Exploit world!

Linux Section

Compiled by Fyodor fyodor@insecure.org
on Thu Jan 13 21:41:31 UTC 2000



Overflow in Vixie crontab
Description: Standard overflow
Author: Dave G. wrote the exploit
Compromise: root (local)
Vulnerable Systems: Some RedHat distributions, a German distribution DLD 5.2, etc. Anyone running a vulnerable version of Vixie crontab.
Date: 10 May 1998 (actually it is an older problem)
Exploit & full info: Available here


Overflows in Minicom
Description: The terminal emulation modem program minicom has a number of blatant overflows.
Author: Tiago F P Rodrigues <11108496@LIS.ULUSIADA.PT>
Compromise: group uucp on some Linux distros (such as RedHat), but if installed from source with the default makefile then it allows root access (local)
Vulnerable Systems: Most Linux boxes ship with minicom. Version 1.81 and presumably earlier are vulnerable.
Date: 9 May 1998
Exploit & full info: Available here


dip 3.3.7o overflow
Description: Standard overflow (in the -l option processing).
Author: Goran Gajic <ggajic@AFRODITA.RCUB.BG.AC.YU>
Compromise: root (local)
Vulnerable Systems: Slackware Linux 3.4, presumably any other system using dip-3.3.7o or earlier suid root.
Date: 5 May 1998
Notes: I've included a couple of standard exploits and one that works against systems utilizing Solar Designer's excellent non-executable-stack patch.
Exploit & full info: Available here


Xaw and Xterm vulnerabilities
Description: There are a number of vulnerabilities in the X11R6 xterm(1) and Xaw(3c) libraries. They are mostly all overflows.
Author: Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz> and the exploit was written by alcuin
Compromise: root (local)
Vulnerable Systems: Those running Xterm or X apps linked to vulnerable Xaw. Virtually all versions of X are vulnerable to the *Keymap hole and the others are mostly X11R6 specific (which virtually everyone uses anyway). Thus it is likely that many Solaris, Linux, HP/UX, and perhaps IRIX and AIX boxes are vulnerable.
Date: 4 May 1998
Notes: I have also included an exploit sent to me by "M.C.Mar" <emsi@it.com.pl>. This exploit works against Xaw and neXtaw even WITH Solar Designer's non-executable stack patch applied. Check it out!
Exploit & full info: Available here


ID games Backdoor in quake
Description: ID software blatantly put a backdoor in Quake 1/2 and QuakeWorld including both the Linux/Solaris Quake2. RCON commands sent from the subnet 192.246.40.0/24 and containing the password "tms" are automatically executed on the server without being logged.
Author: Mark Zielinski <markz@repsec.com>
Compromise: root (remote)
Vulnerable Systems: Those running Quake 1, QuakeWorld, Quake 2, Quake 2 Linux and Quake 2 Solaris, all versions. Thus many Windows and UNIX boxes are affected.
Date: 1 May 1998
Notes: Quake was always a horrible security hole, but I never thought Id would stoop to introducing an intentional backdoor to allow them access to systems running Quake. I am surprised this didn't get more publicity.
Exploit & full info: Available here


Overflow in kppp -c option
Description: Standard overflow
Author: "|[TDP]|" <tdp@psynet.net>
Compromise: root (local)
Vulnerable Systems: Those running kppp version < 1.1.3 suid root. This comes with the KDE system (which is pretty neat -- www.kde.org) and runs on Solaris, Linux, IRIX, and HP/UX.
Date: 29 April 1998
Notes: The hole was fixed a while prior to this posting so the (then) current version was not vulnerable.
Exploit & full info: Available here


Horrendous suidexec hole
Description: Debian Linux apparently distributes a program called suidexec as part of the suidmanager package. This program is trivially exploitable to run any program on the system as root.
Author: Thomas Roessler <roessler@GUUG.DE>
Compromise: root (local)
Vulnerable Systems: Debian Linux 2.0 (probably won't be in the final 2.0 Hamm release).
Date: 28 April 1998
Exploit & full info: Available here


cxhextris overflow
Description: Standard overflow
Author: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
Compromise: Local users can obtain uid=games privileges! This allows them to cause chaos by changing the high score table or trojaning various games, etc.
Vulnerable Systems: At least RedHat Linux 5.0
Date: 25 April 1998
Exploit & full info: Available here


qcam overflows
Description: Several qcam apps as well as libqcam seem to have rather obvious security holes when installed setuid root.
Author: bst@INAME.COM
Compromise: root (local)
Vulnerable Systems: Those running qcam, sqcam, xqcam, SANE-0.67. Mostly Linux boxes, perhaps BSD.
Date: 20 April 1998
Exploit & full info: Available here


lprm Linux/BSD/Solaris Overflow
Description: The lprm program on some machines has a standard overflow in the name you feed it to remove a job from a remote printer.
Author: Chris Evans <chris@FERRET.LMH.OX.AC.UK> posted this problem to BugTraq; it turns out that the OpenBSD folks (probably Theo De Raadt) fixed the problem in 1996.
Compromise: root (local)
Vulnerable Systems: RedHat Linux 4.2 and 5.0, Solaris 2.6, some *BSD variants vulnerable, but most fixed it 6 months to two years prior to this notice.
Date: 18 April 1998
Exploit & full info: Available here


Nestea "Off By One" attack
Description: A popular attack against Linux boxes
Author: John McDonald <jmcdonal@UNF.EDU>
Compromise: Stupid remote DOS attack
Vulnerable Systems: Linux 2.0.33 and earlier, PalmOS, HP Jet Direct printer cards, some 3COM routers, Magnum 5000 Ethernet switch, some Windows boxes, perhaps others
Date: 17 April 1998
Notes: I have appended the original Linux code, a BSD port, an improved Linux version, and a few other messages on the topic.
Exploit & full info: Available here


RedHat 5 metamail hole
Description: Many mail clients, MTAs, etc. are poorly written and can interpret mail in ways that lead to security holes. One of the bugs in this message demonstrates a way to execute arbitrary commands by sending mail to a Redhat 5 user. The bug is in metamail script processing of MIME messages.
Author: Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
Compromise: potential root (remote). The victim must read the mail with Pine (or something else that calls metamail).
Vulnerable Systems: RedHat 5, other Linux boxes with the vulnerable metamail script.
Date: 5 April 1998
Exploit & full info: Available here


Another WinGate hole -- this time with the LogFile service
Description: The WinGate Logfile service basically puts up a web server on port 8010 giving full read access to the victim's hard drive(!)
Author: HKirk <hkirk@tech-point.com>
Compromise: Remote read access to a Wingate user's hard drive
Vulnerable Systems: Windows users who run Wingate. This program is a huge security hole; a much better (cheaper, more secure, more robust, better performing) solution is to install a Linux gateway with IP masquerading.
Date: 29 March 1998
Exploit & full info: Available here


Majordomo tmpfile bug
Description: Standard tmpfile problem
Author: Karl G - NOC Admin <ovrneith@tqgnet.com>
Compromise: Any user on a system running majordomo can append arbitrary data to any file owned by the majordomo account.
Vulnerable Systems: Those running majordomo. This runs on a ton of systems (Solaris, Linux, IRIX, etc.).
Date: 26 March 1998
Exploit & full info: Available here


LinCity and Conquest Game overflows
Description: Typical buffer overflows
Author: bst@INAME.COM
Compromise: root (local)
Vulnerable Systems: Those running vulnerable versions of LinCity or Conquest setuid (dumb!). This is mostly Linux boxes.
Date: 16 March 1998
Exploit & full info: Available here


Insecure scripts that come with RedHat 5.0 (and other OSes)
Description: The scripts named in this message have standard insecure tmpfile bugs. If someone can predict when these will be run (like if they are in cron) then they can generally overwrite files of the person running the command (could be root).
Author: Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
Compromise: Potential for root compromise
Vulnerable Systems: Specifically this list is for RedHat 5, although many other Linux systems and probably some *BSD systems are vulnerable.
Date: 14 March 1998
Exploit & full info: Available here


Another TMPfile problem in updatedb script
Description: updatedb creates a tmp file in /tmp, moves it to /var/lib/locatedb, then chowns it to root. The race condition is clear.
Author: Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
Compromise: root (local)
Vulnerable Systems: RedHat 5.0, perhaps other systems such as FreeBSD using updatedb.
Date: 6 March 1998
Exploit & full info: Available here


X11Amp playlist bug
Description: When installed SUID root (as suggested in the README), X11Amp creates ~/.x11amp insecurely with root privs. Oops! There are very likely to be many more security bugs in X11Amp. The performance gain from making it suid is probably not worth the security risk (IMHO).
Author: viinikala <kala@DRAGON.CZ>
Compromise: root (local)
Vulnerable Systems: Those running a vulnerable version of X11Amp (.65 and prior) suid. Mostly Linux boxes.
Date: 28 February 1998
Exploit & full info: Available here


updatedb on Redhat
Description: RedHat Linux updatedb/sort insecure tmpfiles
Author: viinikala <kala@DRAGON.CZ>
Compromise: become user 'nobody' via updatedb (or root on a really old distro of RedHat) (local)
Vulnerable Systems: Redhat Linux (presumably 5.0) is very vulnerable due to updatedb calling sort regularly; many other systems (such as Solaris) have an insecure sort. Also FreeBSD 2.2.2 is apparently vulnerable to the same updatedb problem.
Date: 28 February 1998
Notes: Dave Goldsmith may have found this first, although I cannot currently access his website for more info.
Exploit & full info: Available here


Various gaping security holes in QuakeII (and Quake I and QuakeWorld and Quake Client).
Description: These games by ID software are absolutely riddled with glaring security holes and no one should even CONSIDER running them (or any other game for that matter) on a machine that is supposed to be secure. I have stuffed a bunch of quake exploits in this one section although there is one Quake II server hole I will treat separately later.
Author: kevingeo@CRUZIO.COM and others
Compromise: root (remote)
Vulnerable Systems: Those running pretty much any version of quake by id software, the client or server. Quake runs on many Linux boxes as well as Win95/NT.
Date: 25 February 1998
Exploit & full info: Available here


Poor device permissions on Redhat 4.0/5.0
Description: Lax device perms on RedHat boxes allow unprivileged users to do nasty things such as peeking at the contents of a floppy in your drive or DOS attacks against the system.
Author: Smart List user <slist@cyber.com.au>
Compromise: Local users can read the floppy device, be annoying
Vulnerable Systems: RedHat Linux 4.0 and 5.0
Date: 4 February 1998
Exploit & full info: Available here


X11R6.3 Xkeyboard hole
Description: X11R6.3 based Xservers with the XKEYBOARD extension that are setuid can be exploited with the -xkbdir option
Author: Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz>
Compromise: root (local)
Vulnerable Systems: Those systems running a setuid X11R6.3-based Xserver with the XKEYBOARD extension (R6.1 is also probably affected). The XFree86 servers that come with many Linux and *BSD distributions are a good example of this.
Date: 3 February 1998
Exploit & full info: Available here


Coredump hole in imapd and ipop3d in slackware 3.4
Description: When fed an unknown username, imapd and ipop3d will dump core in Slackware 3.4. /etc/shadow can be found in the core file.
Author: Peter van Dijk <peter@ATTIC.VUURWERK.NL>
Compromise: Learn the contents of /etc/shadow (which would allow you to crack the passwords and break into other accounts)
Vulnerable Systems: Slackware Linux 3.4 and the imapd in 3.3, possibly others
Date: 2 February 1998
Exploit & full info: Available here


Buffer overflow in the Yapp Conferencing System Version 2.2
Description: Standard overflow
Author: satan <satan@FREENET.NETHER.NET>
Compromise: Run arbitrary commands as the uid yapp is running under (often 'yapp').
Vulnerable Systems: This exploit is for x86/Linux. Any other platform running Yapp should be vulnerable.
Date: 20 January 1998
Exploit & full info: Available here


Mail Handler 6.8.4 overflow
Description: Standard overflow
Author: Cesar Tascon Alvarez <tascon@enete.gui.uva.es>
Compromise: root (local)
Vulnerable Systems: Those running Mail Handler 6.8.4 (and presumably earlier versions). Redhat 5.0 is affected.
Date: 19 January 1998
Exploit & full info: Available here


Exploit for the gcc tempfile issue
Description: gcc 2.7.2.x (and earlier as far as I know) creates temporary files in /tmp which will follow symlinks and allow you to clobber the files of the person running gcc.
Author: "Michał Zalewski" <lcamtuf@boss.staszic.waw.pl>
Compromise: Overwrite files owned by the user running gcc (possibly root)
Vulnerable Systems: Those running gcc 2.7.2.x; this includes most Linux and *BSD boxes. Many admins of Solaris boxes have also added gcc. This problem is finally fixed in gcc 2.8.0.
Date: 16 January 1998
Notes: This has been mentioned before on Bugtraq but this is the first actual exploit I've seen.
Exploit & full info: Available here


DOS against realvideoserver by Progressive Networks
Description: Another DOS attack
Author: Rootshell
Compromise: remotely crash Progressive Networks Real Video Server
Vulnerable Systems: those running Progressive Networks Real Video Server. This includes the Linux version and the NT version.
Date: 15 January 1998
Exploit & full info: Available here


inode count integer overflow in Linux kernel
Description: Member i_count in struct inode of the Linux kernel is an unsigned short, which can be overflowed by mapping one file more than 65535 times.
Author: <Jan.Kotas@acm.org>
Compromise: root (local)
Vulnerable Systems: Linux, probably versions up to 2.0.31 (or so)
Date: 14 January 1998
Exploit & full info: Available here


Buffer overflow in the 'deliver' mail delivery program
Description: Standard overflow
Author: "KSR[T]" <ksrt@DEC.NET>
Compromise: root (local)
Vulnerable Systems: Slackware 2.x, Debian 1.3.1, possibly other Linux distributions. Basically anything running deliver version 2.0.12 and below.
Date: 12 January 1998
Exploit & full info: Available here


routed trace file exploit
Description: routed has the ability to have trace mode turned on remotely using any arbitrary filename. Thus you can append stuff to arbitrary files remotely.
Author: Rootshell
Compromise: You should be able to leverage this into remote root access.
Vulnerable Systems: Redhat Linux; IRIX 5.2, 5.3 and 6.2 are vulnerable; NetBSD 1.2 is vulnerable.
Date: 8 January 1998
Exploit & full info: Available here


Vsyslog overflow in Linux libc 5.4.38
Description: Standard overflow (although it is pretty sad to see these things in syslog ...)
Author: Posted by Solar Designer <solar@FALSE.COM>
Compromise: root (local)
Vulnerable Systems: Slackware 3.1, Redhat 4.2, possibly other Linux boxes
Date: 21 December 1997
Exploit & full info: Available here


WordPerfect 7 file permission problems
Description: Apparently WordPerfect 7 has serious problems with regard to permissions on the files it creates in users' directories. It will also follow symlinks when creating them.
Author: Hans Petter Bieker <hanspb@PERSBRATEN.VGS.NO>
Compromise: break into a user's account or clobber their files (user could potentially be root)
Vulnerable Systems: Linux boxes running WordPerfect 7 (possibly other *NIXes)
Date: 15 December 1997
Exploit & full info: Available here


gethostbyname() overflow in glibc
Description: Overflow in glibc gethostbyname() allows overflows in ping, rsh, traceroute, etc.
Author: Wilton Wong - ListMail <listmail@NOVA.BLACKSTAR.NET>
Compromise: root (local)
Vulnerable Systems: Redhat 5, presumably others with glibc (GNU HURD?)
Date: 13 December 1997
Exploit & full info: Available here


Dillon crontab 2.2 overflow
Description: Standard overflow
Author: "KSR[T]" <ksrt@DEC.NET>
Compromise: root (local)
Vulnerable Systems: Slackware Linux 3.4, other systems that run Dillon crontab / crond (dcron 2.2)
Date: 9 December 1997
Exploit & full info: Available here


Long filesystem paths
Description: One thing you can do to be highly annoying is create very long directory paths. These cause *major* problems for many system utilities. This post provides useful one-liners for the purpose.
Author: Zack Weinberg <zack@RABI.PHYS.COLUMBIA.EDU>
Compromise: Annoying DOS
Vulnerable Systems: Those that allow very long directory paths. I just created one 10002 directories deep on my Linux box (I stopped it, it could have gone further). Fortunately Microsoft OS users don't have this problem due to small filesystem depth restrictions ;)
Date: 2 December 1997
Exploit & full info: Available here


XFree86 (and apparently other X11R6 XC/TOG derived servers) -config insecurity
Description: XFree86 is setuid root in many cases and takes a -config option to use a different config file. Unfortunately it doesn't check permissions on this file, so you can (for example) read the first line of /etc/shadow (printed in the warning message).
Author: plaguez <dube0866@eurobretagne.fr>
Compromise: Read files that you shouldn't have permissions for
Vulnerable Systems: Those with a suid root XFree86 X server as well as some other X servers. This affects many Linux (and probably FreeBSD/OpenBSD) boxes.
Date: 21 November 1997
Exploit & full info: Available here


Kernel Buffer Overflow in the ISDN subsystem
Description: When dialing, the old Linux ISDN drivers copied everything after ATD into a 40 char stack buffer (!).
Author: Andi Kleen <ak@muc.de>
Compromise: root (local)
Vulnerable Systems: Linux 2.0.31, perhaps earlier.
Date: 16 November 1997
Exploit & full info: Available here


Linux and Windows IP fragmentation (Teardrop) bug
Description: Win* and Linux deal with overlapping IP fragments in an incorrect manner which allows the systems to be crashed remotely.
Author: Apparently datagram in flip.c
Compromise: Remote DOS attack
Vulnerable Systems: Windows NT 4.0, Win95, Linux up to 2.0.32
Date: 15 November 1997
Notes: I also included a program called "syndrop" which is a modified version of teardrop (exploits an M$ SYN sequence bug).
Exploit & full info: Available here


Redhat 4.2 X11 /tmp/.X11-unix permissions problem
Description: Any local user can destroy X service by moving (or deleting) the UNIX domain socket Redhat puts in /tmp/.X11-unix/X0. Redhat apparently forgot the sticky bit. I think this works in Redhat 4.0 too.
Author: Carlo Wood <carlo@RUNAWAY.XS4ALL.NL>
Compromise: Screw up X (local)
Vulnerable Systems: Those running the Redhat 4.2 and 4.0 Linux distributions.
Date: 14 November 1997
Exploit & full info: Available here


Overflow in suidperl 5.003
Description: Overflow (via sprintf()) in the mess() function in suidperl
Author: Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz>
Compromise: root (local)
Vulnerable Systems: Those running suid-perl 5.003; this includes many Linux, *BSD, Solaris and UNIX boxes in general.
Date: 13 November 1997
Exploit & full info: Available here


Slackware lizards suid-root problem
Description: The lizards game is NOT intended to be suid root, but Slackware 3.4 sets it that way anyway. This makes it trivial to become root through code like system("clear"), etc.
Author: SUID <suid@BOMBER.STEALTH.COM.AU>
Compromise: root (local)
Vulnerable Systems: Linux boxes using the Slackware 3.4 (earlier?) distributions.
Date: 12 November 1997
Exploit & full info: Available here


BRU (Backup and Recovery Utility) poor permissions
Description: This commercial UNIX backup program creates the /usr/local/lib/bru directory mode 777. This directory apparently contains sources. Enough said.
Author: Kyle Amon <amonk@GNUTEC.COM>
Compromise: root (local)
Vulnerable Systems: Any running a vulnerable version of BRU (there is a Linux version, probably also Solaris and other *NIX).
Date: 8 November 1997
Exploit & full info: Available here


Intel "f00f" Pentium bug
Description: A bug in the Intel Pentium (and Pentium + MMX) chips allows usermode processes to crash the system by executing the invalid instruction 0xf00fc7c8
Author: Sent through an anonymous remailer
Compromise: Users who can run code on the system can totally freeze the system
Vulnerable Systems: Those running on a Pentium, including versions of Linux, Dos, WinNT, Win95, SolarisX86, etc.
Date: 8 November 1997
Exploit & full info: Available here


ftp mget vulnerability
Description: If the nlist caused by a mget returns a file like /etc/passwd, most ftp clients seem to (try to) overwrite/create it without signaling anything wrong. You can also use files with names like "|sh" to execute arbitrary commands.
Author: I don't recall who found it first; in the appended post af@c4c.com gives an example of the bug using Linux Slackware
Compromise: ftp servers can compromise clients who use mget to d/l files
Vulnerable Systems: ftp clients on Linux, AIX, HP/UX, Solaris 2.6, and probably many other systems
Date: 3 November 1997 was when this example was posted (the bug was found a while back)
Exploit & full info: Available here


Security holes in Metamail
Description: Some metamail scripts (such as sun-audio-file) call inappropriate helper-apps (like uudecode) which allow things like overwriting files on the system.
Author: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
Compromise: Obtain access to the account running metamail.
Vulnerable Systems: Those running vulnerable versions of metamail (often Elm users). Redhat Linux 4.x uses metamail in some cases.
Date: 24 October 1997
Exploit & full info: Available here


in.telnetd tgetent buffer overflow
Description: By specifying an alternate terminal capability database with huge entries, you can overflow programs (like telnet, possibly xterm in some cases) which call tgetent() expecting a reasonable-length buffer.
Author: Secure Networks, INC
Compromise: In some cases, root (remote)
Vulnerable Systems: BSD/OS v2.1; Theo de Raadt mentions that you might be able to attack the suid xterm program locally with this hole to gain root access (possibly Linux, as well as other BSDs)
Date: 21 October 1997
Notes: I have appended an exploit for BSDI in the addendum section.
Exploit & full info: Available here


Overflow in the Ideafix development environment
Description: Standard overflow, in $TERM
Author: Bst Perez Companc <bst@INAME.COM>
Compromise: root (local)
Vulnerable Systems: Any systems running a flawed version of ideafix; this exploit is for Linux
Date: 19 October 1997
Exploit & full info: Available here


Redhat Linux 4.2 printfilter problems
Description: Redhat 4.2 uses the "printfilter" software package, called by lpd to determine the type of a file; unfortunately this program calls others which were not made to handle malicious data (such as groff).
Author: "KSR[T]" <ksrt@dec.net>
Compromise: root (local)
Vulnerable Systems: Redhat Linux 4.2 (maybe earlier)
Date: 6 October 1997
Exploit & full info: Available here


Security problems in the lpd protocol
Description: The protocol for lpd (Line Printer Daemon, RFC 1179) seems to have a number of insecurities, as discussed in this post
Author: Bennett Samowich <a42n8k9@REDROSE.NET>
Compromise: root (remote)
Vulnerable Systems: Those running a vulnerable version of lpd; many Linux and *BSD versions are vulnerable
Date: 2 October 1997
Exploit & full info: Available here


mSQL authentication holes
Description: mSQL has a number of problems in its attempts at authentication, as well as another serious problem if the user doesn't use ACLs
Author: "John W. Temples" <john@KUWAIT.NET>
Compromise: remotely manipulate an mSQL database
Vulnerable Systems: Those running vulnerable versions of mSQL; many Linux boxes run this
Date: 27 September 1997
Exploit & full info: Available here


Samba Remote buffer overflow
Description: Samba reads a user's password into a fixed length buffer, allowing execution of arbitrary code on the target machine
Author: ADM
Compromise: root (remote)
Vulnerable Systems: Those running SAMBA SMB server versions earlier than 1.9.17p2. The exploit is for Linux/X86.
Date: 26 September 1997
Notes: ADM sent me this before it went out on Bugtraq, and then they sent me a newer version (appended). Thanks!
Exploit & full info: Available here


kerneld auto-load of modules requested by unprivileged users
Description: If an unprivileged user types 'ifconfig <devname>' the system will try to load the kernel module /lib/modules/<kernel ver>/fs/devname.o. Thus any unprivileged user can load any module in your module directory.
Author: Zygo Blaxell <zblaxell@fiction.org>
Compromise: Could be a DoS, or a more serious security problem, depending on the modules you have available.
Vulnerable Systems: Linux with a vulnerable version of kerneld installed
Date: 26 September 1997
Exploit & full info: Available here


ARP and ICMP redirection games
Description: This excellent article/code from Yuri points out a number of (mostly known) problems with the ARP and ICMP protocols/implementations
Author: Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise: spoof as a trusted host, redirect traffic through your host, DoS
Vulnerable Systems: Many versions of Linux, numerous hubs/routers. AFAIK, IRIX, HP-UX, *BSD, and probably Windoze can be spoofed with gratuitous ARP
Date: 19 September 1997
Exploit & full info: Available here


wu_ftpd recursive nlist DOS
Description: An attacker can log into a wu_ftpd server and do a recursive nlist that hogs a tremendous amount of system resources
Author: Josef Karthauser <joe@pavilion.net>
Compromise: lame DOS
Vulnerable Systems: Those running wu_ftpd; most Linux and *BSD systems run this
Date: 9 September 1997
Exploit & full info: Available here


Linux exploit code for the already known buffer overflow in sperl 5.003
Description: Linux exploit code for the already known buffer overflow in sperl 5.003
Author: ggajic@FREENET.NETHER.NET
Compromise: root (local)
Vulnerable Systems: Those with sperl 5.003 installed suid; the exploit is for Linux
Date: 2 September 1997
Exploit & full info: Available here


Linux setrlimit and sysctl integer overflows
Description: The setrlimit() Linux kernel call (up to 2.0.29) does a signed comparison only on the resource changes, which allows users to increase their resource limits by passing negative numbers. Also, a sysctl() problem allows generation of kernel faults by unprivileged users.
Author: Solar Designer <solar@FALSE.COM>
Compromise: bypass resource limits
Vulnerable Systems: Linux <= 2.0.29
Date: 28 August 1997
Exploit & full info: Available here


Check for existence of files on systems running mountd
Description: Some mountd implementations apparently give different error messages depending on whether the mountpoint requested exists or not.
Author: Peter <deviant@UNIXNET.ORG>
Compromise: query for existence of arbitrary files (by name). This could help determine security flaws present on a remote system.
Vulnerable Systems: Those running vulnerable mountd. This includes at least some versions of AIX, Linux, *BSD, SunOS, Solaris, etc.
Date: 24 August 1997
Exploit & full info: Available here


lpr LIBC RETURN exploit
Description: Solar Designer has done it again! Here he proves the viability of overflow exploits returning into libc functions. He includes lpr and color_xterm exploits.
Author: Solar Designer <solar@FALSE.COM>
Compromise: root (local)
Vulnerable Systems: Systems running Linux with vulnerable lpr or color_xterm suid. Even if they have stack execution disabled, in some cases.
Date: 10 August 1997
Notes: Solar Designer is amazing! He comes through again with another neat proof-of-concept sploit.
Exploit & full info: Available here


The VERY popular imapd remote overflow
Description: A buffer overflow in popular imapd packages allows remote root access. This has been very widely exploited on the internet.
Author: I am not sure who discovered it; savage@apostols.org wrote the Linux/Intel exploit I have put first. I have appended another exploit to that.
Compromise: root (remote) (Ohhhh, shit!)
Vulnerable Systems: This exploit is for Linux, but a lot of other systems using the vulnerable IMAP are susceptible.
Date: 7 August 1997
Exploit & full info: Available here


Block reserved ports with XFree86
Description: Unprivileged users can block reserved ports by using a high display number which wraps around the highest possible port (65535) and causes X to listen on a <1023 port.
Author: Willy TARREAU <tarreau@AEMIAIF.LIP6.FR>
Compromise: Block privileged ports
Vulnerable Systems: Those running XFree86 as an X-server. This probably most affects systems like Linux and {Open,Free,Net}BSD.
Date: 6 August 1997
Exploit & full info: Available here


Remote INND buffer overflow exploit
Description: Standard overflow, nice exploit
Author: Method <method@arena.cwnet.com>
Compromise: root (remote)
Vulnerable Systems: Systems running INND versions < 1.6; the exploit seems to be for Linux x86
Date: 1 August 1997
Exploit & full info: Available here


Overflow in Mailhandler 6.8.3
Description: The suid MH-6.8.3 package has several buffer overflow bugs (among other holes). Also some BSD ruserpass() libc functions have the same hole.
Author: Matt Conover <shok@COBRA.ONLINEX.NET>
Compromise: root (local)
Vulnerable Systems: Redhat Linux 4.1, although you may have to specifically enable something. Also old versions of the *BSD libc function ruserpass().
Date: 26 July 1997
Notes: I appended Alan Cox's post about *BSD ruserpass() to the end. I also put some new information from Matt Conover (who sent the original post) in the addendum. Also note that the vulnerable programs are bbc, inc, mhn, msgchk, and popi. Redhat's package mh-6.8.3-13.i386.rpm installs /usr/bin/mh/inc and /usr/bin/mh/msgchk suid ROOT.
Exploit & full info: Available here


request-route script tempfile symlink problem.
Description: The request-route script which is used with kerneld has a serious symlink /tmp file vulnerability. It always uses /tmp/request-route as its lockfile, so you don't even have to predict anything!
Author: Nicolas Dubee <dube0866@EUROBRETAGNE.FR>
Compromise: It is pretty easy to become root on vulnerable hosts.
Vulnerable Systems: Those Linux boxes with kerneld/request-route set up. Redhat 4.1 and 3.0.3 are vulnerable if the sysadmin has installed this.
Date: 26 July 1997
Exploit & full info: Available here


ld-linux.so.1.9.2 overflow
Description: Error handling code in ld.so has a buffer overflow problem. This exploit uses LD_PRELOAD to get by various problems with other methods.
Author: Was originally a KSR[T] Advisory (#2); exploit written by Dan McGuirk <mcguirk@INDIRECT.COM>
Compromise: root (local)
Vulnerable Systems: Linux boxes running ld-linux.so.1.9.2. Various people have suggested that the Solaris /usr/lib/libdl.so may have a similar vulnerability. If anyone has any info on this, please mail me.
Date: 19 July 1997
Notes: I've put another exploit in the addendum.
Exploit & full info: Available here


snprintf(3c) redefined by libdb-1.85.4
Description: This idiotic library redefines snprintf() and vsnprintf() to ignore the length parameter! Thus any programs which use *nprintf() for bounds checking and link to libdb.so can be subverted! Sendmail may very well be vulnerable.
Author: Thomas Roessler <roessler@guug.de>
Compromise: subvert programs which use libdb.so
Vulnerable Systems: Linux programs using libdb.so.1.85.4, as well as other versions.
Date: 8 July 1997
Exploit & full info: Available here


Another BSD & Linux lpr overflow
Description: Standard overflow. Is this the same as the earlier ones? They did lpr -C <overflow-code>, while this just does lpr <overflow code>. Well, I'll include it in case they are different.
Author: a42n8k9 <a42n8k9@REDROSE.NET>
Compromise: root (local)
Vulnerable Systems: Linux 2.0.0; BSD 4.4 is also vulnerable, although you obviously need a new exploit.
Date: 4 July 1997
Exploit & full info: Available here


Linux smbmount buffer overflow
Description:Standard overflow ...
Author:Gerald Britton <gbritton@NIH.GOV>
Compromise:root, but only if smbmount is suid root (it isn't suid at all in Redhat Linux).
Vulnerable Systems:Linux systems that use default source distributions, probably other Linux distributions.
Date:27 June 1997
Exploit & full info:Available here


Linux imapd remote overflow
Description:Apparently a remote buffer overflow of imapd for Linux. I think this is sort of old, and many other systems are affected.
Author:Akylonius (aky@galeb.etf.bg.ac.yu)
Compromise: root (local)
Vulnerable Systems:The exploit is for Linux, but I believe that many systems using older IMAP daemons are vulnerable.
Date:24 June 1997 was when this was posted, but I think this is much older
Exploit & full info:Available here


B-DASH 0.31 $HOME overflow
Description:Standard pathetic suid-for-svgalib-totally-insecure application overflow.
Author:Nicolas Dubee <dube0866@EUROBRETAGNE.FR>
Compromise: root (local)
Vulnerable Systems:Mostly old versions of Linux. Possibly current Slackware. Anything with B-DASH v0.31
Date:21 June 1997 was when he posted his OLD exploit, ignore the date in the header, it is bogus.
Exploit & full info:Available here


zgv $HOME overflow
Description:zgv, which is setuid r00t on many systems, takes untrusted environmental information ($HOME) and copies it into an automatic character buffer, thus allowing a standard buffer overflow.
Author:ksrt <ksrt@DEC.NET> sent the advisory, beastmaster wrote the exploit code
Compromise: root (local)
Vulnerable Systems:Linux, Redhat 3.0.3 - 4.1, anything else running zgv setuid root
Date:19 June 1997
Notes:Note that the exploit is appended to the advisory.
Exploit & full info:Available here


Seyon calls system(xterm), Krad!
Description:seyon, which is setgid uucp on RedHat 4 at least, calls system(xterm) if it can't find seyon-emu. The exploit is obvious, 'nuff said
Author:Shawn Hillis <shillis@CLCSMAIL.KSC.NASA.GOV>
Compromise:root on some systems, like IRIX. Otherwise join the UUCP group, or whatever seyon is setgid to.
Vulnerable Systems:Redhat Linux 4.0, Irix 6.3, anything else with a vulnerable version of seyon installed
Date:17 June 1997
Notes:system(xterm) from a setuid root prog? Is this really 1997???
Exploit & full info:Available here


Shotgon 1.1b overflows
Description:Shotgon 1.1b, an svgalib based Linux file manager, apparently has "more than 10 buffer overflows".
Author:PLaGuEZ <dube0866@EUROBRETAGNE.FR>
Compromise: root (local)
Vulnerable Systems:Linux, apparently anything running shotgun, although I suspect that is almost exclusively linux.
Date:16 June 1997 (Ignore his fucked up date)
Exploit & full info:Available here


sshd and rshd leak usernames.
Description:sshd and rshd leak usernames. A lot of sites security-conscious enough to run sshd probably don't want username validation to be this easy.
Author:Christophe Kalt <kalt@STEALTH.NET> and David Holland
Compromise:Test validity of suspected system usernames
Vulnerable Systems:Linux, NetBSD, Digital UNIX 4.0, all from rshd, as well as any systems running a vulnerable version of sshd. Remember to use the VERBOSE (-v) flag if you try to exploit sshd.
Date:13 June 1997
Notes:The syntax quoted at the bottom is not correct, you need to give an actual command (like ls) for the rsh problem to be demonstrated.
Exploit & full info:Available here


qmail rcpt DOS attack
Description:qmail lets you send messages to an unlimited number of people, so you can actually run the system out of swap space by feeding recipients until it crashes.
Author:wietse@wzv.win.tue.nl (Wietse Venema)
Compromise:Stupid DOS attack
Vulnerable Systems:Systems running unpatched qmail. This includes a lot of Linux boxes as well as many other systems.
Date:12 June 1997
Exploit & full info:Available here


QMAIL DOS attack #1
Description:A denial of service (DOS) attack against QMAIL, which doesn't set a maximum limit on command length.
Author:wietse@wzv.win.tue.nl (Wietse Venema)
Compromise:Stupid DOS attack.
Vulnerable Systems:Systems running unpatched qmail. This includes a lot of Linux boxes as well as many other systems.
Date:12 June 1997
Exploit & full info:Available here


X11R6 library GetDatabase vulnerability
Description:There is a security hole in the GetDatabase function of the X11 libraries, which appears to be present in every distribution of X11. The attached exploit is for Solaris xterm; note that you will only get a shell with your own uid if xterm is not suid.
Author:David Hedley <hedley@CS.BRIS.AC.UK>
Compromise: root (local)
Vulnerable Systems:many systems are vulnerable, including Linux and *BSD. This particular exploit is for Solaris 2.5.1 xterm
Date:28 May 1997
Exploit & full info:Available here


LibXt XtAppInitialize() overflow *xterm exploit.
Description:Overflow in libXt from XFree86 allows exploitation of suid *xterm programs.
Author:Ming Zhang <mzhang@softcom.net> useful info also contributed by Marcin Bohosiewicz <marcus@venus.wis.pk.edu.pl>
Compromise: root (local)
Vulnerable Systems:Systems running XFree86-3.2-9, and probably lower, which have suid cxterm, mxterm, xterm, etc. Includes RedHat 4.0, Slackware 3.1 and 3.2
Date:14 May 1997
Notes:I have appended useful info from Marcin Bohosiewicz <marcus@venus.wis.pk.edu.pl>
Exploit & full info:Available here


Elm 2.3 and 2.4 curses overflow
Description:Buffer overflow with the environment variable TERM
Author:Wojciech Swieboda <wojtek@AJAX.UMCS.LUBLIN.PL>
Compromise:GID mail
Vulnerable Systems:Many Linux boxes, anything else with vulnerable ELM 2.3, 2.4
Date:13 May 1997
Exploit & full info:Available here


Sperl 5.003 hole
Description:Another hole in sperl, this time a buffer overflow.
Author:Willy Tarreau (tarreau@aemiaif.ibp.fr)
Compromise: root (local)
Vulnerable Systems:Systems with Sperl 5.003, this exploit is for Linux x86.
Date:17 April 1997
Notes:I have appended the uuencoded exploit src&bin after this post. Debian is vulnerable if you use offset of 1169 instead of those tried by the exploit, according to David Luyer (luyer@ucs.uwa.edu.au)
Exploit & full info:Available here


RedHat 4.1 amd-920824upl102-6.i386.rpm nodev hole.
Description:The above mentioned distribution fails to prevent devices on mounted drives, even if the nodev option is specified.
Author:Bradley M Keryan <keryan@andrew.cmu.edu>
Compromise: root with a little work (local)
Vulnerable Systems:Redhat 4.1, anyone who uses amd-920824upl102-6.i386.rpm, possibly other distributions
Date:7 April 1997
Exploit & full info:Available here


/usr/bin/filter NLSPATH buffer overflow
Description:Standard buffer overflow, filter is sometimes setgid mail.
Author:Mikhail Iakovlev <miakovle@SN.NO>. Sploit by "Dmitry E. Kim" <jason@REDLINE.RU>
Compromise:group mail (local)
Vulnerable Systems:Systems with vulnerable /usr/bin/filter setgid mail. Includes Slackware 3.1, possibly 3.0
Date:6 April 1997
Exploit & full info:Available here


Linux inetd port theft vulnerability
Description:Inetd close()s its sockets sometimes, which (if they are unprivileged) allows a user to just swipe them to put up a trojan service or whatever. Note that users can generally cause inetd to close the port by connecting over and over rapidly to make inetd think there is a loop.
Author:Marc Slemko (marcs@znep.com) posted this, it might have originally been discovered by someone else and I don't have the original post.
Compromise:Steal unprivileged services from INETD
Vulnerable Systems:Linux, possibly others
Date:28 March 1997
Exploit & full info:Available here


ELM NLSPATH overflow
Description:Elm, which is often setgid mail, has a buffer overflow with the NLSPATH variable. This is NOT the same as the libc NLSPATH bug.
Author:"Dmitry E. Kim" <jason@REDLINE.RU>
Compromise:GID mail (local)
Vulnerable Systems:Linux with vulnerable setGID mail ELM
Date:26 March 1997
Notes:Joining group mail *CAN* be very helpful to hackers, some Linux boxes allow you to write to the mail spool and read other people's mail if you achieve this. Also, if anyone has a working exploit please mail it this way, I don't feel like writing & testing right now.
Exploit & full info:Available here


Linux tftpd vulnerability
Description:Linux tftpd doesn't check correctly for requests beginning with ../
Author:Alex Belits (abelits@phobos.illtel.denver.co.us)
Compromise:Access directories beyond permissions REMOTELY
Vulnerable Systems:Idiots on Linux running tftpd
Date:23 March 1997
Exploit & full info:Available here


Linux SuperProbe vulnerability
Description:Buffer overflow in SuperProbe, which should NOT be suid root!
Author:Solar Designer
Compromise: root (local)
Vulnerable Systems:Linux with vulnerable SuperProbe SUID root
Date:21 March 1997 (I could have sworn it was known before this)
Exploit & full info:Available here


Linux Doom sndserver vulnerability
Description:This one is pathetic. The user can configure a soundserver in .doomrc, and this program, which the user chose, runs as root!
Author:Joe Zbiciak <im14u2c@cegt201.bradley.edu>
Compromise: root (local)
Vulnerable Systems:Linux running an insecure version of doom setuid root.
Date:17 December 1996
Exploit & full info:Available here


Doom killmouse/startmouse vulnerability
Description:Doom calls insecure shell scripts as root, leading to easy root compromise.
Author:Bo (bo@ebony.iaehv.nl)
Compromise: root (local)
Vulnerable Systems:Linux, including Slackware 3.0. Possibly other distributions.
Date:14 December 1996
Notes:If anyone runs suid root GAMES on a system they want secure, they DESERVE to be hacked! I've appended the obvious exploit to the end of this.
Exploit & full info:Available here


Linux & *BSD lpr holes
Description:A standard buffer overflow exists in Berkeley-derived lpr
Author:Vadim Kolontsov (vadim@tversu.ac.ru) wrote the exploits at least
Compromise: root (local)
Vulnerable Systems:Systems with vulnerable lpr setuid (many Linux and BSD distributions)
Date:25 October 1996
Exploit & full info:Available here


Ping of Death
Description:gazillions of machines can be crashed by sending IP packets that exceed the maximum legal length (65535 octets)
Author:The page included was created by Malachi Kenney. The programs have attribution.
Compromise:Stupid DOS
Vulnerable Systems:I have heard that NT and 95 can actually lock up hard from the programs below. Also, early 2.0.x Linux, Solaris x86, and Macintosh systems are often vulnerable.
Date:21 October 1996 was when this page came up.
Notes:The Ping O' Death page is included first, then comes BSD source code, then comes a version of the above which is modified to compile on Linux 2.X. I also appended jolt.c, which IP spoofs too. Woop!
Exploit & full info:Available here


Linux ldt kernel bug
Description:see exploit.
Author:Marin Purgar - PMC (pmc@asgard.hr) wrote this exploit
Compromise: root
Vulnerable Systems:Unpatched Linux 1.2.* systems (possibly some 1.3.x)
Date:11 October 1996
Exploit & full info:Available here


Xt library bug xterm exploit
Description:The Xt library has a number of buffer overflow vulnerabilities which can be exploited on the suid root programs linked to it.
Author:"b0z0 bra1n"
Compromise: root (local)
Vulnerable Systems:This exploit will work for FreeBSD and, with tweaking, other x86 operating systems (e.g. Linux). Most systems running any version of X11 prior to Aug '96 are vulnerable
Date:24 August 1996
Exploit & full info:Available here


Linux & *BSD umount holes
Description:A standard buffer overflow exists in Linux and *BSD umount
Author:bloodmask (bloodmask@mymail.com) claims to have found the vulnerability. Paulo Jorge Alves Oliveira (pjao@dux.isec.pt) wrote the FreeBSD/Linux exploits included first.
Compromise: root (local)
Vulnerable Systems:Systems with vulnerable umount setuid (many Linux and BSD distributions)
Date:13 August 1996
Notes:If mount is fixed, try ncpmount/ncpumount and possibly wuftpd. Another mount exploit is in the addendum.
Exploit & full info:Available here


Linux sliplogin hole
Description:sliplogin does system() as root w/o clearing environment, so you can do things like set IFS='/'.
Author:David Holland <dholland@hcs.HARVARD.EDU>
Compromise: root (local)
Vulnerable Systems:Any with sliplogin older than 2.1.0, mostly Linux systems (many BSD distributions have the program, but it apparently can't be exploited due to another error).
Date:16 July 1996
Exploit & full info:Available here


suid_perl 5.001 vulnerability
Description:On systems that support saved set-user-IDs, perl isn't thorough enough in giving up its root privileges.
Author:Jon Lewis (jlewis@inorganic5.fdt.net) wrote this basic exploit, though it has been modified. It is unclear who found the hole.
Compromise: root (local)
Vulnerable Systems:Systems that support saved set-user-IDs and set-group-IDs and have suid_perl 5.001 (and possibly below) installed. Many Linux and *BSD boxes.
Date:June 1996
Exploit & full info:Available here


Linux NLSPATH libc overflow
Description:Standard Buffer overflow in libc, neat shellcode though
Author:solar@IDEAL.RU posted exploit, libc had already been fixed
Compromise: root (local)
Vulnerable Systems:Linux with libc around or before 5.3.12, 5.4.7 not vulnerable. SOME versions of Redhat 4.0 are vulnerable
Date:14 February 1996
Exploit & full info:Available here


sudo.bin exploit for NLSPATH vulnerability
Description:Another NLSPATH exploit, this time for sudo.bin
Author:_Phantom_ <vali@lhab.soroscj.ro>
Compromise: root (local)
Vulnerable Systems:Linux with libc around or before 5.3.12, 5.4.7, and sudo.bin installed (Slackware 3.1 and 3.0 maybe?)
Date:13 February 1996 was when we started seeing this class of exploits
Notes:I wish more people would email me exploits like _Phantom_ did! He has also sent in a bunch of other NLSPATH sploits. If the system doesn't have this particular binary, pick another suid program and just change the execl
Exploit & full info:Available here


Telnetd Environmental variable passing problem
Description:A "feature" of most telnetd programs is that they will pass environmental variables (like TERM, DISPLAY, etc) for you. Unfortunately this can be a problem if someone passes LD_PRELOAD and causes /bin/login to load trojan libraries!
Author:Well known, squidge (squidge@onyx.infonexus.com) wrote this, but I doubt you can reach him. Isn't he in jail now?
Compromise:root REMOTELY!
Vulnerable Systems:Older Linux boxes, I think SunOS systems, probably others.
Date:January 1996 maybe? Quite old but lives forever like phf.
Notes:Appended is a uuencoded version of squidge's telnetd_ex.tar.gz
Exploit & full info:Available here


Resolv+ Linux library bug
Description:The libresolv+ library can give out too much information and can possibly crash the system
Author:Possibly Jared Mauch (jared@puck.nether.net)
Compromise:users can read the first line of any file (i.e. /etc/shadow) and they can possibly crash the system.
Vulnerable Systems:Many Linux distributions.
Date:1996
Exploit & full info:Available here


Linux lilo vulnerabilities
Description:Lilo offers a lot of ways to get root to people who have physical access to the machine. This should be obvious, as these are advertised features of lilo. If someone has physical access, they can get in somehow anyway. But these make it easy to do inconspicuously.
Author:These are quite well known, though BeastMaster V apparently wrote the textfile.
Compromise: root (local)
Vulnerable Systems:Linux systems running lilo which allow physical access to untrusted users (really dumb!).
Date:Old (very), but still applicable to many systems, as it is a feature and thus hasn't been "patched".
Notes:BeastMaster doesn't mention that you can also boot with "linux single" to get a root single-user-mode shell on many Linux boxes. I've added another post about lilo "vulnerabilities" in the addendum section.
Exploit & full info:Available here



This page Copyright © Fyodor 1996, 1997, 1998