Explore Vulnerabilities

Explore all Exploits:

SCP 1.2.x Remote Pathname Spoofing Vulnerability

A vulnerability exists in the 1.2.x releases of scp which, if properly exploited using a modified scp binary on the server end, can permit the remote server to spoof local pathnames and overwrite files belonging to the local user. For example, if, following the command scp user@remotehost:/somefile /home/user/newfile, the modified server on the remote machine maliciously sends the filename as ../../etc/passwd, the local user's scp program will write the data to /home/user/../../etc/passwd (which is the same as /etc/passwd). Note that the target file can only be overwritten if the local user has write access to it. As a result, it remains inadvisable to run scp as root. This vulnerability applies to 1.2.x versions of ssh on the remote machine, irrespective of the version running as the client. ssh-2.x on the remote end employs a different protocol and as a result is reportedly not vulnerable to this bug. As a proof of concept, I created a trivial scp replacement (put it on the remote machine in the place of the original scp binary, usually in /usr/local/bin). It will try to exploit any file transfer, creating a setuid /tmp/ScpIsBuggy file on the client system.

JScript GetObject() and ActiveX htmlfile Vulnerability

It is possible for an outside attacker to view known files on a remote system if the target user visits a website or opens an email containing a specially formed script that uses the JScript function 'GetObject()' and the ActiveX object 'htmlfile'. Microsoft Internet Explorer or Outlook Express will grant full access to the DOM of an HTML document object if the following code is inserted into an HTML-formatted document.

YaBB.pl Path Disclosure Vulnerability

YaBB.pl, a web-based bulletin board script, stores board postings in numbered text files. The numbered file name is specified in the call to YaBB.pl in the variable num=<file>. Before retrieving the file, YaBB appends a .txt extension to <file>. Due to input validation problems in YaBB, relative paths can be specified in <file>, including ../ style paths. Additionally, <file> does not need to be numerical, and the .txt extension can be avoided by appending %00 to <file>. By combining these problems in a single request, a malicious user can view any file that the webserver has access to.

Apache WebDAV PROPFIND Directory Listing Vulnerability

WebDAV (Web Distributed Authoring and Versioning) is an extension of HTTP which allows users to create, edit and share documents using the HTTP protocol. A particular request method, PROPFIND, allows users to retrieve resource properties such as displayname, date last modified, and others. The Apache web server as installed by SuSE 6.4 has WebDAV enabled for the entire file structure of the server. By making a specific, properly structured request to the Apache web server, it is possible to obtain information equivalent to a directory listing.

Symbolic Link Following

By exploiting a flaw in the faxrunq and faxrunqd programs, it is possible for local users to create arbitrary files and alter arbitrary files on the filesystem. This can be done by creating a symbolic link named .last_run in /var/spool/fax/outgoing and running the faxrunqd or faxrunq program.

Command Injection Vulnerability in X-Chat

X-Chat versions 1.4.2 and earlier are vulnerable to command injection attacks. By supplying commands enclosed in backticks (``) in URLs sent to X-Chat, it is possible to execute arbitrary commands should the X-Chat user decide to view the link by clicking on it. This is due to the manner in which X-Chat launches pages for viewing: it does not check for shell metacharacters in the supplied URL, allowing an attacker to exploit shell expansion to execute commands as the user running Netscape.

OpenBSD 2.6/2.7 xlock exploit by noir

A vulnerability exists in versions of the xlockmore program, originally written by David Bagley. It is believed to affect all versions of xlock derived from xlockmore, including the xlock shipped with a number of popular operating systems. Xlock is installed setuid root. Normally, the -d option to xlock is used to set the display it will be locking. This value is normally of the format hostname:portoffset, i.e., x.host.com:0 to connect to the X server running on x.host.com, listening on port 6000. By supplying format strings in this value, it is possible to cause xlock to output numeric values. Using other format strings, it may be possible for an attacker to overwrite values on the stack. This may make it possible to execute arbitrary code with root privileges.

Lack of Authentication Checks in AnswerBook2

A lack of authentication checks for certain scripts within the administration interface of AnswerBook2 for Solaris, versions 1.4.2 and prior, allows remote users to create administration accounts. By directly accessing the /cgi-bin/admin/admin script present under the AnswerBook2 dwhttpd web server, it is possible to add users to the administration interface. This allows the attacker to read log files and manage content.

ntop Improper Authentication Vulnerability

ntop is a tool that shows network usage, similar to what the popular Unix top command does. Starting ntop in web mode (with the -w parameter) starts ntop with its own built-in HTTP server, to allow remote access to the functions it provides. ntop does not properly authenticate requests and is vulnerable to a ../../ request whereby unauthorized files can be retrieved, including files which are only readable by root. The default directory ntop serves HTML from is /etc/ntop/html, so to retrieve /etc/shadow one can request the following URL: http://URL:port/../../shadow
