Network Security News – Monday, January 02, 2006 Events
Avirt Gateway/Gateway Suite/SOHO HTTP Proxy Overflow
A remote overflow exists in Avirt Gateway, Avirt Gateway Suite and Avirt SOHO. The HTTP proxy fails to check bounds of header fields in HTTP GET requests, resulting in a buffer overflow. With a specially crafted request, an attacker can cause a denial of service or execute arbitrary code, resulting in a loss of integrity and/or availability. Read more at osvdb.org/6804
Avirt Gateway/Gateway Suite/SOHO Telnet Proxy Overflow
A remote overflow exists in Avirt Gateway, Avirt Gateway Suite and Avirt SOHO. The telnet proxy fails to check bounds of user-supplied input, resulting in a buffer overflow. With a specially crafted request, an attacker can cause a denial of service or execute arbitrary code, resulting in a loss of integrity and/or availability. Read more at osvdb.org/6805
Multics on HIS 645 Crafted IDC Modifier Privileged Ring Access
Multics on 645 contains a flaw that may allow a local user to gain elevated privileges. The issue occurs when a crafted IDC modifier is used to gain access to ring0 functions. This could be achieved when a user supplied an argument pointer that is constructed to contain an IDC modifier (increment address, decrement tally, and continue) that causes the first reference through the indirect chain to address a valid argument. This first reference is the one made by the argument validator. The reference through the IDC modifier increments the address field of the tally word, causing it to point to a different indirect word, which in turn points to a different ITS pointer, which points to an argument that is writable in ring 0 only. The second reference through this modified indirect chain is made by the ring 0 program, which proceeds to write data where it shouldn't. Read more at osvdb.org/22136
Multics on HIS 645 Unlocked Stack Base Master Mode Privilege Escalation
Multics contains a flaw that may allow a local user to elevate privileges. The issue is due to a flaw in the unlocked stack base system. It is possible for an attacker to manipulate the signaller to enter at location 0 with an invalid index register before setting the stack pointer to an area of extraneous storage in a link segment (such as emergency_shutdown.link). This could allow an attacker to place custom code in the link that would be executed with ring0 privileges. Read more at osvdb.org/22134
Multics on HIS 645 mxerror Crafted signaller|0 Local DoS
Multics contains a flaw that may allow a local user to crash the machine. The issue occurs when a user causes the master mode procedure to enter a location improperly. When the index register zero is out of bounds, the processor registers are saved for debugging and control is transferred to "mxerror". By moving the signaller|0 with a bad value in index register zero, a user could crash the system. Read more at osvdb.org/22133
Multics on HIS 645 Execute Instruction SDW Access Check Bypass
Multics contains a flaw that may allow a local attacker to gain elevated privileges. The issue occurred when a specific sequence of code was used to bypass the access checking on the 645 machine. This occurred when the execute instruction was in certain restricted locations of a segment with at least read-execute (re) permission. The execute instruction then referenced an object instruction in word zero of a second segment with at least R permission. The object instruction indirected through an ITS pointer in the first segment to access a word for reading or writing in a third segment. The third segment was required to be "active"; that is, to have an SDW pointing to a valid page table for the segment. If all these conditions were met precisely, the access control fields in the SDW of the third segment would be ignored and the object instruction permitted to complete without access checks. Read more at osvdb.org/22135
Multics on 6180 Tally Word Permission Error Login DoS
Multics on 6180 contains a flaw that may allow a local user to crash the machine. The issue occurred during the login process, when the 'tally word' did not have write permission, causing an access violation, subsequently crashing the entire machine. This could be performed without authenticating on the machine. Read more at osvdb.org/22129
Multics on 6180 SLT-KS Dual SDW hphcs_ Privilege Escalation
Multics contains a flaw that may allow a local user to gain elevated privileges. The issue occurred when a user used the hphcs_ privileged gate to transfer the appropriate absolute segment number rather than using dynamic linking to gain access to any hphcs_ capability. Read more at osvdb.org/22130
Multics on 6180 Multiple Unspecified Issues
Multics on 6180 machines contains several flaws. During an audit of the Multics system, many vulnerabilities were identified and disclosed. At the end of the audit, notation was made that there were "additional vulnerabilities identified but at the time have not been developed into demonstrations." No further details have been provided. Read more at osvdb.org/22131
Multics on 6180 Call Limiter Gate Segment Failure Privilege Escalation
Multics on 6180 contains a flaw that may allow a local user to gain elevated privileges. The issue was caused by the call limiter not being set on gate segments, allowing the user to transfer to any instruction within the gate rather than to just an entry transfer vector. This would allow control of data passed to the mxerror routines, allowing ring0 access. Read more at osvdb.org/22128
Vuln: IBM AIX GetShell and GetCommand Partial File Disclosure Vulnerability
IBM AIX GetShell and GetCommand Partial File Disclosure Vulnerability. Read more at securityfocus.com/bid/16103
Vuln: IBM AIX GetShell and GetCommand File Enumeration Vulnerability
IBM AIX GetShell and GetCommand File Enumeration Vulnerability. Read more at securityfocus.com/bid/16102