
Explore Vulnerabilities


Explore all Exploits:

Environment Variables and Setuid/Setgid Programs Vulnerability

There exists a vulnerability involving environment variables and setuid/setgid programs under SunOS 4.0 and higher. A dynamically linked program that is invoked by a setuid/setgid program has access to the caller's LD_* environment variables if the setuid/setgid program sets the real and effective UIDs to be equal and the real and effective GIDs to be equal before the dynamically linked program is executed. A vulnerability exists if the UIDs and GIDs are not equal to those of the user that invoked the setuid/setgid program. In particular, SunOS /usr/lib/sendmail, /usr/bin/login, /usr/bin/su, and /usr/5bin/su are vulnerable to this problem. In-house and third-party software can also be impacted by this vulnerability. For example, the current versions of rnews, sudo, smount, and npasswd are known to be vulnerable under SunOS. This or similar vulnerabilities have been found in other Unix operating systems. It seems Sun's solution is to call the dynamically linked programs without both the real and effective UID and GID being the same. This is rather suboptimal, as third-party programs are left vulnerable. A better solution is to mark a process within the kernel as having changed its UID or GID. The dynamic linker can then query this information and use the LD_* variables depending on the results.

Sun Source Tapes Installation Vulnerability

The Sun distribution of sources (sunsrc) has an installation procedure which creates the directory /usr/release/bin and installs two setuid root files in it: makeinstall and winstall. These are both binary files which exec other programs, "make -k install" (makeinstall) or "install" (winstall), without a full path and without resetting the PATH environment variable. This makes it possible for users on that system to become root by copying the shell to a temporary directory, creating an install script, setting the PATH environment variable, and executing the winstall binary.

Setuid Root File Vulnerability

This vulnerability affects systems that have installed Sun Source tapes, as it allows users to become root by copying a shell to a temporary directory, creating a makefile that sets the permissions of the shell to 4777, setting the PATH environment variable to the temporary directory, and then executing the makeinstall or winstall binary files.

Improperly Installed chroot in Ultrix

In Ultrix versions 4.0 and 4.1, the /usr/bin/chroot binary is installed with improper permissions, allowing any user to execute it. This can lead to system users gaining unauthorized privileges. An attacker can create a fake root environment in /tmp/etc and /tmp/bin, copy the /bin/sh and /bin/chmod binaries to the fake environment, and then execute the chroot binary to gain root access. The attacker can then use the chmod binary to set the suid bit on the /tmp/bin/sh binary, allowing them to gain root access.

SunView File Access Vulnerability

On Sun3 and Sun4 systems, a remote system can read any file that is readable to the user running SunView. On the 386i, a remote system can read any file on the workstation running SunView regardless of protections. SunView does not kill the selection_svc process when the user quits from SunView, thus allowing remote systems to read files that were readable to the last user that ran SunView.

sed in the recipient strips all mail headers from the message before passing it on to the shell

This exploit is a type of command injection attack which allows an attacker to execute arbitrary commands on the vulnerable system. The attacker sends a maliciously crafted email to the victim's mail server, which contains a command in the recipient field. The command is then executed on the server, allowing the attacker to gain access to the system.
