Exim 4.42 - Local Privilege Escalation

!/bin/sh Local Lame R00T sploit for exim include int mainint argc, char argv char addrptr; addrptr = getenvargv1; printf"%s @ %p\n", argv1, addrptr; return 0; gcc @env.c -o @env cp @env /usr/bin cd /usr/exim/bin CODE=perl -e 'print...

CVE-2004-1391

The CVE-2004-1391 entry concerns the PPPoE daemon (PPPoEd) in QNX RTP 6.1, where an untrusted execution path allows local users to execute arbitrary programs by manipulating the PATH environment variable to reference a malicious mount program. This describes a local-privilege problem rooted in PA...

CVE-2003-1053

Multiple buffer overflows in XShisen allow attackers to execute arbitrary code via a long 1 -KCONV command line option or 2 XSHISENLIB environment variable...

CVE-2005-0113

inpview in SGI IRIX allows local users to execute arbitrary commands via the SUNTTSESSIONCMD environment variable, which is executed by inpview without dropping privileges...

CVE-2003-1053

Multiple buffer overflows in XShisen allow attackers to execute arbitrary code via a long 1 -KCONV command line option or 2 XSHISENLIB environment variable...

xshisen -- local buffer overflows

Steve Kemp has found buffer overflows in the handling of the command line flag -KCONV and the XSHISENLIB environment variable. Ulf Härnhammer has detected an unbounded copy from the GECOS field to a char array. All overflows can be exploited to gain group games privileges...

CVE-2004-1054

Untrusted execution path vulnerability in invscout in IBM AIX 5.1.0, 5.2.0, and 5.3.0 allows local users to gain privileges by modifying the PATH environment variable to point to a malicious "uname" program, which is executed from lsvpd after lsvpd has been invoked by invscout...

CVE-2004-1028

Untrusted execution path vulnerability in chcod on AIX IBM 5.1.0, 5.2.0, and 5.3.0 allows local users to execute arbitrary programs by modifying the PATH environment variable to point to a malicious "grep" program, which is executed from chcod...

CVE-2004-1329

Untrusted execution path vulnerability in the diag commands 1 lsmcode, 2 diagexec, 3 invscout, and 4 invscoutd in AIX 5.1 through 5.3 allows local users to execute arbitrary programs by modifying the DIAGNOSTICS environment variable to point to a malicious Dctrl program...

CVE-2004-2490

Buffer overflow in IBM Informix Dynamic Server IDS 9.40.xC1 and 9.40.xC2 allows local users to execute arbitrary code via a long GLPATH environment variable...

Solaris 7/8/9 CDE LibDTHelp - Local Buffer Overflow (2)

/ $Id: raptorlibdthelp2.c,v 1.1 2004/12/04 14:44:38 raptor Exp $ raptorlibdthelp2.c - libDtHelp.so local, Solaris/SPARC 7/8/9 Copyright c 2003-2004 Marco Ivaldi Buffer overflow in CDE libDtHelp library allows local users to execute arbitrary code via a modified DTHELPUSERSEARCHPATH environment...

Solaris 2.6/7/8/9 (SPARC) - 'ld.so.1' Local Privilege Escalation

/ $Id: raptorldpreload.c,v 1.1 2004/12/04 14:44:38 raptor Exp $ raptorldpreload.c - ld.so.1 local, Solaris/SPARC 2.6/7/8/9 Copyright c 2003-2004 Marco Ivaldi Stack-based buffer overflow in the runtime linker, ld.so.1, on Solaris 2.6 through 9 allows local users to gain root privileges via a long...

Solaris 789 CDE LibDTHelp - Local Buffer Overflow (1)

Solaris 789 CDE LibDTHelp - Local Buffer Overflow 1 / $Id: raptorlibdthelp.c,v 1.1 2004/12/04 14:44:38 raptor Exp $ raptorlibdthelp.c - libDtHelp.so local, Solaris/SPARC 7/8/9 Copyright c 2003-2004 Marco Ivaldi Buffer overflow in CDE libDtHelp library allows local users to execute arbitrary code...

Solaris 7/8/9 CDE LibDTHelp - Local Buffer Overflow (1)

/ $Id: raptorlibdthelp.c,v 1.1 2004/12/04 14:44:38 raptor Exp $ raptorlibdthelp.c - libDtHelp.so local, Solaris/SPARC 7/8/9 Copyright c 2003-2004 Marco Ivaldi Buffer overflow in CDE libDtHelp library allows local users to execute arbitrary code via a modified DTHELPUSERSEARCHPATH environment...

CVE-2004-1054

CVE-2004-1054 – IBM AIX invscout Local Command Execution involves a local privilege escalation in invscout on AIX 5.1.0/5.2.0/5.3.0 where an untrusted PATH can cause a malicious binary named ‘uname’ to be used by lsvpd, allowing an attacker to gain root. The attack relies on not dropping privileg...

CVE-2004-1028

Untrusted execution path vulnerability in chcod on AIX IBM 5.1.0, 5.2.0, and 5.3.0 allows local users to execute arbitrary programs by modifying the PATH environment variable to point to a malicious "grep" program, which is executed from chcod...

CVE-2004-1329

Untrusted execution path vulnerability in the diag commands 1 lsmcode, 2 diagexec, 3 invscout, and 4 invscoutd in AIX 5.1 through 5.3 allows local users to execute arbitrary programs by modifying the DIAGNOSTICS environment variable to point to a malicious Dctrl program...

AIX 5.1 5.3 - paginit Local Stack Overflow

AIX 5.1 5.3 - paginit Local Stack Overflow / exploit for /usr/bin/paginit tested on: AIX 5.2 if the exploit fails it's because the shellcode ends up at a different address. use dbx to check, and change RETADDR accordingly. cees-bart / define RETADDR 0x2ff22c90 char shellcode = "\x7c\xa5\x2a\x79"...

IBM AIX 5.x - 'Diag' Local Privilege Escalation

source: https://www.securityfocus.com/bid/12041/info diag is reported prone to a local privilege escalation vulnerability. This issue is due to a failure of certain diag applications to properly implement security controls when executing an application specified by the 'DIAGNOSTICS' environment...

Solaris 7/8/9 CDE libDtHelp - Buffer Overflow dtprintinfo Privilege Escalation

Solaris 7/8/9 CDE libDtHelp - Buffer Overflow dtprintinfo Privilege Escalation. CVE-2003-0834. Local exploit for Solaris platform / $Id: raptorlibdthelp.c,v 1.1 2004/12/04 14:44:38 raptor Exp $ raptorlibdthelp.c - libDtHelp.so local, Solaris/SPARC 7/8/9 Copyright c 2003-2004 Marco Ivaldi Buffer...