A vulnerability exists in Oracle 8.1.5 for UN*X which may allow any user to obtain root privileges. Local root exploit shell script included.
17d374afd2a8378ded9bbbbbe17182f77ee586f2c4da4eb247fb052a192da311
A vulnerability in Netscape FastTrack 2.01a will allow any remote user to execute commands as the user running the httpd daemon (probably nobody). I've only tested the version of Netscape FastTrack that comes with SCO UnixWare 7.1, 2.01a. I'm not sure what other platforms, if any, are vulnerable. UnixWare exploit included.
d75d7676e9ba884cae00eb12d442f7c46825fe70ae4746948d00b7756b541383
A vulnerability in majordomo allows local users to gain elevated privileges.
792d59158dadd36a7ada42e732b5f076be51ac1491f09ece77427d758fc24205
A vulnerability in IBM's Network Station Manager will allow any local user to gain root privileges.
aac4438238668b605585d43fcc4b4f4ebe45a72c09a4cd9071962bc28a93d82b
A vulnerability in "/usr/local/bin/pis" on SCO UnixWare will allow any user to create arbitrary files with group "sys" privileges. A full root compromise is then trivial.
6bb80262134ac8ffccd94ff0c09ebbb892bf91d48a90d119fec119e35aea2470
Anyone can gain remote root access to a UnixWare 7.1 system by exploiting a vulnerability in the i2odialogd daemon. This daemon is installed and running by default.
036bfe31c03c92e9bc94b4a442b735a8cb7fd6fd7607cdb68240709bed19aff3
Several holes in the Solaris 2.7 SPARC/x86 dmispd daemon will allow malicious users to do various local and remote DoS attacks and probably more.
f473b55e73cc713bf480a073d0ec58518887e272f350177275f1a0e6bf9202b6
A vulnerability in FreeBSD 3.3's xsoldier will allow any user to gain root access. This user does not have to have a valid $DISPLAY to exploit this.
411e25fa4d0f8f1546ae437eca6b7cd89ef9c9556cec361f9418db59086b8ed4
A fundamental flaw in SCO UnixWare's security model will allow any user to gain root, read system files, etc. Any process that gets extra privileges from /etc/security/tcb/privs is vulnerable. Exploit included.
e43f1d71568f42ead69639f27b46f790fcc45e7e0ab1b76a9ed368206e498a62
Most of UnixWare's pkg commands can be exploited to print /etc/shadow, leading to a probable root compromise. Tested on UnixWare 7.1. Contains exploits for pkgtrans, pkginfo, pkginstall, pkgcat, and pkgparam.
0bda77b4bfd4fb0d530fdbb0f125b2437e75b360b862295fcd5fbc49d7944cba
The majority of the UnixWare "pkg" commands, such as pkginfo, pkgcat, pkgparam, etc., are vulnerable to a bug which will allow any user to read any file on the system as a result of their additional "dacread" permission in the privs file.
eed02a6b7a86a7d3af4ec8b75523b340d16c847a4c9f0c75df048402aa31a77e
/var/mail is mode 777 on UnixWare. As such, any user may create a file called /var/mail/ with a mode readable by him and trap all incoming mail. Afraid of getting caught? chown the file to (see my advisory on this subject), leaving it still world-readable.
46ae8ff88d8e772a92c9ba19350af2ed03967745531fb28c4fa5017049596f5c
Although UnixWare's /usr/X/bin/xauto is NOT suid/sgid, we can still overflow a buffer within it and gain root privileges. Exploit included.
1c1b11b96493a0a6c636a63b841987b7379e3ca31f6adcf1fb5f261a46c6bd93
UnixWare allows regular users to use chown to give files away to other users. Tested on UnixWare 7.1.
6a4b1a07cc91d4a9530defc0981f88a0f28de02c2709b9e4a672624b2b3113a4
A serious bug exists in UnixWare 7.1's libc. A buffer overflow in gethostbyname() will allow any user to obtain elevated privileges. My demonstration exploit happened to be "arp", but any program calling this function will do.
33ff95b3f628171302cc481f7d84bd468b39f1cbee5eefe342b2237ec3c91cdd
SCO UnixWare 7.1's sgid-sys /usr/bin/uidadmin will allow any user to gain root privileges as a result of its ability to write *ANY* file, not just those traditionally writable by gid-sys. Exploit for 7.1 included; 7.0 is vulnerable as well.
e3601c95a78b23bc230de20b8d8323da8152ce4edc6999c9572c383340376a25
Seyon, shipped with FreeBSD 3.3-RELEASE, has several vulnerabilities. The problem is that seyon is still installed setgid dialer in FreeBSD, allowing a local user to grant himself privileges which allow access to anything that requires group dialer, including modem devices.
a9642539381b9b2c0b68f11b82b75f51cf840c23814a843007b8cb83175e7c42
/usr/vmsys/bin/chkperm and /usr/sbin/arp can be used to read bin-owned files. Tested on Solaris 2.6 and 2.7, sparc edition.
f90b3fcc752af63f6b5d54d3b5905eca70e3ace2ce6af776755dca4e9c75ee57
The version of xmindpath shipped with FreeBSD 3.3 has a local buffer overflow. Exploit gives euid uucp.
5d52e1a5419ac5a1c0569f83febf0226fe7e2f7a12ae55f4a5ede2a4ea222568
The version of angband shipped with FreeBSD 3.3-RELEASE has a buffer overflow vulnerability. Exploit yields egid of group games.
44b73b99876799ae46c66c8fa966417aafad596ff1a5346c51c0eae2a3e456e5
gdc exploit for gated-3.5.11 included on FreeBSD-3.3 installation CD yields euid=0(root). By default, only group wheel (or whatever your trusted gated group is) and root can run gdc.
daf532f5a241b630b4257fee36d298e5ae539656328096a75c7b55b9f5f48468
A vulnerability exists in "faxalter", part of the hylafax-4.0.2 package, which will allow any user to gain uucp and possibly root privs. Includes FreeBSD exploit.
68696f6c129b8107698b0a9eed8e8c03714dd4c57913fef0990702c86d7d68a3
The Amanda backup package has several vulnerabilities which will allow any user to gain root privs. Includes exploit for FreeBSD. Other OSes that are probably vulnerable include RedHat ?.?, TurboLinux, PowerTools CD, and SuSE 6.2.
cd4b43d16583bbc925d634ec7e84deded1e5b3df2fcd67705805e29ebc0e2505
Any user may overwrite any file with group auth (i.e. /etc/shadow, /etc/passwd) using /etc/sysadm.d/bin/userOsa.
efdff100c4986b360fdb21f715839b67fb3d8d0b39aa721df77706513060b1a7
An overflow in /opt/K/SCO/Unix/5.0.5Eb/.softmgmt/var/usr/bin/cancel will allow any user to gain lp privs.
9a4e597b84c8c1eb31bb630c9cc574cac8e99b62e17a606be42a39e44a6790f1