Exploit world!
*BSD Section
OpenBSD (and others) lprm overflow | |
---|---|
Description: | There is a subtle overflow in the pointer arithmetic in copying a command string to a buffer. |
Author: | Niall Smart <rotel@indigo.ie> |
Compromise: | root (local) |
Vulnerable Systems: | OpenBSD 2.2 and earlier, some versions of FreeBSD, NetBSD |
Date: | 23 April 1998 |
Notes: | This is an excellent description of the problem. Also congratulations go to Niall Smart for finding this bug in the heavily audited OpenBSD codebase. |
Exploit & full info: | Available here |
qcam overflows | |
---|---|
Description: | several qcam apps as well as libqcam seem to have rather obvious security holes when installed setuid root. |
Author: | bst@INAME.COM |
Compromise: | root (local) |
Vulnerable Systems: | Those running qcam, sqcam, xqcam, SANE-0.67. Mostly Linux boxes, perhaps BSD. |
Date: | 20 April 1998 |
Exploit & full info: | Available here |
lprm Linux/BSD/Solaris Overflow | |
---|---|
Description: | The lprm program on some machines has a standard overflow in the name you feed it to remove a job from a remote printer |
Author: | Chris Evans <chris@FERRET.LMH.OX.AC.UK> posted this problem to BugTraq; it turns out that the OpenBSD folks (probably Theo de Raadt) fixed the problem in 1996. |
Compromise: | root (local) |
Vulnerable Systems: | RedHat Linux 4.2 and 5.0, Solaris 2.6. Some *BSD variants are vulnerable, but most fixed it 6 months to two years prior to this notice. |
Date: | 18 April 1998 |
Exploit & full info: | Available here |
TTCP spoofing problem | |
---|---|
Description: | Apparently TTCP allows commands to be executed before the full 3-way handshake has been completed. This means an attacker can set up a malicious connection without the trouble of TCP sequence prediction. |
Author: | Vasim Valejev <vasim@DIASPRO.COM> |
Compromise: | Exploit trust relationships, avoid logging, all the other benefits that come with "classical" TCP sequencing attacks. |
Vulnerable Systems: | Those implementing T/TCP (rfc1644). Perhaps FreeBSD allows this attack? |
Date: | 7 April 1998 |
Exploit & full info: | Available here |
Overflows in the MesaGL OpenGL implementation | |
---|---|
Description: | There are many overflows in this library, one of which can be used to compromise xlock in some cases |
Author: | bjorn smedman <bs@ODEN.SE> |
Compromise: | root (local) |
Vulnerable Systems: | This exploit is for FreeBSD 2.2.5, although other OSes that use MesaGL are likely to be vulnerable. |
Date: | 24 March 1998 |
Exploit & full info: | Available here |
Insecure scripts that come with RedHat 5.0 (and other OS's) | |
---|---|
Description: | The scripts named in this message have standard insecure tmpfile bugs. If someone can predict when these will be run (like if they are in cron) then they can generally overwrite files of the person running the command (could be root). |
Author: | Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL> |
Compromise: | Potential for root compromise |
Vulnerable Systems: | Specifically this list is for RedHat 5 although many other Linux systems and probably some *BSD systems are vulnerable. |
Date: | 14 March 1998 |
Exploit & full info: | Available here |
Another TMPfile problem in updatedb script | |
---|---|
Description: | updatedb creates a tmp file in /tmp, moves it to /var/lib/locatedb, then chowns it to root. The race condition is clear. |
Author: | Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL> |
Compromise: | root (local) |
Vulnerable Systems: | RedHat 5.0, perhaps other systems such as FreeBSD using updatedb. |
Date: | 6 March 1998 |
Exploit & full info: | Available here |
updatedb on Redhat | |
---|---|
Description: | RedHat Linux updatedb/sort insecure tmpfiles |
Author: | viinikala <kala@DRAGON.CZ> |
Compromise: | become user 'nobody' via updatedb (or root on a really old distro of RedHat) (local) |
Vulnerable Systems: | Redhat Linux (presumably 5.0) is very vulnerable due to updatedb calling sort regularly, many other systems (such as Solaris) have an insecure sort. Also FreeBSD 2.2.2 is apparently vulnerable to the same updatedb problem. |
Date: | 28 February 1998 |
Notes: | Dave Goldsmith may have found this first, although I cannot currently access his website for more info. |
Exploit & full info: | Available here |
4.4BSD mmap() vulnerability | |
---|---|
Description: | A 4.4BSD problem allows a read-only descriptor to a char device to be mmap()ed in RW mode. This can allow group kmem to become root and root to lower the system secure-level. |
Author: | Theo de Raadt and Chuck Cranor |
Compromise: | User kmem -> root -> modify secure-level -> delete audit trail and load evil kernel mods. |
Vulnerable Systems: | OpenBSD 2.2 and below, FreeBSD 2.2.5 and below, BSDI 3.0 and NetBSD. |
Date: | 26 February 1998 |
Notes: | This is an excellent advisory, I wish other groups and people would use a full-disclosure, detailed, and well organized format like this. |
Exploit & full info: | Available here |
X11R6.3 Xkeyboard hole | |
---|---|
Description: | X11R6.3 based Xservers with the XKEYBOARD extension that are setuid can be exploited with the -xkbdir option |
Author: | Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz> |
Compromise: | root (local) |
Vulnerable Systems: | Those systems running a setuid X11R6.3-based Xserver with the XKEYBOARD extension (R6.1 is also probably affected). The XFree86 servers that come with many Linux and *BSD distributions are a good example of this. |
Date: | 3 February 1998 |
Exploit & full info: | Available here |
OpenBSD mkfifo DOS attack | |
---|---|
Description: | You can run the *BSD kernel out of non-pageable memory by making a fifo (via mkfifo) and forking a bunch of processes trying to cat it. |
Author: | Jason Downs <downsj@DOWNSJ.COM> |
Compromise: | Crash the system (stupid DOS attack) |
Vulnerable Systems: | OpenBSD, presumably NetBSD, FreeBSD, BSDI |
Date: | 25 January 1998 |
Exploit & full info: | Available here |
Exploit for the gcc tempfile issue | |
---|---|
Description: | gcc 2.7.2.x (and earlier as far as I know) creates temporary files in /tmp which will follow symlinks and allows you to clobber the files of the person running gcc |
Author: | "Michał Zalewski" <lcamtuf@boss.staszic.waw.pl> |
Compromise: | Overwrite files owned by the user running gcc (possibly root ) |
Vulnerable Systems: | Those running gcc 2.7.2.x; this includes most Linux and *BSD boxes. Many admins of Solaris boxes have also added gcc. This problem is finally fixed in gcc 2.8.0. |
Date: | 16 January 1998 |
Notes: | This has been mentioned before on Bugtraq but this is the first actual exploit I've seen. |
Exploit & full info: | Available here |
routed trace file exploit | |
---|---|
Description: | routed has the ability to have trace mode turned on remotely using any arbitrary filename. Thus you can append stuff to arbitrary files remotely. |
Author: | Rootshell |
Compromise: | You should be able to leverage this to root remote access. |
Vulnerable Systems: | RedHat Linux; IRIX 5.2, 5.3 and 6.2 are vulnerable; NetBSD 1.2 is vulnerable. |
Date: | 8 January 1998 |
Exploit & full info: | Available here |
ccdconfig sgid kmem BSD exploit | |
---|---|
Description: | ccdconfig is sgid kmem and can be exploited to read /dev/mem. It shouldn't be too tough to leverage this into root access. |
Author: | Niall Smart <rotel@INDIGO.IE> |
Compromise: | root (local) |
Vulnerable Systems: | NetBSD, FreeBSD, older versions of OpenBSD |
Date: | 31 December 1997 |
Exploit & full info: | Available here |
BSD Termcap overflow | |
---|---|
Description: | This program creates a malicious termcap file which can cede root access. |
Author: | Bug originally discovered by Theo de Raadt <deraadt@CVS.OPENBSD.ORG>; exploit written by Joseph_K on 22-Oct-1997 |
Compromise: | Theoretically this may allow you to become root remotely. You can definitely become root locally. |
Vulnerable Systems: | BSDI, probably FreeBSD/NetBSD/OpenBSD prior to October 1997 |
Date: | 1 December 1997 |
Exploit & full info: | Available here |
XFree86 (and apparently other X11R6 XC/TOG derived servers) -config insecurity | |
---|---|
Description: | XFree86 is setuid root in many cases and takes a -config option to use a different config file. Unfortunately it doesn't check permissions on this file so you can (for example) read the first line of /etc/shadow (printed in the warning message) |
Author: | plaguez <dube0866@eurobretagne.fr> |
Compromise: | Read files that you shouldn't have permissions for |
Vulnerable Systems: | Those with a suid root XFree86 X server as well as some other X servers. This affects many Linux (and probably FreeBSD/OpenBSD) boxes. |
Date: | 21 November 1997 |
Exploit & full info: | Available here |
The LAND attack (IP DOS) | |
---|---|
Description: | Sending a packet to a machine with the source host/port the same as the destination host/port crashes a lot of boxes. |
Author: | m3lt <meltman@LAGGED.NET> |
Compromise: | Remote DOS attack (reboots many systems) |
Vulnerable Systems: | Windows95, Windows NT 4.0, WfWG 3.11, FreeBSD |
Date: | 20 November 1997 |
Exploit & full info: | Available here |
Terminal hijacking via pppd | |
---|---|
Description: | pppd offers read/write access to any tty. This allows a man in the middle attack for trojan terminals as well as other mischief. Also it allows users to freely dial out with the modem (often not a good idea). |
Author: | David Neil <theoe@EUROPA.COM> |
Compromise: | Hijack terminals, dial arbitrary numbers with the modem, other mischief. |
Vulnerable Systems: | Those running pppd. Many Linux boxes, perhaps some BSD, Solaris. |
Date: | 15 November 1997 |
Exploit & full info: | Available here |
Overflow in suidperl 5.003 | |
---|---|
Description: | Overflow (via sprintf()) in the mess() function in suidperl |
Author: | Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz> |
Compromise: | root (local) |
Vulnerable Systems: | Those running suid-perl 5.003; this includes many Linux, *BSD, Solaris and UNIX boxes in general. |
Date: | 13 November 1997 |
Exploit & full info: | Available here |
BSD color_xterm xlib overflow | |
---|---|
Description: | Standard buffer overflow, I believe the root of this is in the X libraries |
Author: | Ladislav Bukvicka <Ladislav.Bukvicka@EUNET.CZ> |
Compromise: | root (local) |
Vulnerable Systems: | Many systems vulnerable, but this particular exploit is for BSD |
Date: | 23 October 1997 is when this exploit was published, but the hole is well known. |
Exploit & full info: | Available here |
in.telnetd tgetent buffer overflow | |
---|---|
Description: | By specifying an alternate terminal capability database with huge entries, you can overflow programs (like telnet, possibly xterm in some cases) which call tgetent() expecting a reasonable-length buffer. |
Author: | Secure Networks, INC |
Compromise: | In some cases, root (remote) |
Vulnerable Systems: | BSD/OS v2.1. Theo de Raadt mentions that you might be able to attack the suid xterm program locally with this hole to gain root access (possibly Linux, as well as other BSDs). |
Date: | 21 October 1997 |
Notes: | I have appended an exploit for BSDI in the addendum section. |
Exploit & full info: | Available here |
open() on BSD succeeds and cedes valid fd with the argument "-1" | |
---|---|
Description: | You can't read a file you shouldn't be able to, but by feeding bad args to open, you can get a valid file descriptor and do inappropriate ioctl's to it. This is especially important for certain devices. |
Author: | explorer@flame.org |
Compromise: | DoS, possible other uses |
Vulnerable Systems: | *BSD |
Date: | 17 October 1997 |
Exploit & full info: | Available here |
Security problems in the lpd protocol | |
---|---|
Description: | The protocol for lpd (Line Printer Daemon, RFC 1179) seems to have a number of insecurities, as discussed in this post |
Author: | Bennett Samowich <a42n8k9@REDROSE.NET> |
Compromise: | root (remote) |
Vulnerable Systems: | Those running a vulnerable version of lpd, many Linux and *BSD versions are vulnerable |
Date: | 2 October 1997 |
Exploit & full info: | Available here |
ARP and ICMP redirection games | |
---|---|
Description: | This excellent article/code from Yuri points out a number of (mostly known) problems with the ARP and ICMP protocols/implementations |
Author: | Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU> |
Compromise: | spoof as a trusted host, redirect traffic through your host, DoS |
Vulnerable Systems: | Many versions of Linux, numerous hubs/routers. AFAIK, IRIX, HP-UX, *BSD, and probably Windoze can be spoofed with gratuitous ARP |
Date: | 19 September 1997 |
Exploit & full info: | Available here |
Asynchronous I/O signal handling | |
---|---|
Description: | Two problems in the Asynchronous I/O handling of many *NIX boxes. The most important one allows SIGIO, SIGURG, and possibly other signals to be sent to arbitrary processes on the system (from unprivileged code). |
Author: | "Thomas H. Ptacek" <tqbf@RDIST.ORG> wrote the advisory, Alan Peakall found the original problem |
Compromise: | In some cases you can kill or disrupt many system processes |
Vulnerable Systems: | *BSD, IRIX, probably others |
Date: | 15 September 1997 |
Exploit & full info: | Available here |
wu_ftpd recursive nlist DOS | |
---|---|
Description: | An attacker can log into a wu_ftpd server and do a recursive nlist that hogs a tremendous amount of system resources. |
Author: | Josef Karthauser <joe@pavilion.net> |
Compromise: | lame DOS |
Vulnerable Systems: | Those running wu_ftpd, most Linux and *BSD systems run this |
Date: | 9 September 1997 |
Exploit & full info: | Available here |
Hole in the vacation program | |
---|---|
Description: | The standard UNIX vacation program doesn't do enough checking on its input (specifically the From: line in the mail) before sending it to other programs (sendmail) for processing |
Author: | bukys@CS.ROCHESTER.EDU apparently reported it to CERT & SUN on June 1, 1994 but nothing happened. This vulnerability report is from "Secure Networks Inc." <sni@SILENCE.SECNET.COM> |
Compromise: | Run arbitrary commands remotely as the user running vacation |
Vulnerable Systems: | At least some versions of AIX, FreeBSD, NetBSD, and OpenBSD. Other systems if they have installed the vacation program themselves or a different version of sendmail. |
Date: | 1 September 1997 |
Exploit & full info: | Available here |
Check for existence of files on systems running mountd | |
---|---|
Description: | Some mountd implementations apparently give different error messages depending on whether the mountpoint requested exists or not. |
Author: | Peter <deviant@UNIXNET.ORG> |
Compromise: | Query for existence of arbitrary files (by name). This could help determine security flaws present on a remote system. |
Vulnerable Systems: | Those running vulnerable mountd. This includes at least some versions of AIX, Linux, *BSD, SunOS, Solaris, etc. |
Date: | 24 August 1997 |
Exploit & full info: | Available here |
*BSD procfs fork() mem device hole | |
---|---|
Description: | Under the *BSD proc filesystem, /proc/#/mem access is controlled by the permissions on the file. Thus you can fork(), have the child run something suid, and then modify that file's memory. |
Author: | Brian Mitchell <brian@FIREHOUSE.NET> |
Compromise: | root (local) |
Vulnerable Systems: | FreeBSD 2.2.1, probably 3.x. OpenBSD 2.1-RELEASE. Possibly BSDI. |
Date: | 10 August 1997 |
Exploit & full info: | Available here |
Block reserved ports with XFree86 | |
---|---|
Description: | Unprivileged users can block reserved ports by using a high display number which wraps around the highest possible port (65535) and causes X to listen on a <1023 port. |
Author: | Willy TARREAU <tarreau@AEMIAIF.LIP6.FR> |
Compromise: | Block privileged ports |
Vulnerable Systems: | Those running XFree86 as an X-server. This probably most affects systems like Linux and {Open,Free,Net}BSD. |
Date: | 6 August 1997 |
Exploit & full info: | Available here |
Hole in the *BSD implementation of rfork() | |
---|---|
Description: | The rfork() system call allows the creation of a new process which can share file descriptor tables with its parent. Unfortunately a suid program exec'd by the child still shares those descriptors with the parent! The implications are rather obvious (and scary). |
Author: | "Thomas H. Ptacek" <tqbf@enteract.com>, Danny Dulai |
Compromise: | |
Vulnerable Systems: | All 4.4BSD operating systems, including OpenBSD 2.1, FreeBSD 3.0, possibly |
Date: | 2 August 1997 |
Notes: | This is another kick-ass advisory! Will CERT ever realize the benefits of providing details and offering credit where it is due??? Also note that plan9 is NOT vulnerable. |
Exploit & full info: | Available here |
Overflow in Mailhandler 6.8.3 | |
---|---|
Description: | The suid MH-6.8.3 package has several buffer overflow bugs (among other holes). Also some BSD ruserpass() libc functions have the same hole. |
Author: | Matt Conover <shok@COBRA.ONLINEX.NET> |
Compromise: | root (local) |
Vulnerable Systems: | Redhat Linux 4.1, although you may have to specifically enable something. Also old versions of the *BSD libc function ruserpass(). |
Date: | 26 July 1997 |
Notes: | I appended Alan Cox's post about *BSD ruserpass() to the end. I also put some new information from Matt Conover (who sent the original post) in the addendum. Also note that the vulnerable programs are bbc, inc, mhn, msgchk, and popi. Redhat's package mh-6.8.3-13.i386.rpm installs /usr/bin/mh/inc and /usr/bin/mh/msgchk suid ROOT. |
Exploit & full info: | Available here |
Exim ~/.forward :include: overflow | |
---|---|
Description: | Standard buffer overflow. |
Author: | djb@koobera.math.uic.edu (D. J. Bernstein) |
Compromise: | root (local) |
Vulnerable Systems: | Anything running exim 1.62 (probably earlier). This exploit is for BSD/OS |
Date: | 21 July 1997 |
Exploit & full info: | Available here |
Another BSD & Linux lpr overflow | |
---|---|
Description: | Standard overflow. Is this the same as the earlier ones? They did lpr -C <overflow-code>, while this just does lpr <overflow code>. Well, I'll include it in case they are different. |
Author: | a42n8k9 <a42n8k9@REDROSE.NET> |
Compromise: | root (local) |
Vulnerable Systems: | Linux 2.0.0, BSD 4.4 is also vulnerable, although you obviously need a new exploit. |
Date: | 4 July 1997 |
Exploit & full info: | Available here |
4.4BSD procfs hole | |
---|---|
Description: | A bug in the procfs filesystem code allows people to modify the (privileged) init process and reduce the system securelevel. |
Author: | Alex Nash, exploit by Tim Newsham |
Compromise: | Lower the securelevel kernel variable, allowing bypass of certain restrictions, like the filesystem immutable flag. |
Vulnerable Systems: | 4.4BSD including OpenBSD 2.0 and 2.1, FreeBSD, NetBSD, probably BSDI. |
Date: | 24 June 1997 |
Notes: | If only all security advisories contained exploit code, the world would be a safer place! |
Exploit & full info: | Available here |
sshd and rshd leak usernames. | |
---|---|
Description: | sshd and rshd leak usernames. A lot of sites security-conscious enough to run sshd probably don't want username validation to be this easy. |
Author: | Christophe Kalt <kalt@STEALTH.NET> and David Holland |
Compromise: | Test validity of suspected system usernames |
Vulnerable Systems: | Linux, NetBSD, Digital UNIX 4.0, all from rshd, as well as any systems running a vulnerable version of sshd. Remember to use the VERBOSE (-v) flag if you try to exploit sshd. |
Date: | 13 June 1997 |
Notes: | The syntax quoted at the bottom is not correct, you need to give an actual command (like ls) for the rsh problem to be demonstrated. |
Exploit & full info: | Available here |
X11R6 library GetDatabase vulnerability | |
---|---|
Description: | There is a security hole in the GetDatabase function of the X11 libraries, which appears to be present in every distribution of X11. The attached exploit is for Solaris xterm; note that you will only get a shell with your own uid if xterm is not suid. |
Author: | David Hedley <hedley@CS.BRIS.AC.UK> |
Compromise: | root (local) |
Vulnerable Systems: | Many systems are vulnerable, including Linux and *BSD. This particular exploit is for Solaris 2.5.1 xterm. |
Date: | 28 May 1997 |
Exploit & full info: | Available here |
FreeBSD exploits for the Perl 5.003 (and earlier) overflow bug. | |
---|---|
Description: | Buffer overflow in Perl, already discussed in another entry. These are FreeBSD exploits for perl4.036, and 5.00X |
Author: | Deliver <deliver@FREE.POLBOX.PL> wrote the exploits |
Compromise: | root (local) |
Vulnerable Systems: | FreeBSD with vulnerable perl (Version <= 5.003) installed. |
Date: | 21 April 1997 |
Exploit & full info: | Available here |
Linux & *BSD lpr holes | |
---|---|
Description: | A standard buffer overflow exists in Berkeley-derived lpr. |
Author: | Vadim Kolontsov (vadim@tversu.ac.ru) wrote the exploits at least |
Compromise: | root (local) |
Vulnerable Systems: | Systems with vulnerable lpr setuid (many Linux and BSD distributions) |
Date: | 25 October 1996 |
Exploit & full info: | Available here |
Sendmail gecos buffer overflow vulnerability | |
---|---|
Description: | A quirk in Sendmail that could potentially be exploited is that usernames like '/etc/passwd' get written into the file of the same name when mail is received for them. This could be a problem on systems where users can specify their username without sysadmin intervention. |
Author: | mudge@l0pht.com found this hole in a l0pht advisory. This exploit for FreeBSD written by Alexey Zakharov (leshka@chci.chuvashia.su) |
Compromise: | root (local) |
Vulnerable Systems: | Any systems using Sendmail ~8.6.12, possibly up to 8.75, that allow user-specified /etc/passwd gecos fields (i.e. through chfn(1)). This exploit will work for FreeBSD. |
Date: | 23 September 1996 |
Notes: | The original L0pht Security Advisory is in the addendum. |
Exploit & full info: | Available here |
Xt library bug xterm exploit | |
---|---|
Description: | The Xt library has a number of buffer overflow vulnerabilities which can be exploited on the suid root programs linked to it. |
Author: | "b0z0 bra1n" |
Compromise: | root (local) |
Vulnerable Systems: | This exploit will work for FreeBSD and with tweaking other x86 operating systems (eg linux). Most systems running any version of X11 prior to Aug '96 are vulnerable |
Date: | 24 August 1996 |
Exploit & full info: | Available here |
Linux & *BSD umount holes | |
---|---|
Description: | A standard buffer overflow exists in Linux and *BSD umount |
Author: | bloodmask (bloodmask@mymail.com) claims to have found the vulnerability. Paulo Jorge Alves Oliveira (pjao@dux.isec.pt) wrote the FreeBSD/Linux exploits included first. |
Compromise: | root (local) |
Vulnerable Systems: | Systems with vulnerable umount setuid (many Linux and BSD distributions) |
Date: | 13 August 1996 |
Notes: | If mount is fixed, try ncpmount/ncpumount and possibly wuftpd. Another mount exploit is in addendum. |
Exploit & full info: | Available here |
Linux sliplogin hole | |
---|---|
Description: | sliplogin does system() as root w/o clearing environment, so you can do things like set IFS='/'. |
Author: | David Holland <dholland@hcs.HARVARD.EDU> |
Compromise: | root (local) |
Vulnerable Systems: | Any with sliplogin older than 2.1.0, mostly Linux systems (many BSD distributions have the program, but it apparently can't be exploited due to another error). |
Date: | 16 July 1996 |
Exploit & full info: | Available here |
Rdist buffer overrun (BSD Code) | |
---|---|
Description: | Another vulnerability in rdist, standard buffer overflow |
Author: | found in [8lgm]-Advisory-26.UNIX.rdist.20-3-1996, *BSD exploit written by Brian Mitchell (brian@saturn.net) |
Compromise: | root (local) |
Vulnerable Systems: | Solaris 2.x, SunOS 4.*, some *BSD systems. Included exploit is only for *BSD. |
Date: | 10 July 1996 |
Exploit & full info: | Available here |
suid_perl 5.001 vulnerability | |
---|---|
Description: | On systems that support saved set-user-IDs, perl isn't thorough enough in giving up its root privileges. |
Author: | Jon Lewis (jlewis@inorganic5.fdt.net) wrote this basic exploit, though it has been modified. It is unclear who found the hole. |
Compromise: | root (local) |
Vulnerable Systems: | Systems that support saved set-user-IDs and set-group-IDs and have suid_perl 5.001 (and possibly below) installed. Many Linux and *BSD boxes. |
Date: | June 1996 |
Exploit & full info: | Available here |
*BSD (and others) SetUID core vulnerabilities | |
---|---|
Description: | A 4.4BSD problem allows a read-only descriptor to a char device to be mmap()ed in RW mode. This can allow group kmem to become root and root to lower the system secure-level. |
Author: | Theo de Raadt and Chuck Cranor |
Compromise: | User kmem -> root -> modify secure-level -> delete audit trail and load evil kernel mods. |
Vulnerable Systems: | OpenBSD 2.2 and below, FreeBSD 2.2.5 and below, BSDI 3.0 and NetBSD. |
Date: | 17 February 1996 for this posting |
Exploit & full info: | Available here |
This page Copyright © Fyodor 1996, 1997, 1998