
Explore Vulnerabilities


Vulnerabilities in Hewlett Packard’s rlpdaemon

A number of vulnerabilities exist in Hewlett Packard's rlpdaemon under HP-UX 9.x and 10.x. These vulnerabilities may allow a remote attacker to access the system under the lp user account, as well as execute arbitrary commands remotely, also as user lp. There are three vulnerabilities (culled from RSI Advisory RSI.0006.06-25-98.HP-UX.RLPDAEMON): #1: The argument in the Unlink Data File section of the control file gets passed to /bin/rm by a system() call. This argument should normally be a filename; however, a semicolon and an arbitrary command can be appended, allowing execution of commands as user lp. #2: When the client passes a file to the rlpdaemon, no sanity checks are performed to ensure the validity of the filename. This allows a remote attacker to send any file s/he wants and have it stored in user lp's home directory. #3: The rlpdaemon will allow remote connections from any source port. This violates the lpd behavior recommended in RFC-1179, which explicitly states that only source ports 721-731 should be allowed to access the daemon.

Microsoft IIS and other NT webservers ASP Source Disclosure Vulnerability

Microsoft IIS and other NT webservers contain a vulnerability that allows remote users to obtain the source code of an ASP file. When ::$DATA is appended to the name of a requested ASP file, the ASP source is returned instead of being executed. For example, http://xyz/myasp.asp::$DATA will return the source of myasp.asp instead of executing it.

Buffer Overflow in BIND

A buffer overflow exists in certain versions of BIND, the nameserver daemon currently maintained by the Internet Software Consortium (ISC). BIND fails to properly bound the data received when processing an inverse query. Upon a memory copy, portions of the program can be overwritten, and arbitrary commands run on the affected host.

Qualcomm qpopper Buffer Overflow Vulnerability

A number of buffer-overflow issues reside in versions prior to 2.5 of Qualcomm's 'qpopper' program. Exploiting this issue allows a remote attacker to execute arbitrary commands on hosts that are running a vulnerable version. To determine if you are vulnerable, telnet to port 110 on the possibly vulnerable host. If any version prior to 2.5 is reported, including 2.5 beta, you should upgrade immediately to the latest version.

Buffer Overflow in Qualcomm qpopper

A number of buffer-overflow issues reside in versions prior to 2.5 of Qualcomm's 'qpopper' program. Exploiting this issue allows a remote attacker to execute arbitrary commands on hosts that are running a vulnerable version. To determine if you are vulnerable, telnet to port 110 on the possibly vulnerable host. A banner appears, informing you of the version of the pop server. If any version prior to 2.5 is reported, including 2.5 beta, you should upgrade immediately to the latest version.

Improper Checking of Ownership in dtappgather Utility

Due to improper checking of ownership, the dtappgather utility shipped with the Common Desktop Environment allows arbitrary users to overwrite any file present on the filesystem, regardless of the owner of the file. dtappgather uses a directory of permissions 0777 to create temporary files used by each login session. /var/dt/appconfig/appmanager/generic-display-0 is not checked for existence prior to the opening of the file by dtappgather, and as such, if a user were to create a symbolic link from this file to another on the filesystem, the permissions of this file would be changed to 0666. An additional bug exists whereby dtappgather blindly uses the contents of the DTUSERSESSION environment variable. By setting this variable to point to a file on the filesystem, its permissions can also be changed. As this command takes place relative to the /var/dt/appconfig directory, a series of '..' are required to establish the root directory, after which any file can be altered.

Buffer Overflow in IMAPd

A vulnerability exists in certain imapd implementations that allows an attacker to execute arbitrary code remotely. In certain instances, the code to be executed will run with root privilege. IMAP supports a command 'AUTHENTICATE' which specifies the type of authentication mechanism to be used to open a mailbox. The value passed to the AUTHENTICATE command is copied into a buffer of size 1024. The maximum size of this value, however, is 8192 characters. A failure to bound the read value to 1024 results in a buffer overflow.

Statd Remote Overflow, Solaris 2.5.1 x86

Statd is the RPC NFS status daemon. It is used to communicate status information to other services or hosts. The version of statd shipped with many Unix implementations contains a buffer overflow condition. This overflow condition exists in the handling of 'SM_MON' RPC requests. An attacker who successfully exploits this vulnerability would gain root privileges on the target host.
