Exploit world!
HP/UX Section
Xaw and Xterm vulnerabilities | |
---|---|
Description: | There are a number of vulnerabilities in the X11R6 xterm(1) program and Xaw(3c) libraries. They are mostly overflows. |
Author: | Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz> and the exploit was written by alcuin |
Compromise: | root (local) |
Vulnerable Systems: | Those running Xterm or X apps linked to vulnerable Xaw. Virtually all versions of X are vulnerable to the *Keymap hole and the others are mostly X11R6 specific (which virtually everyone uses anyway). Thus it is likely that many Solaris, Linux, HP/UX, and perhaps IRIX and AIX boxes are vulnerable. |
Date: | 4 May 1998 |
Notes: | I have also included an exploit sent to me by "M.C.Mar" <emsi@it.com.pl>. This exploit works against Xaw and neXtaw even WITH Solar Designer's non-executable stack patch applied. Check it out! |
Exploit & full info: | Available here |
Overflow in kppp -c option | |
---|---|
Description: | Standard overflow |
Author: | "|[TDP]|" <tdp@psynet.net> |
Compromise: | root (local) |
Vulnerable Systems: | Those running kppp version < 1.1.3 suid root. This comes with the KDE system (which is pretty neat -- www.kde.org) and runs on Solaris, Linux, IRIX, and HP/UX |
Date: | 29 April 1998 |
Notes: | The hole was fixed a while prior to this posting so the (then) current version was not vulnerable. |
Exploit & full info: | Available here |
Yet ANOTHER hole in the HP/UX Glance program | |
---|---|
Description: | Standard symlink-following TMPFILE stupidity |
Author: | "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES> |
Compromise: | root (local) |
Vulnerable Systems: | HP/UX 10.20, perhaps other versions. |
Date: | 27 April 1998 |
Exploit & full info: | Available here |
Nestea "Off By One" attack | |
---|---|
Description: | A popular attack against Linux boxes |
Author: | John McDonald <jmcdonal@UNF.EDU> |
Compromise: | Stupid remote DoS attack |
Vulnerable Systems: | Linux 2.0.33 and earlier, PalmOS, HP Jet Direct printer cards, some 3COM routers, Magnum 5000 Ethernet switch, Some Windows boxes, perhaps others |
Date: | 17 April 1998 |
Notes: | I have appended the original Linux code, a BSD port, an improved Linux version, and a few other messages on the topic. |
Exploit & full info: | Available here |
ftp mget vulnerability | |
---|---|
Description: | If the nlist caused by an mget returns a file name like /etc/passwd, most ftp clients seem to (try to) overwrite/create it without signaling anything wrong. You can also use file names like "|sh" to execute arbitrary commands. |
Author: | I don't recall who found it first; in the appended post af@c4c.com gives an example of the bug using Linux Slackware |
Compromise: | ftp servers can compromise clients who use mget to download files |
Vulnerable Systems: | ftp clients on Linux, AIX, HP/UX, Solaris 2.6, and probably many other systems |
Date: | 3 November 1997 was when this example was posted (the bug was found a while back) |
Exploit & full info: | Available here |
HP/UX newgroup hole | |
---|---|
Description: | Standard buffer overflow |
Author: | Colonel Panic of SOD (sod@command.com.inter.net) |
Compromise: | root (local) |
Vulnerable Systems: | HP/UX with vulnerable newgroup, HP 9000 Series 700/800s running versions of HP-UX 9.X & 10.X |
Date: | 25 September 1997 |
Notes: | See the SOD HP Bug of the Week page |
Exploit & full info: | Available here |
ARP and ICMP redirection games | |
---|---|
Description: | This excellent article/code from Yuri points out a number of (mostly known) problems with the ARP and ICMP protocols/implementations |
Author: | Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU> |
Compromise: | spoof as a trusted host, redirect traffic through your host, DoS |
Vulnerable Systems: | Many versions of Linux, numerous hubs/routers. AFAIK, IRIX, HP-UX, *BSD, and probably Windoze can be spoofed with gratuitous ARP |
Date: | 19 September 1997 |
Exploit & full info: | Available here |
Pathetic hole in HP/UX 10.20 CUE | |
---|---|
Description: | The cue (character-based User Environment) program that ships with HP/UX 10.20 uses $LOGNAME to verify who the user is, and it also has an exploitable symlink problem. |
Author: | Leonid S Knyshov <wiseleo@JUNO.COM> |
Compromise: | root (local) |
Vulnerable Systems: | HP-UX 10.20, probably others |
Date: | 1 September 1997 |
Exploit & full info: | Available here |
HP/UX 10.X /var/tmp/outdata symlink hole | |
---|---|
Description: | Typical symlink problem |
Author: | David Hyams <nhyamd@ASCOM.CH> |
Compromise: | Wipe SAM data to arbitrary files; I don't know what happens with existing files. If you can clobber existing files, you can obviously become root. |
Vulnerable Systems: | HP/UX 10.X |
Date: | 14 May 1997 |
Exploit & full info: | Available here |
HP/UX chfn bug | |
---|---|
Description: | Standard buffer overflow |
Author: | Colonel Panic of SOD (sod@command.com.inter.net) |
Compromise: | root (local) |
Vulnerable Systems: | HP/UX with vulnerable chfn (probably 9.x, 10.x) |
Date: | December 1996 |
Notes: | See the SOD HP Bug of the Week page |
Exploit & full info: | Available here |
More SOD HP/UX RemWatch vulnerabilities | |
---|---|
Description: | A number of internal HP/UX RemWatch binaries, including checkcore, rwiDCOM, and showdisk, are vulnerable. Several exploits included. |
Author: | SOD (sod@command.com.inter.net) |
Compromise: | root (local) |
Vulnerable Systems: | HP/UX with vulnerable RemWatch binaries, probably 9.x, 10.x |
Date: | 6 November 1996 and earlier |
Notes: | See the SOD HP Bug of the Week page |
Exploit & full info: | Available here |
SOD HP/UX /tmp/fpkg2swpk bug | |
---|---|
Description: | Standard buffer overflow |
Author: | Dog Catcher |
Compromise: | root (local) |
Vulnerable Systems: | HP/UX with vulnerable fpkg2swpk, probably just 10.x |
Date: | November 1996 |
Notes: | See the SOD HP Bug of the Week page |
Exploit & full info: | Available here |
SOD /usr/diag/bin/[cm]stm buffer overflow | |
---|---|
Description: | Standard buffer overflow |
Author: | Colonel Panic of SOD (sod@command.com.inter.net) |
Compromise: | root (local) |
Vulnerable Systems: | HP/UX with vulnerable [cm]stm, probably 9.x 10.x |
Date: | November 1996 |
Notes: | See the SOD HP Bug of the Week page |
Exploit & full info: | Available here |
(Another) SOD HP/UX RemoteWatch hole | |
---|---|
Description: | pathetic daemon |
Author: | Colonel Panic of SOD (sod@command.com.inter.net) |
Compromise: | root or whatever remwatch runs as (remote!) |
Vulnerable Systems: | HP/UX with vulnerable Remote Watch running, probably 9.x, maybe 10.x |
Date: | November 1996 |
Notes: | See the SOD HP Bug of the Week page |
Exploit & full info: | Available here |
Another hpux ppl bug by SOD | |
---|---|
Description: | standard symlink/core vulnerability |
Author: | Colonel Panic of SOD (sod@command.com.inter.net) |
Compromise: | root (local) |
Vulnerable Systems: | HP/UX with vulnerable ppl, probably 9.x 10.x |
Date: | 15 October 1996 |
Notes: | See the SOD HP Bug of the Week page |
Exploit & full info: | Available here |
swinstall symlink exploit | |
---|---|
Description: | Standard symlink hole |
Author: | "Salty" |
Compromise: | root (local) |
Vulnerable Systems: | HP/UX with vulnerable swinstall, mostly 10.x, some 9.x |
Date: | 6 October 1996 |
Notes: | See the SOD HP Bug of the Week page |
Exploit & full info: | Available here |
HP/UX SOD glance bug | |
---|---|
Description: | symlink bug due to poor error file creation |
Author: | Colonel Panic of SOD (sod@command.com.inter.net) |
Compromise: | root (local) |
Vulnerable Systems: | HP/UX with vulnerable /usr/perf/bin/glance, probably just 9.x |
Date: | October 1996 |
Notes: | See the SOD HP Bug of the Week page |
Exploit & full info: | Available here |
HP/UX ppl symlink problem | |
---|---|
Description: | ppl insecurely creates log files in world writeable directory, I'm sure you can see where this is headed. |
Author: | Colonel Panic of SOD (sod@command.com.inter.net) |
Compromise: | root (local) |
Vulnerable Systems: | HP/UX with vulnerable ppl, 9.x 10.x |
Date: | October 1996 |
Notes: | See the SOD HP Bug of the Week page |
Exploit & full info: | Available here |
Race condition exploit for HP/UX SAM | |
---|---|
Description: | standard /tmp symlink race condition with HP/UX SAM |
Author: | John W. Jacobi (jjacobi@nova.umuc.edu) |
Compromise: | root (local) |
Vulnerable Systems: | HP/UX with vulnerable SAM, at least HP-UX 9.04 & 9.05 on 9000/700 & 9000/800 |
Date: | 25 September 1996 |
Notes: | for more HP bugs see the SOD HP Bug of the Week page |
Exploit & full info: | Available here |
HP/UX Rdist exploit | |
---|---|
Description: | SOD HP/UX rdist exploit |
Author: | Colonel Panic of SOD (sod@command.com.inter.net) |
Compromise: | root (local) |
Vulnerable Systems: | HP/UX with vulnerable rdist, probably 9.x 10.x |
Date: | 10 August 1996 |
Notes: | See the SOD HP Bug of the Week page |
Exploit & full info: | Available here |
HP/UX Remote Watch hole | |
---|---|
Description: | Standard /tmp symlink exploit |
Author: | Colonel Panic of SOD (sod@command.com.inter.net) |
Compromise: | root (local) |
Vulnerable Systems: | HP/UX with vulnerable , probably 9.x 10.x |
Date: | June 1996 |
Notes: | See the SOD HP Bug of the Week page |
Exploit & full info: | Available here |
xrw bug | |
---|---|
Description: | Shelling out from an xrw telnet session cedes EUID 0 |
Author: | Ess Jay |
Compromise: | root (local) |
Vulnerable Systems: | HP/UX with vulnerable xrw, probably 9.x 10.x |
Date: | 23 May 1996 |
Notes: | See the SOD HP Bug of the Week page |
Exploit & full info: | Available here |
HP/UX sam_exec user vulnerability | |
---|---|
Description: | In a particularly dumb move, HP/UX's remote administration program, SAM, adds a user 'sam_exec' with UID 0 and a standard password. |
Author: | bogus technician (bogus@command.com.inter.net) (apparently it is SOD again) was the first to find the 10.x password. |
Compromise: | root (local) |
Vulnerable Systems: | HP/UX 9.x,10.x where SAM has been used |
Date: | 1996 |
Notes: | See the SOD HP Bug of the Week page |
Exploit & full info: | Available here |
xwcreate/destroy vulnerability | |
---|---|
Description: | xwcreate and xwdestroy let you delete any file on system! |
Author: | Colonel Panic of SOD (sod@command.com.inter.net) |
Compromise: | delete any file on system, this can lead to root if you take out /etc/passwd, but BE CAREFUL! (local) |
Vulnerable Systems: | HP/UX with vulnerable xwcreate/xwdestroy 9.x and possibly 10.x |
Date: | Unknown |
Notes: | See the SOD HP Bug of the Week page |
Exploit & full info: | Available here |
Old HPUX subnetconfig vulnerability | |
---|---|
Description: | Trojan-in-PATH vulnerability in subnetconfig |
Author: | Colonel Panic of SOD (sod@command.com.inter.net) |
Compromise: | root (local) |
Vulnerable Systems: | HP/UX with vulnerable netconfig, possibly just 9.0 |
Date: | OLD |
Notes: | See the SOD HP Bug of the Week page |
Exploit & full info: | Available here |
More HP/UX glance vulnerabilities | |
---|---|
Description: | A couple more old glance vulnerabilities |
Author: | Colonel Panic of SOD (sod@command.com.inter.net) |
Compromise: | root (local) |
Vulnerable Systems: | HP/UX with vulnerable glance, maybe 9.x or 10.x |
Date: | Unknown |
Notes: | See the SOD HP Bug of the Week page |
Exploit & full info: | Available here |
This page Copyright © Fyodor 1996, 1997, 1998