A serious vulnerability has been found in IRIX telnetd which can give remote root access to any IRIX 6.2-6.5.8[m,f] system. The vulnerability occurs when one of the environment variables contains a format string which is passed on to the syslog() function. Proof of concept exploit included (updated version - compiler and little endian fixes). Fix available here.
The $from bug is in the horde library file 'horde.lib' (on Debian systems installed in /usr/share/horde/lib/horde.lib), in line 1108, belonging to the function "mailfrom". In this file there is a call to "popen" with an unchecked "from:" line as argument. Bug found and exploited by Jens "atomi" Steube, fixed and documented by Christian "thepoet" Winter.
WebSite Pro is a web server for Win95/98/NT platforms. The vulnerability (or bad server administration) allows any user to create arbitrary files with arbitrary text on the victim machine from an Internet web browser. In a default installation, any user can create or upload files to the victim machine running a vulnerable version of WebSite Pro. The problem is bad "protection access" on the main directories of the machine.
Packet Storm new exploits for August, 2000.
/usr/sbin/dmplay local exploit for Irix 6.2 and 6.3.
Win2k IIS remote exploit - Retrieves files using the Translate: f bug.
Microsoft Outlook date header remote exploit - executes an arbitrary command on the machine reading mail when new mail is downloaded. Tested against Windows 98, 2000, and NT. Includes Delphi source.
/usr/lib/InPerson/inpview local exploit for Irix 6.5 and 6.5.8.
/usr/sbin/eject local exploit for Irix 6.2.
libxt.so HOME environment variable local buffer overflow exploit for Irix 6.2 and 6.3.
/sbin/pset local exploit for Irix 6.2 and 6.3.
/usr/sbin/gr_osview local exploit for Irix 6.2 and 6.3.
libc.so NLSPATH local exploit for Irix 6.2.
libgl.so HOME environment variable local exploit for Irix 6.2.
/usr/lib/iaf/scheme (login) local exploit for Irix 5.3.
libxaw.so inputmethod local exploit for Irix 6.2.
/usr/bin/mail local exploit for Irix 6.2 and 6.3.
Irix 6.3/6.2 /usr/bin/X11/xlock local buffer overflow exploit.
Irix 6.2/5.3 named iquery remote root buffer overflow exploit. Spawns a bindshell.
Autofsd remote buffer overflow exploit for Irix 6.4 and 6.5.
Irix 6.5/6.4/6.3/6.2 arrayd remote buffer overflow exploit as described in CA-99-09-arrayd.txt.
SGI objectserver "export" exploit - Remotely adds new entry to the export list on the IRIX system. See our SGI objectserver "account" exploit for more information. Only directories that aren't supersets of already exported ones can be added to the export list.
rpc.ttdbserverd remote root exploit for Irix 5.2, 5.3, 6.2, 6.3, 6.4, 6.5, and 6.5.2.
/usr/bin/lp local root exploit for Solaris 2.7 x86.
libc.so LC_MESSAGES local exploit for Solaris 2.7 x86.