A serious vulnerability has been found in IRIX telnetd which can give remote root access to any IRIX 6.2-6.5.8[m,f] system. The vulnerability occurs when one of the environment variables contains a format string which is passed on to the syslog() function. Proof of concept exploit included (updated version - compiler and little endian fixes). Fix available here.
The $from-bug is in the horde library file 'horde.lib' (on Debian systems installed in /usr/share/horde/lib/horde.lib), in line 1108, belonging to the function "mailfrom". In this file there is a call to "popen" with an unchecked "from:"-line as argument. Bug found and exploited by Jens "atomi" Steube, fixed and documented by Christian "thepoet" Winter.
WebSite Pro is a Web Server for Win95/98/NT platforms. The vulnerability (or bad server administration) allows any user to create arbitrary files with arbitrary text on the victim machine, from an Internet web browser. In a default installation, any user can create or upload files to the victim machine running a vulnerable version of WebSite Pro. The problem is a bad "protection access" on the main directories of the machine.
Packet Storm new exploits for August, 2000.
/usr/sbin/dmplay local exploit for Irix 6.2 and 6.3.
Win2k IIS remote exploit - Retrieves files using the Translate: f bug.
Microsoft Outlook date header remote exploit - executes an arbitrary command on the machine reading mail when new mail is downloaded. Tested against Windows 98, 2000, and NT. Includes Delphi source.
/usr/lib/InPerson/inpview local exploit for Irix 6.5 and 6.5.8.
/usr/sbin/eject local exploit for Irix 6.2.
libxt.so HOME environment variable local buffer overflow exploit for Irix 6.2 and 6.3.
/sbin/pset local exploit for Irix 6.2 and 6.3.
/usr/sbin/gr_osview local exploit for Irix 6.2 and 6.3.
libc.so NLSPATH local exploit for Irix 6.2.
libgl.so HOME environment variable local exploit for Irix 6.2.
/usr/lib/iaf/scheme (login) local exploit for Irix 5.3.
libxaw.so inputmethod local exploit for Irix 6.2.
/usr/bin/mail local exploit for Irix 6.2 and 6.3.
Irix 6.3/6.2 /usr/bin/X11/xlock local buffer overflow exploit.
Irix 6.2/5.3 named iquery remote root buffer overflow exploit. Spawns a bindshell.
Autofsd remote buffer overflow exploit for Irix 6.4 and 6.5.
Irix 6.5/6.4/6.3/6.2 arrayd remote buffer overflow exploit as described in CA-99-09-arrayd.txt.
SGI objectserver "export" exploit - Remotely adds new entry to the export list on the IRIX system. See our SGI objectserver "account" exploit for more information. Only directories that aren't supersets of already exported ones can be added to the export list.
rpc.ttdbserverd remote root exploit for Irix 5.2, 5.3, 6.2, 6.3, 6.4, 6.5, and 6.5.2.
/usr/bin/lp local root exploit for Solaris 2.7 x86.
libc.so LC_MESSAGES local exploit for Solaris 2.7 x86.