INND/NNRP is vulnerable to a remote root buffer overflow. The vulnerability is caused by a boundary error in the handling of the 'Path' header. By sending an overly long string, a stack-based buffer overflow occurs, overwriting the return address and allowing arbitrary code execution. The exploit code uses a NOP sled of 4 bytes followed by the shellcode and the return address.
Due to a flaw in Navigator's security code, all URLs in the about: protocol are considered to be part of the same domain. If arbitrary JavaScript code is placed in a GIF's comment field, the image information page treats it like a normal HTML page, so the JavaScript runs in the internal about: 'domain'. This issue has also been reported in commented JPEG files.
A problem with the handling of a long string of characters by the -F option of mailx makes it possible for a local user to gain elevated privileges. Because input to the -F option is insufficiently checked, an argument of 1150 characters overflows a buffer, making it possible to overwrite variables on the stack, including the return address.
The Kodak Color Management System configuration tool 'kcms_configure' is vulnerable to a buffer overflow that could yield root privileges to an attacker. The bug exists in the KCMS_PROFILES environment variable parser in a shared library 'kcsSUNWIOsolf.so' used by kcms_configure. If an overly long KCMS_PROFILES variable is set and kcms_configure is subsequently run, kcms_configure will overflow. Because the kcms_configure binary is setuid root, the overflow allows an attacker to execute arbitrary code as root. Exploits are available against Solaris x86 and Solaris SPARC.
SCO OpenServer 5.0.6 (and possibly earlier versions) ships with several suid bin executables used in printer administration and related tasks. These include lpusers, a component used to set the queue priority of jobs submitted to the LP print service by users. 'lpusers' contains a locally exploitable buffer overflow vulnerability that occurs when command-line arguments are of excessive length. If properly exploited, this can yield root privilege to the attacker.
uStorekeeper Online Shopping System from Microburst Technologies fails to properly validate user-supplied input, allowing remote users to submit URLs containing '/../' sequences and arbitrary filenames or commands, which will be executed or displayed with the privilege level of the webserver user. This permits the remote user to request files and execute commands from arbitrary locations on the host filesystem, outside the script's normal directory scope.
This exploit gives the attacker euid=0(root) on BSDi/3.0 systems. It uses a buffer overflow vulnerability to overwrite the return address on the stack with the address of the malicious code. The malicious code is then executed with root privileges.
FTPFS is a Linux kernel module that allows users to mount remote files from any standard FTP server as a local filesystem. A version of FTPFS is vulnerable to a buffer overflow leading to a denial of service, and potentially execution of arbitrary code. This overflow can be exploited by any local user with access to the mount command on a system with FTPFS installed.
A problem with the network software used with the Symmetra can allow a denial of service against the system, thus preventing administrative access. This problem is due to the handling of the telnet protocol by the firmware of the power supply. The system does not support more than one telnet session at a time, and after it encounters three failed login attempts, it discontinues access for a configurable period between 1 and 10 minutes.
A problem with the man command may allow for the elevation of privileges. Due to the handling of format strings by the -l argument of the man command, it may be possible for a local user to pass format strings through the man command, which could allow a user to write to a specific address on the stack and overwrite variables, including the return address of functions on the stack. man, as implemented with some distributions of the Linux operating system, is included as an SUID root binary. It may be possible for a malicious user with local access to execute arbitrary code on the stack, and potentially gain elevated privileges, including administrative access.