| Real Name | Larry W. Cashdollar |
|---|---|
| Email address | private |
| Website | vapid.dhs.org |
| First Active | 1999-11-14 |
| Last Active | 2020-07-15 |
The Sun Update Manager suffers from a /tmp clobbering vulnerability.
9ed3d1ea271454d9da6b06fca58387916ec1c5bb71e3b0bd7e332c3cde7b3960
This Metasploit module abuses a metacharacter injection vulnerability in the diff.php script. This flaw allows an unauthenticated attacker to execute arbitrary commands as the www-data user account.
80e3ce82a2d97fa36f0665883aecc56cc126a901567bd0c4251832c7ded7ffe7
Proof of concept crash exploit for Safari on iOS that leverages a denial of service vulnerability.
b7aed7d45d2d8c141f4d038fb1e6bb148bd5d8c687b4740e140f2b04997e86d9
Oracle Exadata Infiniband Switch suffers from default logins and a world readable shadow file.
7e5478fdcf18712f433486ced03cd8f6db6de63a872fcfdbfc813aea0e823206
Mambo CMS version 4.6.5 suffers from denial of service, poor permission use and path disclosure vulnerabilities.
726b0757aee41d55186a299fbe523c06e0d0e6dd07c151e1821f7b9f1fcbbbba
bzexe suffers from a /tmp race condition that allows for local root compromise.
6e68fae43ebf644c85b61c5d338cdd51e5d73299d4c2a58f508e21a2c155b364
Perl Cache-Cache version 1.06 suffers from an insecure permission vulnerability.
37ffab0c7b687666bcf779dfc51ce9d345e58e91e512e603ede4b5e82c37b6b5
Solaris Update manager and Sun Patch Cluster suffer from a symlink vulnerability.
2c5e6fb72b5483c114e659a98e04e40c8239612c494aab80a6f8827baed220f6
The PatchLink Update Unix Client suffers from multiple file clobbering vulnerabilities allowing for privilege escalation.
9edd2c3dea0e2f04c171d8980ce2fe3f0ec1fc649d996bba22558f6b5207870c
IBM Informix (IDS) V10.0 suffers from several flaws that could allow an attacker to overwrite any file on the system or inject commands into the installer scripts.
e299b03aa62557f2b9a2a6bba84f0efdb77c22a8264d634d77e8361c2c039429
The htpasswd program shipped with thttpd-2.25b can be tricked into executing arbitrary programs.
abdda0f4558def730529de9345400a2e8dcfde31ef1b3602b6dde851b696f909
It appears that the new Apache release 1.3.33 is still susceptible to a local buffer overflow discovered in htpasswd under release 1.3.31.
e6a9149037f4b1d66672b62767ea68f40b7ee59f1984ddb9aa2e324192efe4ef
iDEFENSE Security Advisory 03.19.04: Exploitation of default file permissions in Borland Interbase can allow local attackers to gain database administrative privileges. The vulnerability specifically exists due to insecure permissions on the admin.ib user database file. Local attackers can add or modify existing accounts to gain administrative privileges.
b71f1e19f5d04a562354ac69ff0c4e4809b8054067ce74ebf7ae83fa5306c438
Vapid Labs Security Note - The PrimeBase SQL Database Server 4.2 stores passwords in clear text. Depending on the installation user's umask settings, it may be readable by all local users.
43002c694b892879a9fefb2c4763eaa0435c8018f79e132da7c50c1395f81a57
SNAP Innovation's PrimeBase Database 4.2 employs a poor use of file creation and default file permissions that could allow a local attacker to gain administrative privileges.
126d4fc6faa462a7f475dbaf8949f35c75b0233ca041cf7689ed0d082e73ec95
Further information and research regarding the InterSystems Cache vulnerabilities discussed here. Two new vulnerabilities have been discovered and exploits are included.
728fbb24e98602c5fe921cab33d49eb861a834a80b0d955bc059096191267f54
iDEFENSE Security Advisory 07.01.03: InterSystems Corp. Cache installs with insecure file and directory permissions, thereby allowing local attackers to gain root access by manipulating items in the main package tree. The vulnerability specifically exists because files and directories are open to all users for read, write, and execute operations.
a94ec4e715dbd55bc4d0dfb19dc4102c0d75702736bfe3b8af0e08165f59aa3a
SAP DB is vulnerable to a race condition during installation. The installer creates a world writable file that gets compiled and is then set setuid root. If a local attacker can overwrite the file in the allotted time frame, they will be able to escalate their privileges.
133ef0c808730e0896b10d01e7b0daaaf775415dcf0f90ca80ffebe268a51845
Solaris 2.8 patchadd local exploit. Takes advantage of a symlink vulnerability to clobber files with output from patchadd. Tested on Solaris 2.8 Sparc with the current patch cluster applied.
a8745334e41a751bc67512da3ab3617e9e543b283f76da7d9a5b2496eef89fec
Solaris 2.7/2.8 /usr/bin/catman allows local users to clobber root owned files by symlinking temporary files. Includes catman-race.pl and ctman-race2.pl for proof of concept.
9a29d9929df3618598e1b73b8901c5d5026303418322bac348f2cc5417e8cef6
Voyant Technologies Sonata Conferencing Software v3.x on Solaris 2.x comes with the setuid binary doroot which executes any command as root.
66e1e97f64c7220d0c49571196c3c0b688f31aa0b1d4177776bcaca25289e18f
Voyant Technologies Sonata Conferencing vulnerability report - Local and remote vulnerabilities have been found in both the Solaris and OS/2 hosts, including reused default passwords, poor file permissions, a lack of host hardening, account enumeration, and an insecure X console.
a8e729c47d2cec5776df25793904a78c510a9d33109cf09b1c50ec0743406e0e
PocketC program to dehash the admin password for FlowerFire's Sawmill 5.0.21 log analysis package. This has been written, compiled and tested on my Palm IIIxe. Takes a few seconds since the hash is so weak.
0aa155e7517924fa800b7c6c2d61993936bdde7128b24b1b64a1311803519fd9
Sawmill 5.0.21 is a site log statistics package for UNIX, Windows and MacOS which has remote vulnerabilities. Any file on the system can be read, and the password is stored with a weak hash algorithm that can be reversed using the included C program. This is dangerous because the previous security hole will allow you to read the hash and recover the admin password.
2c2c58f021857e688f36ad471178bf0306d758fc5829abf90f77a22c58174057
/usr/local/games/xsoldier local root exploit. Tested under Mandrake 7.0.
2efbf7e734506a09a852e6b3154a6163a11aff489a05f01d6c99f70a70026d5b