CVE-2004-0564

CVE-2004-0564 concerns rp-pppoe (pppoe) when the rp-pppoe package is configured to run setuid root. The description states that if rp-pppoe is installed or configured to operate with setuid root contrary to its design, local users can overwrite arbitrary files. Several connected sources (SUSE and...

CVE-2004-0564

Roaring Penguin pppoe rp-ppoe, if installed or configured to run setuid root contrary to its design, allows local users to overwrite arbitrary files. NOTE: the developer has publicly disputed the claim that this is a vulnerability because pppoe "is NOT designed to run setuid-root." Therefore this...

CVE-2004-0564

Roaring Penguin pppoe rp-ppoe, if installed or configured to run setuid root contrary to its design, allows local users to overwrite arbitrary files. NOTE: the developer has publicly disputed the claim that this is a vulnerability because pppoe "is NOT designed to run setuid-root." Therefore this...

binfmt_elf.txt

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Synopsis: Linux kernel binfmtelf loader vulnerabilities Product: Linux kernel Version: 2.4 up to to and including 2.4.27, 2.6 up to to and including 2.6.8 Vendor: http://www.kernel.org/ URL: http://isec.pl/vulnerabilities/isec-0017-binfmtelf.txt CVE:...

Linux ELF loader vulnerabilities

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Synopsis: Linux kernel binfmtelf loader vulnerabilities Product: Linux kernel Version: 2.4 up to to and including 2.4.27, 2.6 up to to and including 2.6.8 Vendor: http://www.kernel.org/ URL: http://isec.pl/vulnerabilities/isec-0017-binfmtelf.txt CVE:...

RHEL 2.1 / 3 : cyrus-sasl (RHSA-2004:546)

Updated cyrus-sasl packages that fix a setuid and setgid application vulnerability are now available. Updated 7th October 2004 Revised cryus-sasl packages have been added for Red Hat Enterprise Linux 3; the patch in the previous packages broke interaction with ldap. The cyrus-sasl package contain...

Important: Red Hat Security Advisory: cyrus-sasl security update

Updated cyrus-sasl packages that fix a setuid and setgid application vulnerability are now available. Updated 7th October 2004 Revised cryus-sasl packages have been added for Red Hat Enterprise Linux 3; the patch in the previous packages broke interaction with ldap. The cyrus-sasl package contain...

mpg123 -- buffer overflow in URL handling

Carlos Barros reports that mpg123 contains two buffer overflows. These vulnerabilities can potentially lead to execution of arbitrary code. The first buffer overflow can occur when mpg123 parses a URL with a user-name/password field that is more than 256 characters long. This problem can be...

Debian DSA-086-1 : ssh-nonfree - remote root exploit

We have received reports that the 'SSH CRC-32 compensation attack detector vulnerability' is being actively exploited. This is the same integer type error previously corrected for OpenSSH in DSA-027-1. OpenSSH the Debian ssh package was fixed at that time, but ssh-nonfree and ssh-socks were not...

Debian DSA-463-1 : samba - privilege escalation

Samba, a LanManager-like file and printer server for Unix, was found to contain a vulnerability whereby a local user could use the 'smbmnt' utility, which is setuid root, to mount a file share from a remote server which contained setuid programs under the control of the user. These programs could...

Debian DSA-364-3 : man-db - buffer overflows, arbitrary command execution

man-db provides the standard man1 command on Debian systems. During configuration of this package, the administrator is asked whether man1 should run setuid to a dedicated user 'man' in order to provide a shared cache of preformatted manual pages. The default is for man1 NOT to be setuid, and in...

Debian DSA-472-1 : fte - several vulnerabilities

Steve Kemp and Jaguar discovered a number of buffer overflow vulnerabilities in vfte, a version of the fte editor which runs on the Linux console, found in the package fte-console. This program is setuid root in order to perform certain types of low-level operations on the console. Due to these...

Debian DSA-299-1 : leksbot - improper setuid-root execution

Maurice Massar discovered that, due to a packaging error, the program /usr/bin/KATAXWR was inadvertently installed setuid root. This program was not designed to run setuid, and contained multiple vulnerabilities which could be exploited to gain root privileges. %NASLMINLEVEL 70300 C Tenable Netwo...

Debian DSA-310-1 : xaos - improper setuid-root execution

XaoS, a program for displaying fractal images, is installed setuid root on certain architectures in order to use svgalib, which requires access to the video hardware. However, it is not designed for secure setuid execution, and can be exploited to gain root privileges. In these updated packages,...

Debian DSA-034-1 : ePerl - remote root exploit

Fumitoshi Ukai and Denis Barbier have found several potential buffer overflow bugs in our version of ePerl as distributed in all of our distributions. When eperl is installed setuid root, it can switch to the UID/GID of the scripts owner. Although Debian doesn't ship the program setuid root, this...

CVE-2003-1052

IBM DB2 7.1 and 8.1 allow the bin user to gain root privileges by modifying the shared libraries that are used in setuid root programs...

bsd/x86 execve /bin/sh setuid (0) 29 bytes

No description provided by source. / BSD version FreeBSD, OpenBSD, NetBSD. [email protected] 29 bytes. -setuid0; -execve/bin/sh; / char shellcode= "\x31\xc0" // xor %eax,%eax "\x50" // push %eax "\xb0\x17" // mov $0x17,%al "\x50" // push %eax "\xcd\x80" // int $0x80 "\x50" // push %eax...

freebsd/x86 kldload /tmp/o.o 74 bytes

Exploit for freebsd/x86 platform in category shellcode ===================================== freebsd/x86 kldload /tmp/o.o 74 bytes ===================================== / The kldload shellcode setuid0 loads /tmp/o.o kernel module Size 74 bytes OS FreeBSD /rootteam/dev0id www.sysworld.net...

bsd/x86 - execve /bin/sh setuid 0 29 bytes

bsd/x86 execve /bin/sh setuid 0 29 bytes. Shellcode exploit for bsdx86 platform / BSD version FreeBSD, OpenBSD, NetBSD. [email protected] 29 bytes. -setuid0; -execve/bin/sh; / char shellcode= "\x31\xc0" // xor %eax,%eax "\x50" // push %eax "\xb0\x17" // mov $0x17,%al "\x50" // push %eax...

os-x/PPC setuid(0) + execve /bin/sh 88 bytes

Exploit for os-x/ppc platform in category shellcode ============================================ os-x/PPC setuid0 + execve /bin/sh 88 bytes ============================================ / PPC OSX/Darwin Shellcode by B-r00t. 2003. Does setuid0; execve/bin/sh; exit0; See ASM below. 88 Bytes. / char...