The Solaris License Manager that ships with versions 2.5.1 and 2.6 is vulnerable to multiple symlink attacks. License Manager creates lockfiles owned by root and set mode 666 which it writes to regularily. It follows symlinks. An attacker can create a symlink to a target user's .rhosts file, and then wait for the License Manager to write to it, thus allowing the attacker to gain root access locally.
A vulnerability exists in the way rlogind parses arguments passed to it. By passing the -f argument with the value of root, it is possible to gain access to the root account on the target system. CVE-1999-0256 was assigned to this vulnerability.
Solaris 2.6 and many other unices/clones have a serious problem with their unix domain socket implementation that has it's origins in old BSD code. Any unix socket created by any application is set mode 4777. In Solaris versions 2.5 and earlier, the permissions were ignored completely. The applications are vulnerable to being connected to and written to by anyone.
Under older versions of AIX, by changing the IFS environment variable to /, setuid root programs that use system() or popen() can be fooled into running user-provided programs.
A vulnerability in rsh exists that can allow a regular user to modify a root owned socket descriptor. The consequences of this are a possible denial of service due to interfaces being manipulated by malicious users. The exploit involves compiling a C program called solarisuck.c and running it with rsh.
There is an unchecked sprintf() call in the versions of /usr/openwin/bin/kcms_configure shipped with solaris 2.5, 2.5.1 and 2.6. Unfortunately, kcms_configure is installed setuid root, making it possible for an attacker to overflow the buffer and have arbitrary code executed with superuser privileges.
There is an unchecked sprintf() call in the versions of /usr/openwin/bin/kcms_configure shipped with solaris 2.5, 2.5.1 and 2.6. Unfortunately, kcms_configure is installed setuid root, making it possible for an attacker to overflow the buffer and have arbitrary code executed with superuser privileges.
The rpc service rpc.statd, shipped with all major versions of Sun's solaris, is the status monitoring service for NFS file locking. The vulnerability lies in rpc.statd's ability to relay rpc calls to other rpc services without being validated by the access controls of the other rpc services. This can give the attacker the ability to redirect malicious rpc commands through rpc.statd (which runs as root) to services they may not normally have access to.
A buffer overrun exists in the permissions program, as shipped by Silicon Graphics with the 5.x and 6.x Irix operating system. By supplying a long, well crafted buffer as the 4th argument to the program, arbitrary code can be executed as group sys.
A buffer overflow exists in the ordist program, as shipped with Irix 6.x and 5.x from Silicon Graphics. By supplying long arguments to the '-d' option, containing a properly crafted buffer of machine exectuable code, root privilege can be obtained.
Services By CQR