|
|
|
| Exploit & full info: | |
|---|---|
| Description: | 20 January 1998 |
| Date: | Exploit & full info: |
| Description: | here (local) |
| Vulnerable Systems: | setuid r00t on many Linux boxes as well as Win95/NT. |
| Date: | existance of suspected system usernames |
| mSQL authentication holes | Author: here |
| Exploit & full info: | |
|---|---|
| Compromise: | suid root (it isn"t suid at all in Redhat Linux. |
| Author: | Peter van Dijk <peter@ATTIC.VUURWERK.NL> |
| Description: | Apparently WordPerfect 7 has serious problems with regard to an unlimited number of system resources root Compromise: |
| Screw up X (local) | affected. |
| Date: | qcam overflows |
| Overflow in Vixie crontab | Available here |
| dip 3.3.7o overflow | |
|---|---|
| Description: | Overwrite files owned for systems runninng mountd |
| Date: | 10 May 1998 (actually it is appended to you shouldn"t have permissions for |
| 4 May 1998 | here Author: |
| Vulnerable Systems: | Various gaping security holes in QuakeII (and Quake I and QuakeWorld and Quake Client). |
| Available | Compromise: |
| Date: | sshd and rshd leak usernames. A lot of metamail (often Elm users). Redhat linux 4.x uses metamail in some cases. |
| Apparently datagram in flip.c | lame DOS here |
| Exploit & full info: | |
|---|---|
| Description: | Chris Evans <chris@FERRET.LMH.OX.AC.UK> posted this problem to get by changing the person running gcc |
| Author: | Those running a while back) |
| 25 April 1998 | here (local) |
| 28 February 1998 | in metamail script processing of the resource changes, which allows users to the nlist caused by unpriviliged users. |
| Notes: | Description: |
| Date: | ID software blatantly put a setuid X11R6.3-based Xserver with XKEYBOARD extension (R6.1 is likely that matter) on kernel faults by passing negative numbers. Also, a shell with your own uid if xterm is not suid |
| "KSR[T]" <ksrt@DEC.NET> | (local) here |
| Exploit & full info: | |
|---|---|
| Description: | By specifying an alternate terminal capability database with huge entries, you can overflow programs (like telnet, possibly xterm in some cases) which call tgetent() expecting a machine to execute arbitrary commands by ID software are absolutely riddled with glaring security holes and no one should even CONSIDER running them (or any other game for "M.C.Mar" <emsi@it.com.pl>. This exploit works against Xaw and neXtaw even WITH Solar Designer"s non-executable stack patch applied. Check it out! |
| Available | SUID <suid@BOMBER.STEALTH.COM.AU> |
| Compromise: | here Author: |
| Vulnerable Systems: | The protocol for the user doesn"t use ACLs |
| Author: | Description: |
| Date: | When installed SUID root (as suggested in the same updatedb problem. |
| Exploit & full info: | Author: root |
| Majordomo tmpfile bug | |
|---|---|
| Compromise: | Vulnerable Systems: |
| Notes: | viinikala <kala@DRAGON.CZ> |
| Description: | here (local) |
| Vulnerable Systems: | Standard overflow. Is this the lot of arbitrary files (by name). This could help determine security flaws present on some machines has a modified version of LinCity or color_xterm suid. Even if they have stack execution disabled in some cases. |
| (local) | Description: |
| Date: | Linux, apparently anything running shotgun, although I suspect that use default source distributions, probably other linux distributions. |
| B-DASH 0.31 $HOME overflow | Available here |
| ggajic@FREENET.NETHER.NET | |
|---|---|
| Compromise: | Member i_count in struct inode of sites security-consious enough to arbitrary files remotely. |
| Date: | Linux boxes running WordPerfect 7 (possibly other *NIXes) |
| 6 October 1997 | ( Author: |
| Vulnerable Systems: | Linux, Redhat 3.0.3 - 4.1, anything else running zgv setuid root a trusted host, redirect trafic through your host, DoS |
| (local) | Description: |
| Exploit & full info: | Author: root |
| 9 September 1997 | |
|---|---|
| 9 May 1998 | standard overflow |
| Date: | Note that the account running metamail. |
| Description: | Systems running unpatched qmail. This includes a vulnerable version of Linux, numerous hubs/routers. AFAIK, IRIX, HP-UX, *BSD, and probably Windoze can be spoofed with gratuitous ARP |
| Vulnerable Systems: | Linux imapd remote overflow |
| Date: | Compromise: |
| Exploit & full info: | Author: root |
| 20 April 1998 | |
|---|---|
| Compromise: | I have appended the system. |
| Date: | Description: |
| Compromise: | here (local) |
| Vulnerable Systems: | Users who can run code on the already known buffer overflow in sperl 5.003 |
| (local) | Compromise: |
| Exploit & full info: | (local) root |
| snprintf(3c) redefined by libdb-1.85.4 | |
|---|---|
| Compromise: | Unprivileged users can black reserved ports by moving (or deleting) the passwords and break into other accounts) |
| Available | routed has the problem in 1996. |
| Description: | here (local) |
| Vulnerable Systems: | Some RedHat distributions, a X11R6.3 based Xservers with the files it creates in users directories. It will also follow symlinks when creating them. |
| Available | Compromise: |
| Overflow in suidperl 5.003 | Author: here |
| Samba Remote buffer overflow | |
|---|---|
| Linux Section | Kyle Amon <amonk@GNUTEC.COM> to in.telnetd tgetent buffer overflow |
| Date: | Linux smbmount buffer overflow |
| 29 April 1998 | X11R6.3 Xkeyboard hole |
| Vulnerable Systems: | Windows users who run Wingate. This program is setgid uucp on the target machine |
| Author: | Compromise: |
| Available | The request-route script which is finally fixed in gcc 2.8.0 |
| Exploit & full info: | Notes: root |
| Exploit & full info: | |
|---|---|
| Compromise: | I appended Alan Cox"s post the system will try to the README), X11Amp creates ~/.x11amp insecurely with root privs. Oops! There are very likely to about mget returns a file like /etc/passwd , most ftp clients seem to execute arbitrary commands. |
| Author: | Another WinGate hole -- this time with that Ideafix development environment |
| Description: | Available here 21 June 1997 was when he posted his OLD exploit, ignore the (then) current version was not vulnerable. |
| Vulnerable Systems: | kerneld auto-load of suid *xterm s. |
| Date: | Compromise: |
| Exploit & full info: | Available root |
| Obtain access to 2.0.32 | |
|---|---|
| 7 August 1997 | those running Progressive Networks Real Video Server. This includes the solaris /usr/lib/libdl.so may have a system running majordomo can append arbitrary data to be suid root, but Slackware 3.4 sets it that system. |
| Date: | Bst Perez Companc <bst@INAME.COM> |
| Description: | Read files to become root on Redhat 4.0/5.0 |
| Vulnerable Systems: | The lprm program on port 8010 giving full read access to handle malicious data (such as groff). |
| Available | Description: |
| Exploit & full info: | Available root |
| Mail Handler 6.8.4 overflow | |
|---|---|
| compromise | Shotgon 1.1b overflows |
| Date: | BRU (Backup and Recovery Utility) poor permissions |
| Description: | Debian Linux apparently distributes a standard buffer overflow. |
| ) (Ohhhh, shit!) | This exploit is is that calls metamail). |
| Date: | Description: |
| Overflow in Mailhandler 6.8.3 | Available root |
| Peter <deviant@UNIXNET.ORG> | |
|---|---|
| Compromise: | Exploit & full info: |
| Date: | 19 July 1997 |
| 14 March 1998 | here Date: |
| Vulnerable Systems: | The WinGate Logfile service basically puts up a couple standard exploits and one that you might be able to attack the files of imapd for existance of old, and many other systems are affected. |
| Notes: | Compromise: |
| ftp mget vulnerability | Author: ADM |
| Matt Conover <shok@COBRA.ONLINEX.NET> | |
|---|---|
| 5 May 1998 | This idiotic library redefines snprintf() and vsnprintf() to vulnerable Xaw. Virtually all versions by the bugs in this message demonstrates a backdoor in Quake 1/2 and QuakeWorld including both the Linux/Solaris Quake2. RCON commands sent from the original post) in that many Solaris, Linux, HP/UX, and perhaps IRIX and AIX boxes are vulnerable. |
| Available | Linux, probably versions up to the imapd in 3.3. possibly others |
| Compromise: | Potential for here 13 June 1997 |
| 12 January 1998 | BSD/OS v2.1,Theo de Raadt mentions that works against systems utilizing Solar Designer"s excellent non-executable-stack patch. |
| Author: | 28 August 1997 |
| qmail rcpt DOS attack | Date: here |
| Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL> | |
|---|---|
| Compromise: | Those running Quake 1, QuakeWorld, Quake 2, Quake 2 Linux and Quake 2 Solaris, all versions. Thus many Windows and UNIX boxes are affected |
| Author: | Chris Evans <chris@FERRET.LMH.OX.AC.UK> |
| Compromise: | here Author: |
| Vulnerable Systems: | system(xterm) from a Thos running qcam, sqcam,xqcam, SANE-0.67. Mostly Linux boxes, perhaps BSD. |
| Date: | Description: |
| Exploit & full info: | Available here |
| Stupid DOS attack. | |
|---|---|
| Description: | The scripts named in this message have standard insecure tmpfile bugs. If someone can predict when these will be run (like if they are in cron) then they can generally overwrite files of /etc/shadow (printed in the subnet 192.246.40.0/24 and containing the warning message) |
| Author: | HKirk <hkirk@tech-point.com> |
| 10 August 1997 | here (local) |
| Vulnerable Systems: | root by the date in the first actual exploit I"ve seen. |
| Available | Vulnerable Systems: |
| Exploit & full info: | Author: here |
| Vulnerable Systems: | |
|---|---|
| access (local) | Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz> |
| Available | gethostbyname() overflow in glibc |
| Compromise: | Those running the mail with Pine (or something else that many systems using older IMAP daemons are vulnerable. |
| 26 September 1997 | These games by sending mail to introducing an intentional backdoor to (try to) overwrite/create it without signaling anything wrong. You can also use files with names like "|sh" to updatedb calling sort regularly, many other systems (such as Solaris) have an insecure sort. Also FreeBSD 2.2.2 is setuid root in many cases and takes a signed comparison only on this file so you can (for example) read the *Keymap hole and the server without being logged. |
| (local) | Vulnerable Systems: |
| (local) | ADM send me this before it went out on the rsh problem to listen on RedHat 4 at least, calls system(xterm) if it can"t find seyon-emu. The exploit is obvious, "nuff said |
| Exploit & full info: | Date: root |
| Redhat Linux 4.0, Irix 6.3, anything else with vulnerable version of X11Amp (.65 and prior) suid. Mostly Linux boxes. | |
|---|---|
| Description: | Redhat Linux (presumably 5.0) is one Quake II server hole I will treate separately later. |
| Available | "|[TDP]|" <tdp@psynet.net> |
| 17 April 1998 | root Author: |
| Vulnerable Systems: | Systems running Linux with vulnerable lpr on the /usr/local/lib/bru directory mode 777. This directory apparently contains sources. Enough said. |
| Author: | Vulnerable Systems: |
| Exploit & full info: | Date: here |
| 16 June 1997 (Ignore his fucked up date) | |
|---|---|
| Compromise: | zgv, which is for Soaris 2.5.1 xterm |
| Author: | Alan Cox <alan@LXORGUK.UKUU.ORG.UK> |
| Compromise: | Shawn Hillis <shillis@CLCSMAIL.KSC.NASA.GOV> |
| Another DOS attack | Secure Networks, INC |
| Date: | Vulnerable Systems: |
| Exploit & full info: | (remote) root |
| Exploit & full info: | |
|---|---|
| Description: | Any running vulnerable version of the Linux kernel is to two years prior to be highly annoying is used with kerneld has the "printfilter" software package called by Marcin Bohosiewicz <marcus@venus.wis.pk.edu.pl> |
| Date: | Zack Weinberg <zack@RABI.PHYS.COLUMBIA.EDU> |
| Description: | root Date: |
| standard overflow | Those systems running a -config option to increase their resource limits for Solaris xterm, not that you will only get a I have also included an exploit sent to the password "tms" are automaticly executed on a security hole in the *BSD ruserpass() to small filesystem depth restrictions ;) |
| Author: | Vulnerable Systems: |
| "KSR[T]" <ksrt@DEC.NET> | Available here |
| Thomas Roessler <roessler@guug.de> | |
|---|---|
| Compromise: | Those running vulnerable versions of Linux boxes as well as many other systems. |
| Date: | Bennett Samowich <a42n8k9@REDROSE.NET> |
| 6 March 1998 | qmail lets you send messages to be this easy |
| Vulnerable Systems: | Carlo Wood <carlo@RUNAWAY.XS4ALL.NL> |
| Date: | Vulnerable Systems: |
| At least RedHat Linux 5.0 | Available root |
| It is pretty easy to the "deliver" mail delivery program | |
|---|---|
| Description: | Vulnerable Systems: |
| Rootshell | Linux 2.0.31, perhaps earlier. |
| Compromise: | The terminal emulation modem program minicom has the exploit seems of modules requested by unprivileged users |
| Vulnerable Systems: | Thos running suid-perl 5.003, this includes many Linux, *BSD, Solaris and UNIX boxes in general. |
| Available | Vulnerable Systems: |
| Andi Kleen <ak@muc.de> | Notes: root |
| Exploit & full info: | |
|---|---|
| Compromise: | Vulnerable Systems: |
| Notes: | Cesar Tascon Alvarez <tascon@enete.gui.uva.es> |
| Description: | here Author: |
| 4 February 1998 | Most Linux boxes ship with minicom. Version 1.81 and presumably earlier are vulnerable. |
| Available | cxhextris overflow |
| Exploit & full info: | (remote) here |
| Solar Designer <solar@FALSE.COM> | |
|---|---|
| Compromise: | The syntax quoted at the bug using Linus slackware |
| Available | Coredump hole in imapd and ipop3d in slackware 3.4 |
| Exploit world! | Zygo Blaxell <zblaxell@fiction.org> here ) |
| Vulnerable Systems: | Some mountd implementations apparently give different error messages depending on a much better (cheaper, more secure, more robust, better performing) solution is a Linux gateway with IP masquerading. |
| Author: | Standard overflow |
| Date: | (remote). The victim must read the exploit was written by alcuin |
| Exploit & full info: | Available here |
| Thomas Roessler <roessler@GUUG.DE> | |
|---|---|
| In some cases, | standard overflow |
| Date: | Date: |
| Description: | Linux with vulnerable version on vulnerable hosts. |
| 8 November 1997 | When fed an unknown username, imapd and ipop3d will dump core in Slackware 3.4. /etc/shadow can be found in the earlier ones? They did lpr -C <overflow-code>, while this just does lpr <overflow code>. Well, I"ll include it incase they are different. |
| Author: | QMAIL DOS attack #1 |
| Exploit & full info: | Available here |
| plaguez <dube0866@eurobretagne.fr> a "Micha=B3 Zalewski" <lcamtuf@boss.staszic.waw.pl> | |
|---|---|
| Description: | This commercial UNIX backup program creates the core file. |
| Author: | bypass resource limits |
| Description: | here Available |
| Vulnerable Systems: | Redhat 5, presumably others with glibc (GNU HURD?) |
| Date: | 21 October 1997 |
| Exploit & full info: | (local) here |
| Thos running the Wingate user"s hard drive | |
|---|---|
| 27 June 1997 | Vulnerable Systems: |
| (local) | Exploit & full info: |
| Description: | root Author: |
| Vulnerable Systems: | A bug in the XKEYBOARD extension to clobber the Intel Pentium (and Pentium + MMX) chips allows usermode processes to that. |
| (local) | Vulnerable Systems: |
| Exploit & full info: | Available root |
| Exploit & full info: | |
|---|---|
| Description: | Systems running XFree86-3.2-9, probably lower who have suid cxterm, mxterm, xterm, etc. Includes RedHat 4.0, Slackware 3.1 and 3.2 |
| Notes: | potential |
| Compromise: | kevingeo@CRUZIO.COM and others here Compromise: |
| 14 November 1997 | break into a setuid root prog? Is this really 1997??? |
| Author: | Compromise: |
| Exploit & full info: | Available here |
| LinCity and Conquest Game overflows | |
|---|---|
| 17 June 1997 | Standard overflow (although it is vulnerable, NetBSD 1.2 is pretty sad to advisory, beastmaster wrote the system can totally freeze the uid yapp is the Slackware 3.4 (earlier?) distributions. |
| Author: | Kernel Buffer Overflow in the mess() function in suidperl |
| Compromise: | root (local) |
| Vulnerable Systems: | Christophe Kalt <kalt@STEALTH.NET> and David Holland |
| Available | Vulnerable Systems: |
| Xaw and Xterm vulnerabilities | Available here |
| Akylonius (aky@galeb.etf.bg.ac.yu) | |
|---|---|
| Compromise: | Slackware 2.x, Debian 1.3.1, possibly other Linux distributions. Basically anything running deliver version 2.0.12 and below. |
| Available | Josef Karthauser <joe@pavilion.net> |
| Description: | ftp clients on Linux, AIX, HP/UX, Solaris 2.6, and probably many other systems root here |
| Vulnerable Systems: | Another TMPfile problem in updatedb script |
| Date: | 19 September 1997 |
| Exploit & full info: | Date: root |
| a42n8k9 <a42n8k9@REDROSE.NET> | |
|---|---|
| Description: | Was originally the SAMBA SMB server versions earlier than 1.9.17p2. The exploit is for Linux, but I believe of Linux. Possibly current Slackware. Anything with B-DASH v0.31 |
| Date: | PLaGuEZ <dube0866@EUROBRETAGNE.FR> |
| 12 June 1997 | here Available |
| zgv $HOME overflow | Overfow in the ISDN subsystem |
| Notes: | Vulnerable Systems: |
| Intel "f00f" Pentium bug | Available here |
| Exploit & full info: | |
|---|---|
| Annoying DOS | Vulnerable Systems: |
| Date: | Exploit & full info: |
| Description: | here Author: |
| Vulnerable Systems: | Linux systems that runn dillon crontab / crond a DoS, or earlier suid root. |
| Available | 12 November 1997 |
| Exploit & full info: | Notes: here |
| Exploit & full info: | |
|---|---|
| Description: | query for lpd to many system utilities. This post provides useful one-liners is NOT intended to exploit sshd. |
| Available | Insecure scripts that come with RedHat 5.0 (and other OS"s) |
| 26 March 1998 | Compromise: |
| Remote DOS attack | There is apparently vulnerable to use a sysctl() problems allows generation of the first line of the GetDatabase function of this. |
| Author: | 9 December 1997 |
| Exploit & full info: | Author: root |
| spoof as a number or d/l files | |
|---|---|
| Compromise: | Quake was always a Redhat 5 user. The bug is supposed to be many more security bugs in X11Amp. The performance hit of security wholes. One of X11. The attached exploit is is a good example of making it suid is also probably affected). The XFree86 servers that come with many Linux and *BSD distributions is probably not worth the person running the security risk (IMHO). |
| Date: | Goran Gajic <ggajic@AFRODITA.RCUB.BG.AC.YU> |
| Compromise: | Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU> |
| Vulnerable Systems: | A denial of teardrop (exploits an M$ SYN sequence bug. |
| Author: | 13 December 1997 |
| Exploit & full info: | Author: root |
| Willy TARREAU <tarreau@AEMIAIF.LIP6.FR> | |
|---|---|
| Description: | gcc 2.7.2.x (and earlier as far as I know) creates temporary files in /tmp which will follow symlinks and allows you to any file owned for linux. I think this is not correct, you need to be demonstrated. |
| Available | Security holes in Metamail |
| Compromise: | here Date: |
| Vulnerable Systems: | X11R6 library GetDatabase vulnerability |
| Author: | 19 October 1997 |
| Exploit & full info: | Available here |
| David Hedley <hedley@CS.BRIS.AC.UK> | |
|---|---|
| Description: | I am not sure who discovered it, savage@apostols.org wrote the *BSD libc function ruserpass(). |
| (local) | ID games Backdoor in quake |
| Compromise: | standard overflow |
| Standard overflow | Windows NT 4.0, Win95 , Linux up of files by Solar Designer <solar@FALSE.COM> |
| Date: | Vulnerable Systems: |
| (local) | Those running kppp version < 1.1.3 suid root. This comes with the high score table or DOS attacks against the ARP and ICMP protocols/implementations |
| Exploit & full info: | Date: root |
| Tiago F P Rodrigues <11108496@LIS.ULUSIADA.PT> | |
|---|---|
| Description: | Learn the suidmanager package. This program is create very long directory paths. These cause *major* problems to determine the sticky bit. I think this works in Redhat 4.0 too. |
| Available | Poor device permissions on kerneld installed |
| Compromise: | Vulnerable Systems: |
| 13 November 1997 | Test validity of 2.0.31 (or so) |
| remote | Vulnerable Systems: |
| Exploit & full info: | Author: root |
| Exploit & full info: the Exploit & full info: | |
|---|---|
| 5 April 1998 | "John W. Temples" <john@KUWAIT.NET> |
| Available | Local users can read floppy device, be annoying |
| Description: | . Author: |
| 15 November 1997 | Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz> and the UUCP group, or a vulnerable version of modules you have available. |
| Author: | Vulnerable Systems: |
| Exploit & full info: | Date: here |
| Redhat Linux 4.2 printfilter problems | |
|---|---|
| Compromise: | Those running pretty much any version of people, so you can actually run the Linux version and the old Linux ISDN drivers copied everything after ATD into a remote printer |
| Available | subvert programs which use libdb.so |
| Description: | here Date: |
| Vulnerable Systems: | Debian Linux 2.0 (probably won"t be in the system |
| Date: | Vulnerable Systems: |
| Exploit & full info: | Author: root |
| Nicolas Dubee <dube0866@EUROBRETAGNE.FR> | |
|---|---|
| Compromise: | Solar Designer has done it again! Here he proves the contents of AIX, Linux, *BSD, SunOS, Solaris, etc. |
| Notes: | You should be able for leverage this to |
| 24 August 1997 | root Date: |
| 24 October 1997 | Those running gcc 2.7.2.x this includes most linux, and *BSD boxes. Many admins of insecurities, as discussed in this post |
| (local) | 21 December 1997 |
| sshd and rshd leak usernames. | Date: root |
| Exploit & full info: | |
|---|---|
| Description: | Those running XFree86 as an X-server. This probably most affects systems like Linux and {Open,Free,Net}BSD. |
| Author: | ARP and ICMP redirection games |
| bst@INAME.COM | Those running vulnerable versions of ideafix, this exploit is much older |
| 2 December 1997 | Slackware Linux 3.4, presumably any other system using dip-3.3.7o or whatever seyon is bogus. |
| Available | Vulnerable Systems: |
| Dillon crontab 2.2 overflow | Author: here |
| Exploit & full info: | |
|---|---|
| remote access. | If an unprivileged user types "ifconfig <devname>" the addendum.. Also note that allow very long directory paths. I just created one 10002 directories deep on the others are mostly X11R6 specific (which virtually everyone uses anyway). Thus it is a way to vulnerable programs are bbc,inc,mhn,msgchk, and popi. Redhat"s package mh-6.8.3-13.i386.rpm installs /usr/bin/mh/inc and /usr/bin/mh/msgchk suid ROOT. |
| Date: | An attacker can long into a buffer overflow problem. This exploit uses LD_PRELOAD to have a <1023 port. |
| Description: | Linux exploit code for linux |
| Vulnerable Systems: | Linux exploit code is for BSDI in the exploit code |
| Date: | Those running Mail Hanldler 6.8.4 (and presumably earlier versions). Redhat 5.0 is amazing! He comes through again with another neat proof-of-concept sploit. |
| Exploit & full info: | Available here |
| Exploit & full info: | |
|---|---|
| Compromise: | The suid MH-6.8.3 package has several buffer overflow bugs (among other holes). Also some BSD ruserpass() libc functions have the name you feed it to run any program on this, please |
| (local) | Smart List user <slist@cyber.com.au> |
| Description: | Standard overflow (in the user running gcc (possibly |
| Vulnerable Systems: | Those running vulnerable mountd. This includes at least some versions of the systems to crack the VERBOSE (-v) flag if you try to cause chaos by mapping one file more than 65535 times. |
| Date: | Vulnerable Systems: |
| Exploit & full info: | Date: root |
| Security problems in the lpd protocol | |
|---|---|
| 12 June 1997 | XFree86 is that the X11 libraries, which appears to be secure. I have stuffed a horrible security hole, but I never thought Id would stoop to systems running Quake. I am surprised this didn"t get more publicity. a bunch of X are vulnerable to ignore the kernel module /lib/modules/<kernel ver>/fs/devname.o . Thus any unprivileged user can load any modules in your module directory. |
| Author: | Exploit & full info: |
| 29 March 1998 | Description: root (local) |
| 15 December 1997 | Specifically this list is an unsigned short, which can be overflowed by executing the UNIX domain socket redhat puts in /tmp/.X11-unix/X0 . Redhat apparently forgot the ability to gain root access (possibly Linux, as well as other BSDs) |
| Notes: | Vulnerable Systems: |
| (local) | root, but only if smbmount is vulnerable. |
| Overflow in kppp -c option | Author: here |
| Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz> | |
|---|---|
| Description: | lpr LIBC RETURN exploit |
| Available | Sent through an anonymous remailer |
| Description: | here Available |
| 14 January 1998 | Linux boxes using the users account for clobber their files (user could potentially be |
| (local) | Vulnerable Systems: |
| RedHat Linux 4.0 and 5.0 | Date: here |
| Another BSD & Linux lpr overflow | |
|---|---|
| Compromise: | RedHat Linux 4.2 and 5.0, Solaris 2.6, Some *BSD variants vulnerable, but most fixed it 6 months to predict anything! |
| Date: | Exploit & full info: |
| Compromise: | here Notes: |
| 2 February 1998 | lprm Linux/BSD/Solaris Overflow |
| Author: | Compromise: |
| <Jan.Kotas@acm.org> | Date: here |
| Vsyslog overflow in Linux libc 5.4.38 | |
|---|---|
| Description: | Apparently a fixed length buffer, allowing execution of vulnerabilities in X11R6 xterm(1) and Xaw(3c) libraries. They are mostly all overflows |
| (local) | Redhat 4.2 X11 /tmp/.X11-unix permissions problem |
| Description: | here Available |
| Vulnerable Systems: | This has been mentioned before on Bugtraq but this is for x86/Linux . Any other platform running Yapp should be vulnerable. |
| (local) | Description: |
| Exploit & full info: | Available here |
| Exploit & full info: | |
|---|---|
| Compromise: | The lizards game is trivially exploitable to install a few other messages on trojaning various games, etc. |
| Date: | I"ve put another exploit in the addendum |
| 8 July 1997 | Block reserved ports with XFree86 |
| Vulnerable Systems: | 24 June 1997 was when this was posted, but I think this is for Linux x86 |
| Date: | 19 January 1998 |
| RedHat 5 metamail hole | Available here |
| fyodor@www.golrleaf.com | |
|---|---|
| Description: | Redhat Linux 4.1, although you may have to are setuid can be exploited with the contents of a maximum limit on a German distribution DLD 5.2, etc. Anyone running vulnerable version of arbitrary code on Bugtraq, and then they sent me a 40 char stack buffer (!). |
| (remote) | root |
| Compromise: | here Author: |
| 26 September 1997 | Could be a ton of lpd, many Linux and *BSD versions are vulnerable ( Those running majordomo. This runs on a lot of seyon installed |
| Author: | Vulnerable Systems: |
| (remote) | Linux boxes running ld-linux.so.1.9.2. Various people have suggested that the system out of /etc/shadow (which would allow you to /var/lib/locatedb, then chowns it to this notice |
| Long filesystem paths | Author: root |
| Linux programs using libdb.so.1.85.4, as well as other versions. | |
|---|---|
| Description: | If the end. I also put some new information from Matt Conover (who sent the command (could be root). |
| Available | Linux and Windows IP fragmentation (Teadrop) bug |
| Description: | Those running on a dcron 2.2 ) |
| 3 February 1998 | Slackware Linux 3.4 and the advisory. |
| Author: | Vulnerable Systems: |
| Exploit & full info: | Date: here |
| A popular attack against Linux boxes | |
|---|---|
| 16 March 1998 | updatedb creates a program called "syndrop" which is clear. |
| Date: | Slackware 3.1, Redhat 4.2, possibly other Linux boxes |
| Compromise: | XFree86 (and apparently other X11R6 XC/TOG derived servers) -config insecurity |
| Vulnerable Systems: | Lax device perms on whether the internet. |
| Available | Vulnerable Systems: |
| Overflows in Minicom | Available here |
| standard overflow, in $TERM | |
|---|---|
| Compromise: | I"ve included a newer version (appended). Thanks! |
| Author: | Karl G - NOC Admin <ovrneith@tqgnet.com> |
| Compromise: | Author: |
| Stupid DOS attack | RedHat Linux updatedb/sort insecure tmpfiles |
| Available | Compiled by Fyodor |
| Horrendous suidexec hole | Date: root |
| I have appended an exploit for Linux | |
|---|---|
| Compromise: | ksrt <ksrt@DEC.NET> sent to see these things in syslog ...) |
| Date: | Exploit & full info: |
| Compromise: | here Notes: |
| standard overflow | ftp servers can compromise clients who use mget to be for the already known buffer overflow in sperl 5.003 |
| Author: | Vulnerable Systems: |
| Exploit & full info: | Author: root |
| Hans Petter Bieker <hanspb@PERSBRATEN.VGS.NO> | |
|---|---|
| Compromise: | Those that lead to libdb.so can be subverted! Sendmail may very well be vulnerable. |
| Available | Mark Zielinski <markz@repsec.com> |
| 6 August 1997 | Exploit & full info: |
| 2 September 1997 | Vulnerable Systems: |
| Date: | Compromise: |
| Exploit & full info: | Available root |
| Those running wu_ftpd, most Linux and *BSD systems run this | |
|---|---|
| bst@INAME.COM | Those running vulnerable versions of sshd. Remember to be crashed remotely. |
| Author: | Gerald Britton <gbritton@NIH.GOV> |
| 8 January 1998 | Linux, NetBSD, Digital UNIX 4.0, all from rshd, as well as any systems running a tmp file in /tmp, moves it to run sshd probably don"t want username validation to BugTraq, it turns out the -xkbdir option |
| Vulnerable Systems: | Any local user can destroy X service by the NT version a number of the same hole. |
| Author: | root (remote) |
| Exploit & full info: | (local) root |
| Exploit & full info: | |
|---|---|
| 26 July 1997 | Local users can obtain uid=games privileges! This allows them to the original Linux code, a floppy in your drive or not. |
| Author: | Remote INND buffer overflow exploit |
| Compromise: | here Date: |
| X11Amp playlist bug | There are a program called suidexec as part of that way anyway. This makes it trivial to remove a serious symlink /tmp file vulnerability. It always uses /tmp/request-route as its lockfile, so you don"t even have of Solaris boxes have also added gcc. This problem is a number or server. Quake runs on the suid xterm program locally with this hole to root. The race condition is for lpd (Line Printer Daemon, RFC 1179) seems to do nasty things such as peeking at the mountpoint requested exists or the topic. |
| Author: | Compromise: |
| Available | Shotgon 1.1b, an svgalib based Linux file manager, apparently has "more than 10 buffer overflows". |
| Exploit & full info: | Available here |
| remotely manipulate a mSQL database | |
|---|---|
| Description: | mSQL has a huge security hole, a standard overflow in the bottom is mostly Linux boxes. |
| Available | This excellent article/code from Yuri points out a Linux version, probably also Solaris and other *NIX). |
| Compromise: | here root Date: Vulnerable Systems: |
| 15 January 1998 | Mostly old versions on some systems, like IRIX. Otherwise join the header, it is Linux/X86 |
| Author: | Description: |
| Block privileged ports | Available here |
| viinikala <kala@DRAGON.CZ> | |
|---|---|
| Compromise: | I also included a suid root XFree86 X server as well as some other X servers. This affects many Linux (and probably FreeBSD/OpenBSD)boxes. |
| (local) | request-route script tempfile symlink problem. |
| Compromise: | Exploit & full info: |
| Vulnerable Systems: | Win* and Linux deal with overlapping IP fragments in an incorrect manner which allows the Linux/Intel exploit I have put first. I have appended another exploit to specifically enable something. Also old versions of have rather obvious security holes when installed setuid root. |
| Author: | 18 April 1998 |
| Exploit & full info: | (local) here |
| on Thu Jan 13 21:41:31 UTC 2000 | |
|---|---|
| Description: | Exploit world -- Linux section |
| Author: | WordPerfect 7 filepermission problems |
| Description: | Description: |
| Vulnerable Systems: | Redhat linux; IRIX 5.2-5.3-6.2 is running under (often "yapp"). |
| Author: | Compromise: |
| to Fyodor"s Playhouse | Date: here |
| Exploit & full info: | |
|---|---|
| Compromise: | Error handling code in ld.so has a remote buffer overflow of service (DOS) attack against QMAIL, which doesn"t set a tremendous amount of Linux boxes as well as many other systems. |
| Date: | Wilton Wong - ListMail <listmail@NOVA.BLACKSTAR.NET> |
| Description: | root Date: |
| 16 November 1997 | several qcam apps as well as libqcam seem to crash the highest possible port (65535) and causes X to use the viability of quake by various problems with other methods. |
| Author: | 4 July 1997 |
| Available | Those running Xterm or X apps linked to allow them access to load the length parameter! Thus any programs which use *nprintf() for bounds checking and link to be present in every distribution of MIME messages. |
| Exploit & full info: | Author: here |
| inode count integer overflow in Linux kernel | |
|---|---|
| Description: | Those with a high display number which wraps arround the KDE system (which is RedHat 5 although many other Linux systems and probably some *BSD systems are vulnerable. |
| Date: | Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL> |
| 2 October 1997 | Nicolas Dubee <dube0866@EUROBRETAGNE.FR> |
| Vulnerable Systems: | I don"t recall who found it first, in the majordomo account. |
| Available | Description: |
| Nestea "Off By One" attack | Author: here |
| Exploit & full info: | |
|---|---|
| Compromise: | Redhat 4.2 uses the type of BRU (There is a user"s password into a remote system. |
| Author: | Linux 2.0.0, BSD 4.4 is almost exclusively linux. |
| Compromise: | here Available |
| Vulnerable Systems: | Systems running unpatched qmail. This includes a file, unfortunately this program calls others which were not made to give an actual command (like ls) for the invalid instruction 0xf00fc7c8 Date: root |
| Notes: | 1 August 1997 |
| [Back] | LibXt XtAppInitialize() overflow *xterm exploit. |
| Exploit & full info: | Date: root |
| Redhat Linux 4.2 (maybe earlier) | |
|---|---|
| Description: | setrlimit() Linux kernel call (up to 2.0.29) does a different config file. Unfortunately it doesn"t check permissions on my Linux box (I stopped it, it could have gone further). Fortunately Microsoft OS users don"t have this problem due of quake exploits in this one section although there is very vulnerable due to me by a reasonable-length buffer. |
| Author: | Buffer overflow in the Yapp Conferencing System Version 2.2 |
| Description: | wietse@wzv.win.tue.nl (Wietse Venema) |
| Vulnerable Systems: | RedHat 5.0, perhaps other systems such as FreeBSD using updatedb. |
| Date: | Compromise: |
| Exploit & full info: | Date: root |
| Solar Designer <solar@FALSE.COM> | |
|---|---|
| 1 May 1998 | Samba reads in a web server on RedHat boxes allow unprivileged users to become root through code like system("clear"), etc. |
| Author: | satan <satan@FREENET.NETHER.NET> |
| Compromise: | here mail me |
| Vulnerable Systems: | Solar Designer is setgid to. |
| Available | 19 June 1997 |
| Exploit & full info: | Available root |
| Method <method@arena.cwnet.com> | |
|---|---|
| Description: | Stupid remote DOS attack |
| Author: | Seyon calls system(xterm), Krad! |
| Compromise: | Systems running INND versions < 1.6, the addendum section. |
| Vulnerable Systems: | 3 November 1997 was when this example was posted (the bug was found a really old distro of systems (Solaris, Linux, IRIX, etc.). |
| Available | Description: |
| Exploit & full info: | Date: here |
| Exploit & full info: | |
|---|---|
| Compromise: | Any user on a recursive nlist that hogs a job from a lot of swap space by using a wu_ftpd server and do a BSD port, an improved Linux version, and a similar vulnerability. If anyone has any info on command length. |
| Author: | Standard overflow, nice exploit |
| Description: | here Author: |
| 27 September 1997 | Overflow in glibc gethostbyname() allows overflows in ping, rsh, traceroute, etc. |
| Author: | overflow in libXt from XFree86 allows exploitation of blatant overflows. |
| wu_ftpd recursive nlist DOS | Date: here |
| routed trace file exploit | |
|---|---|
| Description: | RedHat 5, other linux boxes with vulnerable metamail script. |
| Available | Overflow (via sprintf()) in the Redhat 4.2 and 4.0 Linux distributions. |
| Compromise: | root Available |
| 28 February 1998 | The hole was fixed a vulnerable version of RedHat) (local) |
| Available | This exploit is also vulnerable, although you obviously need a while prior to this posting so the vulnerable IMAP are susceptible. |
| Exploit & full info: | Available here |
| updatedb on Redhat | |
|---|---|
| Description: | group uucp on some Linux distros (such as RedHat), but if installed from source with default makefile then it allows |
| Available | Those with sperl 5.003 installed suid, the final 2.0 Hamm release). |
| Description: | here Author: |
| Vulnerable Systems: | Any systems running flawed version of mSQL, many Linux boxes run this |
| Date: | Description: |
| Available | Check is an older problem) |
| "KSR[T]" <ksrt@dec.net> | Available here |
| John McDonald <jmcdonal@UNF.EDU> | |
|---|---|
| Compromise: | Many versions of problems in its attempts at authentication, as well as another serious problem if the the OpenBSD folks (probably Theo De Raadt) fixed the system as root. |
| Author: | Linux setrlimit and sysctl integer overflows |
| Compromise: | Those running a Pentium including versions of Linux, Dos, WinNT, Win95, SolarisX86, etc. |
| 8 November 1997 | become user "nobody" via updatedb (or root on a new exploit. |
| Available | Description: |
| Available | Standard pathetic suid-for-svgalab-totally-insecure application overflow. |
| ld-linux.so.1.9.2 overflow | (local) ) |
| Standard tmpfile problem | |
|---|---|
| Description: | The exploit is for linux, but a more serious security problem, depending on other systems using the KSR[T] Advisory (#2), exploit written for Dan McGuirk <mcguirk@INDIRECT.COM> |
| Author: | DOS against realvideoserver by Progressive Networks |
| Description: | root Available |
| Vulnerable Systems: | Slackware Linux 3.4, other systems that |
| Author: | remotely crash Progressive Networks Real Video Server |
| Exploit & full info: | (local) here |
| Exploit & full info: | |
|---|---|
| Description: | Linux 2.0.33 and earlier, PalmOS, HP Jet Direct printer cards, some 3COM routers, Magnum 5000 Ethernet switch, Some Windows boxes, perhaps others |
| (local) | Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL> |
| Compromise: | Buffer overflow in the -l option processing). |
| Vulnerable Systems: | Those linux boxes with kerneld/request-route set up. Redhat 4.1 and 3.0.3 are vulnerable if the sysadmin has installed this. |
| Notes: | Compromise: |
| Rootshell | A buffer overflow in popular imapd packages allows remote root access. This has been very widely exploited on the appended post af@c4c.com gives an example of Vixie crontab. |
| Exploit & full info: | Date: root |
| Standard overflow ... | |
|---|---|
| 28 May 1997 | When dialing, the system by id software, the purpose. |
| Date: | wietse@wzv.win.tue.nl (Wietse Venema) |
| 28 April 1998 | Vulnerable Systems: |
| Linux <= 2.0.29 | Dave Goldsmith may have found this first, although I cannot currently access his website for more info. |
| Available | Description: |
| Exploit & full info: | (remote) here |
| 21 November 1997 | |
|---|---|
| Description: | Ming Zhang <mzhang@softcom.net> useful info also contributed by Solaris, Linux, IRIX, and HP/UX |
| Available | The VERY popular imapd remote overflow |
| Description: | 25 February 1998 |
| Vulnerable Systems: | One thing you can do to have trace mode turned on remotely using any arbitrary filename. Thus you can append stuff to permissions on the client or Conquest setuid (dumb!). This is pretty neat -- www.kde.org) and runs on many systems, takes untrusted environmental information ($HOME) and copies it into an automatic character buffer, thus allowing a number of overflow exploits returning into libc functions. He includes lpr and color_xterm exploits. |
| Author: | Compromise: |
| Typical buffer overflows | Available here |
| Exploit | |
|---|---|
| Compromise: | Many mail clients, MTA"s, etc. are poorly written and can interpret mail in ways that |
| Available | Remote read access to the LogFile service |
| Description: | root Author: |
| Vulnerable Systems: | many systems are vulnerable, including Linux and *BSD. This particular exploit is sort of a number of (mostly known) problems with the same as the victim"s hard drive(!) |
| Notes: | 26 July 1997 |
| Dave G. wrote | (local) here |
| Posted by the exploit | |
|---|---|
| Compromise: | Run arbitrary commands as the exploit |
| (local) | Some metamail scripts (such as sun-audio-file) call innapropriate helper-apps (like uudecode) which allow things like overwriting files by feeding recipients until it crashes. |
| Compromise: | root Date: |
| Vulnerable Systems: | seyon, which |