The debug command in Sendmail is enabled, allowing attackers to execute commands as root.1195CWD ~root command in ftpd allows root access.Improving the Security of Your Site by Breaking Into itBuffer overflow in passwd in BSD based operating systems 4.3 and earlier allows local users to gain root privileges by specifying a long shell or GECOS field.CA-1989-014bsd-passwd-bo(7152)Vulnerability in restore in SunOS 4.0.3 and earlier allows local users to gain privileges.CA-1989-02sun-restore-gain-privileges(6695)3CIAC-08Vulnerability in rcp on SunOS 4.0.x allows remote attackers from trusted hosts to execute arbitrary commands as root, possibly related to the configuration of the nobody user.CA-1989-07sun-rcp(3165)5Vulnerability in SMI Sendmail 4.0 and earlier, on SunOS up to 4.0.3, allows remote attackers to access user bin.CA-1990-016Certain NFS servers allow users to use mknod to gain privileges by creating a writable kmem device and setting the UID to 0.nfs-mknod(78)Buffer overflow in FreeBSD libmytinfo library allows local users to execute commands via a long TERMCAP environmental variable.1185FreeBSD-SA-00:17The SunView (SunTools) selection_svc facility allows remote users to read files.8BuildDisk program on NeXT systems before 2.0 does not prompt users for the root password, which allows local users to gain root privileges.CA-1990-06B-0111nextstep-builddisk-root-access(7141)Vulnerability in NeXT 1.0a and 1.0 with publicly accessible printers allows local users to gain privileges via a combination of the npd program and weak directory permissions.CA-1990-06B-0110nextstep-npd-root-access(7143)Vulnerability in restore0.9 installation script in NeXT 1.0a and 1.0 allows local users to gain root privileges.CA-1990-069B-01nextstep-restore09-root-access(7144)VMS 4.0 through 5.3 allows local users to gain privileges via the ANALYZE/PROCESS_DUMP dcl command.CA-1990-07B-0412vms-analyze-processdump-privileges(7137)/usr/sbin/Mail on SGI IRIX 3.3 and 3.3.1 does not properly set the group ID to the group ID of the user who started Mail, which allows local users to read the mail of other users.CA-1990-0813sgi-irix-reset(3164)TIOCCONS in SunOS 4.1.1 does not properly check the permissions of a user who tries to redirect console output and input, which could allow a local user to gain privileges.CA-1990-1214sunos-tioccons-console-redirection(7140)Vulnerability in the /etc/suid_exec program in HP Apollo Domain/OS sr10.2 and sr10.3 beta, related to the Korn Shell (ksh).CA-1990-047apollo-suidexec-unauthorized-access(6721)A-30rpc.pwdauthd in SunOS 4.1.1 and earlier does not properly prevent remote access to the daemon, which allows remote attackers to obtain sensitive system information.sun-pwdauthd(1782)00102Vulnerability in /bin/mail in SunOS 4.1.1 and earlier allows local users to gain root privileges via certain command line arguments.CA-1991-010010515Vulnerability in in.telnetd in SunOS 4.1.1 and earlier allows local users to gain root privileges.CA-1991-02sun-intelnetd(574)Vulnerability in in.rlogind in SunOS 4.0.3 and 4.0.3c allows local users to gain root privileges.CA-1991-02sun-intelnetd(574)chroot in Digital Ultrix 4.1 and 4.0 is insecurely installed, which allows local users to gain privileges.CA-1991-05dec-chroot(577)17The "me" user in NeXT NeXTstep 2.1 and earlier has wheel group privileges, which could allow the me user to use the su command to become root.CA-1991-06next-me(581)20The installation of Sun Source (sunsrc) tapes allows local users to gain root privileges via setuid root programs (1) makeinstall or (2) winstall.CA-1991-07sun-sourcetapes(582)001072221Vulnerability in login in AT&T System V Release 4 allows local users to gain privileges.CA-1991-0823sysv-login(583)B-28Vulnerability in /usr/bin/mail in DEC ULTRIX before 4.2 allows local users to gain privileges.CA-91.1327The default configuration of NCSA Telnet package for Macintosh and PC enables FTP, even though it does not include an "ftp=yes" line, which allows remote attackers to read and modify arbitrary files.CA-1991-15ftp-ncsa(1844)TFTP is not running in a restricted directory, allowing a remote attacker to access sensitive information such as password files.rdist in various UNIX systems uses popen to execute sendmail, which allows local users to gain root privileges by modifying the IFS (Internal Field Separator) variable.CA-91.2031http://www.alw.nih.gov/Security/8lgm/8lgm-Advisory-01.html8106rdist-popen-gain-privileges(7160)In SunOS, NFS file handles could be guessed, giving unauthorized access to the exported file system.Vulnerability in crp in Hewlett Packard Apollo Domain OS SR10 through SR10.3 allows remote attackers to gain root privileges via insecure system calls, (1) pad_$dm_cmd and (2) pad_$def_pfk().CA-1991-23apollo-crp-root-access(7158)34Vulnerability in LAT/Telnet Gateway (lattelnet) on Ultrix 4.1 and 4.2 allows attackers to gain root privileges.CA-1991-1126ultrix-telnet(584)B-36Vulnerability in rexec daemon (rexecd) in AT&T TCP/IP 4.0 for various SVR4 systems allows remote attackers to execute arbitrary commands.CA-1992-0436att-rexecd(3159)The rexd service is running, which uses weak authentication that can allow an attacker to execute commands.This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.The rexd service is an unsecured protocol for Internet facing systems and should only be used on a trusted network segment, otherwise disabled. The software should be patched and configured properly.The default configuration for UUCP in AIX before 3.2 allows local users to gain root privileges.CA-1992-06ibm-uucp(554)38891AIX passwd allows local users to gain root access.FTP installation script anon.ftp in AIX insecurely configures anonymous FTP, which allows remote attackers to execute arbitrary commands.CA-1992-09aix-anon-ftp(3154)41SunOS 4.1.2 and earlier allows local users to gain privileges via "LD_*" environmental variables to certain dynamically linked setuid or setgid programs such as (1) login, (2) su, or (3) sendmail, that change the real and effective user ids to the same user.CA-1992-11sun-env(3152)00116The portmapper may act as a proxy and redirect service requests from an attacker, making the request appear to come from the local host, possibly bypassing authentication that would otherwise have taken place. For example, NFS file systems could be mounted through the portmapper despite export restrictions.Denial of service by sending forged ICMP unreachable packets.Vulnerability in integer multiplication emulation code on SPARC architectures for SunOS 4.1 through 4.1.2 allows local users to gain root access or cause a denial of service (crash).CA-1992-1549sun-integer-multiplication-access(7150)Vulnerability in Monitor utility (SYS$SHARE:SPISHR.EXE) in VMS 5.0 through 5.4-2 allows local users to gain privileges.CA-92.16CA-1992-1851vms-monitor-gain-privileges(7136)59332Cisco IOS 9.1 and earlier does not properly handle extended IP access lists when the IP route cache is enabled and the "established" keyword is set, which could allow attackers to bypass filters.CA-1992-20Vulnerability in Cisco routers versions 8.2 through 9.1 allows remote attackers to bypass access control lists when extended IP access lists are used on certain interfaces, the IP route cache is enabled, and the access list uses the "established" keyword.CA-1992-2053NFS on SunOS 4.1 through 4.1.2 ignores the high order 16 bits in a 32 bit UID, which allows a local user to gain root access if the lower 16 bits are set to 0, as fixed by the NFS jumbo patch upgrade.CA-1992-154700117nfs-uid(82)** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1395. Reason: This candidate is a duplicate of CVE-1999-1395. Notes: All CVE users should reference CVE-1999-1395 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.HP ypbind allows attackers with root privileges to modify NIS data.Sun SunOS 4.1 through 4.1.3 allows local attackers to gain root access via insecure permissions on files and directories such as crash.CA-1993-0359sun-dir(521)Vulnerability in finger in Commodore Amiga UNIX 2.1p2a and earlier allows local users to read arbitrary files.CA-1993-04amiga-finger(522)Vulnerability in DEC OpenVMS VAX 5.5-2 through 5.0, and OpenVMS AXP 1.0, allows local users to gain system privileges.CA-1993-05openvms-local-privilege-elevation(7142)Cisco routers 9.17 and earlier allow remote attackers to bypass security restrictions via certain IP source routed packets that should normally be denied using the "no ip source-route" command.CA-1993-07cisco-sourceroute(541)D-15Vulnerability in passwd in SCO UNIX 4.0 and earlier allows attackers to cause a denial of service by preventing users from being able to log into the system.CA-1993-08sco-passwd-deny(542)Vulnerabilities in UMN gopher and gopher+ versions 1.12 and 2.0x allow an intruder to read any files that can be accessed by the gopher daemon.LOGIN.EXE program in Novell Netware 4.0 and 4.01 temporarily writes user name and password information to disk, which could allow local users to gain privileges.CA-1993-12novell-login(545)D-21SCO UNIX System V/386 Release 3.2, and other SCO products, installs the home directories (1) /tmp for the dos user, and (2) /usr/tmp for the asg user, which allows other users to gain access to those accounts since /tmp and /usr/tmp are world-writable.CA-1993-13sco-homedir(546)/usr/5bin/su in SunOS 4.1.3 and earlier uses a search path that includes the current working directory (.), which allows local users to gain privileges via Trojan horse programs.1121935sun-su-path(7480)Sendmail WIZ command enabled, allowing root access.CA-1993-14CA-1990-1119950206 sendmail wizard thing...Improving the Security of Your Site by Breaking Into itThe permissions for the /dev/audio device on Solaris 2.2 and earlier, and SunOS 4.1.x, allow any local user to read from the device, which could be used by an attacker to monitor conversations happening near a machine that has a microphone.sun-audio(549)E-01001226436In Solaris 2.2 and 2.3, when fsck fails on startup, it allows a local user with physical access to obtain root access.The wall daemon can be used for denial of service, social engineering attacks, or to execute remote commands.Vulnerability in subnetconfig in HP-UX 9.01 and 9.0 allows local users to gain privileges.hp-subnet-config(2162)HPSBUX9402-003Extra long export lists over 256 characters in some mount daemons allows NFS directories to be mounted by anyone.24AIX Licensed Program Product performance tools allow local users to gain root access.Sun/Solaris utmp file allows local users to gain root access if it is writable by users other than root.00126Vulnerability in VUE 3.0 in HP 9.x allows local users to gain root privileges, as fixed by PHSS_4994 and PHSS_5438.hp-vue(2284)HPSBUX9504-027Vulnerability in Glance and gpm programs in GlancePlus for HP-UX 9.x and earlier allows local users to access arbitrary files and gain privileges.hp-glanceplus-gpm(2060)HPSBUX9405-011passwd in SunOS 4.1.x allows local users to overwrite arbitrary files via a symlink attack and the -F command line argument.19940514 [8lgm]-Advisory-7.UNIX.passwd.11-May-1994.NEWFIX19940513 [8lgm]-Advisory-7.UNIX.passwd.11-May-199419941218 Sun Patch Id #102060-01Vulnerability in Vue 3.0 in HP 9.x allows local users to gain root privileges, as fixed by PHSS_4038, PHSS_4055, and PHSS_4066.E-23hp-vue(2284)HPSBUX9404-008Some implementations of rlogin allow root access if given a -froot parameter.458Vulnerability in hpterm on HP-UX 10.20 allows local users to gain additional privileges.HPSBUX9903-093AIX batch queue (bsh) allows local and remote users to gain additional privileges when network printing is enabled.Remote attacker can execute commands through Majordomo using the Reply-To field and a "lists" command.HP-UX 9.x does not properly enable the Xauthority mechanism in certain conditions, which could allow local users to access the X display even when they have not explicitly been authorized to do so.hp-xauthority(2261)HPSBUX9407-015dpsexec (DPS Server) when running under XDM in IBM AIX 3.2.5 and earlier does not properly check privileges, which allows local users to overwrite arbitrary files and gain privileges.35819940720 xnews and XDMcolorview in Silicon Graphics IRIX 5.1, 5.2, and 6.0 allows local attackers to read arbitrary files via the -text argument.sgi-colorview(2112)19950307 sigh. another Irix 5.2 hole.33619950209-00-P19940809 Re: IRIX 5.2 Security AdvisoryVulnerability in sgihelp in the SGI help system and print manager in IRIX 5.2 and earlier allows local users to gain root privileges, possibly through the clogin command.CA-1994-13sgi-prn-mgr(511)468E-33Vulnerability in CORE-DIAG fileset in HP message catalog in HP-UX 9.05 and earlier allows local users to gain privileges.hp-core-diag-fileset(2262)HPSBUX9409-017serial_ports administrative program in IRIX 4.x and 5.x trusts the user's PATH environmental variable to find and execute the ls program, which allows local users to gain root privileges via a Trojan horse ls program.sgi-serialports(2111)46419941002** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1022. Reason: This candidate is a duplicate of CVE-1999-1022. Notes: All CVE users should reference CVE-1999-1022 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Unspecified vulnerability in pt_chmod in SCO UNIX 4.2 and earlier allows local users to gain root access.94:001sco-pt_chmod(7586)8797VB-94:01Vulnerability in prwarn in SCO UNIX 4.2 and earlier allows local users to gain root access.F-05Vulnerability in login in SCO UNIX 4.2 and earlier allows local users to gain root access.94:001Vulnerability in "at" program in SCO UNIX 4.2 and earlier allows local users to gain root access.94:001Vulnerability in Support Watch (aka SupportWatch) in HP-UX 8.0 through 9.0 allows local users to gain privileges.hp-supportwatch(2058)HPSBUX9411-019rpc.lockd in Red Hat Linux 6.1 and 6.2 allows remote attackers to cause a denial of service via a malformed request.137220000608 Remote DOS in linux rpc.lockdlinux-lockd-remote-dosPredictable TCP sequence numbers allow spoofing.tcp-seq-predict(139)Buffer overflow in NCSA WebServer (version 1.5c) gives remote access.Buffer overflow in NCSA WebServer (1.4.1 and below) gives remote access.Remote attackers can access mail files via POP3 in some Linux systems that are using shadow passwords.Vulnerability in BSD Telnet client with encryption and Kerberos 4 authentication allows remote attackers to decrypt the session via sniffing.CA-1995-03F-124881bsd-telnet(516)SGI Desktop Permissions Tool in IRIX 6.0.1 and earlier allows local users to modify permissions for arbitrary files and gain privileges.sgi-permissions(2113)F-1619950301-01-P373The SATAN session key may be disclosed if the user points the web browser to other sites, possibly allowing root access.rmmount in SunOS 5.7 may mount file systems without the nosuid flag set, contrary to the documentation and its use in previous versions of SunOS, which could allow local users with physical access to gain root privileges by mounting a floppy or CD-ROM that contains a setuid program and running volcheck, when the file systems do not have the nosuid option specified in rmmount.conf.19990510 SunOS 5.7 rmmount, no nosuid.19991011solaris-rmmount-gain-root(8350)250In Cisco IOS 10.3, with the tacacs-ds or tacacs keyword, an extended IP access control list could bypass filtering.797AnyForm CGI remote execution.719FormMail CGI program allows remote execution of commands.In Sendmail, attackers can gain root privileges via SMTP by specifying an improper "mail from" address and an invalid "rcpt to" address that would cause the mail to bounce to a program.SunOS sendmail 5.59 through 5.65 uses popen to process a forwarding host argument, which allows local users to gain root privileges by modifying the IFS (Internal Field Separator) variable and passing crafted values to the -oR option.CA-1995-11VU#32787829AA-95.09http://www.alw.nih.gov/Security/8lgm/8lgm-Advisory-21.htmlA race condition in the Solaris ps command allows an attacker to overwrite critical files.8346The ghostscript command with the -dSAFER option allows remote attackers to execute commands.Some configurations of NIS+ in Linux allowed attackers to log in as the user "+".Livingston portmaster machines could be rebooted via a series of commands.Telnet allows a remote client to specify environment variables including LD_LIBRARY_PATH, allowing an attacker to bypass the normal system libraries and gain root access.Buffer overflow in syslog utility allows local or remote attackers to gain root privileges.Guessable magic cookies in X Windows allows remote attackers to execute commands, e.g. through xterm.Certain configurations of wu-ftp FTP server 2.4 use a _PATH_EXECPATH setting to a directory with dangerous commands, such as /bin, which allows remote authenticated users to gain root access via the "site exec" command.Race condition in Linux mailx command allows local users to read user files.vhe_u_mnt program in HP-UX allows local users to create root files through symlinks.HPSBUX9406-013Buffer overflow in Linux splitvt command gives root access to local users.rpc.ypupdated (NIS) allows remote users to execute arbitrary commands.rxvt, when compiled with the PRINT_PIPE option in various Linux operating systems including Linux Slackware 3.0 and RedHat 2.1, allows local users to gain root privileges by specifying a malicious program using the -print-pipe command line parameter.19960102 rxvt security holeVulnerability in object server program in SGI IRIX 5.2 through 6.1 allows remote attackers to gain root privileges in certain configurations.19960101-01-PXirix-object-server(7430)abuse.console in Red Hat 2.1 uses relative pathnames to find and execute the undrv program, which allows local users to execute arbitrary commands via a path that points to a Trojan horse program.35419960202 abuse Red Hat 2.1 security holeEcho and chargen, or other combinations of UDP services, can be used in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm.Kerberos 4 key servers allow a user to masquerade as another by breaking and generating session keys.IIS 1.0 allows users to execute arbitrary commands using .bat or .cmd files.Q155056Q148188The Java Applet Security Manager implementation in Netscape Navigator 2.0 and Java Developer's Kit 1.0 allows an applet to connect to arbitrary hosts.phf CGI program allows remote command execution through shell metacharacters.CA-1996-06629136Java Bytecode Verifier allows malicious applets to execute arbitrary commands as the user of the applet.00134test-cgi program allows an attacker to list files on the server.dxconsole in DEC OSF/1 3.2C and earlier allows local users to read arbitrary files by specifying the file with the -file parameter.VB-96.05G-18http://www.tao.ca/fire/bos/0209.htmlosf-dxconsole-gain-privileges(7138)pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or execute arbitrary commands through arguments in the RPC call.Delete or create a file via rpc.statd, due to invalid information.00135Vulnerability in union file system in FreeBSD 2.2 and earlier, and possibly other operating systems, allows local users to cause a denial of service (system reload) via a series of certain mount_union commands.FreeBSD-SA-96:10unionfs-mount-ordering(7429)G-24Manual page reader (man) in FreeBSD 2.2 and earlier allows local users to gain privileges via a sequence of commands.G-24FreeBSD-SA-96:11bsd-man-command-sequence(7348)The permissions for a system-critical NIS+ table (e.g. passwd) are inappropriate.Perl, sh, csh, or other shell interpreters are installed in the cgi-bin directory on a WWW site, which allows remote attackers to execute arbitrary commands.Vulnerability in a kernel error handling routine in SCO OpenServer 5.0.2 and earlier, and SCO Internet FastStart 1.0, allows local users to gain root privileges.VB-96.10sco-kernel(1965)96:001nettune in HP-UX 10.01 and 10.00 is installed setuid root, which allows local users to cause a denial of service by modifying critical networking configuration information.HPSBUX9607-03519960607 HP-UX B.10.01 vulnerabilityhp-nettune(414)The suidperl and sperl program do not give up root privileges when changing UIDs back to the original users, allowing root access.The convert.bas program in the Novell web server allows a remote attackers to read any file on the system that is internally accessible by the web server.Local user gains root privileges via buffer overflow in rdist, via expstr() function.00179The dip program on many Linux systems allows local users to gain root access via a buffer overflow.A design flaw in the Z-Modem protocol allows the remote sender of a file to execute arbitrary programs on the client, as implemented in rz in the rzsz module of FreeBSD before 2.1.5, and possibly other programs.G-31FreeBSD-SA-96:17rzsz-command-execution(7540)cpio on FreeBSD 2.1.0, Debian GNU/Linux 3.0, and possibly other operating systems, uses a 0 umask when creating files using the -O (archive) or -F options, which creates the files with mode 0666 and allows local users to read or overwrite those files.Fixed in rev 1.3 of cpio/main.c.cpio-o-archive-insecure-permissions(19167)2005-0003RHSA-2005:080RHSA-2005:073http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/1391DSA-664RHSA-2005:806MDKSA-2005:032http://support.avaya.com/elmodocs2/security/ASA-2005-212.pdf17532170631435720050204 [USN-75-1] cpio vulnerabilityLocal user gains root privileges via buffer overflow in rdist, via lookup() function.admintool in Solaris allows a local user to write to arbitrary files and gain root access.Kodak Color Management System (KCMS) on Solaris allows a local user to write to arbitrary files and gain root access.DEPRECATED. This entry has been deprecated. It is a duplicate of CVE-1999-0032.Solaris 2.4 before kernel jumbo patch -35 allows set-gid programs to dump core even if the real user id is not in the set-gid group, which allows local users to overwrite or create files at higher privileges by causing a core dump, e.g. through dmesg.29619960803 Exploiting Zolaris 2.4 ?? :)vold in Solaris 2.x allows local users to gain root access.8159fm_fls license server for Adobe Framemaker allows local users to overwrite arbitrary files and gain root access.Expreserve, as used in vi and ex, allows local users to overwrite arbitrary files and gain root access.CA-1996-19expreserve(401)11723Buffer overflow in rwhod on AIX and other operating systems allows remote attackers to execute arbitrary code via a UDP packet with a long hostname.rwhod(119)rwhod-vuln(118)Pine before version 3.94 allows local users to gain privileges via a symlink attack on a lockfile that is created when a user receives new mail.pine-tmpfile(416)19960826 [BUG] Vulnerability in PINESendmail before 8.6.7 allows local users to gain root access via a large value in the debug (-d) command line option.CA-1994-1219940315 Security problem in sendmail versions 8.x.x19940315 anyone know details?19940314 sendmail -d problem (OLD yet still here)sendmail-debug-gain-root(7155)19940327 sendmail exploit script - resend19940315 so...ppl program in HP-UX allows local users to create root files through symlinks.HPSBUX9702-053Vulnerability in a certain system call in SCO UnixWare 2.0.x and 2.1.0 allows local users to access arbitrary files and gain root privileges.VB-96.15sco-system-call(1966)96:002Buffer overflow and denial of service in Sendmail 8.7.5 and earlier through GECOS field gives root access to local users.717(1) bash before 1.14.7, and (2) tcsh 6.05 allow local users to gain privileges via directory names that contain shell metacharacters (` back-tick), which can cause the commands enclosed in the directory name to be executed when the shell expands filenames using the \w option in the PS1 variable.19960919 Vulnerability in expansion of PS1 in bash & tcsh19960913 tee see shell problemsTransarc DCE Distributed File System (DFS) 1.1 for Solaris 2.4 and 2.5 does not properly initialize the grouplist for users who belong to a large number of groups, which could allow those users to gain access to resources that are protected by DFS.VB-96.16VB-96.16dfs-login-groups(7154)Denial of service when an attacker sends many SYN packets to create multiple connections without ever sending an ACK to complete the connection, aka SYN flood.0013619961202-01-PXHPUX sysdiag allows local users to gain root privileges via a symlink attack during log file creation.19960921 Vunerability in HP sysdiag ?MIME buffer overflow in Sendmail 8.8.0 and 8.8.1 gives root access.HP Remote Watch allows a remote user to gain root access.Buffer overflow in xmcd 2.1 allows local users to gain access through a user resource setting.HP-UX gwind program allows users to modify arbitrary files.HPSBUX9410-018Bash treats any character with a value of 255 as a command separator.PASV core dump in wu-ftpd daemon when attacker uses a QUOTE PASV command after specifying a username and password.5742Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classification) command line option.707I-04219980402-01-PXThe WorkMan program can be used to overwrite any file to get root access.Indigo Magic System Tour in the SGI system tour package (systour) for IRIX 5.x through 6.3 allows local users to gain root privileges via a Trojan horse .exitops program, which is called by the inst command that is executed by the RemoveSystemTour program.AA-96.0847019961030 (Another) vulnerability in new SGIs19961101-01-Iirix-systour(7456)fpkg2swpk in HP-UX allows local users to gain root access.HPSBUX9612-042Buffer overflow in mstm in HP-UX allows local users to gain root access.Vulnerability in ppl in HP-UX 10.x and earlier allows local users to gain root privileges by forcing ppl to core dump.HPSBUX9704-057H-3219961104 ppl bugs19961103 Re: Untitledhp-ppl(7438)Local users can start Sendmail in daemon mode and gain root privileges.716dxchpwd in Digital Unix (OSF/1) 3.x allows local users to modify arbitrary files via a symlink attack on the dxchpwd.log file.dgux-chpwd(399)19961117 Digital Unix v3.x (v4.x?) security vulnerabilityKerberos 4 allows remote attackers to obtain sensitive information via a malformed UDP packet that generates an error string that inadvertently includes the realm name and the last user.kerberos-user-grab(65)19961122 L0pht Kerberos AdvisoryBuffer overflow in cddbd CD database server allows remote attackers to execute arbitrary commands via a long log message.cddbd-bo(2203)Buffer overflow in HP-UX newgrp program.fsdump command in IRIX allows local users to obtain root access by modifying sensitive files.19970301-01-PSendmail allows local users to write to a file and gain group permissions via a .forward or :include: file.Command execution via shell metachars in INN daemon (innd) 1.5 using "newgroup" and "rmgroup" control messages, and others.Vulnerability in Desktop searchbook program in IRIX 5.0.x through 6.2 sets insecure permissions for certain user files (iconbook and searchbook).46319961201-01-PXirix-searchbook-permissions(7575)8563List of arbitrary files on Web host via nph-test-cgi script.Buffer overflow in AIX and Solaris "gethostbyname" library call allows root access through corrupt DNS host names.H-13Sendmail decode alias can be used to overwrite sensitive files.00122Buffer overflow in Vixie Cron library up to version 3.0 allows local users to obtain root access via a long environmental variable.Buffer overflow in chfn command in HP-UX 9.X through 10.20 allows local users to gain privileges via a long command line argument.H-21H-1619961209 the HP Bug of the Week!Oversized ICMP ping packets can result in a denial of service, aka Ping o' Death.swinstall and swmodify commands in SD-UX package in HP-UX systems allow local users to create or overwrite arbitrary files to gain root access.Buffer overflow in ppp program in FreeBSD 2.1 and earlier allows local users to gain privileges via a long HOME environment variable.FreeBSD-SA-96:206085ppp-bo(7465)19961219 Exploit for ppp bug (FreeBSD 2.1.0).aspppd on Solaris 2.5 x86 allows local users to modify arbitrary files and gain root privileges via a symlink attack on the /tmp/.asppp.fifo file.29219961220 Solaris 2.5 x86 aspppd (semi-exploitable-hole)The jj CGI program allows command execution via shell metacharacters.Vulnerability in direct audio user space code on HP-UX 10.20 and 10.10 allows local users to cause a denial of service.hp-audio-panic(2010)HPSBUX9612-043ICMP redirect messages may crash or lock up a host.Q154174Denial of service in Windows NT DNS servers through malicious packet which contains a response to a query that wasn't made.ScriptAlias directory in NCSA and Apache httpd allowed attackers to read CGI programs.Malicious option settings in UDP packets could force a reboot in SunOS 4.1.3 systems.Windows NT RSHSVC program allows remote users to execute arbitrary commands.Denial of service in talk program allows remote attackers to disrupt a user's display.Buffer overflow in listserv allows arbitrary command execution.IIS 3.0 with the iis-fix hotfix installed allows remote intruders to read source code for ASP programs by using a %2e instead of a . (dot) in the URL.Sendmail 8.6.9 allows remote attackers to execute root commands, using ident.A quote cwd command on FTP servers can reveal the full path of the home directory of the "ftp" user.The GNU tar command, when used in FTP sessions, may allow an attacker to execute arbitrary commands.Buffer overflow in the win-c-sample program (win-c-sample.exe) in the WebSite web server 1.1e allows remote attackers to execute arbitrary code via a long query string.http-website-winsample(295)2078819970106 Re: signal handlingWindows NT crashes or locks up when a Samba client executes a "cd .." command on a file share.Q140818in.rshd allows users to login with a NULL username and execute commands.FormMail CGI program can be used by web servers other than the host server that the program resides on.Remote attackers can mount an NFS file system in Ultrix or OSF, even if it is denied on the access list.Denial of service in syslog by sending it a large number of superfluous messages.In older versions of Sendmail, an attacker could use a pipe character to execute root commands.NFS allows users to use a "cd .." command to access other directories besides the exported file system.Remote access in AIX innd 1.5.1, using control messages.Jolt ICMP attack causes a denial of service in Windows 95 and Windows NT systems.A router or firewall allows source routed packets from arbitrary hosts.IP forwarding is enabled on a machine which is not a router or firewall.NETBIOS share information may be published through SNMP registry keys in NT.A Windows NT local user or administrator account has a guessable password.A Windows NT local user or administrator account has a default, null, blank, or missing password.A Windows NT 4.0 user can gain administrative rights by forcing NtOpenProcessToken to succeed regardless of the user's permissions, aka GetAdmin.Q146965An NIS domain name is easily guessable.An SNMP community name is the default (e.g. public), null, or missing.A NETBIOS/SMB share password is guessable.A NETBIOS/SMB share password is the default, null, or missing.IP traceroute is allowed from arbitrary hosts.A Windows NT user has inappropriate rights or privileges, e.g. Act as System, Add Workstation, Backup, Change System Time, Create Pagefile, Create Permanent Object, Create Token Name, Debug, Generate Security Audit, Increase Priority, Increase Quota, Load Driver, Lock Memory, Profile Single Process, Remote Shutdown, Replace Process Token, Restore, System Environment, Take Ownership, or Unsolicited Input.A Windows NT account policy for passwords has inappropriate, security-critical settings, e.g. for password length, password age, or uniqueness.A router's routing tables can be obtained from arbitrary hosts.The registry in Windows NT can be accessed remotely by users who are not administrators.oval:org.mitre.oval:def:1023.reg files are associated with the Windows NT registry editor (regedit), making the registry susceptible to Trojan Horse attacks.A Windows NT system's user audit policy does not log an event success or failure, e.g. for Logon and Logoff, File and Object Access, Use of User Rights, User and Group Management, Security Policy Changes, Restart, Shutdown, and System, and Process Tracking.A Windows NT system's file audit policy does not log an event success or failure for security-critical files or directories.A Windows NT account policy has inappropriate, security-critical settings for lockout, e.g. lockout duration, lockout after bad logon attempts, etc.A version of rusers is running that exposes valid user information to any entity on the network.This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.rusers is an unsecured and obsolete protocol and it should be disabled.netprint in SGI IRIX 6.4 and earlier trusts the PATH environmental variable for finding and executing the disable program, which allows local users to gain privileges.sgi-netprint(2107)39519970104 Irix: netprint story19961203-02-PX99319961203-01-PXArbitrary file creation and program execution using FLEXlm LicenseManager, from versions 4.0 to 5.0, in IRIX.movemail in HP-UX 10.20 has insecure permissions, which allows local users to gain privileges.hp-movemail(2057)HPSBUX9701-0478099Vulnerability in Glance programs in GlancePlus for HP-UX 10.20 and earlier allows local users to access arbitrary files and gain privileges.hp-glanceplus(2059)H-21HPSBUX9701-044Vulnerability in dtlogin and dtsession in HP-UX 10.20 and 10.10 allows local users to bypass authentication and gain privileges.H-21Csetup under IRIX allows arbitrary file creation or overwriting.Vulnerability in chsh command in HP-UX 9.X through 10.20 allows local users to gain privileges.hp-chsh(2012)H-21wu-ftp allows files to be overwritten via the rnfr command.Talkd, when given corrupt DNS information, can be used to execute arbitrary commands with root privileges.00147Buffer overflow in Solaris getopt in libc allows local users to gain root privileges via a long argv[0].MIME conversion buffer overflow in sendmail versions 8.8.3 and 8.8.4.685Certain files in MPower in HP-UX 10.x are installed with insecure permissions, which allows local users to gain privileges.hp-mpower(2056)HPSBUX9701-051The view-source CGI program allows remote attackers to read arbitrary files via a .. (dot dot) attack.HP-UX vgdisplay program gives root access to local users.HPSBUX9702-056The Sun sdtcm_convert calendar utility for OpenWindows has a buffer overflow which can gain root access.00183IRIX startmidi program allows local users to modify arbitrary files via a symlink attack.469844719980301-01-PXVulnerability in ftpd/kftpd in HP-UX 10.x and 9.x allows local and possibly remote users to gain root privileges.HPSBUX9702-055H-33hp-ftpd-kftpd(7437)rcp on various Linux systems including Red Hat 4.0 allows a "nobody" user or other user with UID of 65535 to overwrite arbitrary files, since 65535 is interpreted as -1 by chown and other system calls, which causes the calls to fail to modify the ownership of the file.19970203 Linux rcp bugypbind with -ypset and -ypsetme options activated in Linux Slackware and SunOS allows local and remote attackers to overwrite files via a .. (dot dot) attack.19970205 Vulnerabilities in Ypbind when run with -ypset/-ypsetmeBuffer overflow of rlogin program using TERM environmental variable.Denial of service in RPCSS.EXE program (RPC Locator) in Windows NT.Q162567Buffer overflow in ffbconfig in Solaris 2.5.1.00140Buffer overflow in NLS (Natural Language Service).ucbmail allows remote attackers to execute commands via shell metacharacters that are passed to it from INN.A version of finger is running that exposes valid user information to any entity on the network.This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.The FTP Service should be disabled because it could reveal information about a host's users, which could be used as reconnaissance information for attacks.finger allows recursive searches by using a long string of @ symbols.Finger redirection allows finger bombs.NFS cache poisoning.Buffer overflow in xmcd 2.0p12 allows local users to gain access through an environmental variable.Internet Explorer 3.01 on Windows 95 allows remote malicious web sites to execute arbitrary commands via a .isp file, which is automatically downloaded and executed without prompting the user.http://oliver.efri.hr/~crv/security/bugs/NT/ie3.htmlhttp://members.tripod.com/~unibyte/iebug3.htmBuffer overflow in TestChip function in XFree86 SuperProbe in Slackware Linux 3.1 allows local users to gain root privileges via a long -nopr argument.36419970304 Linux SuperProbe exploitBuffer overflow in FreeBSD lpd through long DNS hostnames.6093Vulnerability in AIX 4.1.4 and HP-UX 10.01 and 9.05 allows local users to cause a denial of service (crash) by using a socket to connect to a port on the localhost, calling shutdown to clear the socket, then using the same socket to connect to a different port on localhost.35219970305 Bug in connect() for aix 4.1.4 ?Macromedia Shockwave before 6.0 allows a malicious webmaster to read a user's mail box and possibly access internal web servers via the GetNextText command on a Shockwave movie.http-ns-shockwave(460)shockwave-file-read-vuln(1586)shockwave-internal-access(1585)19970314 Shockwave Security AlertDenial of service through Winpopup using large user names.Buffer overflow in Solaris fdformat command gives root access to local users.00138Remote command execution in Microsoft Internet Explorer using .lnk and .url files.Windows NT 4.0 SP2 allows remote attackers to cause a denial of service (crash), possibly via malformed inputs or packets, such as those generated by a Linux smbmount command that was compiled on the Linux 2.0.29 kernel but executed on Linux 2.0.25.19970407 DUMP of NT system crash19970403 Fatal bug in NT 4.0 server (more comments)19970402 Fatal bug in NT 4.0 serverBuffer overflow in University of Washington's implementation of IMAP and POP servers.Sysinstall in FreeBSD 2.2.1 and earlier, when configuring anonymous FTP, creates the ftp user without a password and with /bin/date as the shell, which could allow attackers to gain access to certain system resources.FreeBSD-SA-97:036087freebsd-sysinstall-ftp-password(7537)Buffer overflow in PHP cgi program, php.cgi allows shell access.712The wrap CGI program in IRIX allows remote attackers to view arbitrary directory listings via a .. (dot dot) attack.http-sgi-wrap(290)37324719970501-02-PXBuffer overflow in xlock program allows local users to execute commands as root.Buffer overflow in Kerberos IV compatibility libraries as used in Kerberos V allows local users to gain root privileges via a long line in a kerberos configuration file, which can be specified via the KRB_CONF environmental variable.19970429 vulnerabilities in kerberosBuffer overflow in Xt library of X Windowing System allows local users to execute commands with root privileges.Buffer overflow in AIX dtterm program for the CDE.dtterm-bo(878)Vulnerability in runpriv in Indigo Magic System Administration subsystem of SGI IRIX 6.3 and 6.4 allows local users to gain root privileges.sgi-runpriv(2108)46219970503-01-PX1009Symantec Norton Utilities 2.0 for Windows 95 marks the TUNEOCX.OCX ActiveX control as safe for scripting, which allows remote attackers to execute arbitrary commands via the run option through malicious web pages that are accessed by browsers such as Internet Explorer 3.0.http://mlarchive.ima.com/win95/1997/May/0342.htmlhttp://www.net-security.sk/bugs/NT/nu20.htmlhttp://news.zdnet.co.uk/story/0,,s2065518,00.htmlnu-tuneocx-activex-control(7188)KDE file manager (kfm) uses a TCP server for certain file operations, which allows remote attackers to modify arbitrary files by sending a copy command to the server.kde-flawed-ipc(1646)19970505 Hole in the KDE desktopwebdist CGI program (webdist.cgi) in SGI IRIX allows remote attackers to execute arbitrary commands via shell metacharacters in the distloc parameter.CA-1997-12http-sgi-webdist(333)37423519970501-02-PXSGI MachineInfo CGI program, installed by default on some web servers, prints potentially sensitive system status information, which could be used by remote attackers for information gathering activities.19970507 Re: SGI Security Advisory 19970501-01-A - Vulnerability in webdist.cgiVulnerability in xfsdump in SGI IRIX may allow local users to obtain root privileges via the bck.log log file, possibly via a symlink attack.472http://www.insecure.org/sploits/irix.xfsdump.html19970507 Irix: miscinpview in InPerson on IRIX 5.3 through IRIX 6.5.10 trusts the PATH environmental variable to find and execute the ttsession program, which allows local users to obtain root access by modifying the PATH to point to a Trojan horse ttsession program.38120001101-01-I19970507 Irix: miscaddnetpr in IRIX 5.3 and 6.2 allows local users to overwrite arbitrary files and possibly gain root privileges via a symlink attack on the printers temporary file.330ftp://patches.sgi.com/support/free/security/advisories/19961203-02-PX19970509 Re: Irix: miscaddnetpr in SGI IRIX 6.2 and earlier allows local users to modify arbitrary files and possibly gain root access via a symlink attack on a temporary file.irix-addnetpr(1433)19970509 Re: Irix: misc3308560ftp://patches.sgi.com/support/free/security/advisories/19961203-02-PXBuffer overflow in (1) pluggable authentication module (PAM) on Solaris 2.5.1 and 2.5 and (2) unix_scheme in Solaris 2.4 and 2.3 allows local users to gain root privileges via programs that use these modules such as passwd, yppasswd, and nispasswd.00139AA-97.09Buffer overflow in Elm 2.4 and earlier allows local users to gain privileges via a long TERM environmental variable.19970514 Re: ELM overflow19970513Buffer overflow in HPUX passwd command allows local users to gain root privileges via a command line option.HPSBUX9701-0456415Ascom Timeplex router allows remote attackers to obtain sensitive information or conduct unauthorized activities by entering debug mode through a sequence of CTRL-D characters.ascom-timeplex-debug(1824)19970515 MicroSolved finds hole in Ascom Timeplex Router SecurityUntrusted search path vulnerability in day5datacopier in SGI IRIX 6.2 allows local users to execute arbitrary commands via a modified PATH environment variable that points to a malicious cp program.sgi-day5datacopier(3316)855919970516 Irix and WWWThe access permissions for a UNIX domain socket are ignored in Solaris 2.x and SunOS 4.x, and other BSD-based operating systems before 4.4, which could allow local users to connect to the socket and possibly disrupt or control the operations of the program using that socket.45619971003 Solaris 2.6 and sockets19970517 UNIX domain socket (Solarisx86 2.5)sun-domain-socket-permissions(7172)Buffer overflow in chkey in Solaris 2.5.1 and earlier allows local users to gain root privileges via a long command line argument.AA-97.182070014419970519 Re: Finally, most of an exploit for Solaris 2.5.1's ps.solaris-chkey-bo(7442)SunOS 4.1.4 on a Sparc 20 machine allows local users to cause a denial of service (kernel panic) by reading from the /dev/tcx0 TCX device.http://www.insecure.org/sploits/sunos.dev.tcx0.write.wierd.shit.to.device.bug.html19970519 /dev/tcx0 crashes SunOS 4.1.4 on Sparc 20'sArbitrary command execution via metamail package using message headers, when user processes attacker's message using metamail.cfingerd lists all users on a system via search.**@target.Buffer overflow in AIX lquerylv program gives root access to local users.IRIX login program with a nonzero LOCKOUT parameter allows creation or damage to files.sgi-lockout(557)990H-10619970508-02-PXVulnerability in runtime linker program rld in SGI IRIX 6.x and earlier allows local users to gain privileges via setuid and setgid programs.sgi-rld(2109)H-06519970504-01-PXBuffer overflow in suidperl (sperl), Perl 4.x and 5.x.Race condition in signal handling routine in ftpd, allowing read/write arbitrary files.Denial of service in Qmail by specifying a large number of recipients with the RCPT command.qmail-rcpt2237http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.htmlhttp://cr.yp.to/qmail/venema.html19970612 Re: Denial of service (qmail-smtpd)19970612 qmail-dos-2.c, another denial of service attackDenial of service in IIS using long URLs.Access violation in LSASS.EXE (LSA/LSARPC) program in Windows NT allows a denial of service.Q154087Buffer overflow in bootpd 2.4.3 and earlier via a long boot file location.Solaris rpcbind listens on a high numbered UDP port, which may not be filtered since the standard port number is 111.00142Denial of service in Windows NT DNS servers by flooding port 53 with too many characters.getcwd() file descriptor leak in FTP.Command execution in Sun systems via buffer overflow in the at program.rsh daemon (rshd) generates different error messages when a valid username is provided versus an invalid name, which allows remote attackers to determine valid users on the system.rsh-username-leaks(1660)19970613 rshd gives away usernamesMajorCool mj_key_cache program allows local users to modify files via a symlink attack.Buffer overflow in zgv in svgalib 1.2.10 and earlier allows local users to execute arbitrary code via a long HOME environment variable.19970619 svgalib/zgvBuffer overflow in eeprom in Solaris 2.5.1 and earlier allows local users to gain root privileges via a long command line argument.20600143solaris-eeprom-bo(7444)ping in Solaris 2.3 through 2.6 allows local users to cause a denial of service (crash) via a ping request to a multicast address through the loopback interface, e.g. via ping -i.2090014619971005 Solaris Ping Bug and other [bc] oddities19970627 SUMMARY: Solaris Ping bug (DoS)19970626 Solaris Ping bug (DoS)ping-multicast-loopback-dos(7492)19970627 Solaris Ping bug(inetsvc)The rwho/rwhod service is running, which exposes machine status and user information.Listening TCP ports are sequentially allocated, allowing spoofing attacks.Buffer overflow in wu-ftp from PASV command causes a core dump.RIP v1 is susceptible to spoofing.Buffer overflow in FTP Serv-U 2.5 allows remote authenticated users to cause a denial of service (crash) via a long (1) CWD or (2) LS (list) command.ftp-servu(205)26919990504 Re: Buffer overflows in FTP Serv-U 2.519990503 Buffer overflows in FTP Serv-U 2.5Denial of service in Qmail through long SMTP commands.http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.htmlhttp://cr.yp.to/qmail/venema.html19970612 qmail-dos-2.c, another denial of service attackWhen compiled with the -DALLOW_UPDATES option, bind allows dynamic updates to the DNS server, allowing for malicious modification of DNS records.Denial of service in RPC portmapper allows attackers to register or unregister RPC services or spoof RPC services using a spoofed source IP address such as 127.0.0.1.The Perl fingerd program allows arbitrary command execution from remote users.The aglimpse CGI program of the Glimpse package allows remote execution of arbitrary commands.wu-ftpd FTP daemon allows any user and password combination.Windows 95/NT out of band (OOB) data denial of service through NETBIOS port, aka WinNuke.1666NFS allows attackers to read and write any file on the system by specifying a false UID.A DNS server allows zone transfers.A DNS server allows inverse queries.A password for accessing a WWW URL is guessable.An X server's access control is disabled (e.g. through an "xhost +" command) and allows anyone to connect to the server.VU#704969wu-ftpd 2.4 FTP server does not properly drop privileges when an ABOR (abort file transfer) command is executed during a file transfer, which causes a signal to be handled incorrectly and allows local and possibly remote attackers to read arbitrary files.19970105 BoS: serious security bug in wu-ftpd v2.4 -- PATCH19970104 serious security bug in wu-ftpd v2.4wuftpd-abor-gain-privileges(7169)websendmail in Webgais 1.0 allows a remote user to access arbitrary files and execute arbitrary code via the receiver parameter ($VAR_receiver variable).2077237JavaScript in Internet Explorer 3.x and 4.x, and Netscape 2.x, 3.x and 4.x, allows remote attackers to monitor a user's web activities, aka the Bell Labs vulnerability.HPSBUX9707-065The Webgais program allows a remote user to execute arbitrary commands.Windows NT 4.0 before SP3 allows remote attackers to bypass firewall restrictions or cause a denial of service (crash) by sending improperly fragmented IP packets without the first fragment, which the TCP/IP stack incorrectly reassembles into a valid session.nt-frag(528)19970710 A New Fragmentation AttackIRIX fam service allows an attacker to obtain a list of all files on the server.irix-fam(325)353164The campas CGI program provided with some NCSA web servers allows an attacker to execute arbitrary commands via encoded carriage return characters in the query string, as demonstrated by reading the password file.http-cgi-campas(298)1975root privileges via buffer overflow in df command on SGI IRIX systems.VU#20851CA-1997-21df-bo(440)346root privileges via buffer overflow in pset command on SGI IRIX systems.root privileges via buffer overflow in eject command on SGI IRIX systems.root privileges via buffer overflow in login/scheme command on SGI IRIX systems.root privileges via buffer overflow in ordist command on SGI IRIX systems.root privileges via buffer overflow in xlock command on SGI IRIX systems.Buffer overflow in run-time linkers (1) ld.so or (2) ld-linux.so for Linux systems allows local users to gain privileges by calling a setuid program with a long program name (argv[0]) and forcing ld.so/ld-linux.so to report an error.19970722 ld.so vulnerability19970717 KSR[T] Advisory #2: ld.so19980204 An old ld-linux.so holeBuffer overflow in AIX lchangelv gives root access.Buffer overflow in nnrpd program in INN up to version 1.6 allows remote users to execute arbitrary commands.144319970721 INN news server vulnerabilitiesBuffer overflow in ping in AIX 4.2 and earlier allows local users to gain root privileges via a long command line argument.ping-bo(803)19970721 AIX ping, lchangelv, xlock fixes19970721 AIX ping (Exploit)Buffer overflow in Exim allows local users to gain root privileges via a long :include: option in a .forward file.19970722 Security hole in exim 1.62: local root exploitOracle Webserver 2.1, when serving PL/SQL stored procedures, allows remote attackers to cause a denial of service via a long HTTP GET request.19970723 DoS against Oracle Webserver 2.1 with PL/SQL stored proceduresThe PATH in Windows NT includes the current working directory (.), which could allow local users to gain privileges by placing Trojan horse programs with the same name as commonly used system programs into certain directories.nt-path(526)19970725 Re: NT security - why bother?19970723 NT security - why bother?Buffer overflow in nss_nisplus.so.1 library in NIS+ in Solaris 2.3 and 2.4 allows local users to gain root privileges.21900148sun-nisplus-bo(7535)Certain programs in HP-UX 10.20 do not properly handle large user IDs (UID) or group IDs (GID) over 60000, which could allow local users to gain privileges.H-91hp-large-uid-gid(7594)H-09ICMP information such as (1) netmask and (2) timestamp is allowed from arbitrary hosts.icmp-timestamp(322)icmp-netmask(306)95http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=1434http://descriptions.securescout.com/tc/11011http://descriptions.securescout.com/tc/11010php.cgi allows attackers to read any file on the system.An attacker can write to syslog files from any location, causing a denial of service by filling up the logs, and hiding activities.Buffer overflow in SunOS/Solaris ps command.00149Java in Netscape 4.5 does not properly restrict applets from connecting to other hosts besides the one from which the applet was loaded, which violates the Java security model and could allow remote attackers to conduct unauthorized activities.java-socket-open(1727)19990202 Unsecured server in applets under NetscapeInternet Explorer 3 records a history of all URL's that are visited by a user in DAT files located in the Temporary Internet Files and History folders, which are not cleared when the user selects the "Clear History" option, and are not visible when the user browses the folders because of tailored displays.19970806 Re: Strange behavior regarding directory19970805 Re: Strange behavior regarding directoryThe DG/UX finger daemon allows remote command execution through shell metacharacters.DNS cache poisoning via BIND, by predictable query IDs.Vulnerability in CGI program in the Lasso application by Blue World, as used on WebSTAR and other servers, allows remote attackers to read arbitrary files.http-cgi-lasso(2044)19970819 Lasso CGI security hole (fwd)spaceball program in SpaceWare 7.3 v1.0 in IRIX 6.2 allows local users to gain root privileges by setting the HOSTNAME environmental variable to contain the commands to be executed.47119970820 SpaceWare 7.3 v1.0Majordomo 1.94.3 and earlier allows remote attackers to execute arbitrary commands when the advertise or noadvertise directive is used in a configuration file, via shell metacharacters in the Reply-To header.majordomo-advertise(502)19970824 Vulnerability in Majordomorpc.mountd on Linux, Ultrix, and possibly other operating systems, allows remote attackers to determine the existence of a file on the server by attempting to mount that file, which generates different error messages depending on whether the file exists or not.mountd-file-exists(347)19970824 Serious security flaw in rpc.mountd on several operating systems.Apache httpd cookie buffer overflow for versions 1.1.1 and earlier.AIX bugfiler program allows local users to gain root access.1800The handler CGI program in IRIX allows arbitrary command execution.38019970501-02-PXThe uploader program in the WebSite web server allows a remote attacker to execute arbitrary programs.IIS newdsn.exe CGI script allows remote users to overwrite files.275Linux implementations of TFTP would allow access to files outside the restricted directory.Remote execution of arbitrary commands through Guestbook CGI program.Character-Terminal User Environment (CUE) in HP-UX 11.0 and earlier allows local users to overwrite arbitrary files and gain root privileges via a symlink attack on the IOERROR.mytty file.HPSBUX9801-07419980121 HP-UX CUE, CUD and LAND vulnerabilities19970901 HP UX Bug :)hp-cue(2007)I-027BHP-UX 9.x and 10.x running X windows may allow local attackers to gain privileges via (1) vuefile, (2) vuepad, (3) dtfile, or (4) dtpad, which do not authenticate users.hp-vue-dt(499)HPSBUX9709-069Lotus cc:Mail release 8 stores the postoffice password in plaintext in a hidden file which has insecure permissions, which allows local users to gain privileges.lotus-ccmail-passwords(1619)19970908 Password unsecurity in cc:Mail release 8Remote attackers can cause a denial of service in FTP by issuing multiple PASV commands, causing the server to run out of available ports.The asynchronous I/O facility in 4.4 BSD kernel does not check user credentials when setting the recipient of I/O notification, which allows local users to cause a denial of service by using certain ioctl and fcntl calls to cause the signal to be sent to an arbitrary process ID.openbsd-iosig(556)19970915 Vulnerability in I/O Signal Handling11062The ARP protocol allows any host to spoof ARP replies and poison the ARP cache to conduct IP address spoofing or a denial of service.Oracle Webserver 2.1 and earlier runs setuid root, but the configuration file is owned by the oracle account, which allows any local or remote attacker who obtains access to the oracle account to gain privileges or modify arbitrary files by modifying the configuration file.19970919 Instresting practises of Oracle [Oracle Webserver]The NeXT NetInfo _writers property allows local users to gain root privileges or conduct a denial of service.Race condition in xterm allows local users to modify arbitrary files via the logging option.Race condition in wu-ftpd and BSDI ftpd allows remote attackers gain root access via the SITE EXEC command.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1584, CVE-1999-1586. Reason: This candidate combined references from one issue with the description from another issue. Notes: Users should consult CVE-1999-1584 and CVE-1999-1586 to obtain the appropriate name. All references and descriptions in this candidate have been removed to prevent accidental usage.Buffer overflow in NCSA HTTP daemon v1.3 allows remote command execution.Samba has a buffer overflow which allows a remote attacker to obtain root access by specifying a long password.H-110In SunOS or Solaris, a remote user could connect from an FTP server's data port to an rlogin server on a host that trusts the FTP server, allowing remote command execution.00156Some classic Cisco IOS devices have a vulnerability in the PPP CHAP authentication to establish unauthorized PPP connections.1099Denial of service in Slmail v2.5 through the POP3 port.Buffer overflow in AIX rcp command allows local users to obtain root access.All records in a WINS database can be deleted through SNMP for a denial of service.Solaris sysdef command allows local users to read kernel memory, potentially leading to root privileges.00157nis_cachemgr for Solaris NIS+ allows attackers to add malicious NIS+ servers.00155Vulnerability in HP-UX mediainit program.HPSBUX9710-071Vulnerability in telnet service in HP-UX 10.30 allows attackers to cause a denial of service.hp-telnetdos(571)HPSBUX9710-070File creation and deletion, and remote execution, in the BSD line printer daemon (lpd).HP Laserjet printers with JetDirect cards, when configured with TCP/IP, can be configured without a password, which allows remote attackers to connect to the printer and change its IP address or disable logging.laserjet-unpassworded(1876)19971004 HP Laserjet 4M Plus DirectJet ProblemHP Laserjet printers with JetDirect cards, when configured with TCP/IP, allow remote attackers to bypass print filters by directly sending PostScript documents to TCP ports 9099 and 9100.laserjet-unpassworded(1876)19971004 HP Laserjet 4M Plus DirectJet Problemsort creates temporary files and follows symbolic links, which allows local users to modify arbitrary files that are writable by the user running sort, as observed in updatedb and other programs that use sort.19980303 updatedb stuff19971006 KSR[T] Advisory #3: updatedb / crontabs19980302 overwrite any file with updatedbIMAP 4.1 BETA, and possibly other versions, does not properly handle the SIGABRT (abort) signal, which allows local users to crash the server (imapd) via certain sequences of commands, which causes a core dump that may contain sensitive password information.imapd-core(349)19971008 L0pht Advisory: IMAP4rev1 imapd serverCGI PHP mlog script allows an attacker to read any file on the target server.7133397Buffer overflow in telnet daemon tgetent routing allows remote attackers to gain root access via the TERMCAP environmental variable.CGI PHP mylog script allows an attacker to read any file on the target server.7133396Buffer overflow in AIX xdat gives root access to local users.Buffer overflow in Rainbow Six Multiplayer allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long nickname (nick) command.rainbowsix-nick-bo(1772)19990211 Rainbow Six Buffer Overflow.....Buffer overflow in OSF Distributed Computing Environment (DCE) security demon (secd) in IRIX 6.4 and earlier allows attackers to cause a denial of service via a long principal, group, or organization.VB-97.12sgi-osf-dce-dos(1123)I-06019980601-01-PXBuffer overflow in AIX writesrv command allows local users to obtain root access.