Summary
=======
A vulnerability exists in the Cisco Unified Customer Voice Portal (CVP)
where an authenticated user can create, modify, or delete a superuser
account. Cisco has released free software updates that address this
vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080521-cvp.shtml.
combinations of environment variables, an attacker is able to create or
append to arbitrary files on the system.
III. ANALYSIS
Exploitation allows local attackers to gain root privileges.
In at least one case, the attacker's umask will be honored when creating
files. In this case, the attacker could create world-writable root-owned
files anywhere on the system. By targeting specific system files, such
as /etc/ld.so.preload or various cron data file locations, an attacker
Abstract
------------------------------------------------------------------------
The PulseAudio binary is affected by a local race condition. If the
binary is installed as SUID root, it is possible to exploit this
vulnerability to gain root privileges. This attack requires that a local
attacker can create hard links on the same hard disk partition on which
PulseAudio is installed (i.e. /usr/bin and /tmp reside on the same
partition).
------------------------------------------------------------------------
I. Background
The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges. It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.
The host's jail rc.d(8) script can be used to start and stop jails
automatically on system boot/shutdown.
Versions of the Cisco Application Velocity System (AVS) prior to
software version AVS 5.1.0 do not prompt users to modify system account
passwords during the initial configuration process. Because there is no
requirement to change these credentials during the initial configuration
process, an attacker may be able to leverage the accounts that have
default credentials, some of which have root privileges, to take full
administrative control of the AVS system.
After upgrading to software version AVS 5.1.0, users will be prompted to
modify these credentials.
II. DESCRIPTION
Local exploitation of a buffer overflow vulnerability in the crontab
program of IBM Corp.'s AIX 5.2 operating system allows attackers to
execute arbitrary code with root privileges.
The problem specifically exists within the main function. While
processing command line arguments, the crontab program will copy a
user-supplied argument to a fixed size BSS (data segment) buffer. Since
no bounds checking is performed, it's possible to overwrite a large
allows world-writable directories to be created anywhere on the file
system.
III. ANALYSIS
Exploitation allows local attackers to gain root privileges.
In order to execute arbitrary code, an attacker could create a
world-writable locale directory. By creating a specially crafted
localized message file, the attacker can cause a format string of their
choosing to be passed to a function in the printf(3) family. Using known
These vulnerabilities are due to insufficient checking being performed
while handling files with elevated privileges. In each case, a race
condition exists between a check to see if an existing file is a
symbolic link and modifying it. By quickly and repeatedly removing and
recreating the file as a symbolic link, an attacker could modify
arbitrary files with root privileges.
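The check-then-modify race described above (and the hard-link variant used against PulseAudio, and the world-writable root-owned files mentioned under the umask note) comes down to one mistake: making a security decision on a path and then acting on the path again. The following is an added C example, not code from any of the advisories; it replays the race deterministically in a scratch directory under /tmp (the directory name, the "victim"/"scratch" file names and the function names are this example's own), showing the lstat-then-open pattern being beaten and the open-then-fstat replacement refusing both a symlink and a hard link:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Step 1 of the vulnerable pattern: a check that looks at the *path*. */
static int racy_check_not_symlink(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0 && !S_ISLNK(st.st_mode);
}

/* Step 2 of the vulnerable pattern: open by path.  Nothing ties this open()
 * to what lstat() saw, so a symlink dropped in between is followed. */
static int racy_open(const char *path)
{
    return open(path, O_WRONLY | O_APPEND);
}

/* Hardened replacement.  O_NOFOLLOW makes a symlink at the final component
 * fail outright; fstat() then inspects the object actually opened and rejects
 * anything that is not a regular file, has more than one link (the hard-link
 * variant) or is not owned by the expected user.  No path-based decision is
 * left to race. */
int safe_open_for_write(const char *path, uid_t expected_owner)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != expected_owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

static int create_empty(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Plays the race in a scratch directory (constructed for this example) and
 * reports the outcome as a bitmask:
 *   1  hardened open accepts the genuine regular file
 *   2  racy check/open pair follows the swapped-in symlink and writes into
 *      "victim" (standing in for a root-owned target such as /etc/passwd)
 *   4  hardened open refuses that same symlink
 *   8  hardened open refuses a hard link to the victim (st_nlink == 2)
 * 15 means every step behaved as the advisory text describes. */
int demo_race_outcomes(void)
{
    char dir[] = "/tmp/symrace-XXXXXX";
    if (!mkdtemp(dir))
        return -1;
    char victim[64], scratch[64], hard[64];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(scratch, sizeof scratch, "%s/scratch", dir);
    snprintf(hard, sizeof hard, "%s/hard", dir);
    if (create_empty(victim) < 0 || create_empty(scratch) < 0)
        return -1;

    int result = 0, fd;
    fd = safe_open_for_write(scratch, getuid());
    if (fd >= 0) { result |= 1; close(fd); }

    /* The privileged program passes its check ... */
    int passed = racy_check_not_symlink(scratch);
    /* ... and the attacker wins the window: rm scratch; ln -s victim scratch */
    unlink(scratch);
    if (symlink(victim, scratch) < 0)
        return -1;

    if (passed && (fd = racy_open(scratch)) >= 0) {
        struct stat st;
        if (write(fd, "pwned\n", 6) == 6 && stat(victim, &st) == 0 &&
            st.st_size == 6)
            result |= 2;                 /* victim was modified */
        close(fd);
    }
    if (safe_open_for_write(scratch, getuid()) < 0)
        result |= 4;
    if (link(victim, hard) == 0 && safe_open_for_write(hard, getuid()) < 0)
        result |= 8;

    unlink(hard); unlink(scratch); unlink(victim); rmdir(dir);
    return result;
}
```

The ownership and link-count checks are what make the hard-link case fail: the attacker can create a link to a root-owned file in a directory they control, but cannot make that link the file's only name.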
III. ANALYSIS
Exploitation allows local attackers to gain root privileges.
attacker control. Additionally, the files to be executed or loaded are
located in a directory under attacker control.
III. ANALYSIS
Exploitation allows local attackers to gain root privileges.
In cases where programs are executed, an attacker need only create a
specially crafted environment and file structure. In cases where a
library is loaded, creating a library containing a specially crafted
initialization section is sufficient.
Synopsis
========
A buffer overflow in dhclient as included in the ISC DHCP
implementation allows for the remote execution of arbitrary code with
root privileges.
Background
==========
ISC DHCP is the reference implementation of the Dynamic Host
II. DESCRIPTION
Local exploitation of multiple buffer overflow vulnerabilities in the
'ftp' program, as included with IBM Corp.'s AIX operating system, allow
an attacker to execute arbitrary code with root privileges.
These vulnerabilities exist due to several calls to the gets() function.
The gets() function is a deprecated C library function used to read data
from standard input into a buffer. This function provides no way to
specify the maximum size of the buffer being read into, and therefore
II. DESCRIPTION
Remote exploitation of a file creation vulnerability in Sun
Microsystems' Java System Active Server Pages allows attackers to
execute arbitrary code with root privileges.
The vulnerability exists within a file included by several ASP
applications. This file provides a function that will write the
contents contained within its first parameter to a file specified by
its second parameter. Several ASP applications allow an attacker to
II. DESCRIPTION
Local exploitation of an untrusted library path vulnerability in
multiple products distributed by VMware Inc. could allow an attacker to
execute arbitrary code with root privileges.
The Linux version of VMware products include a program called
'vmware-authd', which is installed set-uid root. When this program is
executed, it reads configuration options from the executing user's
VMware configuration file. One such option allows the user to specify
http://ibm.com/db2/
II. DESCRIPTION
Local exploitation of a library loading vulnerability in IBM Corp.'s DB2
Universal Database could allow attackers to gain root privileges.
When the DB2INSTANCE environment variable is set, the libdb2 library
will use the corresponding user's directory in place of the DB2
instance directory. This allows an unprivileged local user to control
the directory structure on which several set-uid root binaries operate.
Problem Description:
An input validation flaw was found in the X.org server's XFree86-Misc
extension that could allow a malicious authorized client to cause
a denial of service (crash), or potentially execute arbitrary code
with root privileges on the X.org server (CVE-2007-5760).
A flaw was found in the X.org server's XC-SECURITY extension that
could allow a local user to verify the existence of an arbitrary file,
even in directories that are not normally accessible to that user
(CVE-2007-5958).
II. DESCRIPTION
Local exploitation of a directory traversal vulnerability within the
pkgadd program distributed with SCO Group Inc's UnixWare operating
system allows attackers to gain root privileges.
By setting an environment variable to a value containing directory
traversal sequences, such as "../", an attacker can cause the program
to create or append to arbitrary files on the system.
Index Functions Privilege Escalation (CVE-2007-6600): as a unique
feature, PostgreSQL allows users to create indexes on the results of
user-defined functions, known as "expression indexes". This provided
two vulnerabilities to privilege escalation: (1) index functions were
executed as the superuser and not the table owner during VACUUM and
ANALYZE, and (2) that SET ROLE and SET SESSION AUTHORIZATION were
permitted within index functions. Both of these holes have now been closed.
Regular Expression Denial-of-Service (CVE-2007-4772, CVE-2007-6067,
CVE-2007-4769): three separate issues in the regular expression
II. DESCRIPTION
Local exploitation of an arbitrary library loading vulnerability in the
'pioout' program, as included with IBM Corp.'s AIX operating system,
allows an attacker to execute arbitrary code with root privileges.
The vulnerability exists due to the application loading an arbitrary
shared library provided by the attacker, without dropping privileges.
Using the -R command line argument, an attacker can specify a shared
library used to parse data coming from the printer.
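The vmware-authd, DB2INSTANCE and pioout -R cases above, the exec/library-loading case ("a directory under attacker control"), and the pkgadd "../" traversal share one root cause: a set-uid program took a path from its caller's environment or command line and used it without asking who controls it. The following is an added C example, not code from any of these products; its function names and the scratch directory under /tmp are this example's own. It shows the three checks such a program needs: ignore the variable when privileges differ (the condition glibc's secure_getenv() applies), confine the value to absolute, traversal-free paths, and load only files that are regular, owned by the trusted uid and not group/world writable:

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* A set-uid program must treat its environment as attacker input.  Return
 * NULL whenever real and effective ids differ; this is the test glibc's
 * secure_getenv() performs, spelled out so the condition is visible. */
const char *privileged_getenv(const char *name)
{
    if (getuid() != geteuid() || getgid() != getegid())
        return NULL;
    return getenv(name);
}

/* Accept only absolute paths with no ".." component, so a value cannot
 * climb out of the directory it is meant to name (the pkgadd case). */
int path_is_confined(const char *path)
{
    if (!path || path[0] != '/')
        return 0;
    const char *p = path;
    while (*p) {
        while (*p == '/') p++;
        const char *start = p;
        while (*p && *p != '/') p++;
        if (p - start == 2 && start[0] == '.' && start[1] == '.')
            return 0;
    }
    return 1;
}

/* A file is acceptable as code or configuration for a privileged process
 * only if it is a regular file (lstat: symlinks are rejected, not followed),
 * owned by the trusted uid, and not writable by group or others.  This is
 * the property the -R / DB2INSTANCE / vmware config loads never verified. */
int is_trusted_file(const char *path, uid_t trusted_uid)
{
    struct stat st;
    if (lstat(path, &st) < 0 || !S_ISREG(st.st_mode))
        return 0;
    if (st.st_uid != trusted_uid)
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* Exercises is_trusted_file() on constructed files in a scratch directory.
 * Bitmask: 1 = mode 0644 file owned by us accepted, 2 = world-writable file
 * rejected, 4 = symlink to the good file rejected.  Expected: 7. */
int demo_trusted_file_checks(void)
{
    char dir[] = "/tmp/trustdemo-XXXXXX";
    if (!mkdtemp(dir))
        return -1;
    char good[64], bad[64], lnk[64];
    snprintf(good, sizeof good, "%s/plugin.so", dir);
    snprintf(bad, sizeof bad, "%s/world.so", dir);
    snprintf(lnk, sizeof lnk, "%s/link.so", dir);

    mode_t old = umask(0);               /* so the 0666 mode really sticks */
    int fd = open(good, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd >= 0) close(fd);
    fd = open(bad, O_WRONLY | O_CREAT | O_EXCL, 0666);
    if (fd >= 0) close(fd);
    umask(old);
    symlink(good, lnk);

    int r = 0;
    if (is_trusted_file(good, getuid()))  r |= 1;
    if (!is_trusted_file(bad, getuid()))  r |= 2;
    if (!is_trusted_file(lnk, getuid()))  r |= 4;

    unlink(lnk); unlink(bad); unlink(good); rmdir(dir);
    return r;
}
```

In a real set-uid binary the trusted uid is 0 and the default directory is compiled in; the environment value, if honoured at all, should only ever select among files that already pass is_trusted_file().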
need to be adjusted after applying this update.
Exim no longer runs alternate configuration files specified with the -C
option as root. The new /etc/exim4/trusted_configs file can be used to
override this new behaviour. Files listed in trusted_configs and owned by
root will be run with root privileges when using the -C option.
In addition, Exim no longer runs as root when the -D option is used. Macro
definitions that require root privileges should now be placed in trusted
configuration files.
Synopsis
========
Two vulnerabilities have been found in MIT Kerberos 5, which could allow
a remote unauthenticated user to execute arbitrary code with root
privileges.
Background
==========
MIT Kerberos 5 is a suite of applications that implement the Kerberos
stack-stored execution control structures resulting in arbitrary code
execution.
III. ANALYSIS
Exploitation allows local attackers to gain root privileges.
Non-executable memory technology such as PaX, DEP, exec-shield, or other
NX or XD technology, can help prevent exploitation of this type of
vulnerability.
Synopsis
========
Multiple vulnerabilities in MIT Kerberos 5 might allow remote
unauthenticated users to execute arbitrary code with root privileges.
Background
==========
MIT Kerberos 5 is a suite of applications that implement the Kerberos
II. DESCRIPTION
Local exploitation of a stack buffer overflow vulnerability in IBM
Corp.'s AIX operating system may allow an attacker to execute arbitrary
code with root privileges.
The vulnerability exists within the parsing of the '-p' command line
option. The argument to this option is copied into a fixed size stack
buffer using the sprintf() function without properly validating the
length. This leads to an exploitable stack buffer overflow.
II. DESCRIPTION
Local exploitation of a stack-based buffer overflow vulnerability in the
'capture' program, as included with IBM Corp.'s AIX operating system,
allows an attacker to execute arbitrary code with root privileges.
The vulnerability exists within the code that parses terminal control
sequences. A long series of control sequences will trigger an
exploitable stack-based buffer overflow.
Therefore it is trivial to patch the client software to pass the
authentication.
Furthermore with every "authentication" attempt to the server the attacker
gains knowledge of the administrative password.
The password for the "SuperUser" is sent from the TSA server to the client in
cleartext in the following way:
Name=SuperUser Password=072 175 173 176 173 177 181
II. DESCRIPTION
Local exploitation of a format string vulnerability in the srsexec
binary, optionally included in Sun Microsystems Inc.'s Solaris 10,
allows attackers to execute arbitrary code with root privileges.
The vulnerability exists since attacker supplied data is passed directly
to the syslog() function as the format string. This allows an attacker
to overwrite arbitrary memory with arbitrary data, and can result in
the execution of arbitrary code with root privileges.
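The srsexec flaw above, and the earlier localized-message case (a format string from an attacker-supplied catalog reaching the printf(3) family), are the same bug seen from two sides: attacker data becomes the format string. The following is an added C example, not code from either product; the function names are this example's own. It shows the vulnerable syslog() call next to its one-line fix, and then the check a program that loads translated message strings needs, namely that a translation's conversion specifiers match the original's exactly:

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Vulnerable shape from the srsexec advisory: attacker data *is* the format
 * string.  "%n" writes to memory; "%x" and "%s" read the stack.  Shown for
 * contrast only; never call it with untrusted input. */
void log_event_unsafe(const char *attacker_controlled)
{
    syslog(LOG_INFO, attacker_controlled);   /* format string = user data */
}

/* Fix: a constant format; the data is only ever a %s argument. */
void log_event_safe(const char *attacker_controlled)
{
    syslog(LOG_INFO, "%s", attacker_controlled);
}

/* Extract the conversion characters of a printf-style format, skipping
 * flags, width, precision, length modifiers and positional "$", and
 * treating "%%" as a literal.  Stores up to cap characters in out (out may
 * be NULL to count only) and returns how many conversions were found. */
size_t format_conversions(const char *fmt, char *out, size_t cap)
{
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                        /* literal percent */
        while (*p && strchr("-+ #0123456789.*hlLqjzt$", *p))
            p++;
        if (!*p)
            break;                           /* dangling '%' at end */
        if (out && n < cap)
            out[n] = *p;
        n++;
    }
    return n;
}

/* A translated message from a locale catalog is trusted as code by
 * printf().  Accept a translation only if its conversions are exactly those
 * of the original, in the same order; a catalog in a world-writable locale
 * directory cannot then smuggle in extra %n / %x / %s directives. */
int translation_is_safe(const char *original, const char *translated)
{
    char a[32], b[32];
    size_t na = format_conversions(original, a, sizeof a);
    size_t nb = format_conversions(translated, b, sizeof b);
    if (na != nb || na > sizeof a)
        return 0;
    return memcmp(a, b, na) == 0;
}

/* Catalog lookup that falls back to the original string when the
 * translation fails the check, so the program keeps working but never
 * hands an unvetted format to printf(). */
const char *safe_gettext(const char *original, const char *translated)
{
    return translation_is_safe(original, translated) ? translated : original;
}
```

Compilers flag the unsafe call (-Wformat-security); the check is worth enabling as an error in any privileged code base, since the %s fix is mechanical once the call site is found.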
Hello,
Following up on our conversations, I am sharing with you further details of this vulnerability. These problems have been confirmed in 220 bx series of DSL modems and are also present in a number of other modems.
1. The modems have accounts besides "admin" which have super-user [root, uid=gid=0] access. These accounts are "nobody", "user", "support". At the time of modem installation, Airtel staff usually asks the subscriber to change his/her "admin" password on the modem - but people rarely do [can be verified by logging in using default admin password on random airtel modem IPs]. The passwords for (and even the existence of) the other accounts are not revealed.
2. These accounts have their passwords set to the same simple crackable [using JtR] value across _all_ modems. Worse yet, the passwords are available as javascript variables in clear text in the HTML UI for changing passwords. They are apparently there for user input validation (is the old password correct?). Using these passwords, one can log in as super-user on _any_ airtel modem provided to subscribers.
II. DESCRIPTION
Local exploitation of a buffer overflow vulnerability in IBM Corp.'s AIX
operating system 'pioout' program allows attackers to execute arbitrary
code with root privileges.
The vulnerability exists due to insufficient input validation when
copying user-supplied data to a fixed-size buffer. By passing a long
string as a command line option, an attacker can cause an exploitable
buffer overflow.
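The AIX crontab, ftp, capture and pioout advisories, and the '-p' option overflow, all describe the same shape: a user-controlled string copied into a fixed-size buffer (BSS or stack) by strcpy(), gets() or sprintf() with no bound. The following is an added C example, not code from AIX or any of these programs; the function names and the constructed 200-byte input are this example's own. It shows the unbounded copy beside replacements that make "too long" a detectable condition rather than memory corruption, including the case gets() can never handle, a line longer than the buffer:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define ARG_BUF 64

/* The vulnerable shape: a fixed-size BSS buffer, as in crontab, filled with
 * no length check.  Anything longer than ARG_BUF-1 runs off the end.  Kept
 * only to show the pattern; never call it with untrusted input. */
static char g_arg[ARG_BUF];
void copy_arg_unchecked(const char *arg)
{
    strcpy(g_arg, arg);                      /* no bound */
}

/* Replacement: refuse (rather than silently truncate) anything that does
 * not fit, so an over-long option cannot be misparsed either. */
int copy_arg_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n = strnlen(src, dstsz);
    if (n == dstsz) { errno = E2BIG; return -1; }   /* no NUL within dstsz */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Replacement for gets(): fgets() with an explicit size, plus handling of a
 * line longer than the buffer.  The remainder is drained so it cannot be
 * read back as the next command.  Returns 1 for a complete line, 0 for a
 * truncated one, -1 on EOF with nothing read. */
int read_line_bounded(char *buf, size_t bufsz, FILE *in)
{
    if (!fgets(buf, (int)bufsz, in))
        return -1;
    size_t len = strlen(buf);
    if (len && buf[len - 1] == '\n') { buf[len - 1] = '\0'; return 1; }
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                                    /* drain the rest of the line */
    return 0;
}

/* Replacement for sprintf() into a stack buffer (the '-p' case): snprintf()
 * reports the length it *wanted*, so overflow is detected, not performed. */
int format_option_checked(char *dst, size_t dstsz, const char *value)
{
    int need = snprintf(dst, dstsz, "-p %s", value);
    if (need < 0 || (size_t)need >= dstsz) { errno = E2BIG; return -1; }
    return need;
}

/* Runs the three replacements on constructed input and returns a bitmask
 * (127 when every case behaves as intended):
 *   1 short copy ok         2 over-long copy refused
 *   4 short format ok       8 over-long format refused
 *  16 200-byte line truncated and drained
 *  32 following "quit" line read intact   64 clean EOF afterwards */
int demo_bounded_handling(void)
{
    char small[8];
    int r = 0;
    if (copy_arg_checked(small, sizeof small, "short") == 0 &&
        strcmp(small, "short") == 0)                              r |= 1;
    if (copy_arg_checked(small, sizeof small, "waytoolongvalue") == -1) r |= 2;
    if (format_option_checked(small, sizeof small, "abc") == 6)  r |= 4;
    if (format_option_checked(small, sizeof small, "abcdefgh") == -1) r |= 8;

    /* Constructed input: 200 'A's (think a long terminal control sequence
     * or option value), a newline, then a short "quit" line. */
    static char input[256];
    memset(input, 'A', 200);
    memcpy(input + 200, "\nquit\n", 7);
    FILE *in = fmemopen(input, strlen(input), "r");
    if (!in)
        return -1;
    char line[ARG_BUF];
    if (read_line_bounded(line, sizeof line, in) == 0 &&
        strlen(line) == ARG_BUF - 1)                              r |= 16;
    if (read_line_bounded(line, sizeof line, in) == 1 &&
        strcmp(line, "quit") == 0)                                r |= 32;
    if (read_line_bounded(line, sizeof line, in) == -1)          r |= 64;
    fclose(in);
    return r;
}
```

Refusing rather than truncating matters for set-uid parsers: a silently truncated path or option can still change what the program does with root privileges, whereas an explicit error ends the request.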