root privileges
II. DESCRIPTION
Remote exploitation of a heap overflow vulnerability in Apple Inc.'s
mDNSResponder application may allow attackers to execute arbitrary code
with root privileges.
The vulnerability exists within the Legacy NAT Traversal code. Unlike
the core of the mDNSResponder service, this area of code does not rely
on Multicast UDP. It listens on a dynamically allocated Unicast UDP
port.
escalation (CVE-2007-4730).
An input validation flaw was found in the X.org server's XFree86-Misc
extension that could allow a malicious authorized client to cause
a denial of service (crash), or potentially execute arbitrary code
with root privileges on the X.org server (CVE-2007-5760).
A flaw was found in the X.org server's XC-SECURITY extension that
could allow a local user to verify the existence of an arbitrary file,
even in directories that are not normally accessible to that user
(CVE-2007-5958).
Description
-----------
Rumpus turns any Mac into a file transfer server.
Rumpus v6.0 contains two buffer overflow vulnerabilities in its HTTP and FTP modules. The first allows an unauthenticated user to crash Rumpus. The latter may result in arbitrary code execution under superuser privilege.
The overflow in the HTTP component is caused by the lack of a boundary check when parsing the HTTP action verb (GET, POST, PUT, etc.). If the verb is exactly 2908 bytes long, the server runs into a segmentation fault and crashes. A manual restart is required. It has been observed that this problem occurs at other verb lengths too. The vulnerability is rated at moderate severity for the loss of service.
The overflow in the FTP component is also caused by the lack of a length check when parsing FTP commands that take an argument, such as ``MKD``, ``XMKD``, ``RMD`` and so on. The overflow occurs when the argument is copied with ``strcpy`` into an internal buffer. This buffer is 1024 bytes long. When the passed-in argument is longer than 1046 bytes, the instruction pointer will be overwritten. This allows a successful attack to run arbitrary code under the privilege of a superuser (root) by default. Though authorization is required to exploit this security bug, the vulnerability is rated at critical severity because the FTP daemon could be allowing anonymous access.
Index Functions Privilege Escalation (CVE-2007-6600): as a unique
feature, PostgreSQL allows users to create indexes on the results of
user-defined functions, known as expression indexes. This provided
two avenues for privilege escalation: (1) index functions were
executed as the superuser and not the table owner during VACUUM and
ANALYZE, and (2) SET ROLE and SET SESSION AUTHORIZATION were
permitted within index functions.
Regular Expression Denial-of-Service (CVE-2007-4772, CVE-2007-6067,
CVE-2007-4769): three separate issues in the regular expression
II. DESCRIPTION
Local exploitation of a stack based buffer overflow vulnerability in
Apple Inc.'s Mac OS X mount_smbfs utility could allow an attacker to
execute arbitrary code with root privileges.
The vulnerability exists in a portion of code responsible for parsing
command line arguments. When processing the -W option, which is used to
specify a workgroup name, the option's argument is copied into a fixed
sized stack buffer without any checks on its length. This leads to a
II. DESCRIPTION
Local exploitation of a buffer overflow vulnerability in the ftp client
of IBM Corp.'s AIX operating system allows attackers to execute
arbitrary code with root privileges.
The problem specifically exists within the domacro() function. This
function is called when executing a macro via the '$' command within
the ftp program. When executing a macro, the parameter is copied to a
fixed size stack buffer using an unbounded call to strcpy(). By
II. DESCRIPTION
Local exploitation of an arbitrary file creation vulnerability in IBM
Corp.'s Advanced Interactive eXecutive (AIX) Operating System allows
attackers to execute arbitrary code with super-user privileges.
This vulnerability exists due to the handling of several environment
variables. The libC.a library will open files as specified by the
"_LIB_INIT_DBG" and "_LIB_INIT_DBG_FILE" variables. The attacker's
"umask" will be honored, allowing them to create world-writable files,
Synopsis
========
Postfix incorrectly checks the ownership of a mailbox, allowing, in
certain circumstances, to append data to arbitrary files on a local
system with root privileges.
Background
==========
Postfix is Wietse Venema's mailer that attempts to be fast, easy to
II. DESCRIPTION
Local exploitation of an untrusted library path vulnerability in the
"ingvalidpw" utility, as included in Ingres Database 2006 Release 2 for
Linux, allows attackers to execute arbitrary code with root privileges.
The vulnerability exists within the "ingvalidpw" utility included with
Ingres database. This utility is used to verify a user's credentials,
and is installed set-uid root. When loading shared libraries, the
"ingvalidpw" program will load libraries from a directory owned by the
> > upon the fact that an asynchronous signal cannot be sent to a suid
> > process by an unprivileged user.
>
> I disagree with you in that. Any hard guarantee can be given only by God.
> I repeat, signals are in general not a reliable information source since they
> can be generated in a couple of ways, even by an unkind superuser :-) .
You cannot protect against the superuser, nor should you even try.
Programs which attempt to evade control by the owner of the hardware
are normally termed "malware".
II. DESCRIPTION
Local exploitation of a stack buffer overflow vulnerability in IBM
Corp.'s AIX operating system may allow an attacker to execute arbitrary
code with root privileges.
The vulnerability exists within the parsing of the '-V' command line
option. The argument to this option is copied into a fixed size stack
buffer using the sprintf() function without properly validating the
length. This leads to an exploitable stack buffer overflow.
II. DESCRIPTION
Local exploitation of a buffer overflow vulnerability in the bellmail
program of IBM Corp.'s AIX operating system allows attackers to execute
arbitrary code with root privileges.
The problem specifically exists within sendrmt function. This function
is called when a user tries to send mail using the "m" command. Within
this function, several sprintf calls are made to concatenate
user-supplied input with static strings. No bounds checking is
Synopsis
========
Multiple vulnerabilities have been found in MIT Kerberos 5, which could
allow a remote unauthenticated user to execute arbitrary code with root
privileges.
Background
==========
MIT Kerberos 5 is a suite of applications that implement the Kerberos
Administration Server of IBM Corp.'s DB2 Universal Database allows
attackers to elevate privileges to root.
This vulnerability exists due to unsafe file access from within the
db2dasrrm program. When a user starts the DAS, the "db2dasrrm" process
is started with root privileges. As part of the initialization, the
"dasRecoveryIndex", "dasRecoveryIndex.tmp", ".dasRecoveryIndex.lock",
and "dasRecoveryIndex.cor" files are created with root privileges. By
removing and re-creating these files as symbolic links, an attacker can
create arbitrary files as root.
II. DESCRIPTION
Remote exploitation of a buffer overflow vulnerability within Samba
Project's Samba could allow an attacker to execute arbitrary code with
root privileges.
This vulnerability exists in a certain function within Samba, where an
attacker could trigger a memory corruption by sending specially crafted
SMB requests resulting in heap memory overwritten with attacker supplied
data, which can allow attackers to execute code remotely.
II. DESCRIPTION
Local exploitation of an integer underflow vulnerability in the dig
program of IBM Corp.'s AIX operating system allows attackers to execute
arbitrary code with root privileges.
The problem specifically exists within dns_name_fromtext function within
the libdns.a library. This function is called when processing the '-y'
command line parameter to the dig program. By supplying a specially
crafted TSIG key parameter, an attacker is able to cause an integer
> - now we take an airplane and parachute guest straight into the
> perimeter of the fence (/proc access)
> - guest can access the house (write the file), because the house has all
> doors unlocked
Pavel required that the superuser have lax directory permissions and
subsequently make them more restrictive, which led to a flurry of
responses about hardlinks, race conditions, etc. My example merely
removed this aspect to demonstrate that it is not a race. In mine,
the directory permissions are 0700 from the start and there are no
races involved.
Service Console package for sudo has been updated to version
sudo-1.6.9p17-3. This fixes the following issue: Sudo versions
1.6.9p17 through 1.6.9p19 do not properly interpret a system group
in the sudoers file during authorization decisions for a user who
belongs to that group, which might allow local users to leverage an
applicable sudoers file and gain root privileges by using a sudo
command.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2009-0034 to this issue.
Asante have released v1.07 of this switch's firmware which removes the "superuser" "asante" CLI credentials. After uploading this firmware into my switch, I examined a TFTP dump and could not identify similar credentials. It does not positively rule in or out that the backdoor is gone, but Asante claim in their notes on the new firmware this back door has been removed.
users can cause a denial of service condition or elevate privileges.
III. ANALYSIS
Exploitation allows attackers to execute arbitrary code with root
privileges. The severity of this vulnerability is lessened by the fact
that under a default configuration, the group id "system" is needed to
execute swcons.
IBM originally released an interim fix on February 22nd, 2007. The
original fix did prevent attackers from being able to overwrite or
local users to trigger a BUG_ON() call in exit_mmap.
CVE-2007-4573
Wojciech Purczynski discovered a vulnerability that can be exploited
by a local user to obtain superuser privileges on x86_64 systems.
This resulted from improper clearing of the high bits of registers
during ia32 system call emulation. This vulnerability is relevant
to the Debian amd64 port as well as users of the i386 port who run
the amd64 linux-image flavour.
Details follow:
Wolfgang M. Reimer discovered that dash, when invoked as a login shell, would
source .profile files from the current directory. Local users may be able to
bypass security restrictions and gain root privileges by placing specially
crafted .profile files where they might get sourced by other dash users.
Updated packages for Ubuntu 8.04 LTS:
Exploitation of this vulnerability allows an attacker to overwrite
arbitrary files owned by the "ingres" user. By itself, this
vulnerability does not have very serious consequences. However, when
combined with the library loading vulnerability, it allows an attacker
to execute arbitrary code with root privileges.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in Ingres
2006 Enterprise Edition Release 2 for Linux x86 (32-bit). Other
When the SQLIDEBUG environment variable is set, several set-uid binaries
will log debugging information to the specified file.
III. ANALYSIS
Exploitation allows local attackers to gain root privileges.
After creating the file, the file's ownership is changed to match the
user and group of the executing user. As such, an attacker could create
files that they own anywhere on the system.
specified when it is executed. The second parameter is a "Trace" file
that this program will open and write to with elevated privileges.
III. ANALYSIS
Exploitation allows local attackers to gain root privileges.
IV. DETECTION
iDefense confirmed the existence of this vulnerability in IBM Corp.'s
Informix Dynamic Server version 10.00 UC6TL installed on a Linux
Workaround:
Explicitly disabling the MACHINE\Administrator (or any
other lsassd local-provider accounts not in use) will
prevent unauthorized access. This may be done by running
the following command as the local superuser. Replace
<MACHINE> with the hostname of the local system:
$ lw-mod-user --disable-user "<MACHINE>\Administrator"
You may verify that the account is disabled by running the
II. DESCRIPTION
Remote exploitation of multiple command injection vulnerabilities in Sun
Microsystems' Java System Active Server Pages allows attackers to
execute arbitrary code with root privileges.
These vulnerabilities exist within several ASP applications that execute
shell commands. The problem lies in the fact that these applications do
not filter or escape the parameters passed to these commands. By
inserting shell meta-characters into an HTTP request, an attacker is
telematics applications." More information is available at
http://www.qnx.com/products/rtos/.
Local exploitation of a buffer overflow vulnerability inside
/usr/photon/bin/phgrafx, included by default in the latest version of
QNX RTOS (6.3.2), could allow an attacker to gain root privileges.
II. Affected Products
Scanit has confirmed the existence of this vulnerability in QNX RTOS
6.3.2 and