The 2.0.x kernels have a quirk in the TCP implementation that has to do with the accept() call returning after only a SYN has been received (as opposed to the three-way handshake having been completed). Sendmail, which is compiled on many Unices, makes the assumption that the three-way handshake has been completed and a TCP connection has been fully established. This trust in a standard TCP implementation is seen in the following section of code <src/daemon.c>: It is possible to cause a denial of service here if a RST is sent after the initial SYN to the sendmail smtpd on port 25. If that were done, the sendmail smtpd would be caught in a loop (above) accepting, testing the socket [yes, the one which accept() returned while listening on port 25], sleeping, and closing the socket for as long as the SYNs and following RSTs are sent. It is also entirely possible to do this with spoofed packets.
xosview is an X11 system monitoring application that ships with RedHat 5.1 installed setuid root. A buffer overflow vulnerability was found in Xrm.cc, the offending code listed below: char userrfilename[1024]; strcpy(userrfilename, getenv("HOME")); The userrfilename buffer can be overflowed via the HOME environment variable and arbitrary code executed to gain root access locally.
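The following is an added example, not xosview's code: it places the unsafe strcpy()-from-environment pattern described above next to a bounded replacement that refuses an unset or over-long HOME instead of writing past the 1024-byte buffer. The function names, the error-code convention and the wrapper are this example's own assumptions.

```c
/* Added example (not xosview's own code): the strcpy(getenv("HOME")) pattern
 * from the entry above, beside a bounded version that cannot overflow. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define USERRFILENAME_LEN 1024   /* same fixed size as the buffer in Xrm.cc */

/* Unsafe pattern as described for xosview: an unbounded copy from an
 * environment variable the invoking user controls into a fixed stack buffer.
 * Kept here for comparison only; it is never fed untrusted input. */
static void build_rc_path_unsafe(char *dst, const char *home) {
    strcpy(dst, home);   /* no length check: overflows when strlen(home) >= dst size */
}

/* Hardened version (assumed API): returns 0 on success, -1 if home is NULL or
 * would not fit. snprintf() bounds the write and its return value reveals
 * whether truncation would have happened, so the caller can refuse rather than
 * silently continue with a clipped path. */
static int build_rc_path_safe(char *dst, size_t dstlen, const char *home) {
    if (home == NULL || dst == NULL || dstlen == 0)
        return -1;
    int n = snprintf(dst, dstlen, "%s", home);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';   /* leave a defined, empty string on failure */
        return -1;
    }
    return 0;
}

/* Wrapper reading HOME the way the original code did, but through the bounded copy. */
static int user_rc_path(char *dst, size_t dstlen) {
    return build_rc_path_safe(dst, dstlen, getenv("HOME"));
}

int main(void) {
    char userrfilename[USERRFILENAME_LEN];
    if (user_rc_path(userrfilename, sizeof userrfilename) != 0) {
        fprintf(stderr, "HOME unset or too long; refusing to continue\n");
        return 1;
    }
    printf("resource file directory: %s\n", userrfilename);
    return 0;
}
```

A setuid program should treat every environment variable as attacker input; the bounded copy above is the minimum, and rejecting rather than truncating keeps later path handling from operating on a value the user never intended.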
Multiple vulnerabilities exist in the fsdump program included with Silicon Graphics Inc's IRIX operating system. Each of these holes can be used to obtain root privilege. Variant 1: An attacker can use the fsdump command to create a dump file of the /etc/passwd file. The attacker can then use the tail command to view the last 8 lines of the file, which includes the encrypted root password. The attacker can then use the vi command to remove the encrypted root password and then use the chgrp and chown commands to change the group and owner of the file. The attacker can then use the su command to gain root access. Variant 2: An attacker can use the fsdump command to create a dump file of the /etc/passwd file. The attacker can then use the cp command to copy the file to the /tmp directory and then use the ln command to create a symbolic link to the /etc/passwd file. The attacker can then use the fsdump command to create a dump file of the /etc/passwd file. Variant 3: An attacker can use the ln command to create a symbolic link to the /.rhosts file. The attacker can then use the fsdump command to create a dump file of the /.rhosts file. The attacker can then use the ls command to view the contents of the /.rhosts file and then use the rm command to remove the dump file.
IdeaBox version 1.1 and below is vulnerable to a remote file inclusion vulnerability. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable server. This request contains a URL in the 'gorumDir' parameter which points to a malicious file on a remote server. That file is then included and executed on the vulnerable server.
Abuse is a game that is included with RedHat Linux 2.1 in the games package. The console version, abuse.console, is setuid root and will load the program sndrv as root without checking for an absolute pathname. This means that sndrv can be substituted from another directory by a regular user and used to locally execute arbitrary code on the target machine. The consequence is a root compromise. The exploit creates a setuid-root shell /tmp/abuser on a Linux Red Hat 2.1 system with the games package installed.
Certain versions of AIX and HP/UX contained a bug in the way the OS handled the connect system call. The connect call is used to initiate a connection on a socket. Because of the flaw in the handling code under AIX, certain versions will reboot when given two connects: one to a fixed port (a number of different ports were found to trigger this behaviour) and then another connection to a random port immediately thereafter.
A vulnerability exists in the eject program shipped with Irix 6.2 from Silicon Graphics. By supplying a long argument to the eject program, it is possible to overwrite the return address on the stack and execute arbitrary code as root. Eject is normally used to eject removable media from the system, and as such is setuid root to allow any user at the console to perform eject operations.
A vulnerability exists in the datman/cdman program, as included with Irix 6.2 and 5.3 from Silicon Graphics Inc. The vulnerability would allow arbitrary users to execute commands as root. The datman/cdman program will check for the existence of a .cdplayerrc in the user's home directory. If it is found, and no .cddb directory is found, cdman will run the cddbcvt program. This program is invoked with the names of both the old and new databases via a system() call. Because of this, it is possible to substitute the names of the database with a command to be executed.
A buffer overflow exists in the IRIX 5.x and 6.x 'df' utility from Silicon Graphics Inc. By supplying a long argument to the -f option of df, a user can crash the df program. By carefully crafting a buffer containing machine executable code, an attacker can run arbitrary commands as root.