A vulnerability exists in PHP Live Helper version 1.5 and the latest version, which allows a remote attacker to include a file from a remote host. An attacker can send a specially crafted request to the vulnerable application and execute arbitrary code on the server. This can be exploited to compromise the application and the underlying system; other attacks are also possible.
The PLP Line Printer Control program, shipped with S.u.S.E. 5.2, is vulnerable to a local buffer overflow. An attacker can exploit this vulnerability to gain root access as a local user. The buffer being overflowed is 256 bytes, and an offset of 0 works just fine. The vulnerable code is in displayq.c and control_ops.c, where an attempt is made to fscanf() the lockfile's contents into a fixed-length buffer.
There is a vulnerability in Solaris's ff.core utility which allows normal users to execute the rename command as root. This particular bug, when leveraged against a series of other configuration issues in a standard Solaris setup, can lead to a root compromise. An example of this attack executed via the ff.core rename attack could be as follows: 1. rename /usr/bin/sh /usr/bin/admintool; 2. rename /usr/sbin/swmtool /usr/sbin/in.rlogind; 3. telnet localhost, log in and clean up. CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.
There is a symlink vulnerability known to exist under most modern Linux and NetBSD distributions. It involves /tmp/.X11-unix and the tendency to follow it, if it is a symlink, and overwrite the file it points to. It may be possible for a regular user to write arbitrary data to a file they normally have no write access to, resulting in a root compromise.
A vulnerability in PAM allows local malicious users to brute-force passwords via the su command without any logging of their activity. Since su sleeps before logging the failure and does not trap SIGINT, a user can try a password and, if su does not immediately give him a new shell, hit control-c within one second; his attempt will then not be logged. He can automate the process to brute-force passwords.
Linux gnuplot 3.5 is shipped with S.u.S.E. Linux 5.2 and installed suid root by default. There is a buffer overflow vulnerability present in gnuplot which allows users to obtain root access locally. The buffer being overflowed is only 80 bytes, so the settings have to be just so. Users who don't feel like typing in command-line offsets and buffer sizes can make a little shell script. Since gnuplot drops root privileges after it initializes the SVGA library, users can't just exec /bin/sh; they need to use the technique of replacing their saved uid in /dev/mem with '0', then execing whatever they please. They can do this by compiling Nergal's program, mem.c, and putting the output file in /tmp/xp. Nergal's program will then make /tmp/sh suid root, so users must first cp /bin/sh /tmp/sh. They will also have to change line 32 to the correct address of kstat, which can be obtained by running strings /proc/ksyms | grep kstat. The best fix is chmod -s /usr/bin/gnuplot.
The Debian GNU/Linux 2.1 apache package by default allows anyone to view /usr/doc via the web, remotely. This is because srm.conf is preconfigured with the line: Alias /doc/ /usr/doc/. Boa is also preconfigured this way. An attacker can use the command lynx http://some.host/doc to view all of the information in /usr/doc, which could be used to find vulnerable software on the remote machine.
A vulnerability in tcpdump causes it to enter an infinite loop within the procedure ip_print() from the file print_ip.c when it receives a packet with IP protocol number four and a zero header length and tries to print it. This may allow remote malicious users to evade network monitoring.
Arthur <pierric@ADMIN.LINUX.ORG> discovered an exploitable buffer overflow vulnerability in xcmail. The bug appears when replying to a message with a long subject line, and only when autoquote is on. The exploit is trivial, but as the buffer is not very large, a very precise return address calculation is needed. It is believed to be remotely exploitable, but the attacker has to know a lot about the machine they want to gain access to.
A stack buffer overflow vulnerability exists in several DLLs that handle the .HTR, .STM and .IDC extensions in Microsoft IIS, which may allow a remote attacker to execute arbitrary code on the target machine.