Tickling CGI Problems is a whitepaper that focuses on the security of Tcl CGI scripts.
1298ddc346dcf21a262702c2826861718c460a4dec46483f991250a955c817bb
Whitepaper entitled 'Attacking Automatic Wireless Network Selection'.
0fab76effc4d98fe89fa651a422e69e400fe3ac37312fd2e5b3e468409306386
SCO OpenServer v5.0.5 /usr/bin/mscreen local exploit.
46e2112f1ac589a1dd162f6987291786829b758ff1f0dcfb9a92ed98a4c809ba
Tru64 (OSF/1) /usr/bin/su local exploit - Works only if the stack is executable.
f67306c7d5e8a80b0d9dd9ec31f5862dc99315e27b96ffd753df2a04197de25e
HP/UX v11.0 /usr/bin/pppd local root buffer overflow exploit.
fe3f5dd4d79deb81bc655988c0acc2f21da6e77fad6cfac1b4dcdac71dd5c744
OpenBSD 2.7 local root exploit for /usr/bin/fstat + libutil exploit. Tested against OpenBSD 2.7 i386.
0871c02f9900cd9d31c6b18d39964674456feb034d0b15de1647853203cc0096
Solaris Solstice Internet Mail IMAP4 Server x86 exploit.
adcc570a64ad515dee55499942b44fc76607894ebc9c473d4d7a8654c863de59
w00w00 Security Advisory - qmail-pop3d may pass an overly long command argument to its password authentication service. When vpopmail is used to authenticate user information, a remote attacker may compromise the privilege level that vpopmail is running at, which is naturally root.
3bd0074f38eb47b414a84c38444aed7fa25ca801a4f14f89d10b39ad7380dd2d
Remote exploit for the Inter7-supported vchkpw/vpopmail package (a replacement for checkpassword). Tested on Sol/x86, linux/x86 and Fbsd/x86 against linux-2.2.1 and FreeBSD 3.[34]-RELEASE, running vpopmail-3.4.10a/vpopmail-3.4.11[b-e]. Unofficial patch here.
96783f06acb089b526184c758e946ec901db1b61ec472cbee7dc24a2094b6765
UnixWare 7 exploit for /usr/bin/ppptalk.
10de24aa93dd63689988d573d193dad1b34aff38e4811d4a1f12d1f1b2c411f6
[w00giving #8] Here's a new version of my snoop exploit, it seems that it will work on the new patched version of snoop as well, and actually, the target host does NOT have to be running with -v. Snoop is a program similar to tcpdump that allows one to watch network traffic. There is a buffer overflow in the snoop program that occurs when a domain name greater than 1024 bytes is logged, because it will overwrite a buffer in print_domain_name. This vulnerability allows remote access to the system with the privileges of the user who ran snoop (usually root, because it requires read privileges on special devices). Remote Solaris 2.7 x86 snoop exploit included.
99717fd62e6c6114deeea939793ba768fffa61af82db1312bc92a5d2d6438cf0
The su command on SCO's UnixWare 7 has improper bounds checking on the username passed (via argv[1]), which can cause a buffer overflow when a lengthy username is passed.
2f370cc88cadf6efc7b1f8a55d5ae2f5c3b8ce45ae76e772bf81e939d0b03feb
[w00giving '99 #6]: UnixWare 7's Xsco. Due to improper bounds checking, an overflow occurs when a lengthy argument (argv[1]) is passed. Because Xsco runs with superuser privileges, this can be exploited for elevated privileges.
0710e3286329f4ec82f0b43031b6894da9140f1c90cf3c7b571b5b51ad62ad0d
When patches/fixes are applied to binaries on UnixWare 7, the original, unpatched binary files (with the suid/sgid bits maintained) are stored in /var/sadm. By default, the permissions on this directory are 755. This allows normal users to execute and exploit old binaries left over from patching.
ddcc3aea580eae13df34903d75ef698ba2a71c314c68aee75fb50df4903aaa5d
UnixWare 7's dtappgather runs with superuser privileges, but improperly checks $DTUSERSESSION to ensure that the file is readable/writeable by, or owned by, the user running it. Exploit included. w00w00 website here.
f8bee3268bfc608eaab021a68dc06500bce5f3507fc0f6d8f83e6eaa88c360de