3695 matches found
Mac OS X executes 'recent items' with privileges of foreground application
Overview The "recent items" feature of MacOS X allows users at the console to trivially obtain root privileges. Description MacOS X includes a feature called recent items. Recent Items is a list of documents and applications that have recently been accessed. An application launched from the Recen...
NSI RWhoisd contains format string vulnerability in print_error()
Overview A remotely exploitable format string vulnerability exists in the Referral Whois server daemon RWhoisd. Description As the Internet has grown, the centralized whois database was not able to scale. In order to deal with scaling the whois system, Referral Whois was developed. Referral Whois...
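The following is an added example, not RWhoisd's print_error() code: an error-reporting routine that hands client-supplied text to snprintf as the format string, beside the fixed form. The function names, the "error: " prefix and the probe string are hypothetical.

```c
/* Added example (not RWhoisd code): a print_error()-style routine with a
 * client-controlled format string, beside the hardened form. */
#include <stdio.h>
#include <string.h>

#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
/* VULNERABLE: the untrusted string *is* the format. "%x" directives read
 * stack words back to the client; "%n" writes a byte count to an address
 * taken from the stack, which is what turns a format bug into code execution.
 * Present for contrast only; nothing in this file calls it. */
static int print_error_vuln(char *out, size_t outsz, const char *client_msg)
{
    return snprintf(out, outsz, client_msg);
}
#pragma GCC diagnostic pop

/* HARDENED: a fixed format; the untrusted text is only ever a %s argument. */
static int print_error_safe(char *out, size_t outsz, const char *client_msg)
{
    return snprintf(out, outsz, "error: %s", client_msg);
}

/* Audit aid: count printf conversion directives in untrusted input, treating
 * "%%" as a literal percent. Useful when scanning captured queries or logs;
 * it is not a substitute for the fixed format above. */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" is an escaped percent, skip both */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Returns 1 if the hardened path reproduces a crafted probe verbatim, i.e.
 * the directives were never interpreted. */
static int safe_keeps_probe_literal(void)
{
    char buf[128];
    const char *probe = "%08x.%08x.%08x.%n";   /* constructed probe string */
    print_error_safe(buf, sizeof buf, probe);
    return strcmp(buf, "error: %08x.%08x.%08x.%n") == 0;
}

int main(void)
{
    const char *probe = "%08x.%08x.%08x.%n";
    printf("directives in probe: %d\n", count_directives(probe));
    printf("hardened output literal: %s\n",
           safe_keeps_probe_literal() ? "yes" : "no");
    (void)print_error_vuln;   /* referenced so the compiler keeps it visible */
    return 0;
}
```

The same rule applies to syslog(), fprintf() and any wrapper that forwards a format argument: the only safe way to log attacker-influenced text is behind a literal format with the text as a `%s` argument.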
Air Messenger LAN Server (AMLServer) stores usernames and passwords in plaintext
Overview Air Messenger LAN Server AMLServer stores usernames and passwords in plaintext. Description AMLServer for windows is a paging gateway that allows users on a TCP/IP LAN to communicate with mobile devices such as phones and pagers. Access to AMLServer's services is protected by a user...
OpenSSL PRNG contains design flaw that allows a user to determine internal state and predict future output
Overview The pseudorandom number generator (PRNG) in OpenSSL has a weakness that allows an attacker to determine its internal state and subsequently determine its future output values. Description OpenSSL's PRNG hashes an internal state to produce output values, which are supposed to be pseudorando...
Cisco IOS vulnerable to deferred DoS via SYN scan to certain TCP port ranges
Overview Cisco Internetwork Operating System (IOS) may reload unexpectedly after being scanned on certain ports. Description Certain versions of Cisco IOS contain a vulnerability that allows the router to enter an unstable state after receiving a connection attempt on any TCP port in the following...
Oracle9iAS Web Cache vulnerable to buffer overflow
Overview A remotely exploitable buffer overflow in the Oracle9iAS Web Cache allows intruders to execute arbitrary code or cause the web cache process to hang or exit. Description Defcom Labs has discovered a remotely exploitable buffer overflow vulnerability in the Oracle9iAS Web Cache on all...
SSH CRC32 attack detection code contains remote integer overflow
Overview There is a remote integer overflow vulnerability in several implementations of the SSH1 protocol that allows an attacker to execute arbitrary code with the privileges of the SSH daemon, typically root. Description There is a remote integer overflow vulnerability in several implementation...
RSA Security ACE/Agent for Windows, ACE/Agent for Windows NT, and ACE/Agent for Windows 2000 do not properly handle null characters in URL
Overview RSA Security ACE/Agent for Windows, ACE/Agent for Windows NT, and ACE/Agent for Windows 2000 contain a vulnerability in which the ACE/Agent does not properly handle null characters contained in a URL. A specially crafted request may cause ACE/Agent to enter a debugging mode, possibly...
RSA Security ACE/Agent for Windows, ACE/Agent for Windows NT, and ACE/Agent for Windows 2000 do not properly handle URL encoded characters in URL
Overview RSA Security ACE/Agent for Windows, ACE/Agent for Windows NT, and ACE/Agent for Windows 2000 contain a vulnerability in which the ACE/Agent does not properly handle URL encoded characters contained in a URL. A specially crafted request may bypass authentication and expose the contents of...
Php variables passed from the browser are stored in global context
Overview Php is a dynamic scripting language used by programmers to develop webservers, message boards, chat applications and a variety of programs. By default php stores variables passed from the URL in a global context. Programmers often fail to change this setting which can allow serious...
IBM AIX line printer daemon contains a buffer overflow in send_status()
Overview The Line Printer daemon (lpd) shipped with AIX systems contains a buffer overflow in send_status() that potentially allows a malicious remote user to gain root privileges. Description A buffer overflow exists in the send_status() function of the line printer daemon (lpd) on AIX systems. An intruder...
IBM AIX line printer daemon contains a buffer overflow in kill_print()
Overview The Line Printer daemon (lpd) shipped with AIX systems contains a buffer overflow in kill_print() that potentially allows a malicious remote user to gain root privileges. Description A buffer overflow exists in the kill_print() function of the line printer daemon (lpd) on AIX systems. An intruder...
IBM AIX line printer daemon contains a buffer overflow in chk_fhost()
Overview The Line Printer daemon (lpd) shipped with AIX systems contains a buffer overflow in chk_fhost() that potentially allows a malicious remote user to gain root privileges. Description A buffer overflow exists in the chk_fhost() function of the line printer daemon (lpd) on AIX systems. An intruder cou...
HP-UX vulnerable to buffer overflow in line printer daemon (rlpdaemon) via crafted print request
Overview The line printer daemon rlpdaemon on HP-UX systems enable various clients to share printers over a network. There exists a buffer overflow vulnerability in this daemon that permits remote execution of arbitrary commands with elevated privileges. Description A buffer overflow exists in...
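An added example, not the lpd, rlpdaemon or AIX code, that illustrates the overflow class behind the four lpd entries above and the AIX command-line overflows further down the list: copying a client-supplied hostname into a fixed-size field of a request record, in the unchecked form, the common strncpy pitfall, and the hardened form. The record layout, HOSTLEN and the function names are hypothetical.

```c
/* Added example (not lpd/AIX code): bounded copy of untrusted input into a
 * fixed-size field, vulnerable and hardened forms. */
#include <stdio.h>
#include <string.h>

#define HOSTLEN 64   /* hypothetical field size */

struct request {
    char host[HOSTLEN];
    int  privileged;   /* sits right after host[] in memory */
};

/* VULNERABLE: no length check, so a hostname of HOSTLEN bytes or more runs
 * past host[] into privileged and whatever follows it (saved registers,
 * return address). Shown for contrast; never called with long input here. */
static void set_host_vuln(struct request *r, const char *src)
{
    strcpy(r->host, src);
}

/* PITFALL: strncpy() bounds the write but does not NUL-terminate when the
 * source is too long, so the next "%s" read runs off the end of the buffer.
 * Returns 1 if the copy ended up terminated. */
static int strncpy_terminates(const char *src)
{
    char buf[8];
    strncpy(buf, src, sizeof buf);
    return memchr(buf, '\0', sizeof buf) != NULL;
}

/* HARDENED: measure without walking past the limit, refuse what does not fit
 * (silently truncating a hostname changes its meaning), always terminate. */
static int set_host_safe(struct request *r, const char *src)
{
    size_t n = 0;
    while (n < HOSTLEN && src[n] != '\0')
        n++;
    if (n >= HOSTLEN)
        return -1;
    memcpy(r->host, src, n + 1);   /* n + 1 includes the terminator */
    return 0;
}

/* Returns 1 if a normal hostname is accepted and stored intact. */
static int demo_normal_accepted(void)
{
    struct request r = { "", 0 };
    return set_host_safe(&r, "printer.example.net") == 0 &&
           strcmp(r.host, "printer.example.net") == 0 && r.privileged == 0;
}

/* Returns 1 if a 300-byte hostname (constructed) is refused and the adjacent
 * field is untouched. */
static int demo_long_hostname_rejected(void)
{
    struct request r = { "", 0 };
    char longname[300];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    return set_host_safe(&r, longname) == -1 && r.privileged == 0;
}

int main(void)
{
    printf("normal name accepted: %s\n", demo_normal_accepted() ? "yes" : "no");
    printf("300-byte name rejected: %s\n", demo_long_hostname_rejected() ? "yes" : "no");
    printf("strncpy of 10 chars into 8 bytes terminated: %s\n",
           strncpy_terminates("ABCDEFGHIJ") ? "yes" : "no");
    (void)set_host_vuln;   /* referenced so the compiler keeps it visible */
    return 0;
}
```

The same pattern covers the AIX digest, setclock, setsenv, enq, nslookup and portmir entries below: each is a setuid command copying an argument or environment value into a fixed buffer without this check.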
lpd hostname authentication bypassed with spoofed DNS
Overview The line printer daemon enables various clients to share printers over a network. There exists a flaw in the authentication method in this daemon that permits remote access to the server. Description A vulnerability exists in the line printer daemon lpd shipped with the lpr package for...
lpd allows options to be passed to sendmail
Overview The line printer daemon enables various clients to share printers over a network. There exists a vulnerability in this daemon that permits an intruder to send options to sendmail. Description The line printer daemon enables various clients to share printers over a network. There exists a...
Cisco PIX Firewall Manager stores enable password in plain text
Overview A vulnerability exists in the way the Cisco PIX Firewall Manager stores authentication credentials, which could allow local attackers to gain read access to the enable password for the Cisco PIX Firewall. Description The PIX Firewall Manager (PFM) is a software package designed to allow...
OpenView Network Node Manager contains vulnerability allowing for privilege escalation
Overview The HP Network Node Manager contains a vulnerability that may allow an attacker to gain elevated privileges. Description The Network Node Manager is a networked systems software management package distributed by Hewlett-Packard. A vulnerability in this software package may allow an...
Cisco IOS vulnerable to denial of service via Cisco Discovery Protocol
Overview The Cisco IOS contains a denial-of-service vulnerability that allows nearby remote attackers to crash or temporarily disable affected network devices. Description The Cisco Internetwork Operating System (IOS) contains a vulnerability in its processing of Cisco Discovery Protocol (CDP) packet...
SCO OpenServer/UnixWare vi creates temporary files insecurely
Overview The implementation of vi, a text editor, provided with SCO Openunix creates insecure temporary files with predictable names. Using a symbolic link attack, an intruder can overwrite any file writable by the user of vi. Description vi is a screen-oriented text editor. The implementation...
diffutils sdiff creates temporary files insecurely
Overview diffutils, a set of utilities distributed with many versions of linux, contains a utility called sdiff, which creates temporary files of predictable names in an insecure fashion. Using a symbolic link attack, an intruder can cause overwrite of any file writable by the user executing sdif...
Redhat Linux diskcheck.pl creates predictable temporary file and fails to check for existing symbolic link of same name
Overview Diskcheck.pl is a Perl script, part of Red Hat's PowerTools suite, that alerts a system administrator if any file system approaches capacity. In creating email alerts, diskcheck.pl creates insecure temporary files in a world-writable directory, which may permit an attacker to corrupt any...
Microsoft PowerPoint and Excel fail to properly detect macros thereby automatically executing malicious code via crafted document (MS01-050)
Overview A malformed Microsoft Excel or PowerPoint document can bypass macro checking thereby allowing arbitrary code to be run on the target system. Description Microsoft Excel and PowerPoint scan documents when they are opened and check for the existence of macros. If the document contains...
Check Point VPN-1/FireWall-1 4.1 on Nokia IPXXX firewall appliance retransmits original packets
Overview A vulnerability in Check Point VPN-1/FireWall-1 running on Nokia IPXXX Appliances can allow an attacker to pass traffic allowed by the security policy through the firewall while retaining the external untranslated destination IP address. Description Nokia IPXXX Appliances are security...
Solaris rpc.yppasswdd does not adequately check input allowing users to execute arbitrary code
Overview A remotely exploitable buffer overflow exists in the rpc.yppasswdd service on Solaris 2.6, 2.7, and 2.8. Description Network Information Service (NIS) provides a simple network lookup service consisting of databases and processes. Its purpose is to provide information, that has to be know...
Common Desktop Environment (CDE) ToolTalk RPC Server rpc.ttdbserverd contains format string vulnerability
Overview A vulnerability exists in CDE ToolTalk that may allow a remote attacker to execute arbitrary code with root privileges. Description Internet Security Systems (ISS) X-Force has discovered a format string vulnerability in the Common Desktop Environment (CDE) ToolTalk Remote Procedure Call (RPC)...
mgetty creates temporary files insecurely
Overview mgetty, a replacement for getty designed to support modem and fax use, creates files of a predictable name in a world-writable directory without checking for the prior existence or ownership of the file. Using a symbolic link attack, an intruder might cause the overwrite of arbitrary fil...
getty_ps creates temporary files insecurely
Overview getty_ps is an open-source software package designed to support logons to the console and terminals. Some implementations create temporary files insecurely with predictable names, leading to corruption of arbitrary files via symbolic link attack. Description Under certain circumstances,...
IBM AIX digest buffer overflow in filename argument to command
Overview There is a buffer overflow in the digest command that may allow a local attacker to gain root privileges. Description The digest command is intended to be run by the qdaemon to generate a binary version of the queue configuration daemon information stored in /etc/qconfig. The digest...
IBM AIX setclock buffer overflow in remote timeserver argument
Overview There is a buffer overflow in the IBM AIX setclock command that may allow local attackers to gain root privileges. Description The setclock command sets the system's clock from a remote time server. This command contains a buffer overflow in the handling of the remote timeserver hostname...
Weaknesses in the SSH protocol simplify brute-force attacks against passwords typed in an existing SSH session
Overview There is a vulnerability in the SSH protocol that can simplify brute force attacks against passwords typed within an existing SSH session. Description Researchers at the University of California at Berkeley have determined that by monitoring the delays between SSH packets transmitted...
IBM AIX setsenv buffer overflow
Overview There is a buffer overflow in the IBM AIX setsenv command that may allow local attackers to gain root privileges. Description The setsenv command is used to set protected state environment variables. There is a buffer overflow in a variable value parameter to the setsenv command on IBM A...
IBM AIX enq buffer overflow in -M argument
Overview There is a buffer overflow in the enq command that may allow a local attacker to gain root privileges. Description The enq command is used to add entries to a queue, usually for printing. There is a buffer overflow in the -M argument to the enq command. --- Impact An attacker with access...
Apache web server performs case sensitive filtering on Mac OS X HFS+ case insensitive filesystem
Overview The Apache 1.3.14 web server's file access protection scheme can be bypassed for the Mac OS X HFS+ filesystem. Description The Apache web server's file access protection scheme (i.e., file request "filtering") assumes that the filesystem being protected is case sensitive. For example, in a...
Sun Solaris catman creates temporary files insecurely
Overview catman, the unix manual display utility, creates insecure temporary files with predictable names in a world-writable directory. Since catman executes with system administration privileges, a symbolic link attack could overwrite arbitrary files. Description There is a vulnerability in...
Microsoft Windows Index Server discloses sensitive configuration information via crafted request to SQLQHit.asp sample application
Overview Microsoft Windows Index Server ships with an optional sample package. A component of this package, SQLQHit.asp, can disclose sensitive information when sent crafted requests. Description The Microsoft Windows Index Server ships with optional sample files. While these files should never b...
ISC inn creates temporary files insecurely
Overview inn, a network news agent, may be configured on some operating systems to use a publicly-writable directory for its temporary files. This may be exploited to gain access to the news account. Description inn is distributed on a variety of Linux platforms. The program is written under t...
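An added example, not code from any of the packages listed, that serves the temporary-file entries on this page (vi, sdiff, diskcheck.pl, mgetty, getty_ps, catman and inn): the predictable-name-plus-O_TRUNC pattern they share, beside an open that refuses a pre-planted symlink. The demo stages the race in a private scratch directory under /tmp created with mkdtemp(3), so nothing world-writable is touched; the victim file, the "sdiff12345" name and the function names are constructed for the example.

```c
/* Added example (not vi/sdiff/catman/inn code): symlink attack on a
 * predictable temporary file, vulnerable and hardened open() calls. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* VULNERABLE: predictable name, created with O_TRUNC and without O_EXCL.
 * If an attacker has already placed a symlink at that name, open() follows
 * it and truncates the link's target with the caller's privileges. */
static int open_tmp_vuln(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* HARDENED: O_EXCL makes open() fail if anything, a symlink included, is
 * already at the name; O_NOFOLLOW refuses to traverse a symlink as the final
 * component. mkstemp(3) supplies the unpredictable name on top of this. */
static int open_tmp_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Stage the attack in a private scratch directory (constructed here; a real
 * attack uses a world-writable one). Plant a symlink at the predictable temp
 * name pointing at a victim file, then try both opens. Returns 1 if the
 * hardened open refuses and leaves the victim intact while the vulnerable
 * open truncates it; 0 on any setup failure. */
static int demo_symlink_attack(void)
{
    char dir[] = "/tmp/tmprace-XXXXXX";
    char victim[256], link[256];
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/sdiff12345", dir);   /* "predictable" name */

    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "important\n", 10) != 10) {
        if (fd >= 0) close(fd);
        return 0;
    }
    close(fd);
    if (symlink(victim, link) != 0)   /* the attacker wins the race */
        return 0;

    int safe_fd = open_tmp_safe(link);
    int refused = safe_fd < 0 && (errno == EEXIST || errno == ELOOP);
    if (safe_fd >= 0) close(safe_fd);
    long after_safe = file_size(victim);

    int vuln_fd = open_tmp_vuln(link);
    if (vuln_fd >= 0) close(vuln_fd);
    long after_vuln = file_size(victim);

    unlink(link);
    unlink(victim);
    rmdir(dir);
    return refused && after_safe == 10 && after_vuln == 0;
}

int main(void)
{
    printf("symlink attack demo: %s\n",
           demo_symlink_attack()
               ? "hardened open refused; vulnerable open truncated the target"
               : "setup failed");
    return 0;
}
```

When the file must be created by a privileged process in a shared directory, the combination that holds up is: unpredictable name (mkstemp), O_EXCL so an existing entry is an error rather than a target, and O_NOFOLLOW as belt-and-braces; checking with stat() or access() before the open reintroduces the race.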
Beck GmbH IPC@Chip TelnetD service ships with inadequately protected default account
Overview There is a vulnerability in the Beck IPC@CHIP that may allow an attacker to gain access to the device. Description The Beck IPC@CHIP is a single chip embedded webserver. This device also contains a telnet server that ships with an account named "Default". This account essentially grants...
IBM AIX nslookup buffer overflow in lex routines
Overview There is a problem with the nslookup program related to the handling of long strings. Description This problem is reported to be the result of incorrect bounds checking on the part of the lex routines used in nslookup. This vulnerability is mentioned in an IBM advisory as being exploited...
Web-based email services' filtering systems vulnerable to malicious script execution
Overview An attacker can send a specially crafted email message to a victim containing malicious scripting (JavaScript, VBScript, JScript, etc.), or potentially HTML. When a victim views the message with scripting enabled, the victim's browser will interpret this script, which can lead to...
Hewlett-Packard HP-UX Software Distributor (SD-UX) contains vulnerability permitting privilege escalation
Overview HP9000 Series 700/800 running HP-UX releases 10.01, 10.10, 10.20 and 11.00 are affected by a buffer overflow in Hewlett-Packard's HP-UX Software Distributor SD-UX. A local user can exploit this vulnerability to gain elevated privileges. Description Several applications in SD-UX contain...
IBM AIX nslookup fails to drop root privileges
Overview The nslookup command fails to drop privileges, allowing local attackers to gain root privileges. Description The nslookup program fails to drop the privileges it gains from being setuid. This access appears to be needed to read the "/etc/resolv.conf" file. This problem was described in I...
IBM AIX nslookup buffer overflow in hostname to lookup
Overview There is a buffer overflow in nslookup that will allow local attackers to gain root privileges on vulnerable AIX systems. Description The nslookup command contains a buffer overflow in the hostname to lookup, allowing local attackers to gain root privileges. The vendor IBM has reported...
AOLServer contains buffer overflow in ParseAuth()
Overview AOLServer versions 3.3.0 and earlier contain an exploitable buffer overflow. This can lead to arbitrary execution of code on the system. Description AOLServer is a free open source web server. It was originally written by America Online AOL, and is currently developed and maintained by A...
Beck GmbH IPC@Chip FtpD allows an attacker to gain access to the device
Overview There is a vulnerability in the Beck IPC@CHIP that allows an attacker to gain access to the device. Description The Beck IPC@CHIP is a single chip embedded webserver. This device also contains an ftp server that is configured by default to allow anonymous access. Additionally, the device...
IBM AIX portmir buffer overflow
Overview There is a buffer overflow vulnerability in the AIX portmir command that may allow local attackers to gain root privileges. Description There is a buffer overflow in the AIX portmir command. This problem was described in IBM ERS security bulletin: ERS-SVA-E01-1997:006.1. --- Impact...
Beck GmbH IPC@Chip TelnetD vulnerable to brute-force password attack
Overview There is a vulnerability in the Beck IPC@CHIP that may allow an attacker to gain access to the device. Description The Beck IPC@CHIP is a single chip embedded webserver. This device contains a telnet server that "leaks information". That is, when an attacker connects to the telnet daemon...
IBM AIX portmir vulnerable to buffer overflow via echo_error
Overview There is a buffer overflow in the IBM AIX portmir command that may allow local users to gain root privileges. Description There is a buffer overflow in the echo_error routine of the IBM AIX portmir command. An attacker may be able to corrupt lock files in the "/etc/locks" directory. ---...
Taylor UUCP Package fails to properly filter command line arguments
Overview Several Linux/Unix systems ship with a utility package called Taylor UUCP. A component of the UUCP package, uuxqt, fails to properly filter arguments from the commands sent to it. This can allow an intruder to gain elevated privileges and execute commands with the privileges of uucp,...
Default installations of the Lotus Domino web server disclose system information via HTTP headers
Overview The default configuration of the Lotus Domino web server discloses system characteristics to anonymous remote users. Description The default configuration of the Lotus Domino web server discloses system information in the HTTP headers it returns to a web browser. If these headers are...