padlockit with bad encryption
PadlockIt is some Windows tool that lets you store all your passwords
in one file, presumably with that file itself password-protected.
The encryption of this file is really bad, though, with no random seeding,
so it's fairly easy to figure out passwords in the file.
ibm cics has variation of /tmp race
IBM's suid-root CICS client, when run in trace mode, creates a file
in /var/cicscli (a world-writable directory) named 'shared' without checking
for softlinks, etc. Any user can make a softlink to, for example,
/etc/shadow and the CICS client will overwrite it.
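The defect described above is the classic "create a file in a shared directory without checking for links" pattern. As an added example (not IBM's code; the scratch directory, file names and the "victim" file are constructed stand-ins for /var/cicscli/shared), here is the unsafe open beside a hardened one, with a small harness that plants a symlink and checks which opener follows it:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* "Before": O_CREAT without O_EXCL or O_NOFOLLOW follows a link another
 * user planted in the shared directory, so a setuid process truncates the target. */
int open_trace_file_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* "After": O_EXCL makes open() fail with EEXIST if anything, a symlink
 * included, already sits at that name; O_NOFOLLOW refuses links outright.
 * On success the file is freshly created and ours; 0600 keeps others out. */
int open_trace_file_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: scratch dir standing in for /var/cicscli, a 7-byte
 * "victim" file, and a link named "shared" pointing at it. Returns a bitmask:
 * 1 = safe opener refused and victim intact, 2 = unsafe opener emptied it; -1 = setup failed. */
int demo_symlink_race(void)
{
    char dir[] = "/tmp/cicsdemo.XXXXXX", victim[64], link[64];
    struct stat st;
    int result = 0, fd;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/shared", dir);
    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "secret\n", 7) != 7 || symlink(victim, link) != 0)
        return -1;
    close(fd);
    fd = open_trace_file_safe(link);
    if (fd < 0 && (errno == EEXIST || errno == ELOOP)
        && stat(victim, &st) == 0 && st.st_size == 7)
        result |= 1;
    fd = open_trace_file_unsafe(link);          /* what the CICS client effectively did */
    if (fd >= 0 && stat(victim, &st) == 0 && st.st_size == 0)
        result |= 2;
    if (fd >= 0) close(fd);
    unlink(link); unlink(victim); rmdir(dir);
    return result;
}
```

The same O_EXCL|O_NOFOLLOW rule applies to any privileged program writing into /tmp or another world-writable directory; it should be paired with a private mode and, ideally, a per-user subdirectory.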
security analysis: windows update
Windows has a thing called "Windows Update" which will download and
install patches to the OS automatically. Several people on Bugtraq
have been analysing the update mechanism to detect weak points. Apparently
the Windows box does a DNS lookup on "windowsupdate.microsoft.com", then
connects to a web server there and downloads the entire list of patches
that have ever been done to Windows. The list is compared to the
list of patches already installed, and new ones are downloaded from the
same web server and installed (after prompting the user). The list
is signed, so the real weak point appears to be the possibility of deflecting
the DNS and/or replacing the patches themselves.
windows ce a bit too helpful
Windows CE apparently has a feature where it will try to complete words
as you type/scrawl them. The downside of this is that if you are
entering a password, it may pop up a dialog box with helpful completions,
letting others see what the first few characters of your password are.
unix tty/modem bug
The authors of the post were vague, but the impression I got is
that a user can connect to a unix machine via a dial-up modem tty, and
then cause that tty to "hangup" via a backgrounded process. That
process could then keep the modem "in use" by holding its fd or something.
I could be wrong. All unixen are believed to be vulnerable.
rpcbind can be spoofed
The rpcbind tool on Linux 2.0, Solaris 2.6, and Irix 6.2 will allow
remote users to make changes if they are spoofing IP addresses.
This is possible because rpcbind doesn't require any back-and-forth communication:
a single one-way command from afar is all that's needed, so the sender's address is never verified.
site server serves others
Microsoft Site Server is an add-on for IIS (web server). One
thing it likes to do is have a /users directory where users can add their
own pages (including server-side scripted pages, like ASP). If the
/users directory doesn't exist, though, and someone connects to the "upload"
script and successfully logs in, a /users directory is created with permissions
that leave a lot to be desired. From that point on, anyone may put
scriptable content into that directory.
browser bugs