1110 matches found
IRIX 6.5.x inpview Race Condition Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/1530/info Certain versions of IRIX ship with a version of inpview that creates files in '/var/tmp/' in an insecure manner and is therefore prone to a race condition. InPerson's 'inpview' is a networked multimedia...
Mozilla Firefox <= 1.5.0.4 - Javascript Navigator Object Code Execution PoC
No description provided by source. Firefox <= 1.5.0.4 Javascript navigator Object Code Execution PoC http://browserfun.blogspot.com/ The following bug mfsa2006-45 was tested on the Firefox 1.5.0.4 running on Windows 2000 SP4, Windows XP SP4, and a recently updated Gentoo Linux system. This bug...
freebsd/x86 chown 0:0 , chmod 6755 & execve /tmp/sh 44 bytes
No description provided by source. / FreeBSD shellcode chown/tmp/sh, 0, 0; chmod/tmp/sh, 06755; 44 bytes Claes M. Nyberg 20020209 / / void mainvoid asm xor %eax, %eax eax = 0 pushl %eax string ends with NULL pushl $0x68732f2f push 'hs//' //sh pushl...
DataLynx suGuard 1.0 Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/186/info A vulnerability exists within the DataLynx's suGuard program which allows a local attacker to gain administrative privilege by exploiting poor use of the /tmp directory and poor programming. !/bin/sh sgrun exploi...
LPRng 3.6.x Failure To Drop Supplementary Groups Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/2865/info The LPRng software is an enhanced, extended, and portable implementation of the Berkeley LPR print spooler functionality. When the LPRng daemon is initialized, it fails to drop its supplementary groups. As a...
Tarantella Enterprise 3 gunzip Race Condition Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/3966/info Tarantella Enterprise 3 is vulnerable to a race condition during the installation process. During installation, a root owned binary is created in /tmp the directory specified by the $TMPDIR environment variable...
RedHat Linux 6.1 i386 Tmpwatch Recursive Write DoS Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/1664/info Any user with write access to /tmp or /var/tmp can induce tmpwatch to cause Red Hat and others running tmpwatch from cron to stop responding, and possibly require a hard reboot. This is accomplished by creating ...
linux/x86 cp /bin/sh /tmp/katy ; chmod 4555 katy 126 bytes
No description provided by source. / Linux/x86 /bin/cp /bin/sh /tmp/katy ; chmod 4555 /tmp/sh using fork / include stdio.h char shellcode = \xeb\x5e\x5f\x31\xc0\x88\x47\x07\x88\x47\x0f\x88\x47\x19\x89\x7f \x1a\x8d\x77\x08\x89\x77\x1e\x31\xf6\x8d\x77\x10\x89\x77\x22\x89...
SUSE 7.0 KFM Insecure TMP File Creation Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/2629/info KFM is the KDE File Manager, included with version 1 of the KDE base package in most Linux installations. KFM is designed as a graphical, easily navigated interface to the Linux Filesystem. A problem with KFM...
HP-UX 11.0 net.init RC Script Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/1602/info A vulnerability exists in HP-UX, from Hewlett Packard, under certain configurations. Version 11.0 is confirmed to have this problem; other versions may also be susceptible. If the CLEARTMP option in...
Siemens Reliant UNIX 5.4 ppd -T Race Condition Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/2606/info Reliant Unix is a variant of the UNIX Operating System distributed by Fujitsu-Siemens. Reliant Unix is a scalable UNIX Operating system designed for use on Siemens servers. A problem in the operating system coul...
VladTheEnterprising Gem for Ruby /tmp/my.cnf.#{target_host} Symlink Multiple Impact
VladTheEnterprising Gem for Ruby contains a flaw as the program creates temporary files insecurely. It is possible for a local attacker to use a symlink attack against the /tmp/my.cnf.#{target_host} file to overwrite arbitrary files, gain access to the MySQL root password, or inject arbitrary...
ciborg Gem for Ruby default.rb /tmp/perlbrew-installer Local Symlink File Overwrite
ciborg Gem for Ruby contains a flaw as default.rb creates temporary files insecurely. It is possible for a local attacker to use a symlink attack against the /tmp/perlbrew-installer file to cause the program to unexpectedly overwrite an arbitrary file...
Chkrootkit 0.49 - Local Privilege Escalation
We just found a serious vulnerability in the chkrootkit package, which may allow local attackers to gain root access to a box in certain configurations (/tmp not mounted noexec). The vulnerability is located in the function slapper in the shellscript chkrootkit: SLAPPER.A,B,C,D and the multi-platfo...
CVE-2014-4039
ppc64-diag 2.6.1 uses 0775 permissions for /tmp/diagSEsnap and does not properly restrict permissions for /tmp/diagSEsnap/snapH.tar.gz, which allows local users to obtain sensitive information by reading files in this archive, as demonstrated by /var/log/messages and /etc/yaboot.conf...
CVE-2014-4038
ppc64-diag 2.6.1 allows local users to overwrite arbitrary files via a symlink attack related to (1) rtaserrd/diagsupport.c and /tmp/getdtfiles, (2) scripts/ppc64diagmkrsrc and /tmp/diagSEsnap/snapH.tar.gz, or (3) lpd/test/lpdelatest.sh and /var/tmp/ras...
[oss-security] Re: CVE request: PHP configure script and Lynis tool /tmp/ issues reported on full disclosure
39 if "$OS" = "AIX" ; then 40 TMPFILE=/tmp/lynis.$$ We can make a CVE assignment corresponding to your disclosure of this lynis.$$ issue on oss-security. Use CVE-2014-3982. A CVE for this most likely won't or shouldn't have a...
[oss-security] CVE request: multiple /tmp races in ppc64-diag
Just quoting from our bug report: As noted in the SUSE bug report, numerous /tmp race conditions exist in ppc64-diag, in particular: rtaserrd/diagsupport.c:233: char command="/usr/bin/find /proc/device-tree -name status -print /tmp/getdtfiles"; rtaserrd/diagsupport.c:241: fp1 =...