Explore all Exploits:

Linux Kernel IPv4 Option Processing Vulnerability

The vulnerability is the result of the kernel freeing a socket buffer when it shouldn't while sending an ICMP Parameter Problem error message in response to an IP packet with a malformed IP option. This results in the buffer being freed twice and in memory corruption.

KDE, kmail local email-attachment symlink exploit – possible root compromise.

When viewing messages with attachments, KMail creates a directory under /tmp in which to store the attachments, with a predictable name of the form 'kmail<pid of kmail>'. KMail fails to verify whether the directory already exists and follows symbolic links. This allows local attackers to create or overwrite files, with contents they can select, in any directory and/or file writable by the user running KMail.

NT Hostname Duplication Denial of Service Vulnerability

NT Workstations and Servers must have unique hostnames if they reside on the same network. Should an NT host attempt to use an existing hostname, the second server (with the new duplicate name) will fail to start its workstation and server services. A situation has been noted wherein a Win95 host may register the victim hostname (with a WINS server) by setting the Win95 workgroup name equal to the victim's hostname. The next time the victim host is rebooted, it will fail to start the workstation and server services as the WINS server will report that the hostname is claimed by the Win95 host.

Solaris 2.4 pre Jumbo Kernel Patch -35 Vulnerability

There is a vulnerability in the way Solaris 2.4 pre Jumbo Kernel Patch -35 (for SPARC) dumps core files. Under normal operation the operating system writes out a core image of a process when it is terminated due to the receipt of certain signals. The core image is called core and is written in the process's working directory (provided it can be; normal access controls apply). A process with an effective user ID different from the real user ID will not produce a core image. The problem in this instance is that because certain directories under Solaris 2.4 are 'group bin' writable, you can force programs which are in the bin group to dump core. Then, by using a symlink attack, you can overwrite files in directories owned by bin. A series of system-critical directories under Solaris 2.4 are writable by group bin.

Solaris 2.4, 2.5, and 2.5.1 FACE chkperm Vulnerability

Solaris 2.4, 2.5, and 2.5.1 have a package called FACE (Framed Access Command Environment) installed. Included in the package is a program called chkperm which checks a file to see if the user has permission to use the FACE interface. This program is installed suid and sgid bin, and is trivially exploitable to compromise the bin account under Solaris 2.4. The problem is triggered by running chkperm in a directory that is world-writable or in a directory that belongs to bin. chkperm on Solaris 2.5 seems to create a file called <gibberish characters> in the directory from which you execute it. chkperm needs write access for user bin (or group bin) to the directory from which you execute it. It also works the same with just 'chkperm -l'; the environment variable VMSYS can be set to anything. You could then create the link (to .rhosts in the example) using the <gibberish characters> file name created by chkperm and accomplish the same result.

cancelex – i386 Solaris root exploit for /usr/bin/cancel

A buffer overrun condition was discovered in Solaris 2.6 X_86 in /usr/bin/cancel. This buffer overflow is apparently present in the SPARC version as well, although it is thought to be unexploitable there. Previous versions of Solaris did not ship with /usr/bin/cancel as SUID root, so while the buffer overflow was present, it was harmless. Solaris 7.0 fixes this problem by changing the vulnerable function call.