Solaris 7 x86 lp exploit

2000-04-24 Thread Theodor Ragnar Gislason
Setuid proggie /usr/bin/lp has an easily exploitable buffer overflow. This exploit is for Solaris 7 x86 version, no sparc exploit is available to my knowledge. later, DiGiT /* * * solaris 2.7 /usr/bin/lp local exploit, i386. * * discovered by DiGiT. * try offset 150-250 if sploit fails *

mtr-0.41 root exploit

2000-04-24 Thread Przemyslaw Frasunek
/* (c) 2000 babcia padlina / buffer0verfl0w security (www.b0f.com) */ /* freebsd mtr-0.41 local root exploit */ #include #include #include #include #define NOP 0x90 #define BUFSIZE 1 #define ADDRS 1200 long getesp(void) { __asm__("movl %esp, %eax\n"); }

Buffer Overflow in version .14

2000-04-24 Thread Jesse Schachter
IC Radius version .14, and possibly earlier versions, contain a buffer overflow that occurs when trying to authenticate with a valid username longer than 24 characters. The culprit is in mysql.c, in the function sql_getvpdata. This function is normally run 4 times during authentication. The secon

man-exploit for MANPAGER environment and a comment about the IMAP vuln

2000-04-24 Thread psychoid
For the sake of full disclosure an exploit for the MANPAGER environment variable: - snip - /* * MAN-Exploit for MANPAGER environmental variable. * rh 6.x, tested on rh 6.1 * written by psychoid/tCl * gives egid man. * * Originally discovered by lcamtuf. * educational. yes. * */ #includ

Solaris x86 Xsun overflow.

2000-04-24 Thread Theodor Ragnar Gislason
There exists an overflow in /usr/openwin/bin/Xsun setuid root program on solaris 7 x86 version, I'm not sure about sol 8. This bug was discovered and exploited sometime in '98. The program comes default setgid root on the sparc version of solaris. I haven't checked whether this is exploitable on s

unsafe fgets() in sendmail's mail.local

2000-04-24 Thread 3APA3A
Topic: unsafe fgets() in sendmail's mail.local Description: There are 4 problems: 1. Possibility to insert LMTP commands into e-mail message 2. Possibility of deadlock between sendmail and mail.local 3. Possibility to corrupt user's mailbox 4. Possibility to ch

Re: netkill - generic remote DoS attack

2000-04-24 Thread stanislav shalunov
It seems many people have found my explanation too long to be read. This is a shorter summary of what it is not and what it is. Netkill is not a connect() flood. The latter establishes connections and holds them open, making t

Re: pop3

2000-04-24 Thread Jason Godsey
I've had it use ~/.pop3.lock for quite some time (since 1995). I'm sure this won't work for people who don't provide users w/ home directories, but it has worked for us. Jason On Thu, 20 Apr 2000, spoon spoon wrote: > Date: Thu, 20 Apr 2000 18:23:28 +0200 > From: spoon spoon <[EMAIL PROTECTED]

Solaris 7 x86 lpset exploit.

2000-04-24 Thread Theodor Ragnar Gislason
Solaris 7 x86 /usr/bin/lpset overflow, there is a small overflow(32 bytes) in lpset which will yield root access if properly exploited. There is a sparc version avail for this bug, the bug was discovered by duke some time ago. I am releasing this exploit because of a copy-cat exploit on hack.co.

CVS DoS

2000-04-24 Thread Michal Szymanski
Hi, I've just found an annoying bug in cvs-1.10.7 (probably others too). Let's assume you've decided to make your remote cvs repository available to several trusted people. Therefore you need to edit your /etc/inetd.conf file and add line similar to presented below: cvspserver stream tcp nowait

Re: local user can delete arbitrary files on SuSE-Linux

2000-04-24 Thread Pavel Kankovsky
On Fri, 21 Apr 2000, Peter Münster wrote: > If MAX_DAYS_IN_TMP > 0 in /etc/rc.config on a SuSE-Linux system, a local > user can delete arbitrary files by doing some commands like these: > mkdir -p "/tmp/hhh /somedirectory" > touch -t some-early-date "/tmp/hhh /somedirectory/somefile"

Postgresql cleartext password storage

2000-04-24 Thread Robert van der Meulen
Hi, While migrating some postgres databases to a different server (including user accounts) I noticed the following problem in the way postgres stores user passwords: SmellyCat:/var/postgres/data# strings pg_shadow someaccountname someaccountpassword anotheraccountname anotheraccountpassword Sme

freebsd libncurses overflow

2000-04-24 Thread Przemyslaw Frasunek
buffer0verfl0w security advisory #3 Advisory Name: libncurses buffer overflow Date: 24/4/00

Re: IE 5 security vulnerability - circumventing Cross-frame security policy using Java/JavaScript (and disabling ActiveScripting is not that easy)

2000-04-24 Thread Georgi Guninski
I made a mistake in my Advisory #10 - Scripting of Java applets stops neither a little modification of my exploit nor execution of Active Scripting if it is disabled. Before writing my advisory I tested one time an exploit with Scripting of Java Applets disabled and it did stop the exploit

Hotmail security hole - injecting JavaScript in IE using "@import url(http://host/hostile.css)"

2000-04-24 Thread Georgi Guninski
Georgi Guninski security advisory #11, 2000 Hotmail security hole - injecting JavaScript in IE using "@import url(http://host/hostile.css)" Disclaimer: The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fac

gpm-root initgroups()

2000-04-24 Thread Koblinger Egmont
Hello! As reported before, the "gpm-root" daemon in gpm-1.19.0 and earlier lets the user execute any command with uid=0. gpm-1.19.1 fixed half of the security hole by calling setuid() and setgid() at the right place but not calling initgroups(). gpm-1.19.2 is out there, which calls initgroups()

Re: DOS attack against HP JetDirect Printers (fwd)

2000-04-24 Thread Ben Woodard
As another data point G.07.19 seems immune to the problem. -ben > On Thu, 20 Apr 2000, Alfred Huger wrote: > > In case anyone is interested, scanning HP printers with > > tools such as nmap will cause the printer to lock up hard. > > I discovered this while trying to diagnose a connection > > p

Re: pop3

2000-04-24 Thread Christopher P. Lindsey
> Qualcomms POP servers have this problem as well, on linux, solaris, etc. > Except the lock file gets stored where ever your users mail is stored. > /var/mail(on a sun) or where ever. I guess a nice solution would be to have a > subdirectory with mode 700 permissions under /var/mail/locks or some

Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filename extensions.

2000-04-24 Thread Bob Fiero
I found that 98Lite (*) is not vulnerable to this, but my Eudora app was rendered inaccessible when Zoa_Chien e-mailed me an example. I had to delete his message from my Eudora spool directory before I was able to load Eudora again. (*) 98Lite is a modified Win98. It is a full 98 system without I

Re: More vulnerabilities in FP

2000-04-24 Thread Ron van Daal
> To test this vulnerability we need "htimage.exe" in our "cgi-bin" > directory (it's installed by default) and permission to execute it. > That's why only Windows is vulnerable, Unix to execute "htimage.exe" + > If "htimage.exe" exist). based systems can't execute "*.exe" files. Incorrect. The F

Re: DOS attack against HP JetDirect Printers (fwd)

2000-04-24 Thread John Bock
I've never seen nmap dos a HP4000 printer but they do die if you toss junk at the spooler port. The printer display says 86.00x EIO 1 Error, and the red attention light goes on. At this point you have to power the printer back on and off. The rev's

Re: netkill - generic remote DoS attack - Cisco LocalDirectors

2000-04-24 Thread Ollie Whitehouse
All, Stanislav mentioned Cisco LocalDirectors and I would like to shed a little more light on the configurations possible within the LocalDirector which would be of use to people on the list. An important point to make is that I don't work for Cisco but have used both Cisco's and Intel's load bal

Re: More vulnerabilities in FP

2000-04-24 Thread Roman
Hello, > First remote FrontPage exploit? How about this one: http://server/AA FP will overflow and someone will see this message: VHTTPD32 caused an invalid page fault in module at :41414141. Registers: EAX= CS=0167 EIP=41414141 EFLGS=00010212 EBX= SS=016f

Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filename extensions.

2000-04-24 Thread Mike Murray
Having tested it, it works on Win95 as well. - -Original Message- From: Zoa_Chien <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] <[EMAIL PROTECTED]> Date: April 22, 2000 3:11 AM Subject: Securax Security Advisory: Windows98 contains a serious buff

Re: ZoneAlarm

2000-04-24 Thread Gary Buckmaster
Wally, Verified, albeit unscientifically. ZoneAlarm does not appear to detect udp traffic from source port 67. Additionally, using nmap's -f flag allows you to send traffic past ZoneAlarm without any alerts. Wally Whacker wrote: > ZoneAlarm (http://www.zonelabs.com) is a very popular > person

Re: DOS attack against HP JetDirect Printers (fwd)

2000-04-24 Thread Terran Melconian
> In case anyone is interested, scanning HP printers with > tools such as nmap will cause the printer to lock up hard. I attempted to reproduce this and was unable to. When I scanned an HP LaserJet 4050N with JetDirect firmware revision G.08.03, one of the ones listed as being vulnerable, the pri