TFS Gateway 4.0, when configured in a specific non-default manner, is vulnerable to a remotely exploitable denial of service attack. If 'return entire message to sender' is enabled for failed send attempts, and an email is sent to the TFS Gateway with 1: the From: address set to an invalid address on a remote machine and 2: an invalid To: address on the target machine, the gateway will attempt to return the complete message once every 10 seconds until an administrator manually stops it. If enough emails of this nature and of sufficient size are sent, this can lead to a degradation or denial of service.
The version of Vixie cron that ships with RedHat versions 4.2, 5.2 and 6.0 is vulnerable to a local buffer overflow attack. By utilizing the MAILTO environment variable, a buffer can be overflowed in the cron_popen() function, allowing an attacker to execute arbitrary code. The Vixie cron daemon is installed setuid root by default, allowing for a local root compromise.
Ircd hybrid-6 (up to beta 58) has a vulnerability which can allow remote access to the irc server (ircd). In most cases this attack results in the attacker gaining the privileges of the user 'irc'. This vulnerability is in the invite handling code (m_invite). In a channel with operators (ops) and modes +pi (paranoid + invite-only), a channel invitation is reported to all other operators. The buffer used to store the invitation notice can be overflown by up to 15 bytes.
The encryption algorithm in the MacOS system is simple and the password can be easily decoded. The password is stored in the Users & Groups Data File in the Preferences folder. The offset is different on each system and depends on the Users & Groups configuration, but it always lies after the owner's username. It is not so difficult to find it using a hex editor, even if we don't know the owner's username. An example of the decryption process is given in the text. Dawid adix Adamski wrote an AppleScript to break passwords.
The IMail LDAP service has an unchecked buffer, resulting in a classic buffer overflow vulnerability. An attacker can exploit this vulnerability by telnetting to the target machine on port 389 and sending a string of 2375 characters followed by the letter 'Y' twice. This will cause the LDAP service to consume 90% of the system resources, rendering the system unusable.
Netscape's FastTrack server is vulnerable to a directory listing attack, even when an index file is present in the directory. An attacker can telnet to the httpd port and type 'get/' to get a root directory listing.
The xfsdump program shipped with Irix 5.x and 6.x from SGI contains a vulnerability which could lead to root compromise. By creating a log file in /usr/tmp called bck.log, a user could create a symbolic link from this file to any file they wish to be created as root. This in turn could be used to compromise the system.
A vulnerability exists in both the Systour and OutOfBox subsystems included with new installs of IRIX 5.x and 6.x from SGI. This vulnerability allows users on the system to run arbitrary commands as root. An attacker can exploit this vulnerability by creating a malicious .exitops file in the $HOME/var/inst directory and then running the RemoveSystemTour command. This will execute the malicious .exitops file as root, allowing the attacker to gain root privileges.
A vulnerability in rsh exists that can allow a regular user to modify a root-owned socket descriptor. The consequence of this is a possible denial of service due to interfaces being manipulated by malicious users. The exploit involves compiling a C program called solarisuck.c and running it with rsh.
The System Data Repository (SDR) subsystem in IBM SP multi-machine parallel processing environments is vulnerable to an arbitrary file retrieval attack. The SDR daemon 'sdrd' does not properly authenticate users, allowing unauthenticated users to pull any file off SDR hosts.