78 matches found
CVE-1999-1480
(1) acledit and (2) aclput in AIX 4.3 allow local users to create or modify files via a symlink attack...
HeliSec: StarOffice symlink exploit
= Helios Security and Administration = - Hi everyone, StarOffice creates a temporary directory in /tmp called soffice.tmp, with permissions 0777. Into this directory other temporary files are created, with the format: svZZZZ.tmp, where ZZZZ is a four- or five-digit number. StarOffice not only...
[hacksware]Pine temporary file hijacking vulnerability
Hacksware Bug Report 1. Name: Pine temporary file hijacking vulnerability 2. Release Date: 2000.12.11 3. Affected Application: Pine Version 4.30 or maybe other versions 4. Author: [email protected] 5. Type: Local Race Condition 6. Explanation If pine setting is like following: x...
Slackware Linux /usr/bin/ppp-off Insecure /tmp Call Exploit
Exploit for linux platform in category dos / poc. Slackware Linux /usr/bin/ppp-off Insecure /tmp Call Exploit. #!/bin/sh In SlackWare Linux the script /usr/bin/ppp-off writes the...
CVE-2000-0336
Linux OpenLDAP server allows local users to modify arbitrary files via a symlink attack...
HP-UX 10.20/11.0 - man '/tmp' Symlink
source: https://www.securityfocus.com/bid/1302/info The programmers of the 'man' command on various HPUX releases have made several fatal mistakes that allow an attacker to trivially set a trap that could result in any arbitrary file being overwritten on the system when root runs the 'man' comman...
Flying.txt
Vulnerability: Any user can read any file in the system. title=Flying rev. 6.20 author=Helmut Hoenig system=tested on Redhat 5.2, possibly others [email protected] Grampa Elite Overview: Flying is an X-Windows program I have found installed on Redhat 5.2 that is actually a gateway for...
Linbert.txt
Vulnerability: Any user can overwrite any file in the system. title=Linberto v1.0.2 Q-Bert clone [email protected] Diego Javier Grigna system=Linux, svgalib [email protected] Grampa Elite Overview: Linberto under default installation creates screenshots under the /tmp directory wh...
SCO Unixware 7.1/7.1.1 - ARCserver /tmp Symlink
source: https://www.securityfocus.com/bid/988/info A symlink following vulnerability exists in the ARCserve agent, as shipped with SCO Unixware 7. Upon startup, the asagent program will create several files in /tmp. These are created mode 777, and can be removed and replaced by any user on the...
Debian 2.1 - apcd Symlink
source: https://www.securityfocus.com/bid/958/info A vulnerability exists in the apcd package, as shipped in Debian GNU/Linux 2.1. By sending the apcd process a SIGUSR1, a file will be created in /tmp called upsstat. This file contains information about the status of the APC device. This file is...
CVE-1999-0743
Trn allows local users to overwrite other users' files via symlinks...
unixware.pis.txt
Greetings, OVERVIEW A vulnerability in "/usr/local/bin/pis" on SCO UnixWare will allow any user to create arbitrary files with group "sys" privileges. A full root compromise is then trivial. BACKGROUND As usual, I've only tested UnixWare 7.1. DETAILS By creating a symlink between /tmp/pisdata and...
IBM Network Station Manager 2.0 R1 - Race Condition
IBM Network Station Manager 2.0 R1 - Race Condition // source: https://www.securityfocus.com/bid/900/info IBM's Network Station Manager is a client/server application which facilitates management for IBM Network Stations. It is possible to locally gain root privileges on hosts running the...
IBM Network Station Manager 2.0 R1 - Race Condition
// source: https://www.securityfocus.com/bid/900/info IBM's Network Station Manager is a client/server application which facilitates management for IBM Network Stations. It is possible to locally gain root privileges on hosts running the NetStation daemon. NetStation which runs as root creates...
CVE-1999-0893
userOsa in SCO OpenServer allows local users to corrupt files via a symlink attack...
Solaris 2.5.1 lp lpsched - Symlink
Solaris 2.5.1 lp lpsched - Symlink #!/bin/sh lpNet & temp file exploit: break lp, then use lp priv to break root or bin, etc.... Written by: Chris Sheldon [email protected] Tested on Solaris-2.5.1: SunOS testhost 5.5.1 Generic sun4m sparc SUNW,SPARCstation-20 Caveat: This system is running...
Solaris 2.5.1 lp and lpsched Symlink Vulnerabilities
Exploit for solaris platform in category local exploits. Solaris 2.5.1 lp and lpsched Symlink Vulnerabilities. #!/bin/sh lpNet & temp file exploit: break lp, then use lp priv to break root or bi...
SGI IRIX 6.4 - 'netprint' Local Privilege Escalation
source: https://www.securityfocus.com/bid/395/info A vulnerability exists in the netprint program, shipping with Irix 6.x and 5.x by Silicon Graphics. The netprint program calls the "disable" command via a system call, without specifying an explicit path. Therefore, any program in the path named...