned by the owner of the file's parent directory and is possibly world-writeable. A local user can specify any file (e.g. /.rhosts) and have it created with permissions set according to the user's umask.
This vulnerability has to do with the division of the address space between a user process and the kernel. Because of a bug, if a non-standard memory configuration is selected, user-level processes may sometimes be given access to up to 252 MB of memory that is really part of the kernel. This allows the process to first search for its own memory descriptor and then extend it to cover the rest of kernel memory. It can then search for a task_struct and modify it so that its uid is zero (root). This vulnerability is very obscure: it only works on that version of Linux, and only if a non-standard memory configuration is selected.
The Windows 98 and Windows 2000 TCP/IP stacks were not built to reliably tolerate malformed IGMP headers. When one is received, the stack will sometimes fail, with unpredictable results ranging from a Blue Screen to an instantaneous reboot.