418 matches found
Netscape FastTrack Server 2.0.1a - GET Buffer Overflow
// source: https://www.securityfocus.com/bid/908/info The version of Netscape FastTrack server that ships with UnixWare 7.1 is vulnerable to a remote buffer overflow. By default, the httpd listens on port 457 of the UnixWare host and serves documentation via http. If you pass the server a GET...
CVE-2000-0003
Buffer overflow in UnixWare rtpm program allows local users to gain privileges via a long environmental variable...
unixware.rtpm.txt
Greetings, OVERVIEW Any local users can exploit a bug in rtpm to gain "sys" privileges. A root compromise is then trivial. BACKGROUND As usual, I've only tested UnixWare 7.1, all others should be assumed vulnerable. UnixWare has a slightly different system of managing the password database than...
unixware.pis.txt
Greetings, OVERVIEW A vulnerability in "/usr/local/bin/pis" on SCO UnixWare will allow any user to create arbitrary files with group "sys" privileges. A full root compromise is then trivial. BACKGROUND As usual, I've only tested UnixWare 7.1. DETAILS By creating a symlink between /tmp/pisdata and...
unixware.netstation.txt
Greetings, OVERVIEW A vulnerability in IBM's Network Station Manager will allow any local user to gain root privileges. BACKGROUND Though I only tested NetStation on UnixWare 7.1, I would imagine that this vulnerability is present on most NetStation implementations. This daemon is installed/runni...
CVE-2000-0029
UnixWare pis and mkpis commands allow local users to gain privileges via a symlink attack...
i2odialogd.txt
Greetings, OVERVIEW Anyone can gain remote root access to a UnixWare 7.1 system by exploiting a vulnerability in the i2odialogd daemon. This daemon is installed and running by default. BACKGROUND I've only tested UnixWare 7.1. OpenServer doesn't feature this particular daemon, so it is not...
SCO Unixware 7.1 - i2odialogd Remote Buffer Overflow
// source: https://www.securityfocus.com/bid/876/info UnixWare is a variant of the Unix operating system originally written by SCO, and distributed and maintained by Caldera. i2odialogd is a daemon which provides a front-end for controlling the...
SCO Unixware 7.1 - i2odialogd Remote Buffer Overflow
// source: https://www.securityfocus.com/bid/876/info UnixWare is a variant of the Unix operating system originally written by SCO, and distributed and maintained by Caldera. i2odialogd is a daemon which provides a front-end for controlling the i2o subsystem. It is shipped with SCO Unixware and...
SCO UnixWare i2odialogd daemon Username Authorization String Overflow
If a user sends a too long login/password combination to this i2odialogd server, then he will overflow the server's buffers. An attacker can use this flaw to execute arbitrary code on the remote system. (C) Tenable Network Security, Inc. Based on G2 server exploit Original exploit code : see...
CVE-2000-0026
Buffer overflow in UnixWare i2odialogd daemon allows remote attackers to gain root access via a long username/password authorization string...
SCO Unixware 7.0/7.0.1/7.1/7.1.1 - Privileged Program Debugging
// source: https://www.securityfocus.com/bid/869/info Unixware's security model includes the concept of privileges. These can be assigned to processes and allow them to perform tasks that otherwise could only be performed by the root user. They allow programs to run with the minimum required...
SCO Unixware 7.0/7.0.1/7.1/7.1.1 - Privileged Program Debugging
// source: https://www.securityfocus.com/bid/869/info Unixware's security model includes the concept of privileges. These can be assigned to processes and allow them to perform tasks that otherwise could only be performed by the root...
unixware7.fundamental.txt
OVERVIEW A flaw in SCO UnixWare's security model will allow any user to gain root, read system files, etc. RANT I'm sure many of you are wondering what the response from the people from SCO has been regarding all of these UnixWare problems. Nil. First, a little background. Back when I began my...
unixware7.mail.txt
Greetings, OVERVIEW Any user can read/modify others' mail. BACKGROUND Only UnixWare 7.1 was tested. DETAILS Imagine my surprise when I saw that /var/mail was mode 777. As such, any user may create a file called /var/mail/ with a mode readable by him and trap all incoming mail. Afraid of getting...
unixware.pkg.txt
Greetings, OVERVIEW Any user may read any file on the system. BACKGROUND Only UnixWare 7.1 has been tested. DETAILS As previously stated, UnixWare binaries gain additional privileges via standard suid/sgid AND /etc/security/tcb/privs. The majority of the UnixWare "pkg" command, such as pkginfo,...
SCO Unixware 7.1 pkgcat - Local Buffer Overflow
// source: https://www.securityfocus.com/bid/853/info It is possible to view the entries in /etc/shadow through exploiting a buffer overflow in pkgcat and pkginstall. Though neither of these binaries are setuid, the dacread permissions which are granted in /etc/security/tcb/privs give them the...
SCO Unixware 7.1 pkginstall - Local Buffer Overflow
// source: https://www.securityfocus.com/bid/853/info It is possible to view the entries in /etc/shadow through exploiting a buffer overflow in pkgcat and pkginstall. Though neither of these binaries are setuid, the dacread permissions which are...
SCO Unixware 7.1 pkgcat - Local Buffer Overflow
// source: https://www.securityfocus.com/bid/853/info It is possible to view the entries in /etc/shadow through exploiting a buffer overflow in pkgcat and pkginstall. Though neither of these binaries are setuid, the dacread permissions which are...
SCO Unixware 7.1 pkginstall - Local Buffer Overflow
// source: https://www.securityfocus.com/bid/853/info It is possible to view the entries in /etc/shadow through exploiting a buffer overflow in pkgcat and pkginstall. Though neither of these binaries are setuid, the dacread permissions which are granted in /etc/security/tcb/privs give them the...