Exploit world!
Solaris Section
Xaw and Xterm vulnerabilities | |
---|---|
Description: | There are a number of vulnerabilities in X11R6 xterm(1) and Xaw(3c) libraries. They are mostly all overflows |
Author: | Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz> and the exploit was written by alcuin |
Compromise: | root (local) |
Vulnerable Systems: | Those running Xterm or X apps linked to vulnerable Xaw. Virtually all versions of X are vulnerable to the *Keymap hole and the others are mostly X11R6 specific (which virtually everyone uses anyway). Thus it is likely that many Solaris, Linux, HP/UX, and perhaps IRIX and AIX boxes are vulnerable. |
Date: | 4 May 1998 |
Notes: | I have also included an exploit sent to me by "M.C.Mar" <emsi@it.com.pl>. This exploit works against Xaw and neXtaw even WITH Solar Designer's non-executable stack patch applied. Check it out! |
Exploit & full info: | Available here |
ID games Backdoor in quake | |
---|---|
Description: | ID software blatantly put a backdoor in Quake 1/2 and QuakeWorld including both the Linux/Solaris Quake2. RCON commands sent from the subnet 192.246.40.0/24 and containing the password "tms" are automatically executed on the server without being logged. |
Author: | Mark Zielinski <markz@repsec.com> |
Compromise: | root (remote) |
Vulnerable Systems: | Those running Quake 1, QuakeWorld, Quake 2, Quake 2 Linux and Quake 2 Solaris, all versions. Thus many Windows and UNIX boxes are affected |
Date: | 1 May 1998 |
Notes: | Quake was always a horrible security hole, but I never thought Id would stoop to introducing an intentional backdoor to allow them access to systems running Quake. I am surprised this didn't get more publicity. |
Exploit & full info: | Available here |
Overflow in kppp -c option | |
---|---|
Description: | Standard overflow |
Author: | "|[TDP]|" <tdp@psynet.net> |
Compromise: | root (local) |
Vulnerable Systems: | Those running kppp version < 1.1.3 suid root. This comes with the KDE system (which is pretty neat -- www.kde.org) and runs on Solaris, Linux, IRIX, and HP/UX |
Date: | 29 April 1998 |
Notes: | The hole was fixed a while prior to this posting so the (then) current version was not vulnerable. |
Exploit & full info: | Available here |
Overflows in Solaris ufsdump and ufsrestore binaries | |
---|---|
Description: | Standard buffer overflow (in device name passed as arguments) |
Author: | Seth McGann <smm@WPI.EDU> |
Compromise: | Get UID of tty (local) |
Vulnerable Systems: | Solaris 2.6/SPARC, opinions differed on whether 2.6/X86 is vulnerable. |
Date: | 23 April 1998 |
Exploit & full info: | Available here |
lprm Linux/BSD/Solaris Overflow | |
---|---|
Description: | The lprm program on some machines has a standard overflow in the name you feed it to remove a job from a remote printer |
Author: | Chris Evans <chris@FERRET.LMH.OX.AC.UK> posted this problem to BugTraq; it turns out that the OpenBSD folks (probably Theo De Raadt) fixed the problem in 1996. |
Compromise: | root (local) |
Vulnerable Systems: | RedHat Linux 4.2 and 5.0, Solaris 2.6, Some *BSD variants vulnerable, but most fixed it 6 months to two years prior to this notice |
Date: | 18 April 1998 |
Exploit & full info: | Available here |
MGE UPS serious security holes | |
---|---|
Description: | Standard security holes are plentiful in the MGE UPS software |
Author: | Ryan Murray <rmurray@PC-42839.BC.ROGERS.WAVE.CA> |
Compromise: | root (local) |
Vulnerable Systems: | Those running vulnerable versions of MGE UPS software. It apparently runs on Solaris, AIX, SCO, etc. |
Date: | 12 April 1998 |
Exploit & full info: | Available here |
Majordomo tmpfile bug | |
---|---|
Description: | Standard tmpfile problem |
Author: | Karl G - NOC Admin <ovrneith@tqgnet.com> |
Compromise: | Any user on a system running majordomo can append arbitrary data to any file owned by the majordomo account. |
Vulnerable Systems: | Those running majordomo. This runs on a ton of systems (Solaris, Linux, IRIX, etc.). |
Date: | 26 March 1998 |
Exploit & full info: | Available here |
Another MSIE 4.0 overflow | |
---|---|
Description: | Standard overflow, this one can almost certainly be exploited by a malicious page to run arbitrary code on a user's system. |
Author: | Georgi Guninski <guninski@hotmail.com> |
Compromise: | Run arbitrary code on the machines of Windows users connecting to your web page. |
Vulnerable Systems: | Windows 95/NT running MSIE 4.0. Perhaps even the Solaris version is vulnerable, though I've never seen anyone run it. |
Date: | 20 March 1998 |
Exploit & full info: | Available here |
Solaris 2.6 printd tmpfile problem | |
---|---|
Description: | Standard insecure tmpfile hole |
Author: | Silicosis <sili@l0pht.com> |
Compromise: | unprivileged users can overwrite and create system files and print files they shouldn't be able to read. |
Vulnerable Systems: | Solaris 2.6 |
Date: | 11 March 1998 |
Exploit & full info: | Available here |
updatedb on Redhat | |
---|---|
Description: | RedHat Linux updatedb/sort insecure tmpfiles |
Author: | viinikala <kala@DRAGON.CZ> |
Compromise: | become user 'nobody' via updatedb (or root on a really old distro of RedHat) (local) |
Vulnerable Systems: | Redhat Linux (presumably 5.0) is very vulnerable due to updatedb calling sort regularly, many other systems (such as Solaris) have an insecure sort. Also FreeBSD 2.2.2 is apparently vulnerable to the same updatedb problem. |
Date: | 28 February 1998 |
Notes: | Dave Goldsmith may have found this first, although I cannot currently access his website for more info. |
Exploit & full info: | Available here |
Solaris /usr/dt/bin/dtappgather symlink problem. | |
---|---|
Description: | Standard symlink problem allows arbitrary files to be chowned to the attacker's UID. |
Author: | Mastoras <mastoras@PAPARI.HACK.GR> |
Compromise: | root (local) |
Vulnerable Systems: | Solaris 2.5,2.5.1 running CDE version 1.0.2 with suid /usr/dt/bin/dtappgather |
Date: | 23 February 1998 |
Exploit & full info: | Available here |
Exploit for the gcc tempfile issue | |
---|---|
Description: | gcc 2.7.2.x (and earlier as far as I know) creates temporary files in /tmp which will follow symlinks and allows you to clobber the files of the person running gcc |
Author: | "Michał Zalewski" <lcamtuf@boss.staszic.waw.pl> |
Compromise: | Overwrite files owned by the user running gcc (possibly root ) |
Vulnerable Systems: | Those running gcc 2.7.2.x; this includes most Linux and *BSD boxes. Many admins of Solaris boxes have also added gcc. This problem is finally fixed in gcc 2.8.0 |
Date: | 16 January 1998 |
Notes: | This has been mentioned before on Bugtraq but this is the first actual exploit I've seen. |
Exploit & full info: | Available here |
Sun ^D DOS attack | |
---|---|
Description: | By connecting to the telnet port of a Solaris 2.5.1 box, sending some bogus telnet negotiation option and then flooding the channel with ^D, you can (temporarily) slow the machine to a near halt. |
Author: | Jason Zapman II <zapman@CC.GATECH.EDU> |
Compromise: | remote DOS attack |
Vulnerable Systems: | Solaris 2.5.1, 2.6 |
Date: | 13 December 1997 |
Notes: | I appended a better version after the first (the second forks extra processes to increase the flood). I also appended an NT port. |
Exploit & full info: | Available here |
Solaris 2.5.1 automound hole | |
---|---|
Description: | standard popen() hole |
Author: | Anonymous |
Compromise: | root (local) |
Vulnerable Systems: | Solaris 2.5.1 without patch 10465[45] applied |
Date: | 26 November 1997 |
Exploit & full info: | Available here |
Solaris Statd exploit | |
---|---|
Description: | Solaris 2.5.1 x86 remote overflow for statd. There is apparently an earlier patch which doesn't fix the problem. |
Author: | Anonymous |
Compromise: | root (remote) |
Vulnerable Systems: | Solaris 2.5.1 x86 is what this exploit is written for. According to a later CERT advisory, vulnerable systems include Digital UNIX (4.0 through 4.0c), AIX 3.2 and 4.1, Solaris 2.5, 2.51 and SunOS 4.1.* for both X86 and SPARC |
Date: | 24 November 1997 |
Exploit & full info: | Available here |
Terminal hijacking via pppd | |
---|---|
Description: | pppd offers read/write access to any tty. This allows a man in the middle attack for trojan terminals as well as other mischief. Also it allows users to freely dial out with the modem (often not a good idea). |
Author: | David Neil <theoe@EUROPA.COM> |
Compromise: | Hijack terminals, dial arbitrary numbers with the modem, other mischief. |
Vulnerable Systems: | Those running pppd. Many Linux boxes, perhaps some BSD, Solaris. |
Date: | 15 November 1997 |
Exploit & full info: | Available here |
Overflow in suidperl 5.003 | |
---|---|
Description: | Overflow (via sprintf()) in the mess() function in suidperl |
Author: | Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz> |
Compromise: | root (local) |
Vulnerable Systems: | Those running suid-perl 5.003; this includes many Linux, *BSD, Solaris and UNIX boxes in general. |
Date: | 13 November 1997 |
Exploit & full info: | Available here |
Security Dynamics FTP server core problem | |
---|---|
Description: | It is possible to cause this server to dump core while ftping in. The core file will clobber files and also contains crypt(3)ed passwords. |
Author: | sp00n <sp00n@COUPLER.300BAUD.COM> |
Compromise: | root (local) |
Vulnerable Systems: | Solaris 2.5 running Security Dynamics' FTP server (Version 2.2) perhaps other versions. |
Date: | 12 November 1997 |
Exploit & full info: | Available here |
Core bug in the Security Dynamics ftp server | |
---|---|
Description: | typical core file bug |
Author: | sp00n <sp00n@COUPLER.300BAUD.COM> |
Compromise: | root (local) |
Vulnerable Systems: | Those running the Security Dynamics FTP server (Version 2.2). This is available at least for solaris boxes. |
Date: | 12 November 1997 |
Exploit & full info: | Available here |
BRU (Backup and Recovery Utility) poor permissions | |
---|---|
Description: | This commercial UNIX backup program creates the /usr/local/lib/bru directory mode 777. This directory apparently contains sources. Enough said. |
Author: | Kyle Amon <amonk@GNUTEC.COM> |
Compromise: | root (local) |
Vulnerable Systems: | Any running vulnerable version of BRU (There is a Linux version, probably also Solaris and other *NIX). |
Date: | 8 November 1997 |
Exploit & full info: | Available here |
Intel "f00f" Pentium bug | |
---|---|
Description: | A bug in the Intel Pentium (and Pentium + MMX) chips allows usermode processes to crash the system by executing the invalid instruction 0xf00fc7c8 |
Author: | Sent through an anonymous remailer |
Compromise: | Users who can run code on the system can totally freeze the system |
Vulnerable Systems: | Those running on a Pentium including versions of Linux, Dos, WinNT, Win95, SolarisX86, etc. |
Date: | 8 November 1997 |
Exploit & full info: | Available here |
ftp mget vulnerability | |
---|---|
Description: | If the nlist caused by a mget returns a file like /etc/passwd , most ftp clients seem to (try to) overwrite/create it without signaling anything wrong. You can also use files with names like "|sh" to execute arbitrary commands. |
Author: | I don't recall who found it first; in the appended post af@c4c.com gives an example of the bug using Linux Slackware |
Compromise: | ftp servers can compromise clients who use mget to d/l files |
Vulnerable Systems: | ftp clients on Linux, AIX, HP/UX, Solaris 2.6, and probably many other systems |
Date: | 3 November 1997 was when this example was posted (the bug was found a while back) |
Exploit & full info: | Available here |
Kill syslogd remotely on solaris boxes | |
---|---|
Description: | There is a problem where syslogd will crash if it can't do a DNS lookup on the source IP it gets the message from. |
Author: | lb - STAFF <lb@POSH.INEXWORKS.NET> |
Compromise: | Kill syslogd (I'm sure hackers would love to do that before launching a real attack) |
Vulnerable Systems: | Solaris 2.5, 2.51 both Sparc and x86 |
Date: | 21 October 1997 |
Exploit & full info: | Available here |
SunOS rlogin overflow | |
---|---|
Description: | Apparently an overflow in parsing argv |
Author: | I have no clue, _PHANTOM_ <phantom@lhab-gw.soroscj.ro> sent it to me |
Compromise: | root (apparently) (local) |
Vulnerable Systems: | SunOS |
Date: | 8 September 1997 |
Notes: | Someone confirmed to me that this works with Solaris 2.5.1 but not 2.6. Anyone care to try SunOS 4.x? |
Exploit & full info: | Available here |
Check for existence of files on systems running mountd | |
---|---|
Description: | Some mountd implementations apparently give different error messages depending on whether the mountpoint requested exists or not. |
Author: | Peter <deviant@UNIXNET.ORG> |
Compromise: | query for existence of arbitrary files (by name). This could help determine security flaws present on a remote system. |
Vulnerable Systems: | Those running vulnerable mountd. This includes at least some versions of AIX, Linux, *BSD, SunOS, Solaris, etc. |
Date: | 24 August 1997 |
Exploit & full info: | Available here |
Solaris dtlogin core vulnerability | |
---|---|
Description: | Dtlogin apparently explicitly sets its umask to 027 and when it dumps core it can leave both encrypted and UNENCRYPTED passwords of remote users available via 'strings'. |
Author: | Arve Kjoelen <akjoele@SIUE.EDU> |
Compromise: | Narf passwords from dtlogin /core |
Vulnerable Systems: | Solaris 2.5.1 CDE with vulnerable dtlogin. |
Date: | 24 July 1997 |
Exploit & full info: | Available here |
ld-linux.so.1.9.2 overflow | |
---|---|
Description: | Error handling code in ld.so has a buffer overflow problem. This exploit uses LD_PRELOAD to get by various problems with other methods. |
Author: | Was originally a KSR[T] Advisory (#2), exploit written by Dan McGuirk <mcguirk@INDIRECT.COM> |
Compromise: | root (local) |
Vulnerable Systems: | Linux boxes running ld-linux.so.1.9.2. Various people have suggested that the solaris /usr/lib/libdl.so may have a similar vulnerability. If anyone has any info on this, please mail me. |
Date: | 19 July 1997 |
Notes: | I've put another exploit in the addendum |
Exploit & full info: | Available here |
Overflow in solaris passwd (and yppasswd and nispasswd) | |
---|---|
Description: | Standard overflows |
Author: | Cristian SCHIPOR (skipo@SUNDY.CS.PUB.RO) |
Compromise: | root (local) |
Vulnerable Systems: | Solaris 2.X, including 2.4 and 2.5 |
Date: | 12 July 1997 |
Notes: | I somehow missed this in my collection, thanks to the fellow (who wishes to be anonymous) who reminded me of this beauty! |
Exploit & full info: | Available here |
SunOS 4.x overflows! This example is for xterm | |
---|---|
Description: | Willy has created SunOS 4.x buffer overflow code, and gives the appended example, which overflows the X libraries. |
Author: | Willy TARREAU <tarreau@AEMIAIF.LIP6.FR> |
Compromise: | root (local) |
Vulnerable Systems: | SunOS 4.x for this particular exploit. Many other systems are vulnerable (see my other pages on the topic). |
Date: | 8 July 1997 |
Notes: | This is in uuencoded form. Be sure to copy & paste, don't save as a file because it has html codez in it. |
Exploit & full info: | Available here |
Solaris local ping DOS attack | |
---|---|
Description: | You can reboot solaris boxes with ping -sv -i 127.0.0.1 224.0.0.1 |
Author: | Adam Caldwell <adam@ATL.ENI.NET> |
Compromise: | Stupid DOS attack, plus you need to be a local user. |
Vulnerable Systems: | Apparently all versions of Solaris up to (but not including) 2.6 |
Date: | 26 June 1997 |
Exploit & full info: | Available here |
Solaris root socket descriptor bug | |
---|---|
Description: | You can swipe control of a root owned socket descriptor from user-owned inetd processes like rshd. |
Author: | Alan Cox (alan@LXORGUK.UKUU.ORG.UK) |
Compromise: | control of a root owned socket |
Vulnerable Systems: | Solaris 2.5.1, probably earlier versions. I hear that 2.6 is fixed. Sun doesn't seem interested in fixing this, for some reason. |
Date: | 19 June 1997 was the date of this post, although Alan has been complaining about the bug for ages. |
Notes: | You may have to change your interface to le0, hme0, or whatever to make it work. |
Exploit & full info: | Available here |
Solaris rpcbind listens on undocumented high UDP port | |
---|---|
Description: | rpcbind for Solaris, which belongs on UDP port 111, is also found on a UDP port above 32770. Thus many packet filters aren't effective. |
Author: | Oliver Friedrichs <oliver@silence.secnet.com> (Secure Networks Inc.) |
Compromise: | Access rpcbind, even from sites that filter it at their firewall or packet filter. |
Vulnerable Systems: | Unpatched Solaris 2.X up to 2.5.1 |
Date: | 4 June 1997 |
Notes: | Apparently rpcbind also listens on high Solaris *TCP* ports sometimes. I've included a hacked rpcinfo client below the secnet advisory. |
Exploit & full info: | Available here |
SunOS 4.1.4 crashes when (l)users read /dev/tcx0 | |
---|---|
Description: | Sparcstations running 4.1.4 (probably other versions too) crash when users read /dev/tcx0 with something like 'cat'. Note that this is a VERY general problem. There are a lot of devices on many machines that will crash if you do weird things to them, especially cat'ing binary files to them. I am not going to write up a page on each. |
Author: | Dixon Ly <dly@BAYNETWORKS.COM> mentioned this particular problem. |
Compromise: | DOS attack, obviously annoy people. You could also do more devious things, taking down the machine so you can IP spoof "from" it without it sending those damn RSTs! |
Vulnerable Systems: | Sparc 5,10,20,etc. running SunOS 4.1.4 probably other versions. |
Date: | 19 May 1997 |
Exploit & full info: | Available here |
Data Buffer overrun in Solaris 2.5.1, 2.5.0 in ps and chkey | |
---|---|
Description: | The solaris ps (both /usr/bin and /usr/ucb) and chkey programs are insecure, and it is possible to exploit them via a rather complicated data buffer overrun. This overrun is probably present in many other programs. |
Author: | Joe Zbiciak <jzbiciak@DALDD.SC.TI.COM> wrote the ps exploit. Adam Morrison <adam@MATH.TAU.AC.IL> provided a lot of information and mentioned that chkey was also vulnerable. Adam also posted a cool stdio overflow program which will get its own entry. |
Compromise: | root (local) |
Vulnerable Systems: | Solaris 2.5.1, 2.5.0, possibly earlier versions. |
Date: | 19 May 1997 |
Notes: | There were a bunch of interesting postings on this topic which help to exploit the vulnerability. I've included the best ones below. |
Exploit & full info: | Available here |
Program for exploiting data overrun conditions | |
---|---|
Description: | This isn't an exploit per se, (although, as mentioned in another exploit, it works for chkey and ps). Now you can exploit these overruns when you find them yourself! |
Author: | adam@math.tau.ac.il (Adam Morrison), Joe Zbiciak <jzbiciak@DALDD.SC.TI.COM> also contributed a useful script for finding the proc_link value for an overflow. |
Compromise: | root (local) |
Vulnerable Systems: | This program works for Solaris on SPARC. Other OSes are vulnerable to similar overflows, although this program obviously won't work. |
Date: | 19 May 1997 |
Notes: | I've included Adam Morrison's original post as well as Joe Zbiciak's supplementary script below. |
Exploit & full info: | Available here |
Failure of Solaris and old BSD versions to honor the filesystem permissions of unix domain sockets. | |
---|---|
Description: | Solaris (including SunOS) and old (4.3 and earlier) versions of BSD don't honor permissions on the filesystem representations of unix domain sockets. A lot of programmers might not realize that anyone can send data to their programs by writing to the "file". |
Author: | Thamer Al-Herbish <shadows@whitefang.com> posted this to bugtraq, but it was somewhat well known. |
Compromise: | write malicious data to unsuspecting applications |
Vulnerable Systems: | Solaris 2.5 and earlier (not sure about 2.5.1). Version 2.6 will supposedly not be vulnerable. |
Date: | 17 May 1997 |
Exploit & full info: | Available here |
Solaris lp and lpsched symlink vulnerabilities | |
---|---|
Description: | A typical symlink-to-.rhosts exploit |
Author: | Chris Sheldon (csh@viewgraphics.com) |
Compromise: | root (local) |
Vulnerable Systems: | Solaris 2.51, possibly others |
Date: | 3 May 1997 |
Exploit & full info: | Available here |
Solaris /bin/fdformat overflow sploit | |
---|---|
Description: | Buffer overflow in find_media() in /bin/fdformat |
Author: | Cristian Schipor (skipo@Math.PUB.Ro) |
Compromise: | root (local) |
Vulnerable Systems: | Solaris 2.4, 2.5 |
Date: | 23 March 1997 |
Exploit & full info: | Available here |
Solaris chkperm vulnerability | |
---|---|
Description: | Solaris 2.4's /usr/vmsys/bin/chkperm creates $VMSYS/.facerc in a laughably insecure fashion. |
Author: | Duncan Simpson <dps@IO.STARGATE.CO.UK> |
Compromise: | bin, which trivially leads to root (local) |
Vulnerable Systems: | Solaris 2.4, NOT 2.5 or 2.5.1, the author is apparently wrong about this. |
Date: | 5 December 1996 |
Exploit & full info: | Available here |
Solaris gethostbyname() exploit | |
---|---|
Description: | gcc 2.7.2.x (and earlier as far as I know) creates temporary files in /tmp which will follow symlinks and allows you to clobber the files of the person running gcc |
Author: | Jeremy Elson (jelson@helix.nih.gov) |
Compromise: | Overwrite files owned by the user running gcc (possibly root ) |
Vulnerable Systems: | Solaris 2.5 and 2.5.1 |
Date: | 18 November 1996 |
Notes: | See addendum |
Exploit & full info: | Available here |
Ping of Death | |
---|---|
Description: | gazillions of machines can be crashed by sending IP packets that exceed the maximum legal length (65535 octets) |
Author: | The page included was created by Malachi Kenney. The programs have attribution. |
Compromise: | Stupid DOS |
Vulnerable Systems: | I have heard that NT and 95 can actually lock up hard from the programs below. Also, early 2.0.x Linux, Solaris x86, and Macintosh systems are often vulnerable. |
Date: | 21 October 1996 was when this page came up. |
Notes: | The Ping O' Death page is included first, then comes BSD source code, then comes a version of the above which is modified to compile on Linux 2.X. I also appended jolt.c, which IP spoofs to. Woop! |
Exploit & full info: | Available here |
Solaris /usr/bin/solstice bug | |
---|---|
Description: | /usr/bin/solstice is setgid bin and gives this privilege away freely. |
Author: | Unknown (it was known before the attached post) |
Compromise: | group bin, which leads quickly to root (local) |
Vulnerable Systems: | Systems with vulnerable /usr/bin/solstice (Solaris 2.5, 2.5.1) |
Date: | 18 October 1996 (known prior to this) |
Notes: | See addendum. |
Exploit & full info: | Available here |
Solaris (and others) ftpd core dump bug | |
---|---|
Description: | Solaris ftpd (as well as others) can be made to core dump and divulge shadowed passwords |
Author: | Unknown |
Compromise: | Can obtain the crypt()ed root password |
Vulnerable Systems: | Solaris (at least 2.5) and others including wu.ftpd. If the enclosed exploit doesn't work, try killing the process yourself. |
Date: | 15 October 1996 |
Notes: | See addendum |
Exploit & full info: | Available here |
setgid Core dumping vulnerability in Solaris 2.4 | |
---|---|
Description: | Solaris 2.4 prior to kernel jumbo patch 35 in many circumstances allows setgid programs to dump core which is especially bad since Solaris has WAY too many group-writable files. |
Author: | Jungseok Roh <beren@cosmos.kaist.ac.kr> |
Compromise: | It is easy to overwrite files writeable by group bin, which leads quickly to root access (local) |
Vulnerable Systems: | Solaris 2.4 prior to kernel jumbo patch -35 |
Date: | 3 August 1996 |
Exploit & full info: | Available here |
Solaris admintool and /usr/openwin/bin/kcms_* tmpfile vulnerabilities | |
---|---|
Description: | Standard insecure tempfile creation, symlink to /.rhosts exploit |
Author: | Jungseok Roh (beren@cosmos.kaist.ac.kr) posted the kcms_* stuff, Leif Hedstrom (leif@netscape.com) posted that admintool had the same problem. |
Compromise: | root (local) |
Vulnerable Systems: | Solaris 2.5.[01] |
Date: | 26 July 1996 |
Exploit & full info: | Available here |
Rdist buffer overrun (BSD Code) | |
---|---|
Description: | Another vulnerability in rdist, standard buffer overflow |
Author: | found in [8lgm]-Advisory-26.UNIX.rdist.20-3-1996, *BSD exploit written by Brian Mitchell (brian@saturn.net) |
Compromise: | root (local) |
Vulnerable Systems: | Solaris 2.x, SunOS 4.*, some *BSD systems. Included exploit only for *BSD. |
Date: | 10 July 1996 |
Exploit & full info: | Available here |
Solaris /bin/eject Buffer overflow | |
---|---|
Description: | Solaris /bin/eject takes a device name (floppy, etc) for argv[2] which can be overflowed via standard techniques. |
Author: | Cristian SCHIPOR (skipo@SUNDY.CS.PUB.RO) |
Compromise: | root (local) |
Vulnerable Systems: | Unpatched Solaris 2.4, 2.5 |
Date: | 13 March 1996 |
Exploit & full info: | Available here |
Solaris 2.5.1 sdtcm_convert hole | |
---|---|
Description: | sdtcm_convert is kind enough to watch the permissions of your calendar file and if you change them it will change them back ... even following symlinks ;) |
Author: | Cristian SCHIPOR (skipo@SUNDY.CS.PUB.RO) |
Compromise: | root (local) |
Vulnerable Systems: | Solaris at least 2.5.1 |
Date: | 22 February 1996 |
Exploit & full info: | Available here |
Insecure Solaris default nissetup password table permissions! | |
---|---|
Description: | The nissetup.sh program for setting up NIS+ databases leaves insecure permissions on the password table. This allows you to, for example, use nistbladm to change your UID! |
Author: | Well known |
Compromise: | root (local) |
Vulnerable Systems: | Unpatched Solaris 2.5.1 systems (possibly earlier versions of Solaris). |
Date: | 10 February 1996 |
Notes: | Here is an anonymous posting reminding us of the problem. Also, Casper Dik (casper@HOLLAND.SUN.COM) mentioned that just installing the Solaris patch doesn't fix the problem. You need to manually reset the bad permissions. How many people do you think forgot to do that? |
Exploit & full info: | Available here |
Telnetd Environmental variable passing problem | |
---|---|
Description: | A "feature" of most telnetd programs is that they will pass environmental variables (like TERM, DISPLAY, etc) for you. Unfortunately this can be a problem if someone passes LD_PRELOAD and causes /bin/login to load trojan libraries! |
Author: | Well known, squidge (squidge@onyx.infonexus.com) wrote this, but I doubt you can reach him. Isn't he in jail now? |
Compromise: | root REMOTELY! |
Vulnerable Systems: | Older Linux boxes, I think SunOS systems, probably others. |
Date: | January 1996 maybe? Quite old but lives forever like phf. |
Notes: | Appended is a uuencoded version of squidge's telnetd_ex.tar.gz |
Exploit & full info: | Available here |
This page Copyright © Fyodor 1996, 1997, 1998