BugTraq summary, week of 02 nov 1998.

solaris & digital cde will change file permissions
Under CDE, a utility called /usr/dt/bin/dtappgather can be used to change the permissions of a file to 555 (everyone has read/execute permission) in one of two different ways.  For the first method, set the environment variable DTUSERSESSION to the path (relative to /var/dt/appconfig/appmanager) of the file you wish to change the permissions of (like ../../../../etc/shadow).  For the second method, /var/dt/appconfig/appmanager apparently has permissions allowing global write access, so you can create a soft-link to any file and dtappgather will follow it.

icbs emulation on linux has bug
Running "head -c 32 /dev/socksys" on a Linux box running icbs support (allows ancient BSD binaries to be run) will cause the box to panic and reboot.

solaris snmp server has silly defaults
The default configuration Solaris 2.6's SNMP server (apparently only 2.6 is vulernable) installs some SNMP communities with dumb passwords like "public" and "private" that would allow outsiders to change system settings via SNMP.  HPUX has a similar bug, but on HPUX it only affects the SNMP server's configuration.

xlock bug
There is a bug in the way xlock assumes that your '.signature' or '.plan' file won't have any lines that start with a NUL byte.  This is probably not a security hole, but it is an interesting bug.  The code assumed that a successful return from fgets meant that a string of greater-than-zero length had been returned.  However, fgets returns success if any data has been read.  If the data began with a NUL byte, strlen will return zero.  The xlock coders assumed that the string length would be greater than zero on a successful fgets call, and used 'strlen()-1' as the offset into the string -- which in this case would be -1!

sun ultrasparc-1 processor bug
A Sun UltraSPARC-1 processor running at 200Mhz or less can be locked up by a sequence of user-level machine code instructions when running in 64-bit mode.  This only affects Solaris 7, and Solaris 7 won't boot into 64-bit mode unless told to, for this reason.

cisco ios acl slip-up
Cisco routers 70xx (with the RSP card only), 72xx, and 75xx can sometimes let packets through even though an ACL (access control list -- basically firewalling rules) forbids it.  This would be really bad for anyone using these routers as a firewall.  Cisco has released a patch.

xf86config abuses /tmp
The xf86config script for XFree86 creates files in /tmp without checking to see if they already exist.  The standard softlink attack will work.
 

buffer overflows

• Sending a very large packet to a QuakeWorld Windows server will cause it to crash.  This is obviously a major security concern.
• The ssh 1.2.26 client, when compiled with Kerberos, has a buffer overflow in handling a hostname.  To exploit it, you need to be able to create a 128+ character hostname in DNS, and fake reverse resolution for a server.

• Navigator, when sending web forms using enctype="multipart/form-data", will create a temporary file containing the form data.  Occasionally it will fail to clean up these files, which can contain passwords and credit-card numbers.  The file permissions are set correctly on unix, so this is merely an annoyance, but this is a problem on public-access Windows boxes (for example, in libraries).
• Navigator is storing IMAP mail account passwords in the 'preferences.js' file even if you have told it not to remember your mail account passwords.  This is bad on multi-user systems because the permissions for reading 'preferences.js' tend to be very lax.
• IE 4.x will forget some of your security settings if you are using a custom security level, and you switch to one of the built-in security levels and then back.  For instance, if your custom security level has Java disabled, entering Internet security and then coming back will cause Java to be enabled again.