A vulnerability has been discovered in the nsd service, as included by SGI in Irix 6.5.x. The vulnerability allows remote users to access potentially sensitive pieces of information, including, but not limited to, NIS map information, shadow password files, and remote connections. With IRIX 6.5, SGI has moved all name services, NIS services, and DNS lookups into a userland process called nsd, which exports the results of the queries it fields into a virtual filesystem. The virtual filesystem is normally mounted onto the directory /ns by the program /sbin/nsmount, which is invoked by nsd on startup. The nsd daemon itself is exporting the filesystem via NFS3 over a dynamically bound UDP port -- rather than a well-known or settable one -- typically in the 1024-1029 range. On a desktop system, 1024 is a good bet, since nsd is usually the first RPC/UDP service to be started. The NFS filesystem is not registered with mountd, so there is no way to query mountd for a mount filehandle. But because the NFS port is fairly easy to discover throug a port scan, it is possible to mount the filesystem without knowing the filehandle.
It is possible to cause a denial of service (remote and local) through generating old, obscure kernel messages (not terminated with ) in klogd. The problem exists because of a buffer overflow in the klogd handling of kernel messages. It is possible to gain local root access through stuffing shellcode into printk() messages which contain user-controllable variables (eg, filenames).
A vulnerability exists in the netprint program, shipping with Irix 6.x and 5.x by Silicon Graphics. The netprint program calls the "disable" command via a system() call, without specifying an explicit path. Therefore, any program in the path named disable can be executed as user lp. However, one can go further if BSD printing subsystem is installed. /usr/spool/lpd is owned by lp, and it's the place where lpd writes lock file. lpd is also root/suid. So one replaces /usr/spool/lpd/lpd.lock with a symlink to /etc/passwd and runs lpd, passwd gets nuked. Then one repeats netprint trick, and, voila, disable now runs as root, because lp is not found in passwd. Kinda neat.
A buffer overrun exists in the /bin/mailx program. By supplying a long, well crafted buffer as the username argument, an attacker can use it to execuate arbitrary code. On some systems, this will result in the ability to execute code as group mail.
A buffer overflow exists in the /bin/login program supplied by Silicon Graphics, as part of their Irix operating system. By supplying a carefully crafted, log buffer to the -h option of login, a local user can obtain root privileges.
The i_count member in the Linux inode structure is an unsigned short integer. It can be overflowed by mapping a single file too many times, allowing for a local user to possibly gain root access on the target machine or cause a denial of service. Below is a short example of how this vulnerability can be exploited: #include <unistd.h> #include <fcntl.h> #include <sys/mman.h> void main() { int fd, i; fd = open("/lib/libc.so.5", O_RDONLY); for(i = 0; i < 65540; i++) { mmap((char*)0x50000000 + (0x1000 * i), 0x1000, PROT_READ, MAP_SHARED | MAP_FIXED, fd, 0); } }
A buffer overflow condition exists in some versions of /usr/sbin/ping under AIX. Given that ping is SUID root, this overflow allows malicious users to gain root from it. This exploit is designed for AIX 4.x on PPC platform.
AIX version 4.2.1 introduced a new command titled 'portmir'. This new program had two notable vulnerabilites. First it contained a buffer overflow which allowed malicious users to obtain root privileges. Secondly it wrote it's log files to a world readable directly thereby exposing security relavent information.
A buffer overflow exists in the version of msgchk shipped with RedHat Linux 5.0. The vulnerability allows a user to execute arbritrary commands as root to compromise superuser access.
The inpview utility, included by SGI in its Irix operating system, contains a vulnerability that will allow any local user to obtain root access. inpview is part of the InPerson dektop video conferencing package. As it needs to access a video capture device, it is setuid root, and attempts to run the "ttsession" utility using the system() library call. It does not specificy an explicit path, and as such will execute the first program or script named "ttsession" in the users path. By setting /tmp to be first in the user's path, creating a shell script in /tmp call ttsession, and making it executable, this shell script will be executed as root.
Services By CQR