Irix 6.3/6.2 /usr/bin/X11/xlock local buffer overflow exploit.
b8d9843b397b57fccaa793ccf840cd9d1975e50c5e927c8e182b01e64aeea9fa
Irix 6.2/5.3 named iquery remote root buffer overflow exploit. Spawns a bindshell.
f5baf76e8d286e7a76ef7459ff65cd0578c8cb1199e6fbd93e2ca3e1a8381a0d
Autofsd remote buffer overflow exploit for Irix 6.4 and 6.5.
2d65722f66dfe721e80274d6c4393ffbad95bf9da27ed4c41994ce16fc1b826f
Irix 6.5/6.4/6.3/6.2 arrayd remote buffer overflow exploit as described in CA-99-09-arrayd.txt.
fb555806421a71e23aaabcc1e1c51b5f2f02c010505be9682fbf9e7b39ebad56
SGI objectserver "export" exploit - Remotely adds new entry to the export list on the IRIX system. See our SGI objectserver "account" exploit for more information. Only directories that aren't supersets of already exported ones can be added to the export list.
4b12bc670104362647c98bc09c33e31bd72cf0907624f171bded34b49558ac77
rpc.ttdbserverd remote root exploit for IRIX 5.2, 5.3, 6.2, 6.3, 6.4, 6.5, and 6.5.2.
013680ab2f18fda2da0613e985b4d69e5e887fe8bfcdd023cd1e22f04cb5343e
Weekly Newsletter from Help Net Security Issue 26 - 21.08.2000 - Covers weekly roundups of security related events. In this issue: Updated perl and mailx packages to address potential local exploit, widespread susceptibility to IIS 4.0/5.0 "Specialized Header" vulnerability, Rapidstream VPN Appliances root compromise, IRIX telnetd vulnerability, Hotmail/Microsoft Instant Messenger issue, Watchguard Firebox Authentication DOS, OS/2 WARP 4.5 FTP Server DOS, IMAIL web service remote DOS attack v.2, and a paper presented at the Black Hat briefings titled, "A Stateful Inspection of Firewall-1."
ded3256ac231b285a673d0b7adbc6383d0cfb5fa6f0f6a35ad476c8a66bea282
ISS Security Alert Summary July 1, 2000 - 77 new vulnerabilities were reported last month. This document has links to more information and full advisories on each. Includes: win2k-telnetserver-dos, win2k-cpu-overload-dos, fw1-resource-overload-dos, sybergen-routing-table-modify, ircd-dalnet-summon-bo, win-arp-spoofing, imesh-tcp-port-overflow, ie-active-setup-download, ftgate-invalid-user-requests, winproxy-get-dos, firstclass-large-bcc-dos, winproxy-command-bo, boa-webserver-file-access, ie-access-vba-code-execute, ie-powerpoint-activex-object-execute, fortech-proxy-telnet-gateway, xwin-clients-default-export, sawmill-file-access, sawmill-weak-encryption, netscape-virtual-directory-bo, netscape-enterprise-netware-bo, proxyplus-telnet-gateway, glftpd-privpath-directive, irc-leafchat-dos, openbsd-isc-dhcp-bo, debian-cups-malformed-ipp, jetadmin-network-dos, wuftp-format-string-stack-overwrite, jrun-read-sample-files, redhat-secure-locate-path, redhat-gkermit, weblogic-file-source-read, netscape-ftpserver-chroot, linux-kon-bo, dmailweb-long-username-dos, dmailweb-long-pophost-dos, aix-cdmount-insecure-call, irix-workshop-cvconnect-overwrite, blackice-security-level-nervous, linux-libice-dos, xdm-xdmcp-remote-bo, webbbs-get-request-overflow, nettools-pki-http-bo, nettools-pki-unauthenticated-access, panda-antivirus-remote-admin, dragon-telnet-dos, dragon-ftp-dos, small-http-get-overflow-dos, mdaemon-pass-dos, simpleserver-long-url-dos, win2k-desktop-separation, zope-dtml-remote-modify, pgp-cert-server-dos, antivirus-nav-fail-open, antivirus-nav-zip-bo, kerberos-gssftpd-dos, sol-ufsrestore-bo, tigris-radius-login-failure, webbanner-input-validation-exe, smartftp-directory-traversal, antisniff-arptest, weblogic-jsp-source-read, websphere-jsp-source-read, freebsd-alpha-weak-encryption, mailstudio-set-passwords, http-cgi-mailstudio-bo, mailstudio-view-files, kerberos-lastrealm-bo, kerberos-localrealm-bo, kerberos-emsg-bo, kerberos-authmsgkdcrequests, kerberos-free-memory, openssh-uselogin-remote-exec, mailstudio-cgi-input-vaildation, ceilidh-path-disclosure, ceilidh-post-dos, and nt-admin-lockout.
56bdbd85738f9ce23d025f2bb8e258e5ea88fba4f6c6be7083dc0867aabe88e2
USSR Advisory #43 - Remote DoS attack against Real Networks Real Server version 7, 7.01, and G2 1.0. Sending malformed packets to the RealServer HTTP port (default 8080) will cause the service to stop responding. Exploit URL included. Affects Windows NT/2000, Solaris 2.x, Linux, Irix, Unixware, and FreeBSD.
fb3235de31d91f9fe6c72377f127e585ee0a820398fcdfdb7ff9898b18eeb010
ISS Security Alert Summary for May 1, 2000. 35 new reported vulnerabilities this quarter, including: eudora-warning-message, icradius-username-bo, postgresql-plaintext-passwords, aix-frcactrl-file-modify, cisco-ios-http-dos, meetingmaker-weak-encryption, pcanywhere-tcpsyn-dos, piranha-passwd-execute, piranha-default-password, solaris-lp-bo, solaris-xsun-bo, solaris-lpset-bo, zonealarm-portscan, cvs-tempfile-dos, imp-wordfile-dos, imp-tmpfile-view, suse-file-deletion, qpopper-fgets-spoofing, adtran ping-dos, emacs-local-eavesdrop, emacs-tempfile-creation, emacs-password-history, irix-pmcd-mounts, irix-pmcd-processes, irix-pmcd-dos, iis-myriad-escape-chars, freebsd-healthd, beos-syscall-dos, linux-trustees-patch-dos, pcanywhere-login-dos, beos-networking-dos, win2k-unattended-install, mssql-agent-stored-pw, and webobjects-post-dos.
6d59eba0abd44501049acfa5e821123af34e918e7a66fc7f61eef2851fad52c7
Phrack Magazine Issue 56 - Shared Library Redirection via ELF PLT Infection, writing IRIX shellcode, subtle backdooring techniques, Bypassing StackGuard and StackShield, the Phrack Prophile, and more.
d4f49f9260edf5b745cd4416f6356f315a9364592830c2a900a874ca7988e437
IRIX Login Security - This paper explains a bit about logins and the seriousness of what could happen if you don't take certain precautions. It also covers some options you can set for your logins, certain restrictions, and a lot more.
35daa4e31eadc2e9835852cb680f16c18c3d63d83c32a3c93afa078dcdfd4718
ISS Security Alert Summary 5.3 - Summary of vulnerabilities discovered in March, 2000. Contains 33 reported vulnerabilities - windmail-pipe-command, windmail-fileread, simpleserver-exception-dos, linux-domain-socket-dos, linux-gpm-root, outlook-manipulate-hidden-drives, vqserver-dir-traverse, vqserver-passwd-plaintext, iis-chunked-encoding-dos, nav-email-gateway-dos, netscape-server-directory-indexing, mercur-webview-get-dos, officescan-admin-pw-plaintext, officescan-admin-access, linux-kreatecd-path, win-dos-devicename-dos, wmcdplay-bo, nt-registry-permissions, staroffice-scheduler-fileread, staroffice-scheduler-bo, iis-root-enum, mssql-query-abuse, clipart-cil-bo, oracle-installer, linux-rpm-query, thebat-mua-attach, irix-infosrch-fname, linux-dosemu-config, coldfusion-reveal-pathname, netscape-enterprise-command-bo, nmh-execute-code, htdig-remote-read, and ie-html-shortcut.
73a4d14101964f3e30048066a698907d3a3a447cd3fd69d5e08ddd23f575d71c
SGI IRIX objectserver remote exploit - Remotely adds account to the IRIX system. Patched February, 1998. Tested on IRIX 5.2, 5.3, 6.0.1, 6.1 and even 6.2.
50cc9680c224be9e0219d599f01be7fd1deae2ff3856942ef92ade8bb1049054
SGI Security Advisory - A remote vulnerability in the objectserver(1M) daemon has been discovered which can lead to unauthorized non-privileged user accounts being created. IRIX operating systems versions 5.1 through 6.2 are vulnerable.
62bd2d1d51a462ebca4fd8887d85a6f4a333ec705b12f8d65fdd2ccbeaaecfbf
IRIX 5.3 and 6.2 remote bind iquery overflow.
b801143c1ce4d17ed2fa72ee309b8de04aca3c0a8f28c3d870db447f3237d770
Irix 6.5 InfoSearch is a web-based interface to books, manpages, and relnotes, distributed by SGI. infosrch.cgi can execute commands remotely.
eba4d77a802d260631abb020810e7f15fba73aa9ed4f550a8086a00d34d95608
CGI vulnerability scanner version 2.00. Checks for 173 CGI vulnerabilities. Tested on Linux, FreeBSD, and IRIX.
0431b7efce10152b2d33936031b456224a8417c3e9dd186c96dad485ee727526
Universal login trojan - Login trojan for pretty much any O/S. Tested on Linux, BSDI 2.0, FreeBSD, IRIX 6.x, 5.x, SunOS 5.5, 5.6, 5.7, and OSF1/DGUX4.0. Works by checking the DISPLAY environment variable before passing the session to the real login binary.
fb412b9239e72a75c7f47ba4a4785c5cbfc7665494372801af49f21457eed13d
Sentinel is a fast file/drive scanning utility similar to the Tripwire and Viper.pl utilities available. It uses a database similar to Tripwire, but uses a RIPEMD-160bit MAC checksumming algorithm (no patents) which is more secure than the patented MD5 128 bit checksum. It should run on most Unixes (tested on Red Hat Linux v6.0 & v5.2, Slackware Linux v3.x & 4.xb, and IRIX v5.2 and v6.x). Several other utilities which are used for Sentinel development are also posted here. Most utilities are included with the Sentinel tarball. gSentinel is a graphical front-end to Sentinel. Newbies should download gSentinel as it comes with a very simple rpm based installation and offers a friendly interface. Beware that gSentinel is currently under development and may be fairly crude compared to most GUI packages.
9f6315a4b007336f2bc225ce16208ad6f75590dbbc6f0a043a40652e4ee1b013
The IRIX setuid root binary midikeys can be used to read any file on the system using its GUI. It can also be used to edit any file on the system.
03bb247d0172ed1737bba3d4e4230b04f38a9de92fd5b0752da235aba0b587e5
Subject: SGI IRIX fam service Vulnerability. Date: 04-Mar-2000.
3a685c2152f1609cdf7391e4dc4908c29f12b4a263a1e61ef96bf63c005e82b6
Subject: "IRIX" lp Vulnerability. Date: 10-apr-92.
3b1db849f06da2831daa078df249feaeafe33e84e8f6faac3cd339f8863eefc6
Subject: SGI IRIX configuration vulnerabilities. Date: 25-Oct-93.
c6e9600ebedab27ae7c88459328ea9ed71be2811852d8f15bba5485c8615482c
Subject: SGI IRIX Help Vulnerability. Date: 12-aug-94.
0b7596c50ed421fca21fc8b739259d28fcbbc4ce6cc43eda34ef1ad5a9719e36