A vulnerability exists in the day5notifier program, shipped with Irix 6.2 from Silicon Graphics Inc. This program allows any user to run any command as root. day5notifier wisely replaces a number of system() calls with execve() calls. However, the code was translated to run a copy of /bin/sh as the command interpreter in the execve. As such, all the security problems associated with using a system() call in a setuid program remain.
Due to a rare and subtle bug in the 2.2.0 kernel, a Linux machine can be forced to reboot by an unprivileged local user. The cause is an invalid ELF core layout combined with the fact that munmap wipes out a vital page table entry.
It is possible to leak kernel memory and render TCP ports above 1024 unusable, locked forever in the CLOSE_WAIT state, in Linux kernels prior to the late 2.1.x and 2.2.0pre releases. Besides deliberate exploitation, multithreaded Unix applications compiled on Linux may also trigger these problems.
This vulnerability exists when the syslog option is enabled. The overflow is in the file error.c, in the Error() function, where the buf[MAXPRINT] buffer is used with no bounds checking. The consequence is a local root compromise.
Colorview is a utility used to view text files in color. It contains an arbitrary file access vulnerability that allows an attacker to view any file on the system that the user running the utility has access to. The vulnerability exists because Colorview fails to validate that the invoking user has access to the file supplied to the -text option.
This exploit uses Spreadsheet::WriteExcel to create a malicious Excel file with a link containing 500 'A' characters. When the link is clicked, the malicious payload is executed.
A vulnerability exists in the X libraries as supplied with Silicon Graphics IRIX operating system. By placing a carefully constructed buffer as the argument to the -xrm option, an attacker can execute arbitrary code.
A vulnerability exists in the chost and cimport programs, as shipped with SGI's Irix 5.x operating system. chost is part of the Cadmin package. By failing to validate the real userid, these programs allow any user to edit protected files, such as the passwd file. An attacker can exploit this vulnerability by running the chost or cimport programs and then double-clicking any shared resource to bring up the desktopManager running as root. The attacker can then edit the /etc/passwd file.
The at(1) program can be supplied with a -f flag, and an error in access validation can result in the mailing of portions of unreadable files to any user who can run at. at uses seteuid to set the appropriate user id to run under. However, it incorrectly sets its real and effective uid to 0 prior to opening the filename passed to the -f flag. This allows any user to read any file on the filesystem.
SGI's IRIX 5.x and 6.x operating systems include a utility called /usr/lib/netaddpr. This program can be used by privileged users to add network printing devices to the system. A race condition exists in this program that could allow any 'privileged' user to obtain root access. The netaddpr program is shipped setuid root. As part of its execution, it creates a file in /var/tmp with the file template printersXXXXXX. Because the creation of the file and the actual opening of the file are independent events, there exists a window during which an attacker can replace the file with a symbolic link. By making this link point to, for instance, /.rhosts, an attacker can elevate their privileges to that of root.
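The netaddpr race above comes from creating a temp file by name and then reopening it by name. As an added illustration (not code from the advisory or from IRIX), the C below shows the safe pattern: create with mkstemp(), validate by descriptor, and detect a name swap with a descriptor-versus-lstat() inode comparison. Paths under /tmp and the "standin" file are constructed stand-ins for /var/tmp and /.rhosts.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a unique temp file from a template such as "/tmp/printersXXXXXX".
 * mkstemp() opens with O_CREAT|O_EXCL, so a pre-planted symlink at that
 * name makes the call fail instead of being followed.  Returns the open
 * descriptor or -1; callers keep using the descriptor, never the name. */
int open_private_tempfile(char *template_path) {
    int fd = mkstemp(template_path);
    if (fd < 0) return -1;
    struct stat st;
    /* Validate by descriptor: a regular file, one link, owned by us. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || st.st_uid != geteuid()) {
        close(fd); unlink(template_path); return -1;
    }
    return fd;
}

/* The check a setuid program needs before touching the path by name again:
 * does the name still resolve (without following symlinks) to the inode we
 * created?  Returns 1 if yes, 0 if the name was swapped. */
int same_file(int fd, const char *path) {
    struct stat a, b;
    if (fstat(fd, &a) != 0 || lstat(path, &b) != 0) return 0;
    return S_ISREG(b.st_mode) && a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* Constructed demonstration: create the file, then replace its name with a
 * symlink to a harmless stand-in file (the role /.rhosts plays in the
 * advisory) and show that the descriptor-based check notices the swap.
 * Returns 1 when both checks behave as expected. */
int demo(void) {
    char path[] = "/tmp/printersXXXXXX", target[] = "/tmp/standinXXXXXX";
    int fd = open_private_tempfile(path);
    if (fd < 0) return -1;
    int before = same_file(fd, path);            /* expected 1 */
    int tfd = mkstemp(target);
    if (tfd < 0) { close(fd); unlink(path); return -1; }
    close(tfd);
    unlink(path);                                /* the window the advisory describes */
    int after = symlink(target, path) == 0 ? same_file(fd, path) : -1;  /* expected 0 */
    close(fd); unlink(path); unlink(target);
    return before == 1 && after == 0;
}
```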