setuid software vulnerabilities
vulnerabilities.aspcode.net
Searching setuid software vulnerabilities
The installation of Sun Source (sunsrc) tapes allows local users to gain root privileges via setuid root programs (1) makeinstall or (2) winstall.
Linux kernel 2.2.19 enables CAP_SYS_RESOURCE for setuid processes, which allows local users to exceed disk quota restrictions during execution of setuid programs.
Buffer overflow in setiathome for SETI@home 3.03, if installed setuid, could allow local users to execute arbitrary code via long command line options (1) socks_server, (2) socks_user, and (3) socks_passwd. NOTE: since the default configuration of setiathome is not setuid, perhaps this issue should not be included in CVE.
Format string vulnerability in tcpflow, when used in a setuid context, allows local users to execute arbitrary code via the device name argument, as demonstrated in Sustworks IPNetSentryX and IPNetMonitorX via the setuid program RunTCPFlow.
Heap-based buffer overflow in the search_for_command function of ltrace 0.3.10, if it is installed setuid, could allow local users to execute arbitrary code via a long filename. NOTE: It is unclear whether there are any packages that install ltrace as a setuid program, so this candidate might be REJECTed.
Buffer overflow in snmpd in ucd-snmp 4.2.6 and earlier, when installed setuid root, allows local users to execute arbitrary code via a long -p command line argument. NOTE: it is not clear whether there are any standard configurations in which snmpd is installed setuid or setgid. If not, then this issue should not be included in CVE.
Buffer overflow in Bochs before 2.1.1, if installed setuid, allows local users to execute arbitrary code via a long HOME environment variable, which is used if the .bochsrc, bochsrc, and bochsrc.txt cannot be found in a known path. NOTE: some external documents recommend that Bochs be installed setuid root, so this should be treated as a vulnerability.
Buffer overflow in queue.c in a support script for sympa 3.3.3, when running setuid, allows local users to execute arbitrary code.
helvis 1.8h2_1 and earlier allows local users to recover and read the files of other users via the elvrec setuid program.
helvis 1.8h2_1 and earlier allows local users to delete arbitrary files via the elvprsv setuid program.
scponlyc in scponly 4.1 and earlier, when the operating system supports LD_PRELOAD mechanisms, allows local users to execute arbitrary code with root privileges by creating a chroot directory in their home directory, hard linking to a system setuid application, and using a modified LD_PRELOAD to modify expected function calls in the setuid application.
The winbind plugin in pppd for ppp 2.4.4 and earlier does not check the return code from the setuid function call, which might allow local users to gain privileges by causing setuid to fail, such as exceeding PAM limits for the maximum number of user processes, which prevents the winbind NTLM authentication helper from dropping privileges.
do_command.c in Vixie cron (vixie-cron) 4.1 does not check the return code of a setuid call, which might allow local users to gain root privileges if setuid fails in cases such as PAM failures or resource limits, as originally demonstrated by a program that exceeds the process limits as defined in /etc/security/limits.conf.
passwd command in shadow in Ubuntu 5.04 through 6.06 LTS, when called with the -f, -g, or -s flag, does not check the return code of a setuid call, which might allow local users to gain root privileges if setuid fails in cases such as PAM failures or resource limits.
IBM AIX 5.3 does not properly verify the status of file descriptors before setuid execution, which allows local users to gain privileges by closing file descriptor 0, 1, or 2 and then invoking a setuid program, a variant of CVE-2002-0572.
Sun Solaris 9 does not properly verify the status of file descriptors before setuid execution, which allows local users to gain privileges by closing file descriptor 0, 1, or 2 and then invoking a setuid program, a variant of CVE-2002-0572.
HP HP-UX B11.11 does not properly verify the status of file descriptors before setuid execution, which allows local users to gain privileges by closing file descriptor 0, 1, or 2 and then invoking a setuid program, a variant of CVE-2002-0572.
The default configuration in OpenAFS 1.4.x before 1.4.4 and 1.5.x before 1.5.17 supports setuid programs within the local cell, which might allow attackers to gain privileges by spoofing a response to an AFS cache manager FetchStatus request, and setting setuid and root ownership for files in the cache.
The wrap_setuid_third_party_application function in the installation script for the Samsung SCX-4200 Driver 2.00.95 adds setuid permissions to third party applications such as xsane and xscanimage, which allows local users to gain privileges.
Buffer overflow in cli32 in Areca CLI 1.72.250 and earlier might allow local users to gain privileges via a long argument. NOTE: this program is not setuid by default, but there are some usage scenarios in which an administrator might make it setuid.
Software vulnerabilities results 1 to 20 of 143