sshd2 could open root ports
sshd2 (the SSH daemon's newer, SSH-2-protocol cousin) in versions 2.0.11 and
older allows non-root users to request remote port forwarding that listens
on privileged ports (ports below 1024, reserved for services and normally
only bindable by root). That lets an ordinary shell user on the server
stand up a listener where a root-run service is expected. This is fixed in
more recent sshd2 releases.
linux random devices are too intense
In the (development) Linux 2.1 kernels, a large read from /dev/random
or /dev/urandom (the devices that hand out cryptographically strong random
numbers) could keep the kernel so busy generating output that the
system became unresponsive. Since both devices are readable by any local
user, this is an unprivileged local denial of service. A patch was posted
and this should be fixed by kernel 2.2.
netware bluescreen and more nmap deaths
Windows 95/98 machines running Novell IntranetWare Client v3.0.0.0
(the meaning of all those zeros at Novell is left to the reader) can be
bluescreened by the rapid "half-open then close" attack: a stream of TCP
SYNs, each answered and then immediately reset, which is exactly what an
nmap SYN scan does. The affected port is 427 (SLP, the Service Location
Protocol). Later, someone else reported that HylaFAX 4.0 (hfaxd) can be
dropped the same way.
icq gui problem
This isn't much of a security hole, but it's interesting because
it's different, so I'll report it. ICQ (a Windows chat program)
lets one user send files to another. If the filename
is too long, ICQ displays only the first part of it -- and if
it contains an embedded linefeed, ICQ shows only the part before
the linefeed. So it's possible to send someone a file named "robot.jpg<LF>.exe"
and have it appear to be downloading a JPEG. When the user double-clicks
on the "jpeg" (presumably to view it), they run a possibly harmful
program. This depends on the user not looking at the filename
when double-clicking on it (Windows itself displays the full name),
but it's easy to imagine this happening. Here the security hole
is entirely in the GUI: the name the OS acts on and the name the
user is shown are not the same thing.
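The GUI trick above, as an added example in C that is not ICQ's code or any code from the original report: naive_display() reproduces the behaviour the text describes (stop at the first linefeed, cut at a display width), safe_display() is the hardened renderer that makes every control byte visible, and is_executable_ext() checks the extension the OS will actually act on. The sample filename is constructed from the text; the function names and the list of runnable Windows extensions are this example's own choices.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Naive rendering, the behaviour the text attributes to ICQ: stop at
   the first linefeed and truncate at a fixed display width. */
size_t naive_display(const char *name, char *out, size_t outlen,
                     size_t width) {
    size_t n = 0;
    if (outlen == 0) return 0;
    while (n < width && n + 1 < outlen && name[n] != '\0' && name[n] != '\n') {
        out[n] = name[n];
        n++;
    }
    out[n] = '\0';
    return n;
}

/* Hardened rendering: any byte outside printable ASCII is shown as a
   visible \xNN escape, so an embedded linefeed cannot hide the tail. */
size_t safe_display(const char *name, char *out, size_t outlen) {
    size_t pos = 0;
    const unsigned char *p = (const unsigned char *)name;
    if (outlen == 0) return 0;
    for (; *p != '\0'; p++) {
        char piece[5];
        int len;
        if (*p >= 0x20 && *p < 0x7f) {
            piece[0] = (char)*p;
            piece[1] = '\0';
            len = 1;
        } else {
            len = snprintf(piece, sizeof piece, "\\x%02x", (unsigned)*p);
        }
        if (pos + (size_t)len + 1 > outlen) break;
        memcpy(out + pos, piece, (size_t)len);
        pos += (size_t)len;
    }
    out[pos] = '\0';
    return pos;
}

/* The extension the OS acts on: everything after the last '.', found
   on the raw name, control characters and all. */
const char *real_extension(const char *name) {
    const char *dot = strrchr(name, '.');
    return dot != NULL ? dot : "";
}

/* Case-insensitive string equality (avoids non-C99 strcasecmp). */
static int ieq(const char *a, const char *b) {
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Extensions Windows runs as programs; the check uses the real
   extension, never the rendered one. */
int is_executable_ext(const char *name) {
    static const char *const runnable[] = {
        ".exe", ".com", ".bat", ".cmd", ".pif", ".scr", NULL
    };
    const char *ext = real_extension(name);
    for (int i = 0; runnable[i] != NULL; i++)
        if (ieq(ext, runnable[i])) return 1;
    return 0;
}

int main(void) {
    const char *name = "robot.jpg\n.exe";   /* constructed sample from the text */
    char buf[64];
    naive_display(name, buf, sizeof buf, 32);
    printf("naive GUI shows: %s\n", buf);
    safe_display(name, buf, sizeof buf);
    printf("hardened shows:  %s  (real extension %s, executable=%d)\n",
           buf, real_extension(name), is_executable_ext(name));
    return 0;
}
```

The fix is not "strip the linefeed": a renderer that silently drops bytes still shows a name that differs from the one the OS sees. Escaping keeps the two in one-to-one correspondence, and the decision to warn is made on the raw name.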
datalynx suguard stupidity
Mudge ripped apart a setuid-root "security checker" program (called
DataLynx SuGuard) that does things like run the first 'ps' it finds
in PATH (so anyone who controls the caller's PATH gets their own binary
run as root), dump output to statically-named /tmp files (so a
pre-placed symlink lets a user have root overwrite any file), etc.
Pretty sad.
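The two SuGuard mistakes side by side, as an added example in C that is not DataLynx's code: vulnerable_snapshot() shows the PATH-search-plus-fixed-tmp-name pattern the text describes, and hardened_snapshot() runs the tool by absolute path with execve, a fixed environment and an mkstemp-created output file. The function names, the "/tmp/suguard.XXXXXX" template and the use of /bin/ps are this example's assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* The pattern the text describes, shown for contrast only: 'ps' is
   resolved through whatever PATH the caller supplied, a shell is
   involved, and output goes to a fixed, predictable name. Run setuid
   root, a planted 'ps' earlier in PATH or a pre-created
   /tmp/suguard.out symlink hands the caller root. Never do this. */
int vulnerable_snapshot(void) {
    return system("ps > /tmp/suguard.out");
}

/* Accept only an absolute path with no "." or ".." components. */
int trusted_path_ok(const char *path) {
    size_t n;
    if (path == NULL || path[0] != '/') return 0;
    if (strstr(path, "//") != NULL) return 0;
    if (strstr(path, "/../") != NULL || strstr(path, "/./") != NULL) return 0;
    n = strlen(path);
    if (n >= 3 && strcmp(path + n - 3, "/..") == 0) return 0;
    if (n >= 2 && strcmp(path + n - 2, "/.") == 0) return 0;
    return 1;
}

/* Hardened form: the tool is run by absolute path with execve (no shell,
   no PATH search) under a fixed minimal environment, and output goes to
   a file from mkstemp, which creates with O_CREAT|O_EXCL and mode 0600
   so an attacker-placed symlink is never followed. Returns the child's
   exit status (or -1) and stores the chosen filename in outpath. */
int hardened_snapshot(const char *tool, char *const argv[],
                      char *outpath, size_t outlen) {
    char tmpl[] = "/tmp/suguard.XXXXXX";   /* template is an assumption */
    int fd, status;
    pid_t pid;

    if (!trusted_path_ok(tool) || outlen < sizeof tmpl) return -1;
    fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    memcpy(outpath, tmpl, sizeof tmpl);

    pid = fork();
    if (pid < 0) { close(fd); unlink(tmpl); return -1; }
    if (pid == 0) {
        char *const envp[] = { "PATH=/bin:/usr/bin", NULL };
        if (dup2(fd, STDOUT_FILENO) < 0) _exit(127);
        close(fd);
        execve(tool, argv, envp);
        _exit(127);                       /* exec failed */
    }
    close(fd);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Read back the first line of a snapshot; returns 1 on success. */
int read_first_line(const char *path, char *buf, size_t buflen) {
    FILE *f = fopen(path, "r");
    int ok;
    if (f == NULL) return 0;
    ok = fgets(buf, (int)buflen, f) != NULL;
    fclose(f);
    return ok;
}

int main(void) {
    char *const argv[] = { "ps", "-ef", NULL };
    char out[64] = {0}, line[256];
    int rc = hardened_snapshot("/bin/ps", argv, out, sizeof out);
    if (rc == 0 && read_first_line(out, line, sizeof line))
        printf("snapshot in %s, first line: %s", out, line);
    else
        printf("ps run failed (rc=%d)\n", rc);
    if (out[0] != '\0') unlink(out);
    return 0;
}
```

A real setuid program would also drop the environment entirely (or rebuild it from scratch) before doing anything else, and would keep the output file descriptor rather than reopening it by name, since the name is the only thing an attacker can race on.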
buffer overflows