Displaying 20 results from an estimated 1000 matches similar to: "Re: write(1) security problem"
1997 Jan 18
0
write(1) leak
Some versions (the util-linux version, but not the netwrite or netkit
versions) of /usr/bin/write have a buffer overrun problem that is
almost certainly exploitable. Note that this gives access to the tty
group, but not (directly) root.
The fix is to change the two sprintfs to snprintfs. Patches have been
mailed to the maintainer.
--
- David A. Holland | VINO project home page:
1997 Jan 12
9
dos-attack on inetd.
Hi.
I don't know if this one is known, but I can't recall seeing anything
about it. If it is old news I apologize.
I discovered a bug in the inetd that comes with NetKit-B-0-08 and older.
If a single SYN is sent to port 13 of the server, inetd will die of Broken
Pipe:
write(3, "Sun Jan 12 21:50:35 1997\r\n", 26) = -1 EPIPE (Broken pipe)
--- SIGPIPE (Broken pipe) ---
1999 Nov 09
0
Nasty ping with pattern '+++ATH0' - how to stop?
Hello!
Well-known thing is abusive use of ping ability to fill out the ICMP
packet with '+++ATH0', which will cause hangup on 'bad' modems. The
defense, at the client side, is to add 'S2=255' to modem settings.
This 'technique' is used in irc wars, and other abusive attacks, and shell
providers have a lot of problems with that. There are two ways to forbid
users
1999 Aug 19
1
[RHSA-1999:029-01] Denial of service attack in in.telnetd
---------------------------------------------------------------------
Red Hat, Inc. Security Advisory
Synopsis: Denial of service attack in in.telnetd
Advisory ID: RHSA-1999:029-01
Issue date: 1999-08-19
Updated on:
Keywords: telnet telnetd
Cross references:
---------------------------------------------------------------------
1. Topic:
A denial of service attack has been fixed in
1996 Dec 10
1
LINUX:/var/log/messages world readable
[Mod: in a disk crash I lost the original of this message posted by Dave to
linux-security so this one is from bugtraq, reposted with author's
permission -- alex]
This old problem refuses to die.
#!/bin/sh
#
# yankpw
#
# Under a lot of linux distributions (I know Redhat 3.0.3 and Slackware 3.0)
# /var/log/messages is world readable. If a user types in his password at
# the login prompt,
2001 Aug 13
0
Security Update: [CSSA-2001-30.0] Linux - Telnet AYT remote exploit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
Caldera International, Inc. Security Advisory
Subject: Linux - Telnet AYT remote exploit
Advisory number: CSSA-2001-030.0
Issue date: 2001, August 10
Cross reference:
______________________________________________________________________________
1. Problem
1996 Nov 25
0
LSF Update#14 v1.2 "lpr vulnerability"
-----BEGIN PGP SIGNED MESSAGE-----
$Id: lpr-vulnerability-0.6-linux,v 1.2 1996/11/25 22:39:20 alex Exp $
Linux Security FAQ Update
lpr Vulnerability
Mon Nov 25 16:56:59 EST 1996
Copyright (C) 1995,1996 Alexander O. Yuriev (alex@bach.cis.temple.edu)
CIS Laboratories
1996 Dec 24
0
Linux Redhat 4.0/3.0.3 makewhatis cron job
There is a serious problem with the makewhatis cronjob under Redhat Linux
4.0/3.0.3. You can use it to overwrite any file on the system. Redhat
is aware of the problem, and said they would have some kind of fix by
next week which should be plenty of time before this bug is exploitable
again.
#!/bin/sh
#
# blowitawaysam
#
# makewhatis is a shellscript that stores a tmp copy of the whatis
#
1996 Dec 07
0
Old sendmail advisory
> ==========================================================================
> CERT(sm) Advisory CA-96.20
> Original issue date: September 18, 1996
> Last revised: --
>
> Topic: Sendmail Vulnerabilities
> --------------------------------------------------------------------------
> *** This advisory supersedes CA-95:05 ***
Just a word of warning -
1996 Nov 10
0
xterm
I guess I never sent the message I was going to last week about xterm.
[Note to REW: If I did, kill this message...]
It seems that sending xterm an excessively long escape sequence kills
it (and perchance might be made to hack it, which would be quite bad.)
The xterm in XFree86-3.2 is immune to this problem. I recommend
everyone upgrade ASAP.
--
- David A. Holland | VINO
2002 Jul 12
4
tftp-hpa 0.28, 0.29 interoperability problem
Hi,
I have a tftp client which loads quite happily from a tftpd built
from netkit-tftp-0.16 but which fails to load from a tftpd built
from tftp-hpa 0.29. In both cases, tftpd was built from pristine
sources and run from xinetd under Redhat 7.3.
[netkit-tftp-0.16 is the ancestor of tftp-hpa, predating HPA's
maintenance of same]
[the tftp client also..
.. fails with the prebuilt tftpd
1997 Feb 14
3
NLSPATH Stack Overwrite
Here are my preliminary tests:
5.2.18 is vulnerable (stock Redhat 3.0.3)
5.3.12 does not appear vulnerable (stock Redhat 4.0, I think)
Dave G.
<daveg@escape.com>
http://www.escape.com/~daveg
2008 Aug 01
2
Cisco 7970, CTLSEP<mac>.tlv
I just wanted to post this so that it was out there and Googleable. Hopefully
it will save other people a bit of time.
If you have a Cisco phone (I was testing with a 7970, though presumably it would
affect 7960 and others as well) that is looping trying to fetch the CTL tlv file
- it may be because you are using Debian's 'tftpd' (should be
netkit-tftpd...*cough*hey, Debian
2006 Apr 05
2
Frustrating inability to boot amd64
At this point, I've been through 4 AMD64 motherboards. Commonly,
AE_BAD_CHARACTER stops ACPI (or apic?) from figuring out the system
--- this has happened on 3 out of four boards. On this latest board,
it can turn off APIC. If I do that, FreeBSD hangs after detecting the
disks. The only "wrong" thing on the screen is
module_register_init: MOD_LOAD (amr_linux,
1996 Dec 15
0
vixie-crontab for redhat linux
/* vixie crontab buffer overflow for RedHat Linux
*
 * I don't think too many people know that redhat uses vixie crontab.
 * I didn't find this, just exploited it.
*
*
* Dave G.
* <daveg@escape.com>
* http://www.escape.com/~daveg
*
*
*/
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#define
2001 Apr 24
1
Create/Wait NamedPipeA ?
Is anybody working on implementing CreateNamedPipeA/WaitNamedPipeA
(KERNEL32.168, KERNEL32.725) or can anybody comment on how much
needs to be done to implement these ? Some applications seem to
use this to communicate with a license manager process - even
freely available product catalogs that apparently create a pro forma
license file during the installation process.
Martin
--
Dr. Martin
1996 Nov 22
0
LSF Update#14: Vulnerability of the lpr program.
-----BEGIN PGP SIGNED MESSAGE-----
$Id: lpr-vulnerability-0.6-linux,v 1.1 1996/11/22 21:42:46 alex Exp $
Linux Security FAQ Update
lpr Vulnerability
Thu Nov 21 22:24:12 EST 1996
Copyright (C) 1995,1996 Alexander O. Yuriev (alex@bach.cis.temple.edu)
CIS Laboratories
2000 May 19
0
Re: [Security - intern] Re: ssh and chroot...
Good call - I forgot to mention that. Caldera released an advisory a couple
months ago about it if anyone's interested:
ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-008.0.txt
Dave
-----Original Message-----
From: Thomas Biege [mailto:thomas@suse.de]
Sent: Friday, May 19, 2000 2:44 AM
To: David LaPorte
Cc: Mike Bowie; linux-security@redhat.com
Subject: Re: [Security -
1996 Nov 21
2
Re: BOUNCE: Re: Chattr +i and securelevel
Alexander O. Yuriev wrote:
>
> Your message dated: Wed, 20 Nov 1996 18:04:39 EST
> > >has anyone played with the securelevel variable in the kernel and the
> > >immutable flags in the ext2 file system?
> >
> > Yes, and it's actually quite nice.
> >
> > >The sysctrl code seems to allow the setting of the flag
> > >only by init (PID=1)
1997 Jan 02
2
Re: libc bugs (was Re: Distributions...)
Marek Michalkiewicz <marekm@I17LINUXB.ISTS.PWR.WROC.PL> wrote:
: It seems that most of the RedHat 5.3.12 security patches are in the
: standard 5.4.17, except for the patch below. Also, there are more
: (different) fixes in 5.4.18 (check h_length against sizeof(sin_addr)
: in inet/rcmd.c and inet/rexec.c).
: + {
: +