Exploit world!

*BSD Section

Compiled by Fyodor fyodor@insecure.org
on Thu Jan 13 21:41:31 UTC 2000

[Back] to Fyodor's Playhouse


OpenBSD (and others) lprm overflow
Description:There is a subtle overflow in the pointer arithmetic in copying a command string to a buffer.
Author:Niall Smart <rotel@indigo.ie>
Compromise: root (local)
Vulnerable Systems:OpenBSD 2.2 and earlier, some versions of FreeBSD, NetBSD
Date:23 April 1998
Notes:This is an excellent description of the problem. Also congratulations go to Niall Smart for finding this bug in the heavily audited OpenBSD codebase.
Exploit &amp full info:Available here


qcam overflows
Description:several qcam apps as well as libqcam seem to have rather obvious security holes when installed setuid root.
Author:bst@INAME.COM
Compromise: root (local)
Vulnerable Systems:Thos running qcam, sqcam,xqcam, SANE-0.67. Mostly Linux boxes, perhaps BSD.
Date:20 April 1998
Exploit &amp full info:Available here


lprm Linux/BSD/Solaris Overflow
Description:The lprm program on some machines has a standard overflow in the name you feed it to remove a job from a remote printer
Author:Chris Evans <chris@FERRET.LMH.OX.AC.UK> posted this problem to BugTraq, it turns out the the OpenBSD folks (probably Theo De Raadt) fixed the problem in 1996.
Compromise: root (local)
Vulnerable Systems:RedHat Linux 4.2 and 5.0, Solaris 2.6, Some *BSD variants vulnerable, but most fixed it 6 months to two years prior to this notice
Date:18 April 1998
Exploit &amp full info:Available here


TTCP spoofing problem
Description:Apparently TTCP allows commands to be executed before the full 3-way handshake has been completed. This means an attacker can set up a malicious connection without the trouble of TCP sequence prediction.
Author:Vasim Valejev <vasim@DIASPRO.COM>
Compromise:Exploit trust relationships, avoid logging, all the other benefits that come with "classical" TCP sequencing attacks.
Vulnerable Systems:Those implementing T/TCP (rfc1644). Perhaps FreeBSD allows this attack?
Date:7 April 1998
Exploit &amp full info:Available here


Overflows in the MesaGL OpenGL implementation
Description:There are many overflows in this library, one of which can be used to compromise xlock in some cases
Author:bjorn smedman <bs@ODEN.SE>
Compromise: root (local)
Vulnerable Systems:This exploits is for FreeBSD 2.2.5 although other OSes that use MesaGL are likely to be vulnerable.
Date:24 March 1998
Exploit &amp full info:Available here


Insecure scripts that come with RedHat 5.0 (and other OS's)
Description:The scripts named in this message have standard insecure tmpfile bugs. If someone can predict when these will be run (like if they are in cron) then they can generally overwrite files of the person running the command (could be root).
Author:Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
Compromise:Potential for root compromise
Vulnerable Systems:Specifically this list is for RedHat 5 although many other Linux systems and probably some *BSD systems are vulnerable.
Date:14 March 1998
Exploit &amp full info:Available here


Another TMPfile problem in updatedb script
Description:updatedb creates a tmp file in /tmp, moves it to /var/lib/locatedb, then chowns it to root. The race condition is clear.
Author:Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
Compromise: root (local)
Vulnerable Systems:RedHat 5.0, perhaps other systems such as FreeBSD using updatedb.
Date:6 March 1998
Exploit &amp full info:Available here


updatedb on Redhat
Description:RedHat Linux updatedb/sort insecure tmpfiles
Author:viinikala <kala@DRAGON.CZ>
Compromise:become user 'nobody' via updatedb (or root on a really old distro of RedHat) (local)
Vulnerable Systems:Redhat Linux (presumably 5.0) is very vulnerable due to updatedb calling sort regularly, many other systems (such as Solaris) have an insecure sort. Also FreeBSD 2.2.2 is apparently vulnerable to the same updatedb problem.
Date:28 February 1998
Notes:Dave Goldsmith may have found this first, although I cannot currently access his website for more info.
Exploit &amp full info:Available here


4.4BSD mmap() vulnerability
Description:A 4.4BSD problem allows a read-only descriptor to a char device to be mmap()ed in RW mode. This can allow group kmem to become root and root to lower the system secure-level.
Author:Theo de Raadt and Chuck Cranor
Compromise:User kmem-> root ->modify secure-level->delete audit trail and load evil kernel mods.
Vulnerable Systems:OpenBSD 2.2 and below, FreeBSD 2.2.5 and below, BSDI 3.0 and NetBSD.
Date:26 February 1998
Notes:This is an excellent advisory, I wish other groups and people would use a full-disclosure, detailed, and well organized format like this.
Exploit &amp full info:Available here


X11R6.3 Xkeyboard hole
Description:X11R6.3 based Xservers with the XKEYBOARD extension that are setuid can be exploited with the -xkbdir option
Author:Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz>
Compromise: root (local)
Vulnerable Systems:Those systems running a setuid X11R6.3-based Xserver with XKEYBOARD extension (R6.1 is also probably affected). The XFree86 servers that come with many Linux and *BSD distributions is a good example of this.
Date:3 February 1998
Exploit &amp full info:Available here


OpenBSD mkfifo DOS attack
Description:You can run the *BSD kernel out of non-pageable memory by making a fifo (via mkfifo) and forking a bunch of processes trying to cat it.
Author:Jason Downs <downsj@DOWNSJ.COM>
Compromise:Crash the system (stupid DOS attack)
Vulnerable Systems:OpenBSD, presumably NetBSD, FreeBSD, BSDI
Date:25 January 1998
Exploit &amp full info:Available here


Exploit for the gcc tempfile issue
Description:gcc 2.7.2.x (and earlier as far as I know) creates temporary files in /tmp which will follow symlinks and allows you to clobber the files of the person running gcc
Author:"Micha=B3 Zalewski" <lcamtuf@boss.staszic.waw.pl>
Compromise:Overwrite files owned by the user running gcc (possibly root )
Vulnerable Systems:Those running gcc 2.7.2.x this includes most linux, and *BSD boxes. Many admins of Solaris boxes have also added gcc. This problem is finally fixed in gcc 2.8.0
Date:16 January 1998
Notes:This has been mentioned before on Bugtraq but this is the first actual exploit I've seen.
Exploit &amp full info:Available here


routed trace file exploit
Description:routed has the ability to have trace mode turned on remotely using any arbitrary filename. Thus you can append stuff to arbitrary files remotely.
Author:Rootshell
Compromise:You should be able to leverage this to root remote access.
Vulnerable Systems:Redhat linux; IRIX 5.2-5.3-6.2 is vulnerable, NetBSD 1.2 is vulnerable.
Date:8 January 1998
Exploit &amp full info:Available here


ccdconfig sgid kmem BSD exploit
Description:ccdconfig is sgid kmem and can be exploited to read /dev/mem . It shouldn't be too tough to leverage this into root access.
Author:Niall Smart <rotel@INDIGO.IE>
Compromise: root (local)
Vulnerable Systems:NetBSD, FreeBSD, older version of OpenBSD
Date:31 December 1997
Exploit &amp full info:Available here


BSD Termcap overflow
Description:This program creates a malicous termcap file which can cede root access.
Author:Bug originally discovered by Theo de Raadt <deraadt@CVS.OPENBSD.ORG> exploit written by Written by Joseph_K the 22-Oct-1997
Compromise:Theoretically this may allow you to become root remotely You can definately become root locally.
Vulnerable Systems:BSDI, probably FreeBSD/NetBSD/OpenBSD prior to October 1997
Date:1 December 1997
Exploit &amp full info:Available here


XFree86 (and apparently other X11R6 XC/TOG derived servers) -config insecurity
Description:XFree86 is setuid root in many cases and takes a -config option to use a different config file. Unfortunately it doesn't check permissions on this file so you can (for example) read the first line of /etc/shadow (printed in the warning message)
Author:plaguez <dube0866@eurobretagne.fr>
Compromise:Read files that you shouldn't have permissions for
Vulnerable Systems:Those with a suid root XFree86 X server as well as some other X servers. This affects many Linux (and probably FreeBSD/OpenBSD)boxes.
Date:21 November 1997
Exploit &amp full info:Available here


The LAND attack (IP DOS)
Description:Sending a packet to a machine with the source host/port the same as the destination host/port crashes a lot of boxes.
Author:m3lt <meltman@LAGGED.NET>
Compromise:Remote DOS attack (reboots many systems)
Vulnerable Systems:Windows95, Windows NT 4.0, WfWG 3.11, FreeBSD
Date:20 November 1997
Exploit &amp full info:Available here


Terminal hijacking via pppd
Description:pppd offers read/write access to any tty. This allows a man in the middle attack for trojan terminals as well as other mischief. Also it allows users to freely dial out with the modem (often not a good idea).
Author:David Neil <theoe@EUROPA.COM>
Compromise:Hijack terminals, dial arbitrary numbers with the modem, other mischief.
Vulnerable Systems:Those running pppd. Many linunx boxes, perhaps some BSD, solaris.
Date:15 November 1997
Exploit &amp full info:Available here


Overflow in suidperl 5.003
Description:Overflow (via sprintf()) in the mess() function in suidperl
Author:Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz>
Compromise: root (local)
Vulnerable Systems:Thos running suid-perl 5.003, this includes many Linux, *BSD, Solaris and UNIX boxes in general.
Date:13 November 1997
Exploit &amp full info:Available here


BSD color_xterm xlib overflow
Description:Standard buffer overflow, I believe the root of this is in the X libraries
Author:Ladislav Bukvicka <Ladislav.Bukvicka@EUNET.CZ>
Compromise: root (local)
Vulnerable Systems:Many systems vulnerable, but this particular exploit is for BSD
Date:23 October 1997 is when this exploit was published, but the hole is well known.
Exploit &amp full info:Available here


in.telnetd tgetent buffer overflow
Description:By specifying an alternate terminal capability database with huge entries, you can overflow programs (like telnet, possibly xterm in some cases) which call tgetent() expecting a reasonable-length buffer.
Author:Secure Networks, INC
Compromise:In some cases, root (remote)
Vulnerable Systems:BSD/OS v2.1,Theo de Raadt mentions that you might be able to attack the suid xterm program locally with this hole to gain root access (possibly Linux, as well as other BSDs)
Date:21 October 1997
Notes:I have appended an exploit for BSDI in the addendum section.
Exploit &amp full info:Available here


open() on BSD succeeds and cedes valid fd with the argument "-1"
Description:You can't read a file you shouldn't be able to, but by feeding bad args to open, you can get a valid file descriptor and do inappropriate ioctl's to it. This is especially important for certain devices.
Author:explorer@flame.org
Compromise:DoS, possible other uses
Vulnerable Systems:*BSD
Date:17 October 1997
Exploit &amp full info:Available here


Security problems in the lpd protocol
Description:The protocol for lpd (Line Printer Daemon, RFC 1179) seems to have a number of insecurities, as discussed in this post
Author:Bennett Samowich <a42n8k9@REDROSE.NET>
Compromise: root (remote)
Vulnerable Systems:Those running a vulnerable version of lpd, many Linux and *BSD versions are vulnerable
Date:2 October 1997
Exploit &amp full info:Available here


ARP and ICMP redirection games
Description:This excellent article/code from Yuri points out a number of (mostly known) problems with the ARP and ICMP protocols/implementations
Author:Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise:spoof as a trusted host, redirect trafic through your host, DoS
Vulnerable Systems:Many versions of Linux, numerous hubs/routers. AFAIK, IRIX, HP-UX, *BSD, and probably Windoze can be spoofed with gratuitous ARP
Date:19 September 1997
Exploit &amp full info:Available here


Asynchronous I/O signal handling
Description:Two problems in the Asynchronous I/O handling of many *NIX boxes. The most important ones allows SIGIO, SIGURG, and possiby other signals to be sent to arbitrary processes on the system (from unpriviliged code)
Author:"Thomas H. Ptacek" <tqbf@RDIST.ORG> wrote the advisory, Alan Peakall found the original problem
Compromise:In some cases you can kill or disrupt many system processes
Vulnerable Systems:*BSD, IRIX, probably others
Date:15 September 1997
Exploit &amp full info:Available here


wu_ftpd recursive nlist DOS
Description:An attacker can long into a wu_ftpd server and do a recursive nlist that hogs a tremendous amount of system resources
Author:Josef Karthauser <joe@pavilion.net>
Compromise:lame DOS
Vulnerable Systems:Those running wu_ftpd, most Linux and *BSD systems run this
Date:9 September 1997
Exploit &amp full info:Available here


Hole in the vacation program
Description:The standard UNIX vacation program doesn't do enough checking on its input (specifically the From: line in the mail) before sending it to other programs (sendmail) for processing
Author:bukys@CS.ROCHESTER.EDU apparently reported it to CERT & SUN on June 1, 1994 but nothing happened. This vulnerability report is from "Secure Networks Inc." <sni@SILENCE.SECNET.COM>
Compromise:Run arbitrary commands remotely as the user running vacation
Vulnerable Systems:At least some versions of AIX, FreeBSD, NetBSD, and OpenBSD. Other systems if they have installed the vacation program themselves or a different version of sendmail.
Date:1 September 1997
Exploit &amp full info:Available here


Hole in the vacation program
Description:The standard UNIX vacation program doesn't do enough checking on its input (specifically the From: line in the mail) before sending it to other programs (sendmail) for processing
Author:bukys@CS.ROCHESTER.EDU apparently reported it to CERT & SUN on June 1, 1994 but nothing happened. This vulnerability report is from "Secure Networks Inc." <sni@SILENCE.SECNET.COM>
Compromise:Run arbitrary commands remotely as the user running vacation
Vulnerable Systems:At least some versions of AIX, FreeBSD, NetBSD, and OpenBSD. Other systems if they have installed the vacation program themselves or a different version of sendmail.
Date:1 September 1997
Exploit &amp full info:Available here


Check for existance of files on systems runninng mountd
Description:Some mountd implementations apparently give different error messages depending on whether the mountpoint requested exists or not.
Author:Peter <deviant@UNIXNET.ORG>
Compromise:query for existance of arbitrary files (by name). This could help determine security flaws present on a remote system.
Vulnerable Systems:Those running vulnerable mountd. This includes at least some versions of AIX, Linux, *BSD, SunOS, Solaris, etc.
Date:24 August 1997
Exploit &amp full info:Available here


*BSD procfs forc() mem device hole
Description:Under the *BSD proc filesystem, /proc/#/mem access is controlled by the permissions on the file. Thus you can fork(), have the childe run something suid, and then modify that file's memory.
Author:Brian Mitchell <brian@FIREHOUSE.NET>
Compromise: root (local)
Vulnerable Systems:FreeBSD 2.2.1, probably 3.x. OpenBSD 2.1-RELEASE. Possibly BSDI.
Date:10 August 1997
Exploit &amp full info:Available here


Block reserved ports with XFree86
Description:Unprivileged users can black reserved ports by using a high display number which wraps arround the highest possible port (65535) and causes X to listen on a <1023 port.
Author:Willy TARREAU <tarreau@AEMIAIF.LIP6.FR>
Compromise:Block privileged ports
Vulnerable Systems:Those running XFree86 as an X-server. This probably most affects systems like Linux and {Open,Free,Net}BSD.
Date:6 August 1997
Exploit &amp full info:Available here


Hole in the *BSD implementation of rfork()
Description:The rfork() system call allows the creation of a new process which can share file descriptor tables with its parent. Unfortunately a suid program exec'd by the child still shares those descriptors with the parent! The implecations are rather obvious (and scary).
Author:"Thomas H. Ptacek" <tqbf@enteract.com>,Danny
Compromise:Dulai
Vulnerable Systems:All 4.4BSD operating systems, including OpenBSD 2.1, FreeBSD 3.0, possibly
Date:2 August 1997
Notes:This is another kick-ass advisory! Will CERT ever realize the benefits of providing details and offering credit where it is due??? Also note that plan9 is NOT vulnerable.
Exploit &amp full info:Available here


Overflow in Mailhandler 6.8.3
Description:The suid MH-6.8.3 package has several buffer overflow bugs (among other holes). Also some BSD ruserpass() libc functions have the same hole.
Author:Matt Conover <shok@COBRA.ONLINEX.NET>
Compromise: root (local)
Vulnerable Systems:Redhat Linux 4.1, although you may have to specifically enable something. Also old versions of the *BSD libc function ruserpass().
Date:26 July 1997
Notes:I appended Alan Cox's post about *BSD ruserpass() to the end. I also put some new information from Matt Conover (who sent the original post) in the addendum.. Also note that the vulnerable programs are bbc,inc,mhn,msgchk, and popi. Redhat's package mh-6.8.3-13.i386.rpm installs /usr/bin/mh/inc and /usr/bin/mh/msgchk suid ROOT.
Exploit &amp full info:Available here


Exim ~/.forward :include: overflow
Description:Standard buffer overflow.
Author:djb@koobera.math.uic.edu (D. J. Bernstein)
Compromise: root (local)
Vulnerable Systems:Anything running exim 1.62 (probably earlier). This exploit is for BSD/OS
Date:21 July 1997
Exploit &amp full info:Available here


Another BSD & Linux lpr overflow
Description:Standard overflow. Is this the same as the earlier ones? They did lpr -C <overflow-code>, while this just does lpr <overflow code>. Well, I'll include it incase they are different.
Author:a42n8k9 <a42n8k9@REDROSE.NET>
Compromise: root (local)
Vulnerable Systems:Linux 2.0.0, BSD 4.4 is also vulnerable, although you obviously need a new exploit.
Date:4 July 1997
Exploit &amp full info:Available here


4.4BSD procfs hole
Description:A bug in the procfs filesystem code allows people to modify the (priviliged) init process and reduce the system securelevel.
Author:Alex Nash, exploit by Tim Newsham
Compromise:Lower the security level kernal veriable, allowing to bypass certain restrictions, like the filesystem immuteable flag.
Vulnerable Systems:4.4BSD including OpenBSD 2.0 and 2.1, FreeBSD, NetBSD, probably BSDI.
Date:24 June 1997
Notes:If only all security advisories contained exploit code, the world would be a safer place!
Exploit &amp full info:Available here


sshd and rshd leak usernames.
Description:sshd and rshd leak usernames. A lot of sites security-consious enough to run sshd probably don't want username validation to be this easy
Author:Christophe Kalt <kalt@STEALTH.NET> and David Holland
Compromise:Test validity of suspected system usernames
Vulnerable Systems:Linux, NetBSD, Digital UNIX 4.0, all from rshd, as well as any systems running a vulnerable version of sshd. Remember to use the VERBOSE (-v) flag if you try to exploit sshd.
Date:13 June 1997
Notes:The syntax quoted at the bottom is not correct, you need to give an actual command (like ls) for the rsh problem to be demonstrated.
Exploit &amp full info:Available here


X11R6 library GetDatabase vulnerability
Description:There is a security hole in the GetDatabase function of the X11 libraries, which appears to be present in every distribution of X11. The attached exploit is for Solaris xterm, not that you will only get a shell with your own uid if xterm is not suid
Author:David Hedley <hedley@CS.BRIS.AC.UK>
Compromise: root (local)
Vulnerable Systems:many systems are vulnerable, including Linux and *BSD. This particular exploit is for Soaris 2.5.1 xterm
Date:28 May 1997
Exploit &amp full info:Available here


FreeBSD exploits for the Perl 5.003 (and earlier) overflow bug.
Description:Buffer overflow in Perl, already discussed in another entry. These are FreeBSD exploits for perl4.036, and 5.00X
Author:Deliver <deliver@FREE.POLBOX.PL> wrote the exploits
Compromise: root (local)
Vulnerable Systems:FreeBSD with vulnerable perl (Version <= 5.003) installed.
Date:21 April 1997
Exploit &amp full info:Available here


Linux & *BSD lpr holes
Description:A standard buffer overflow exists Berleley derived lpr
Author:Vadim Kolontsov (vadim@tversu.ac.ru) wrote the exploits at least
Compromise: root (local)
Vulnerable Systems:Systems with vulnerable lpr setuid (many Linux and BSD distributions)
Date:25 October 1996
Exploit &amp full info:Available here


Sendmail gecos buffer overflow vulnerability
Description:A quirk in Sendmail that could potentially be exploited is that usernames like '/etc/passwd' get written into the file of the same name when mail is received for them. This could be a problem on systems where users can specify their username without sysadmin intervention.
Author:mudge@l0pht.com found this hole in a l0pht advisory. This exploit for FreeBSD written by Alexey Zakharov (leshka@chci.chuvashia.su)
Compromise: root (local)
Vulnerable Systems:Any systems using Sendmail ~8.6.12, possibly up to 8.75 that allow user-specified /etc/passwd gecos fields (ie through chfn(1)). This exploit will work for FreeBSD
Date:23 September 1996
Notes:The original L0pht Security Advisory is in addendum
Exploit &amp full info:Available here


Xt library bug xterm exploit
Description:The Xt library has a number of buffer overflow vulnerabilities which can be exploited on the suid root programs linked to it.
Author:"b0z0 bra1n"
Compromise: root (local)
Vulnerable Systems:This exploit will work for FreeBSD and with tweaking other x86 operating systems (eg linux). Most systems running any version of X11 prior to Aug '96 are vulnerable
Date:24 August 1996
Exploit &amp full info:Available here


Linux & *BSD umount holes
Description:A standard buffer overflow exists in Linux and *BSD umount
Author:bloodmask (bloodmask@mymail.com) claims to have found the vulnerability. Paulo Jorge Alves Oliveira (pjao@dux.isec.pt) wrote the freebsd/linux exploits included first.
Compromise: root (local)
Vulnerable Systems:Systems with vulnerable umount setuid (many Linux and BSD distributions)
Date:13 August 1996
Notes:If mount is fixed, try ncpmount/ncpumount and possibly wuftpd. Another mount exploit is in addendum.
Exploit &amp full info:Available here


Linux sliplogin hole
Description:sliplogin does system() as root w/o clearing environment, so you can do things like set IFS='/'.
Author:David Holland <dholland@hcs.HARVARD.EDU>
Compromise: root (local)
Vulnerable Systems:Any with sliplogin older than 2.1.0, mostly linux systems (many BSD distributions have the program, but it apparently can't be exploited to another error).
Date:16 July 1996
Exploit &amp full info:Available here


Rdist buffer overrun (BSD Code)
Description:Another vulnerability in rdist, standard buffer overflow
Author:found in [8lgm]-Advisory-26.UNIX.rdist.20-3-1996, *BSD exploit written by Brian Mitchell (brian@saturn.net)
Compromise: root (local)
Vulnerable Systems:Solaris 2.x, Sunos 4.*, some *BSD systems. Included exploit only for *BSD.
Date:10 July 1996
Exploit &amp full info:Available here


suid_perl 5.001 vulnerability
Description:On systems that support saved set-user-IDs, perl isn't thorough enough in giving up its root priviledges.
Author:Jon Lewis (jlewis@inorganic5.fdt.net) wrote this basic exploit, though it has been modified. It is unclear who found the hole.
Compromise: root (local)
Vulnerable Systems:Systems that support saved set-user-IDs and set-group-IDs and have suid_perl 5.001 (and possibly below) installed. Many linux and *BSD boxes.
Date:June 1996
Exploit &amp full info:Available here


*BSD (and others) SetUID core vulnerabilities
Description:A 4.4BSD problem allows a read-only descriptor to a char device to be mmap()ed in RW mode. This can allow group kmem to become root and root to lower the system secure-level.
Author:Theo de Raadt and Chuck Cranor
Compromise:User kmem-> root ->modify secure-level->delete audit trail and load evil kernel mods.
Vulnerable Systems:OpenBSD 2.2 and below, FreeBSD 2.2.5 and below, BSDI 3.0 and NetBSD.
Date:17 February 1996 for this posting
Exploit &amp full info:Available here



This page Copyright &#169 Fyodor 1996, 1997, 1998
[Back] to Fyodor's Exploit World main index