This vulnerability could allow a web site viewer to obtain the source code for .asp and similar files if the server's default language (Input Locale) is set to Chinese, Japanese or Korean. How this works is as follows: IIS checks the extension of the requested file to see if it needs to do any processing before delivering the information. If the requested extension is not on it's list, it then makes any language-based calculations, and delivers the file. If a single byte is appended to the end of the URL when IIS to set to use one of the double-byte language packs (Chinese, Japanese, or Korean) the language module will strip it as invalid, then look for the file. Since the new URL now points to a valid filename, and IIS has already determined that this transaction requires no processing, the file is simply delivered as is, exposing the source code.
A buffer overflow is present in linux libc 5.4.32 and below that allows a user to obtain local root access under some conditions. The overflow is in the function vsyslog() and exploitable through the suid root program su, which passes the arg that exceeds boundaries directly to the function.
The xfsdump program shipped with Irix 5.x and 6.x from SGI contains a vulnerability which could lead to root compromise. By creating a log file in /usr/tmp called bck.log, a user could create a symbolic link from this file to any file they wish to be created as root. This is turn could be used to compromise the system.
When the computer is idle for the set time period (user definable) Winlogon.exe starts the screensaver. The screen saver process is selectable by the user. Winlogon.exe uses the CreateProcessAPI call to start the screen saver and immediately suspends it. At this point the screen saver is running with the security context of Winlogon.exe (system). Winlogon obtains the process handle, changes the primary security token of the screen saver to match the current user, and resumes the screen saver. Winlogon never verifies that the token change was successful. Therefore, a user could create an executable, set it as the screen saver, and should the security change fail it will run with full system-level privileges.
A vulnerability exists in both the Systour and OutOfBox susbsystems included with new installs of IRIX 5.x and 6.x from SGI. This vulnerability allows users on the system to run arbitrary commands as root. An attacker can exploit this vulnerability by creating a malicious .exitops file in the $HOME/var/inst directory and then running the RemoveSystemTour command. This will execute the malicious .exitops file as root, allowing the attacker to gain root privileges.
The SpaceBall game, shipped with Irix 6.2 from Silicon Graphics contains a security hole which could result in the compromise of the root account. By blindly taking the contents of the $HOSTNAME variable, and not placing quotes around it, the spaceball.sh program can be made to execute commands. An attacker can use this vulnerability to gain root privileges on the system.
A vulnerability exists in the startmidi program from Silicon Graphics. This utility is included with Irix versions 5.x and 6.x with the Iris Digital Media Execution Environment. startmidi is setuid root, and creates a temporary file called /tmp/.midipid. It does not check to see if this file already exists, and is a symbolic link. As such, it can be used to create root owned files, with permissions as set by the user umask.
The sgihelp program, from SGI and included with IRIX 5.1 and 5.2, contains a vulnerability. sgihelp contains an option that allows a user to print to a command. Certain SGI utilities, including PrintStatus, printers, scanners, and a number of others, will call this program without changing their uid to the users, from roots. As such, arbitrary commands can be executed as root using the 'print to command' option of sgihelp.
A vulnerability exists in the 'suid_exec' utility, as shipped by SGI with it's Irix operating system, versions 5.x and 6.x. Suid_exec is part of the Korn shell package, and was originally the mechanism by which ksh executed setuid shell scripts safely. However, it runs using the default shell, and as such will run the configuration files for the shell, such as a .cshrc. By placing malicious code in a .cshrc, and properly running suid_exec, commands can be executed as root.
A race condition exists in the serial_ports administrative program, as included by SGI in the 5.x Irix operating system. This race condition allows regular users to execute arbitrary commands as root. To exploit this vulnerability, an attacker can create a shell script in the /tmp directory, set the PATH variable to include the /tmp directory, and then execute the serial_ports program. After waiting for 10-20 seconds, the attacker can then execute the shell script as root.
Services By CQR