A buffer overflow in libc's handling of the LC_MESSAGES environment variable allows a malicious user to exploit any suid root program linked against libc to obtain root privileges. This problem is found in both IBM's AIX and Sun Microsystems' Solaris. This vulnerability allows local users to gain root privileges.
A malicious user can create a malformed entry such as ',1' in the counter.log file by requesting a URL of the form 'http://www.example.com/scripts/counter.exe?%0A'. Any further request will result in an Access Violation in counter.exe. A similar vulnerability exists if a user requests a URL of the form 'http://www.example.com/scripts/counter.exe?AAAAA' with over 2200 A's. All further requests for counter.exe are queued and are not processed until the error messages are cleared at the console. System memory may be decremented each time a request for counter.exe is queued.
The setuid root 'midikeys' executable can be used to edit arbitrary files via its graphical user interface, granting malicious users root access to the system. Running the midikeys application, clicking on sounds, and then songs will bring up a file dialog. Entering the filename of a known file opens it for editing with root privileges. People have reported trouble reproducing the vulnerability when the editor is vi. Alternatively, the WINEDITOR environment variable can be changed to any command, which is then executed as root. Under Irix 6.2, this can be done by going to Toolchest -> Desktop -> Customize -> Desktop -> Default Editor: Other, or under Irix 6.5 in Toolchest -> Desktop -> Customize -> Utilities -> Test Editor: Other. The midikeys window can be opened by running 'midikeys -display remotehost:0'. Under the midikeys window, clicking sounds and then midi songs will open a file manager type interface. The path and filename of files can be entered, including root-owned files with group/world read/write permissions unset. If a file like '/usr/share/data/music/README' is selected, it will appear in a text editor. The text editor can be used to open /etc/passwd and make modifications at will.
A vulnerability in Microsoft Site Server's Ad Server Sample directory allows the retrieval of a site's configuration file (SITE.CSC), which contains sensitive information pertaining to an SQL database. The AdSamples directory is part of the Ad Server component of Site Server, which can be installed optionally. If the sample directory is installed and access controls are not applied, any user can read the site's SITE.CSC file. This file may contain the DSN, username, and password used to access the Site Server's SQL database. The URL below contains the syntax to view the SITE.CSC file in a default installation: http://sitename/adsamples/config/site.csc A text editor may be used to view the contents of the SITE.CSC file.
A stack buffer overflow vulnerability in the handling of the "-a" command in the lpset program allows arbitrary execution of code with root privileges. The lpset utility sets printing configuration information in the system configuration databases. lpset can be used to create and update printing configuration in /etc/printers.conf or Federated Naming System (FNS). Only a superuser or a member of Group 14 may execute lpset. There have been mixed results as to whether the application exits with the message "Permission denied: not in group 14." before the overflow can be exploited, and thus whether the vulnerability can only be exploited by members of group 14.
A stack-based buffer overflow in the handling of the "-p" option of the dtprintinfo command allows the execution of arbitrary code as root. This vulnerability is in the CDE 1.2 and CDE 1.3 subsystems of Solaris 2.6 and Solaris 7 respectively. Before executing the ex_dtprintinfo exploit, the DISPLAY environment variable must be set correctly and a dummy lpstat command must be created.
A buffer overflow condition has been found in the rlogin program that may allow an unauthorized user to gain root access. Specifically, the overflow is in the rlogin code that handles the TERM environment variable. Similar bugs have been known to exist in some telnetd implementations.
The libXt library is part of the X Windows system. There are several buffer overflow conditions that may allow an unauthorized user to gain root privileges through setuid and setgid programs that are linked to libXt. This exploit is a buffer overflow in xterm which allows an attacker to gain root privileges.
The libXt library is part of the X Windows system. There are several buffer overflow conditions that may allow an unauthorized user to gain root privileges through setuid and setgid programs that are linked to libXt. These problems were openly discussed on the Bugtraq mailing list in 1996; this discussion led the OpenGroup (maintainers of the X-Windowing System) to release a new version of X Windows which was more thoroughly audited and which hopefully addressed a series of buffer overflows.