An attacker can create a symbolic link from /tmp/tmpmsg to any file and wait for root to run the program. This will clobber the target file.
The named daemon in BIND 8.0.x will dump the named database to /var/tmp/named_dump.db when it receives a SIGINT signal and append named statistics to /var/tmp/named.stats when it receives a SIGIOT signal. It does not check for symbolic links while doing so and can be made to overwrite or append to any file in the system.
makebootdisk creates the file /tmp/return insecurely and follows symbolic links. An attacker can create a symbolic link from /tmp/return to any file and wait for root to run the program. This will clobber the target file.
Digital UNIX 4.0 will follow symlinks while writing core files if two setuid programs dump core in succession. The core file is owned by root but with the user's group ID. The core file permissions are 0600. This can be used to create a root-owned file anywhere in the filesystem.
liloconfig-color creates the file /tmp/reply insecurely and follows symbolic links. An attacker can create a symbolic link from /tmp/reply to any file and wait for root to run the program. This will clobber the target file.
Under normal operation, LicenseManager(1M) is a program used to view and manage FLEXlm and NetLS software licenses. Unfortunately, a set of vulnerabilities has been discovered that allows LicenseManager(1M) to arbitrarily manipulate root-owned files, allowing root access. To exploit this vulnerability, an attacker must create a directory, set the environment variable LICENSEMGR_FILE_ROOT to the directory, create a license.dat file, create a symbolic link from license.dat.log to /.rhosts, and then run LicenseManager. When the attacker clicks on Update, fills in the four fields with any information and clicks on Apply, LicenseManager will report an error. Ignoring the error and exiting will allow the attacker to access the root-owned file /.rhosts.
LicenseManager(1M) is a program used to view and manage FLEXlm and NetLS software licenses. A vulnerability has been discovered that allows LicenseManager(1M) to overwrite root-owned files, such as /.rhosts, with arbitrary content. This can be exploited to gain root access if remote root logins are enabled.
CesarFtp 0.99g is vulnerable to a buffer overflow. It can be exploited by sending a specially crafted MKD command with an overly long string, which can allow an attacker to execute arbitrary code on the vulnerable system.
A vulnerability exists in inetd which allows a remote user to crash inetd if the tcpmux service is not commented out of /etc/inetd.conf. The tcpmux service is defined in RFC 1078. It is also claimed inetd will die if the Windows 95/NT program postscan.exe, made by 7thsphere, is run against the host.
The vulnerability exists in the pfdisplay.cgi program distributed with IRIX. It allows an attacker to inject arbitrary commands into the program, which are then executed with the privileges of the web server. This can be exploited by sending a specially crafted HTTP request to the vulnerable CGI program.