xshisen -- local buffer overflows

Steve Kemp has found buffer overflows in the handling of the command line flag -KCONV and the XSHISENLIB environment variable. Ulf Härnhammer has detected an unbounded copy from the GECOS field to a char array. All overflows can be exploited to gain group games privileges...

CVE-2004-1028

Untrusted execution path vulnerability in chcod on AIX IBM 5.1.0, 5.2.0, and 5.3.0 allows local users to execute arbitrary programs by modifying the PATH environment variable to point to a malicious "grep" program, which is executed from chcod...

CVE-2004-1054

Untrusted execution path vulnerability in invscout in IBM AIX 5.1.0, 5.2.0, and 5.3.0 allows local users to gain privileges by modifying the PATH environment variable to point to a malicious "uname" program, which is executed from lsvpd after lsvpd has been invoked by invscout...

CVE-2004-1329

Untrusted execution path vulnerability in the diag commands 1 lsmcode, 2 diagexec, 3 invscout, and 4 invscoutd in AIX 5.1 through 5.3 allows local users to execute arbitrary programs by modifying the DIAGNOSTICS environment variable to point to a malicious Dctrl program...

CVE-2004-2490

Buffer overflow in IBM Informix Dynamic Server IDS 9.40.xC1 and 9.40.xC2 allows local users to execute arbitrary code via a long GLPATH environment variable...

Solaris 2.6/7/8/9 (SPARC) - 'ld.so.1' Local Privilege Escalation

/ $Id: raptorldpreload.c,v 1.1 2004/12/04 14:44:38 raptor Exp $ raptorldpreload.c - ld.so.1 local, Solaris/SPARC 2.6/7/8/9 Copyright c 2003-2004 Marco Ivaldi Stack-based buffer overflow in the runtime linker, ld.so.1, on Solaris 2.6 through 9 allows local users to gain root privileges via a long...

Solaris 7/8/9 CDE LibDTHelp - Local Buffer Overflow (1)

/ $Id: raptorlibdthelp.c,v 1.1 2004/12/04 14:44:38 raptor Exp $ raptorlibdthelp.c - libDtHelp.so local, Solaris/SPARC 7/8/9 Copyright c 2003-2004 Marco Ivaldi Buffer overflow in CDE libDtHelp library allows local users to execute arbitrary code via a modified DTHELPUSERSEARCHPATH environment...

Solaris 7/8/9 CDE LibDTHelp - Local Buffer Overflow (2)

/ $Id: raptorlibdthelp2.c,v 1.1 2004/12/04 14:44:38 raptor Exp $ raptorlibdthelp2.c - libDtHelp.so local, Solaris/SPARC 7/8/9 Copyright c 2003-2004 Marco Ivaldi Buffer overflow in CDE libDtHelp library allows local users to execute arbitrary code via a modified DTHELPUSERSEARCHPATH environment...

Solaris 789 CDE LibDTHelp - Local Buffer Overflow (1)

Solaris 789 CDE LibDTHelp - Local Buffer Overflow 1 / $Id: raptorlibdthelp.c,v 1.1 2004/12/04 14:44:38 raptor Exp $ raptorlibdthelp.c - libDtHelp.so local, Solaris/SPARC 7/8/9 Copyright c 2003-2004 Marco Ivaldi Buffer overflow in CDE libDtHelp library allows local users to execute arbitrary code...

CVE-2004-1028

Untrusted execution path vulnerability in chcod on AIX IBM 5.1.0, 5.2.0, and 5.3.0 allows local users to execute arbitrary programs by modifying the PATH environment variable to point to a malicious "grep" program, which is executed from chcod...

CVE-2004-1054

CVE-2004-1054 – IBM AIX invscout Local Command Execution involves a local privilege escalation in invscout on AIX 5.1.0/5.2.0/5.3.0 where an untrusted PATH can cause a malicious binary named ‘uname’ to be used by lsvpd, allowing an attacker to gain root. The attack relies on not dropping privileg...

CVE-2004-1329

Untrusted execution path vulnerability in the diag commands 1 lsmcode, 2 diagexec, 3 invscout, and 4 invscoutd in AIX 5.1 through 5.3 allows local users to execute arbitrary programs by modifying the DIAGNOSTICS environment variable to point to a malicious Dctrl program...

AIX 5.1 5.3 - paginit Local Stack Overflow

AIX 5.1 5.3 - paginit Local Stack Overflow / exploit for /usr/bin/paginit tested on: AIX 5.2 if the exploit fails it's because the shellcode ends up at a different address. use dbx to check, and change RETADDR accordingly. cees-bart / define RETADDR 0x2ff22c90 char shellcode = "\x7c\xa5\x2a\x79"...

IBM AIX 5.x - 'Diag' Local Privilege Escalation

source: https://www.securityfocus.com/bid/12041/info diag is reported prone to a local privilege escalation vulnerability. This issue is due to a failure of certain diag applications to properly implement security controls when executing an application specified by the 'DIAGNOSTICS' environment...

Solaris 7/8/9 CDE libDtHelp - Buffer Overflow Non-Exec Stack Privilege Escalation

Solaris 7/8/9 CDE libDtHelp - Buffer Overflow Non-Exec Stack Privilege Escalation. CVE-2003-0834. Local exploit for Solaris platform / $Id: raptorlibdthelp2.c,v 1.1 2004/12/04 14:44:38 raptor Exp $ raptorlibdthelp2.c - libDtHelp.so local, Solaris/SPARC 7/8/9 Copyright c 2003-2004 Marco Ivaldi...

Solaris 7/8/9 CDE libDtHelp - Buffer Overflow dtprintinfo Privilege Escalation

Solaris 7/8/9 CDE libDtHelp - Buffer Overflow dtprintinfo Privilege Escalation. CVE-2003-0834. Local exploit for Solaris platform / $Id: raptorlibdthelp.c,v 1.1 2004/12/04 14:44:38 raptor Exp $ raptorlibdthelp.c - libDtHelp.so local, Solaris/SPARC 7/8/9 Copyright c 2003-2004 Marco Ivaldi Buffer...

Aspell (word-list-compress) - Command Line Stack Overflow

Aspell word-list-compress - Command Line Stack Overflow / Fuck private exploits . Fuck iranian hacking and security !! teams who are just some fucking kiddies. Fuck all "Security money makers" word-list-compress local exploit - SECU Coded by : c0d3r / root . razavi1366atyahoodotcom...

CVE-2004-1033

Fcron 2.0.1, 2.9.4, and possibly earlier versions leak file descriptors of open files, which allows local users to bypass access restrictions and read fcron.allow and fcron.deny via the EDITOR environment variable...

CVE-2004-0318

Load Sharing Facility LSF 4.x, 5.x, and 6.x uses the LSFEAUTHUID environment variable, if it exists, instead of the real UID of the user, which could allow remote attackers within the local cluster to gain privileges...

CVE-2004-0238

Multiple buffer overflows in Overkill 0verkill 0.15pre3 might allow local users to execute arbitrary code in the client via a long HOME environment variable in the 1 loadcfg and 2 savecfg functions; possibly allow remote attackers to execute arbitrary code via long strings to 3 the sendmessage...