4759 matches found
cmctl_exp
! /usr/bin/ksh cmctl is installed setuid to Oracle by default. See BugTraq ID 170 and Oracle bug id 701297 and 714293. This script will create a setuid Oracle shell, /tmp/.sh redirect environment variables export ORACLEHOME=/tmp export ORAHOME=/tmp mkdir /tmp/bin chmod a+rx /tmp/bin create cmadmi...
[SECURITY] New version of mailx released
Package: mailx Problem type: local exploit Debian-specific: no mailx is often used by other programs to send email. Unfortunately mailx as distributed in Debian GNU/Linux 2.1 has some features that made it possible to execute system commands if a user can trick a privileged program to send...
IRIX 5.2/5.3/6.x - TelnetD Environment Variable Format String
// source: https://www.securityfocus.com/bid/1572/info A vulnerability exists in the telnet daemon shipped with Irix versions 6.2 through 6.5.8, and in patched versions of the telnet daemon in Irix 5.2 through 6.1, from Silicon Graphics SGI. The telnetd will blindly use data passed by the user in...
Hole in DBMAN
db.cgi allows an attacker to obtain some environment variables...
Black Watch Labs Vulnerability Alert
Dear Security Professional, The following vulnerability: "Environment and Setup Variables Can Be Viewed Through DBMan db.cgi Script" is in the text of the message below and has just been posted to the Black Watch Labs Web site at http://www.perfectotech.com/blackwatchlabs/ Thank you, Black Watch...
PT-2000-1324 · Gossamer Threads · Gossamer Threads Dbman
Name of the Vulnerable Software and Affected Versions: Gossamer Threads DBMan version db.cgi Description: The issue allows remote attackers to view environmental variables and setup information. This is achieved by referencing a non-existing database in the db parameter. Recommendations: For...
CVE-1999-1587
/usr/ucb/ps in Sun Microsystems Solaris 8 and 9, and certain earlier releases, allows local users to view the environment variables and values of arbitrary processes via the -e option...
PT-1999-1002 · Sun Microsystems · Solaris
Name of the Vulnerable Software and Affected Versions: Sun Microsystems Solaris versions 8 and 9, and certain earlier releases Description: The issue is related to insufficient protection of sensitive data in the /usr/ucb/ps component of the Solaris operating system. This allows local users to vi...
CVE-1999-0073
Telnet allows a remote client to specify environment variables including LD_LIBRARY_PATH, allowing an attacker to bypass the normal system libraries and gain root access...
CVE-1999-0073
CVE-1999-0073 describes a vulnerability where a remote Telnet client can specify environment variables, including LD_LIBRARY_PATH, allowing an attacker to bypass normal system libraries and gain root access. The connected Red Hat, CVE, EUVD, and CVE list entries corroborate this description. The ...
unsetenv.txt
o unsetenv off-by-one error: The unsetenv function in glibc 2.1.1 suffers from a problem whereby when running through the environment variables, if the name of the variable being unset is present twice consecutively, the second is not destroyed. unsetenv is sometimes used by programs that depend ...
cron_bof.txt
Subject: Re: RHSA-1999:030-01 Buffer overflow in cron daemon To: [email protected] On Wed, 25 Aug 1999, Bill Nottingham wrote: To the best of our knowledge, no known exploits exist at this time. Also, it was possible to use specially formatted 'MAILTO' environment variables to send comman...
netscape-cache-exploit.txt
Below is source code for the two versions of the Netscape Cache exploit that was recently discovered by Dan Brumleve , as found on his web site at http://www.shout.net/nothing/cache-cow/index.html First version , and then second version listed. -----snip----- !/usr/bin/perl cache-cow.cgi -- Dan...
Solaris 2.5.0/2.5.1 ps / chkey - Data Buffer
cat psexpl.po psexpl.c include include include define BUFLENGTH 632 define EXTRA 256 int mainint argc, char argv char bufBUFLENGTH + EXTRA; / ps will grok this file for the exploit code / char envp="NLSPATH=/tmp/foo",0; ulong longp; uchar charp; / This will vary depending on your libc / ulong...
CVE-1999-0073
Telnet allows a remote client to specify environment variables including LD_LIBRARY_PATH, allowing an attacker to bypass the normal system libraries and gain root access...
PT-1995-1001
Name of the Vulnerable Software and Affected Versions: Telnet (affected versions not specified) Description: The issue allows a remote client to specify environment variables, including LD_LIBRARY_PATH, which can be exploited by an attacker to bypass the normal system libraries and gain root access...
SunOS 4.1.3 - LD_LIBRARY_PATH LD_OPTIONS
SunOS 4.1.3 - LD_LIBRARY_PATH LD_OPTIONS source: https://www.securityfocus.com/bid/43/info There exists a vulnerability involving environment variables and setuid/setgid programs under SunOS 4.0 and higher. A dynamically-linked program that is invoked by a setuid/setgid program has access to the...
SunOS 4.1.3 - LD_LIBRARY_PATH / LD_OPTIONS
source: https://www.securityfocus.com/bid/43/info There exists a vulnerability involving environment variables and setuid/setgid programs under SunOS 4.0 and higher. A dynamically-linked program that is invoked by a setuid/setgid program has access to the caller's LD environmental variables if th...
PT-2014-9085 · Openbsd +10 · Openssh Sshd +11
Name of the Vulnerable Software and Affected Versions: bash versions prior to 4.3 bash-3.0 bash-3.2 bash-4.1.2 bash-4.2.45 bash-debuginfo bash-debuginfo-3.2 bash-debuginfo-4.1.2 bash-debuginfo-4.2.45 bash-debugsource bash-devel bash-doc bash-doc-4.1.2 bash-doc-4.2.45 bash-loadables...