From HoleList F A Q
Subject: HoleList v7 12/13/94
These bugs/holes are archived only as a record of security related
activity and are for educational purposes only. This compilation
is not meant to encourage malicious activity and is not intended
to be a cookbook of cracking material.
If you know of a hole or bug that is related to security and that is
not listed in the follow list, please contribute by sending E-Mail to
<scott@spy.org>.
BURST- HOLELIST
---
From: HoleList
Subject: Holes'n'Bugs
Date: 03/03/94
These bugs/holes are archived only as a record of security related
activity and are for educational purposes only. This compilation
is not meant to encourage malicious activity and is not intended
to be a cookbook of cracking material.
If you know of a hole or bug that is related to security and that is
not listed in the follow list, please contribute by sending E-Mail to
<scott@spy.org>.
Operating System RVP Date Description (References)
================ === ======== ================================================
/bin/sh 1-- 12/12/94 IFS hole, vi ()
/bin/su 1-- overwrite stack somehow? ()
/dev/fb 1-- frame buffer devices readable/writeable, ()
/dev/kmem 1-- /dev/kmem shold not be o+w ()
/dev/mem 1-- /dev/mem shold not be o+w ()
/dev/*st*, *mt* 1-- generally world readable/writeable ()
/etc 1-- rexd + MACH ? [NeXT] /etc/ g+w daemon ()
4.3 Tahoe 1-- chfn -- allows newlines/meta chars/bufsize ()
4.3 Tahoe 1-- ttyA&B;A:cat<ttyB;^Z;B:exit;login;A:&;B:pw/uid;A:got pw ()
AIX ? 5++ setenv SHELL=/bin/sh; crontab -e; :!/bin/sh ()
AIX 2.2.1 1-- shadow password file o+w ()
AIX 3.1.5 5-- sendmail- mail to programs ()
AIX 3.2 5-- sendmail- mail to programs ()
AIX 3.2.4 5-- sendmail- mail to programs ()
AIX 3.2.5 5-- sendmail- mail to programs ()
AIX ? 1-- * password means use root's password? ()
AIX ? 1-- rexd- any can get root access if enabled ()
Amdahl UTS 2.0 1-- NFS mountd only uses hostname ()
AT&T SVR3.2.0 1-- Bad protected mode allows root if have sh + cc ()
A/UX 2.0.1 5-- lpr -s; 1000 calls lpr re-use fname ()
A/UX 2.0.1 5-- rdist(1) uses popen(3), IFS spoof ()
A/UX 2.0.1 5-- rdist(1) uses popen(3), IFS spoof ()
BellTech SYSV386 1-- ulimit 0; passwd ==> zero's out passwd file ()
BSD 4.1 1-- Sendmail can mail directly to a file
BSD 4.1 1-- can mail directly to a file
BSD 4.1 1-- run set gid program, dump core, is set gid
BSD 4.1 1-- lock- compiled password "hasta la vista", + ^Z ()
BSD <4.2? 1-- IFS w. preserve bug in vi ()
BSD 4.1 1-- mail directly to a file ()
BSD 4.1 1-- exec sgid program, dump core, core is sgid ()
BSD 4.1 1-- Sendmail: can mail directly to a file ()
BSD 4.1 1-- lock password "hasta la vista" backdoor ()
BSD <4.2 1-- IFS w/ preserve bug w/vi ()
BSD <4.2 1-- suspend mkdir, ln file you want to dir ()
BSD <4.2? 1-- suspend mkdir, ln file you want to dir ()
BSD 4.2 1-- lock -- compiled in password "hasta la vista" ()
BSD 4.2 1-- ln passwd file to mail spool, mail to file ()
BSD 4.2 1-- can truncate read only files ()
BSD 4.2 1-- finger "string|/bin/rm -f /etc/passwd"@foo.bar ()
BSD 4.2 1-- ln -s target ~/.plan; finger user to read file ()
BSD 4.2 1-- lpr file; rm file; ln -s /any/filename file ()
BSD 4.2 1-- adb su; change check in memory; shell out ()
BSD 4.2 1-- race condition, can get root via "at" ()
BSD 4.2 1-- lock -- compiled in password "hasta la vista"
BSD 4.2 1-- ln passwd file to mail spool, mail user ()
BSD 4.2 1-- can truncate read only files ()
BSD 4.2 1-- finger "string|/bin/rm -f /etc/passwd"@foo.bar ()
BSD 4.2 1-- ln -s target ~/.plan; finger user. ()
BSD 4.2 1-- lpr file; rm file; ln -s /any/filename file ()
BSD 4.2 1-- adb su; change check in memory; shell out; su ()
BSD 4.2 1-- race condition, can get root via "at" ()
BSD 4.2 1-- /dev/kmem and /dev/mem should not be o+w ()
BSD 4.2 1-- signal any process by changing process group ()
BSD 4.3 1-- ftp -n; quote user ftp; ect. Gets root privs. ()
BSD 4.3 1-- lpd can overwrite file ()
BSD 4.3 1-- ln -s /any/suid/file -i ; -i Get suid shell. ()
BSD 4.3 1-- fchown (2) can chown _any_ file ()
BSD 4.3 1-- race condition, get root via "at" ()
BSD 4.3 1-- passwd chokes on long lines, splits pw file ()
BSD 4.3 1-- ftp -n; quote user ftp; cd ~root, get root ()
BSD 4.3 1-- lpd can overwrite file ()
BSD 4.3 1-- ln -s /any/suid/file -i ; -i Get suid shell ()
BSD 4.3 1-- fchown (2) can chown _any_ file ()
BSD 4.3 1-- race condition (expreserve?), root via "at" ()
BSD 4.3 1-- passwd chokes on long lines, splits pw file ()
BSD 4.3 5-- lpr -s; 1000 calls lpr re-use fname ()
BSD NET/2 5-- rdist(1) uses popen(3), IFS spoof ()
BSD NET/2 5-- lpr -s; 1000 calls lpr re-use fname ()
BSD ? 1-- Overwrite gets buffer -- fingerd, etc
BSD ? 1-- uudecode alias can overwrite root/daemon files ()
BSD ? 1-- /bin/mail ; !/bin/sh Get uid=bin shell ()
BSD ? 1-- rwall bug ()
BSD ? 1-- adb the running kernel, shell out and get root ()
BSD ? 1-- sendmail can mail non-root file, try twice ()
BSD ? 1-- rshd -- spoof via nameservice, rsh target -l uid
BSD386 1-- mail"<u>;cp /bin/sh /tmp;chmod 6777 /tmp/sh" ()
buffer overrun 1-- chfn ()
chfn, chsh 1-- used to create a root account ()
chmod 1-- Incorrect file or directory permissions ()
comsat 1-- running as root, utmp o+w, writes to files ()
core 1-- will system dump a setgid core image? ()
decode 1-- decode mail alias - write non-root user files ()
DellSVR3.2/1.0.6 1-- Bad prot mode allows root if have sh + cc ()
denial 1-- easy to hog processor, memory, disc, tty, etc ()
DomainO/S <=10.3 1-- break root by using s/rbak; sgid/suid ()
DomainO/S <=10.4 5-- sendmail mail to programs ()
DNS 1-- SOA can control bogus reverse ip, rhosts ()
Domain/OS <10.3 1-- break root by using s/rbak; setgid/uid ()
DYNIX 3.0.14 1-- Sendmail -C file ==> displays any file. ()
DYNIX 3.? 1-- can get root on NFS host via root via mountd ()
DYNIX 3.? 1-- on non-trusted host due to bug in mount daemon ()
DYNIX ? 1-- rsh <host> -l "" <command> runs as root ()
DYNIX ? 1-- login: -r hostname
ruser^@luser^@term^@ ()
elm 5-- ELM's autoreply can be used to get root ()
expreserve 1-- can be a huge hole ()
ESIX Rev. D 1-- Bad protected mode allows root if sh+cc ()
file mod test 1-- test file doesnt lose the suid when modified ()
fsck 1-- lost+found should be mode 700 ()
ftpd 1-- static passwd struct overwrite, wuftp < x.xx ()
ftpd 4.2 1-- userid not reset properly, "user root" ()
ftpd ? 1-- core files may contain password info ()
fchown 1-- test for bad group test ()
ftruncate 1-- can be used to change major/minor on devices ()
fingerd 1-- .plan hard-links - read files, fingerd ()
gopher 6-- Type=8 Name=shell Host=;/bin/sh Port= Path= ()
gnuemacs 1-- emacsclient/server allows access to files. ()
GN <1.19 4+- exec0::/path/prog?var=blah%0Ahack-coomands0%A ()
HDB 1-- nostrangers shell escape ()
HDB 1-- changing the owner of set uid/gid files ()
HDB 1-- meta escapes on the X command line ()
HDB 1-- ; breaks on the X line ()
hosts.equiv 1-- default + entry ()
hosts.equiv 1-- easy to spoof by bad SOA at remote site ()
HPUX <7.0 1-- chfn -- allows newlines, etc ()
HP-UX 1-- sendmail: mail directly to programs ()
HPUX A.09.01 1-- sendmail: mail directly to programs ()
HPUX ? 1-- Sendmail: versions 1.2&13.1 sm, -oQ > ()
IDA 1.4.4.1 1-- :include:/some/unreadable/file in ~/.forward ()
ICMP 4-- various icmp attacks possible ()
ICMP 1-- ICMP redirect packets change non-static routes ()
Interactive 2.x 1-- Bad protected mode allows root if sh+cc ()
IRIX 3.3 1-- any user can read any other user's mail. ()
IRIX 3.3.1 1-- any user can read any other user's mail. ()
IRIX 3.3/3.31 1-- sendmail- any user can read other user's mail ()
IRIX 4.0.X 1-- default suid scripts ()
IRIX 4.0.X 1-- various $PATH problems ()
IRIX 4.0.X 1-- sendmail race condition hole ()
IRIX 4.0.X 1-- lpd are vulnerable too ()
IRIX ? 1-- rsh <host> -l "" <command> runs as root ()
IRIX ? 1-- login: -r hostname
ruser^@luser^@term^@ ()
IRIX ? 1-- login: -r hostname
ruser^@luser^@term^@ ()
IRIX ? 1-- Overwrite gets buffer -- fingerd, etc ()
IRIX ? 1-- uudecode alias can overwrite root/daemon files ()
IRIX ? 1-- /bin/mail ; !/bin/sh Get uid=bin shell ()
IRIX ? 1-- rwall bug ()
IRIX ? 1-- adb the running kernel, shell out and get root ()
IRIX ? 1-- mail to any non-root owned file, try twice ()
IRIX ? 1-- rshd- spoof via dns - rsh target -l uid ()
IRIX ? 1-- xwsh log hole? (yo)
kernel 1-- Race conditions coupled with suid programs ()
lock 1-- 4.1bsd version had password "hasta la vista" ()
lost+found 1-- lost+found should be mode 700 ()
lpd 1-- overwrite files with root authority ()
lpr 1-- lpr -r access testing problem ()
lpr 5-- lpr -s; 1000 calls lpr re-use fname ()
lprm 1-- trusts utmp ()
mount 1-- "mount" should not be +x for users. ()
mqueue 1-- must not be mode 777! ()
movemail 1-- worm? ()
Microport 3.0 1-- ulimit 0; passwd ==> zero's out passwd file ()
network 1-- BSD network security based on "reserved ports" ()
news 1-- news receivers may execute shell commands ()
network 1-- kerberos ()
network 1-- Networks are usually very insecure. ()
NFS 1-- Many systems can be compromised with NFS/RPC. ()
NFS 1-- proxy rpc can read remote nfs files ()
NFS 1-- can generate NFS file handles ()
OSF/1 1.2 1-- write allows shell outs to gain egid term ()
OSF/1 1.3 1-- write allows shell outs to gain egid term ()
OSF/1 1.2 1-- doesn't close the fd to the term writing to ()
OSF/1 1.3 1-- doesn't close the fd to the term writing to ()
passwd 1-- fgets allows entries mangled into ::0:0::: ()
passwd 1-- fred:...:...:...:Fred ....Flintstone::/bin/sh ()
passwd 1-- IDs shouldnt contain: ;~!` M- spoof popen ()
portmap 1-- binding problems... ()
root 1-- ? (fingerd_test.sh)
rcp 1-- nobody problem ()
rexd 1-- existence ()
rexd 1-- MACH ? [NeXT] /etc/ g+w daemon ()
rdist 1-- buffer overflow ()
rdist 5-- rdist(1) uses popen(3), IFS spoof ()
RISC/os 4.51? 1-- rsh <host> -l "" <command> runs as root ()
RPC 1-- Many systems can be compromised with NFS/RPC. ()
rwall 1-- running as root, utmp o+w , writes to files ()
SCO 3.2v4.2 5-- rdist(1) uses popen(3), IFS spoof ()
SCO ? 1-- rlogin to any acct to trusted host w/o pwd ()
SCO ? 1-- rlogin to any acct from trusted host w/o pwd ()
selection_svc 1-- allowed remote access to files ()
sendmail <x.x 1-- -bt -C/usr/spool/mail/user - reads file ()
sendmail <5.57 1-- from:<"|/bin/rm /etc/passwd"> && bounce mail ()
sendmail <=5.61 1-- can mail to any file not root owned, try twice ()
sendmail <5.61 1-- sendmail- groups incorrectly, get group ()
sendmail >5.65 1-- can get daemon privalages via .forward. ()
sendmail ? 5++ can mail to programs (sendmal1, nmh, smail)
sendmail ? 1-- debug option ()
sendmail ? 1-- wizard mode ()
sendmail ? 1-- TURN command allows mail to be stolen ()
sendmail ? 1-- decode mail alias - write non-root user files ()
sendmail ? 1-- buffer overflow cause sendmail deamon lock up ()
sendmail ? 1-- what uid does |program run with? ()
SIGNALS 1-- signal any process by changing process group ()
Stellix 2.0? 1-- rsh <host> -l "" <command> runs as root ()
Stellix 2.0 1-- rsh <host> -l "" <command> runs as root ()
Stellix 2.1 1-- login: -r hostname
ruser^@luser^@term^@ ()
suid 1-- will run .profile if linked to - , IFS ()
suid 1-- never call system(3) and popen(3) ()
suid 1-- May not expect filesize signals, SIGALRMs ()
suid 1-- no setuid program on a mountable disk ()
suid 1-- ro mounting of foreign disk may allow suid. ()
suid 1-- .plan links ()
suid 1-- /usr/ucb/mail ~!cp /bin/sh /tmp/sh; chmod 2555 /tmp/sh ()
SunOS 3.3 1-- ftpd - userid not reset properly, "user root" ()
SunOS 3.5 1-- connect w/acct;user root;ls;put /tmp/f/ tmp/b ()
SunOS <4.0 1-- any user can run yp server ()
SunOS 4.0 1-- chsh -- similar to chfn ()
SunOS 386i 1-- rm logintool, hack login with adb, chmod 2750 ()
SunOS 386i/4.01? 1-- login -n root requires no password ()
SunOS 386i/4.01? 1-- login -n root (no password) ()
SunOS 4.0.1 1-- chfn buffer problems ()
SunOS 4.0.1 1-- chsh buffer problems ()
SunOS 4.0.1 1-- ypbind/ypserv, SunOS 4.0.1; need 3 machines ()
SunOS 4.0.3 1-- ypbind/ypserv, SunOS 4.0.1; need 3 machines ()
SunOS 4.0.3 1-- concurrent yppasswd sessions can trash yp map ()
SunOS 4.0.3 1-- mail to any non-root owned file, try twice ()
SunOS 4.0.3 1-- rcp buffer overflow ()
SunOS 4.0.3 1-- sendmail- mail to non-root file, try twice ()
SunOS 4.0.3 1-- ttyA&B;A:cat<ttyB;^Z;B:exit;login;A:&;B:pw/uid;A:gets PW ()
SunOS 4.0.3 1-- uucico can show ph num, login, passwd, on remote machine ()
SunOS 4.0.3 1-- ypserv sends maps to anyone w/ domain (ypsnarf)
SunOS 4.0.? 1-- anyone can restore a file over any other file. ()
SunOS 4.0.? 1-- chfn -- allows newlines, meta chars, bufsize problem. ()
SunOS 4.0.? 1-- rcp with uid -2; only from PC/NFS. ()
SunOS 4.0.? 1-- ln -s /any/suid/file -i ; -i ()
SunOS 4.0.? 1-- selection_svc can remotely grab files. ()
SunOS 4.1 1-- rshd: spoof via nameservice, rsh target -l uid ()
SunOS 4.1 1-- shared libs accept relative paths w/ suid ()
SunOS 4.1 1-- sendmail: groups incorrectly checked, can get any group ()
SunOS 4.1 1-- comsat can overwrite any file ()
SunOS 4.1.x 1-- comsat can overwrite any file ()
SunOS 4.1.x 1-- ptrace allows to become root ()
SunOS 4.1.x 1-- openlook: telnet 2000; executive,x3, run ps int ()
SunOS <4.1.1 5-- lpr -s; 1000 calls lpr re-use fname ()
SunOS 4.1.2 5-- rdist(1) uses popen(3), IFS spoof ()
SunOS ? 1-- /usr/kvm/crash allows sh escapes group kmem ()
SunOS ? 1-- ttyA&B;A:cat<ttyB;^Z;B:exit;login;A:&;B:pw/uid;A:gets PW()
SunOS ? 1-- /dev/kmem and /dev/mem should not be o+w ()
SunOS ? 1-- rshd -- spoof via nameservice, rsh target -l uid
SunOS ? 1-- ftp -n; quote user ftp; ect. Gets root privs. ()
SunOS ? 1-- symlink .plan to target file, finger user to read. ()
SunOS ? 1-- Overwrite gets buffer -- fingerd, etc. (3.5)
SunOS ? 1-- rwall bug (<= 4.01 yes). ()
SunOS ? 1-- ptrace allows to become root ()
SunOS ? 4-- icmp errors not handled correctly ()
SunOS ? 1-- adb the running kernel, shell out and get root ()
SunOS ? 1-- ftp -n; quote user ftp; ect Gets root privs ()
SunOS ? 1-- lpd can overwrite file ()
SunOS ? 1-- the window manager can be used to read any file ()
SunOS ? 1-- rexd -- any can get root access if enabled ()
SunOS ? 1-- emacsclient/server allows access to files ()
SunOS ? 1-- openlook; telnet port 2000; executive,x3, runs PS interp
SunUS ? 1-- devinfo can be used to get group kmem ()
SunOS 5.1 1-- Symlinks are broken ()
syslogd 6-- buffer overrun, allows remote access ()
syslogd 1-- syslog messages used to overwrite any file ()
system 1-- system(3) even w/ setuid(getuid()) = IFS ()
SYSV <R4 1-- write to files; race condition w/ mkdir & ln ()
SYSV <R4 1-- expreserve problem/race condition ()
SYSV R? 1-- IFS, other environment at "login:" prompt ()
tcp/ip 1-- sequence number prediction allows spoofing ()
tcp/ip 1-- source routing make host spoofing easier ()
tcp/ip 1-- rip allows one to capture traffic more easily ()
tcp/ip 4-- various icmp attacks possible ()
tftp 1-- puts/gets -- grab files, do chroot ()
traceroute 1-- allow one to easily dump packets onto net ()
ulimit 1-- passwd(1) leaves passwd locked if ulimit set ()
Ultrix 2.0? 1-- sendmail- 1.2&13.1 sm, -oQ > can r/w any ()
Ultrix 2.0? 1-- Sendmail -C file ==> displays any file. ()
Ultrix 2.2? 1-- Sendmail -C file ==> displays any file. ()
Ultrix 2.2 1-- ln passwd file to mail spool, mail to user ()
Ultrix 2.2 1-- on a non-trusted host due to bug in mountd ()
Ultrix 2.2 1-- Sendmail: -C file ==> displays any file ()
Ultrix 2.2 1-- can get root on NFS host via root via mountd ()
Ultrix 2.2 1-- get root on host running NFS from other root ()
Ultrix 3.0 1-- lock -- compiled in password "hasta la vista" ()
Ultrix 3.0 1-- login -P progname allows run programs as root ()
Ultrix 3.0 1-- login can run any program with root privs ()
Ultrix 3.0 1-- ln -s target ~/.plan; finger user to access ()
Ultrix 3.0 1-- any user can mount any filesystem ()
Ultrix 3.0 1-- X11 doesn't clear pwds in mem; /dev/mem is o+w ()
Ultrix <3.1 1-- limit file 0; passwd -->zero's out passwd file ()
Ultrix <3.1 1-- lpd can overwrite any file (back to 2.0?) ()
Ultrix 3.1? 1-- rshd: spoof via nameservice, rsh target -l uid ()
Ultrix 3.1? 1-- allows newlines, meta chars, buffsize problem ()
Ultrix <4.1 1-- overflow RISC reg buffer, get root w/ mail ()
Ultrix ? 1-- rshd -- spoof via dns, rsh target -l uid ()
Ultrix ? 1-- ypbind takes ypset from all; spoof yp DB ()
Ultrix ? 1-- yppasswd leaves yp data files world writable ()
Ultrix ? 1-- chfn -- allows newlines, meta chars, bufsize ()
Ultrix ? 1-- ftp -n; quote user ftp; ect Gets root privs ()
Ultrix ? 1-- can change host name, mount any filesystem ()
Ultrix ? 1-- uudecode alias can overwrite root/daemon files ()
Ultrix ? 4-- ICMP not handled correctly (nuke)
Ultrix ? 1-- emacsclient/server allows access to files ()
Ultrix ? 1-- lock: password "hasta la vista" backdoor ()
Ultrix ? 1-- /dev/kmem and /dev/mem should not be o+w ()
Ultrix ? 1-- can change physical ethernet address ()
UNIX 1-- / must not be go+w ()
utmp 1-- etc/utmp o+w ? ()
utmp 1-- check to see if world writeable (rwall, comsat)
utmp 1-- syslog messages can overwrite any file ()
uucp 1-- check valid UUCP akts in the /etc/ftpusers ()
uucp 1-- echo "myhost myname">x;uucp x ~uucp/.rhosts ()
uucp 1-- uucico shows ph num, login, passwd, of remote ()
uudecode 1-- if it is setuid, may create setuid files ()
uusend 1-- uusend may call "uux" while suid to root ()
uux 1-- uusend may call "uux" while suid to root ()
X11R? 1-- snoop on keyboards and bitmaps ()
X11R3 1-- can set log on and exec (fixed in "fix-6")
X11R4 1-- can set log on and exec (fixed in "fix-6")
X11R ? 1-- snoop on keyboards and bitmaps ()
X11R5 5++ xterm can create files (xterm1__)
xhost 1-- if + , anyone can connect to X server ()
ypbind 1-- accepts ypset from anyone ()
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
