ISS Security Advisory - A format string vulnerability has been found in the tooltalk service (rpc.ttdbserverd) on multiple versions of HP-UX, IBM AIX, IRIX, DG-UX, and Solaris. ToolTalk contains a "syslog()" call that will interpret user-supplied formatting arguments. This call is insecure and allows remote attackers to control formatting and manipulate data at arbitrary locations in the memory of the running executable.
7b3937ec0ff2a6f8ab2b30dddccd69238b157ccf162a4101a1d63bff08da76b8Hhp-temprace6_0.pl is a quick and simple temp race checker for Linux, BSD, Sun/Solaris and IRIX. Put together to eliminate the hassle of manual checking.
3a7b01350b0436ef102a74f1abf29d166c13d069a577ab60fb104dd82412538dTESO Security Advisory #11 - Multiple vendor Telnet Daemon vulnerability. Most current telnet daemons in use today contain a buffer overflow in the telnet option handling. Under certain circumstances it may be possible to exploit it to gain root privileges remotely. Affected systems include BSDI 4.x, FreeBSD, IRIX, Linux with netkit-telnetd < 0.14, NetBSD, OpenBSD 2.x, and Solaris.
4849ac76d26caec6f947c4879fceb873db9d4fbf399d4ebadda0a88587f6c0baUnix Assembly Code Development for Vulnerabilities Illustration Purposes v1.02 - Covers IRIX / MIPS, Solaris, HP-UX, AIX, Ultrix, Linux, BeOS, and BSD. Includes system call invocation information, code specifics, "Zero free" code, ASM functionality, and examples.
62d2e8de6232b3ff6562e6a1ae2a27a030259d2647d85ffb2ae413a70b82d7e1ISS Security Advisory - A buffer overflow has been discovered in IRIX rpc.espd, which is installed by default on all current SGI IRIX installations. Remote attackers without accounts can execute commands as root. Patch available here.
6326566a243bd93810f222cdd5171dd79f90bd2adba15b8689aaae8416431796ISS Security Alert Summary for May 10, 2001 - Volume 6 Number 6. 120 new vulnerabilities were reported this month. This document has links to more information and full advisories on each. Includes: thebat-masked-file-type, php-nuke-url-redirect, orinoco-rg1000-wep-key, navision-server-dos, ustorekeeper-retrieve-files, resin-view-javabean, bpftp-obtain-credentials, ntpd-remote-bo, cisco-css-elevate-privileges, bea-tuxedo-remote-access, ultimatebb-bypass-authentication, bintec-x4000-nmap-dos, firebox-kernel-dos, cisco-pix-tacacs-dos, ipfilter-access-ports, veritas-netbackup-nc-dos, nai-pgp-split-keys, solaris-kcms-command-bo, talkback-cgi-read-files, ftp-glob-implementation, pine-tmp-file-symlink, ftp-glob-expansion, netscape-javascript-access-data, strip-weak-passwords, solaris-xsun-home-bo, compaq-activex-dos, alcatel-expert-account, alcatel-tftp-lan-access, alcatel-tftp-wan-access, oracle-appserver-ndwfn4-bo, alcatel-blank-password, solaris-dtsession-bo, solaris-kcssunwiosolf-bo, lightwave-consoleserver-brute-force, nph-maillist-execute-code, ghost-configuration-server-dos, lotus-domino-device-dos, lotus-domino-header-dos, lotus-domino-url-dos, lotus-domino-corba-dos, ghost-database-engine-dos, cfingerd-remote-format-string, lotus-domino-unicode-dos, mkpasswd-weak-passwords, solaris-ipcs-bo, interscan-viruswall-isadmin-bo, hylafax-hfaxd-format-string, cisco-vpn-ip-dos, ibm-websphere-reveals-path, qpc-ftpd-bo, qpc-ftpd-directory-traversal, qpc-popd-bo, ncm-content-database-access, netscape-smartdownload-sdph20-bo, sco-openserver-accept-bo, sco-openserver-cancel-bo, sco-openserver-disable-bo, sco-openserver-enable-bo, sco-openserver-lp-bo, sco-openserver-lpfilter-bo, sco-openserver-lpstat-bo, sco-openserver-reject-bo, sco-openserver-rmail-bo, sco-openserver-tput-bo, ibm-websphere-macro-dos, sco-openserver-lpmove-bo, reliant-unix-ppd-symlink, exuberant-ctags-symlink, processit-cgi-view-info, isa-web-proxy-dos, ie-clsid-execute-files, cisco-catalyst-8021x-dos, bubblemon-elevate-privileges, dcforum-az-directory-traversal, dcforum-az-file-upload, dcforum-az-expr, linux-netfilter-iptables, xitami-server-dos, samba-tmpfile-symlink, goahead-aux-dos, analogx-simpleserver-aux-dos, viking-hex-directory-traversal, solaris-ftp-shadow-recovery, thebat-pop3-dos, eudora-plain-text-attachment, vmware-mount-symlink, kfm-tmpfile-symlink, cyberscheduler-timezone-bo, ms-dacipp-webdav-access, oracle-tnslsnr80-dos, innfeed-c-bo, iplanet-calendar-plaintext-password, nedit-print-symlink, checkbo-tcp-bo, hp-pcltotiff-insecure-permissions, netopia-timbuktu-gain-access, cisco-cbos-gain-information, ie-xml-stylesheets-scripting, gftp-format-string, bordermanager-vpn-syn-dos, saft-sendfiled-execute-code, mercury-mta-bo, qnx-fat-file-read, viking-dot-directory-traversal, netcruiser-server-path-disclosure, perl-webserver-directory-traversal, small-http-aux-dos, ipswitch-imail-smtp-bo, kerberos-inject-base64-encode, irix-netprint-shared-library, webxq-dot-directory-traversal, raidenftpd-dot-directory-traversal, perlcal-calmake-directory-traversal, icq-webfront-dos, alex-ftp-directory-traversal, webweaver-ftp-path-disclosure, webweaver-web-directory-traversal, winamp-aip-bo, bearshare-dot-download-files, and iis-isapi-bo.
00cf12d8a5a8701f90a38c209a88b00c8028def67321206fa40aca19a90f593dIrix Netprint local root exploit. Exploits netprint's -n option. Tested on IRIX 6.2, but should work on other versions.
e1b15bb0206ea96a407bd99676b571620fc56bbe407ca2fe157fa97b328c6b5bNAI Security Advisory - Multiple FTP server implementations contain buffer overflows that allow local and remote attackers to gain root privileges on affected servers. These vulnerabilities are contingent upon the remote user having the ability to create directories on the server hosting the FTP daemon, with the exception of a few cases noted below. The vulnerabilities presented are all related to the use of the glob() function, and can be divided into the following two categories - glob() expansion vulnerabilities and glob() implementation vulnerabilities. Vulnerable FTP servers include OpenBSD, NetBSD, FreeBSD, Irix, HPUX 11, and Solaris 8.
14a21100e205f31e8a5af8bf40f62968749848f4653fa977060110baa1c23a96CERT Advisory CA-2001-07 - Many FTP servers have remote vulnerabilities in filename expansion due to the glob() function which allow arbitrary code execution. Vulnerable FTP servers include OpenBSD, NetBSD, FreeBSD, Irix, HPUX 11, and Solaris 8.
809c9d0e40e40d5ec796bd833496f52b16bd9671042bef29959a533565d6676bIntroduction to the MIPS architecture and the IRIX operating system, focusing on how to write shellcode for IRIX. Includes 3 sample shell codes. This is an updated version of the article in Phrack 56.
4ae9d1a99adae30ec567bcc47c657eb5fa712b7d9ea625abbd8747f87f01cfaeExploit for the Bind NXT remote root vulnerability, which affects Bind v8.2 - 8.2.1. Compiles on Linux, tested against Irix, BSD, and Linux. Includes Irix shellcode for breaking chroot.
febfc0b34d825bb1fd2b1ea1e96374fa6816966c45c2f8ac101caef72cf4b91bCERT Quarterly Summary for November, 2000 - Since the last regularly scheduled CERT summary, issued in August (CS-2000-03), we have seen continued compromises via rpc.statd and FTPd. We have also seen a number of sites compromised by exploiting a vulnerability in the IRIX telnet daemon. Notable virus activity includes the Loveletter.as worm and the QAZ worm.
e8488c9895d8d674123d6fae983a30e4fa01369e7a25ab353192c987dd4546eeISS Security Alert Summary for September 15, 2000. 87 new vulnerablities were reported this month. This document has links to more information and full advisories on each. Includes: ftp-goodtech-rnto-dos, imail-file-attachment, go-gnome-preinstaller-symlink, mailers-cgimail-spoof, win-netbios-corrupt-cache, news-publisher-add-author, xpdf-embedded-url, intel-express-switch-dos, viking-server-bo, win2k-corrupt-lsp, vqserver-get-dos, mgetty-faxrunq-symlink, money-plaintext-password, wormhttp-dir-traverse, wormhttp-filename-dos, cgi-auction-weaver-read-files, iis-cross-site-scripting, telnetserver-rpc-bo, nai-pgp-unsigned-adk, website-pro-upload-files, account-manager-overwrite-password, subscribe-me-overwrite-password, hp-netinit-symlink, realsecure-frag-syn-dos, sunjava-webadmin-bbs, zkey-java-compromise-accounts, java-vm-applet, darxite-login-bo, gopherd-halidate-bo, phpnuke-pwd-admin-access, becky-imail-header-dos, gnome-installer-overwrite-configuration, gnome-lokkit-open-ports, minicom-capture-groupown, webshield-smtp-dos, netwin-netauth-dir-traverse, xlock-format-d-option, frontpage-ext-device-name-dos, xchat-url-execute-commands, irix-worldview-wnn-bo, os2-ftpserver-login-dos, weblogic-plugin-bo, ie-folder-remote-exe, firebox-url-dos, trustix-secure-apache-misconfig, irix-telnetd-syslog-format, rapidstream-remote-execution, ntop-bo, iis-specialized-header, linux-update-race-condition, etrust-access-control-default, zope-additional-role, list-manager-elevate-privileges, iis-incorrect-permissions, varicad-world-write-permissions, gopherd-gdeskey-bo, gopherd-gdeskey-bo, mediahouse-stats-livestats-bo, linux-umb-scheme, mdaemon-session-id-hijack, tumbleweed-mms-blank-password, ie-scriptlet-rendering-file-access, office-html-object-tag, hp-openview-nnm-password, hp-newgrp, totalbill-remote-execution, solaris-answerbook2-admin-interface, perl-shell-escape, solaris-answerbook2-remote-execution, mopd-bo, java-brownorifice, diskcheck-tmp-race-condition, servu-null-character-dos, pccs-mysql-admin-tool, irix-xfs-truncate, win-ipx-ping-packet, nai-nettools-strong-bo, fw1-unauth-rsh-connection, win2k-named-pipes, sol-libprint-bo, ntop-remote-file-access, irix-grosview-bo, irix-libgl-bo, irix-dmplay-bo, irix-inpview-symlink, nettools-pki-dir-traverse, fw1-localhost-auth.
dbd64db221e040e05a4a342ac92b13566073a9300c9dab57446e955bb03abca1A serious vulnerability has been found in IRIX telnetd which can give remote root access to any IRIX 6.2-6.5.8[m,f] system. The vulnerability occurrs when one of the environment variables contains a format string which is passed on to the syslog() function. Proof of concept exploit included (updated version - compiler and little endian fixes). Fix available here.
f3757ed7c83366e37236fcd1468ac10d93f1b85113d1d44c9616dc8a918135d9/usr/sbin/dmplay local exploit for Irix 6.2 and 6.3.
33878132ba17cb14adacfd7fd63917d631a677b211c06b27f7f324d7f8ae2106/usr/lib/InPerson/inpview local exploit for irix 6.5 and 6.5.8.
20de4d5d3536e5a6e5d1f11e4bbfa5569460661e437fac2c091206b9e6a5f703/usr/sbin/eject local exploit for Irix 6.2.
3a274f0803f6cacbb36ee5488c5bf9157c5233ee43f416c630317941da7f5ffalibxt.so HOME environment variable local buffer overflow exploit for Irix 6.2 and 6.3.
0fd64a260597d92ddc35ec83625712320142e8d70f5dd3905e921919c3b0948c/sbin/pset local exploit for Irix 6.2 and 6.3.
8cd67fc2075fb7fa9cdcb4d9c5b2a7e65e9b68ea269c58db2ff38f003c788c73/usr/sbin/gr_osview local exploit for Irix 6.2 and 6.3.
b7c2bda68db1f2496ae176d7e583399122ba0fa280c6c84c3540a42b21a84999libc.so NLSPATH local exploit for Irix 6.2.
e85e8187d098ebd688d3477b8b4f2a5c06fecf078ca93a00d0e4689f460e9a32libgl.so HOME environment variable local exploit for irix 6.2.
91e0d34d930699e2770b4e4644d12dd7899a0c4309cc8a270a5fe0de7e6876aa/usr/lib/iaf/scheme (login) local exploit for Irix 5.3.
36924fa523d8e0197e9d55131aec3483099b5ec30e51b03798b09634c120ba38libxaw.so inputmethod local exploit for irix 6.2.
356a8d6b331d9f92665ee9be6d8339e4765c5517109d264bcdafd148614a7dad/usr/bin/mail local exploit for Irix 6.2 and 6.3.
46d88fde5c1a93b2c29a7b13090d438345edda725b4cb6c5a7f206e0337b0902
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed