A vulnerability exists in Oracle 8.1.5 for UN*X which may allow any user to obtain root privileges. Local root exploit shell script included.
17d374afd2a8378ded9bbbbbe17182f77ee586f2c4da4eb247fb052a192da311A vulnerability in Netscape FastTrack 2.01a will allow any remote user to execute commands as the user running the httpd daemon (probably nobody). I've only tested the version of Netscape FastTrack that comes with SCO UnixWare 7.1, 2.01a. I'm not sure what other platforms, if any, are vulnerable. Unixware exploit included.
d75d7676e9ba884cae00eb12d442f7c46825fe70ae4746948d00b7756b541383A vulnerability in majordomo allows local users to gain elevated privileges.
792d59158dadd36a7ada42e732b5f076be51ac1491f09ece77427d758fc24205A vulnerability in IBM's Network Station Manager will allow any local user to gain root privileges.
aac4438238668b605585d43fcc4b4f4ebe45a72c09a4cd9071962bc28a93d82bA vulnerability in "/usr/local/bin/pis" on SCO UnixWare will allow any user to create arbitrary files with group "sys" privileges. A full root compromise is then trivial.
6bb80262134ac8ffccd94ff0c09ebbb892bf91d48a90d119fec119e35aea2470Anyone can gain remote root access to a UnixWare 7.1 system by exploiting a vulnerability in the i2odialogd daemon. This daemon is installed and running by default.
036bfe31c03c92e9bc94b4a442b735a8cb7fd6fd7607cdb68240709bed19aff3Several holes in the Solaris 2.7 SPARC/x86 dmispd daemon will allow malicious users to do various local and remote DoS attacks and probably more.
f473b55e73cc713bf480a073d0ec58518887e272f350177275f1a0e6bf9202b6A vulnerability in FreeBSD 3.3's xsoldier will allow any user to gain root access. This user does not have to have a valid $DISPLAY to exploit this.
411e25fa4d0f8f1546ae437eca6b7cd89ef9c9556cec361f9418db59086b8ed4A fundamental flaw in SCO UnixWare's security model will allow any user to gain root, read system files, etc. Any process that gets extra privledges from /etc/security/tcb/privs is vulnerable. Exploit included.
e43f1d71568f42ead69639f27b46f790fcc45e7e0ab1b76a9ed368206e498a62Most of UnixWare's pkg commands can be exploited to print /etc/shadow, leading to a probable root compromise. Tested on Unixware 7.1. Contains exploits for pkgtrans, pkginfo, pkginstall, pkgcat, and pkgparam.
0bda77b4bfd4fb0d530fdbb0f125b2437e75b360b862295fcd5fbc49d7944cbaThe majority of the UnixWare "pkg" command, such as pkginfo, pkgcat, pkgparam, etc, are vulnerable to a bug which will allow any user to read any file on the system as a result of their additional "dacread" permission in the privs file.
eed02a6b7a86a7d3af4ec8b75523b340d16c847a4c9f0c75df048402aa31a77e/var/mail is mode 777 on unixware. As such, any user may create a file called /var/mail/ with a mode readable by him and trap all incoming mail. Afraid of getting caught? chown the file to (see my advisory on this subject), leaving it still world-readable.
46ae8ff88d8e772a92c9ba19350af2ed03967745531fb28c4fa5017049596f5cAlthough UnixWare's /usr/X/bin/xauto is NOT suid/sgid, we can still overflow a buffer within it and gain root privileges. Exploit included.
1c1b11b96493a0a6c636a63b841987b7379e3ca31f6adcf1fb5f261a46c6bd93Unixware allows regular users to use chown to give files away to other users. Tested on Unixware 7.1.
6a4b1a07cc91d4a9530defc0981f88a0f28de02c2709b9e4a672624b2b3113a4A serious bug exists in UnixWare 7.1's libc. A buffer overflow in gethostbyname() will allow any user to obtain elevated privileges. My demonstration exploit happened to be "arp", but any program calling this function will do.
33ff95b3f628171302cc481f7d84bd468b39f1cbee5eefe342b2237ec3c91cddSCO UnixWare 7.1's sgid-sys /usr/bin/uidadmin will allow any user to gain root privileges as a result of it's ability to write *ANY* file, not just those traditionally writable by gid-sys. Exploit for 7.1 included, 7.0 is vulnerable as well.
e3601c95a78b23bc230de20b8d8323da8152ce4edc6999c9572c383340376a25Seyon, shipped with FreeBSD 3.3-RELEASE has several vulnerabilities. The problem is that seyon is still installed setgid dialer in FreeBSD, allowing a local user can grant himself priviliges which allow access to anything that requires group dialer, including modem devices.
a9642539381b9b2c0b68f11b82b75f51cf840c23814a843007b8cb83175e7c42/usr/vmsys/bin/chkperm and /usr/sbin/arp can be used to read bin-owned files. Tested on Solaris 2.6 and 2.7, sparc edition.
f90b3fcc752af63f6b5d54d3b5905eca70e3ace2ce6af776755dca4e9c75ee57The version of xmindpath shipped with FreeBSD 3.3 has a local buffer overflow. Exploit gives euid uucp.
5d52e1a5419ac5a1c0569f83febf0226fe7e2f7a12ae55f4a5ede2a4ea222568The version angband shipped with FreeBSD 3.3-RELEASE has a buffer overflow vulnerability. Exploit yields egid of group games.
44b73b99876799ae46c66c8fa966417aafad596ff1a5346c51c0eae2a3e456e5gdc exploit for gated-3.5.11 included on Freebsd-3.3 instalation CD yields euid=0(root). By default, only group wheel (or whatever your trusted gated group is) and root can run gdc.
daf532f5a241b630b4257fee36d298e5ae539656328096a75c7b55b9f5f48468A vulnerability exists in "faxalter", part of the hylafax-4.0.2 package which will allow any user gain uucp and possibly root privs. Includes FreeBSD exploit.
68696f6c129b8107698b0a9eed8e8c03714dd4c57913fef0990702c86d7d68a3The Amanda backup package has a several vulnerabilities which will allow any user to gain root privs. Includes exploit for FreeBSD. Other OS's that are probably vulnerable include RedHat ?.?, TurboLinux, PowerTools CD, and SuSE 6.2.
cd4b43d16583bbc925d634ec7e84deded1e5b3df2fcd67705805e29ebc0e2505Any user may overwrite any file with group auth (i.e. /etc/shadow, /etc/passwd) using /etc/sysadm.d/bin/userOsa.
efdff100c4986b360fdb21f715839b67fb3d8d0b39aa721df77706513060b1a7An overflow in /opt/K/SCO/Unix/5.0.5Eb/.softmgmt/var/usr/bin/cancel which will allow any user to gain lp privs.
9a4e597b84c8c1eb31bb630c9cc574cac8e99b62e17a606be42a39e44a6790f1
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed