Exploit world!

ULTRIX/Digital UNIX Section

Compiled by Fyodor fyodor@insecure.org
on Thu Jan 13 21:41:31 UTC 2000

[Back] to Fyodor's Playhouse


Solaris Statd exploit
Description:Solaris 2.5.1 x86 remote overflow for statd. There is apparently an earlier patch which doesn't fix the problem.
Author:Anonymous
Compromise: root (remote)
Vulnerable Systems:Solaris 2.5.1 x86 is what this exploit is written for. According to a later CERT advisory, vulnerable systems include Digital UNIX (4.0 through 4.0c), AIX 3.2 and 4.1, Solaris 2.5, 2.51 and SunOS 4.1.* for both X86 and SPARC
Date:24 November 1997
Exploit & full info:Available here


Symlink problems with fstab and advfsd in OSF1
Description:These programs create /tmp files that will follow symlinks and lcobber system files
Author:Efrain Torres Mejia <etorres@POLLUX.JAVERIANA.EDU.CO>
Compromise: root (local)
Vulnerable Systems:Digital Unix OSF1 V4.0
Date:18 November 1997
Exploit & full info:Available here


Core file problem with Digital Unix 4.0
Description:With dbx you can cause suid root programs to core dump and clobber system files
Author:John McDonald <jmcdonal@osprey.unf.edu>
Compromise: root (local)
Vulnerable Systems:Digital Unix 4.0 and 4.0B
Date:16 November 1997
Notes:I wish more people would send me their exploits like John did ... this way I'm less likely to miss them.
Exploit & full info:Available here


Digital Unix xterm overflow
Description:Patch kit 5 includes a replacement xterm which can be forced to dump core and clobber system files. A buffer overflow may also exist.
Author:Tom Leffingwell <tom@sba.miami.edu>
Compromise: root (local)
Vulnerable Systems:Digital Unix 4.0B *with* patch kit 5
Date:12 November 1997
Exploit & full info:Available here


ULTRIX 4.4 dxterm file linking hole
Description:dxterm, which is suid root, allows the user to specify a file to log output too. Unfortunately it will follow a hardlink to append your stuff to files you shouldn't be able to write to.
Author:Trevor Schroeder <tschroed@CHEETAH.WSC.EDU>
Compromise: root (local)
Vulnerable Systems:Ultrix 4.4, probably 4.5
Date:26 June 1997
Exploit & full info:Available here


sshd and rshd leak usernames.
Description:sshd and rshd leak usernames. A lot of sites security-consious enough to run sshd probably don't want username validation to be this easy
Author:Christophe Kalt <kalt@STEALTH.NET> and David Holland
Compromise:Test validity of suspected system usernames
Vulnerable Systems:Linux, NetBSD, Digital UNIX 4.0, all from rshd, as well as any systems running a vulnerable version of sshd. Remember to use the VERBOSE (-v) flag if you try to exploit sshd.
Date:13 June 1997
Notes:The syntax quoted at the bottom is not correct, you need to give an actual command (like ls) for the rsh problem to be demonstrated.
Exploit & full info:Available here


PMDF 5.107 debug mode vulnerability
Description:PMDF 5.1-7 sendmail (NO relation to standard sendmail) has a debugging mode that can be entered by setting environmental variable PMDF_SENDMAIL_DEBUG. This then allows a standard symlink vulnerability in which you can put arbitrary binary data into the pdmf owned file of your choosing.
Author:Jonathan Rozes <jrozes@GUMBO.TCS.TUFTS.EDU>
Compromise:quash files owned by user pmdf with arbitrary data.
Vulnerable Systems:Digital Unix 4.0B reported by the author. Probably any systems running PDMF sendmail
Date:23 May 1997
Exploit & full info:Available here


Digital Unix /usr/tcb/bin/dxchpwd hole
Description:In Digital Unix, /usr/tcb/bin/dxchpwd creates log files in a very insecure manner.
Author:Eric Augustus (augustus@mail.stic.net)
Compromise: root (local)
Vulnerable Systems:at least Digital Unix v3.x with c2 security package installed
Date:17 November 1996
Exploit & full info:Available here



This page Copyright © Fyodor 1996, 1997, 1998
[Back] to Fyodor's Exploit World main index

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]