A list of Security hole fixes for NeXTSTEP/OpenStep (https://golem.ph.utexas.edu/~distler/progs/index.html)
Reproduced from the website (https://golem.ph.utexas.edu/~distler/progs/index.html) of Professor Jacques Distler, Professor of Physics, Physics Department, University of Texas, Austin, Texas 78712
There is a lot more, I should have used a script to convert to phpbb. That is what computers and chat-gpt are good at :).
Would be interesting to see, if today's bad guys and their tools are still capable of exploiting these vulnerabilities :)
Quote from: nuss on June 22, 2024, 04:21:16 AMWould be interesting to see, if today's bad guys and their tools are still capable of exploiting these vulnerabilities :)
Would be interesting to see their approach. Would they use a standard distribution model?
Surely if nmap or queso finds a computer (i.e. WinXP) they would fire up their scripts from WinXP.
Someone I know was telling me about phf, nph-test-cgi and other cgi-bin scripts that were available and that you could use alta-vista for searching websites, i.e. you could search for "Directory listing of /cgi-bin/" and it would return a lot of sites.
| Program | Security hole | Affected NS version | Fix |
|---|---|---|---|
| rlogin(1) | local users can gain root access (https://web.archive.org/web/20021202164910/http://www.cert.org/advisories/CA-1997-06.html) | earlier than OS 4.1 | *Replacement programme. (https://golem.ph.utexas.edu/~distler/progs/rlogin.tar.gz) |
| syslog(3) | buffer overrun in the syslog library routine -- effects vary (https://web.archive.org/web/20020220115435/http://www.cert.org/advisories/CA-1995-13.html) | All? There is a test program included to see if your system is vulnerable. Mine was. | *New (https://golem.ph.utexas.edu/~distler/progs/newlog-1.0.4.tar.gz) library (blurb (https://golem.ph.utexas.edu/~distler/progs/newlog-1.0.4.txt)). This does not replace the NeXT shared library. You need to recompile programs to link to the new library. An example of a program recompiled with the new syslog() library is *logger (https://golem.ph.utexas.edu/~distler/progs/logger.tar.gz)(1). |
| talkd(8) | remote users can gain root access (https://web.archive.org/web/20010617072007/http://www.cert.org/advisories/CA-1997-04.html) | All? | Install BIND 8.2.3 (ftp://ftp.isc.org/isc/bind/src/cur/bind-8/) and run a caching-only nameserver on your machine and/or install the *replacement (https://golem.ph.utexas.edu/~distler/progs/talkd.html) daemon. Note that earlier versions of BIND have some serious security problems (http://www.isc.org/products/BIND/bind-security.html). |
| rpc.statd(8) | remote users can gain root access on NFS server. (https://web.archive.org/web/20011206071250/http://www.cert.org/advisories/CA-1997-26.html) Note that this is distinct from the previous root hole (https://web.archive.org/web/20000618020140/http://www.netcraft.co.uk/security/lists/sdsc.txt) which was patched in OS 4.0 | All? | None available yet. |
| rpc.ypupdated(8) | remote users can gain root access on NIS server (https://web.archive.org/web/20010107221500/http://www.cert.org/advisories/CA-1995-17.html) | All? | None available yet. |
| rdist(1) | local users can gain root access (https://web.archive.org/web/20011118052204/http://www.cert.org/advisories/CA-1996-14.html) in more than one way (https://web.archive.org/web/20010617083812/http://www.cert.org/advisories/CA-1997-23.html). | All? | Install Rdist-6.1.3. (ftp://usc.edu/pub/rdist/) |
| lpr(1) | local users can gain root access (https://web.archive.org/web/20010420201209/http://www.cert.org/advisories/CA-1997-19.html) | earlier than OS 4.2 | Install this wrapper (https://golem.ph.utexas.edu/~distler/progs/lpr_wrapper.tar.gz) provided in the AusCERT (ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.12.lpr.buffer.overrun.vul) Advisory. |
| ftpd(8) | remote users can gain root access (https://web.archive.org/web/20010804091303/http://www.cert.org/advisories/CA-1997-16.html) in several (https://web.archive.org/web/20010331074134/http://www.cert.org/advisories/CA-1999-03.html) ways. Other vulnerabilities include the FTP bounce attack (https://web.archive.org/web/20010123080200/http://www.cert.org/advisories/CA-1997-27.html), which can be used for all sorts (https://web.archive.org/web/20000115063213/http://www.cert.org/tech_tips/ftp_port_attacks.html) of mischief (https://web.archive.org/web/19971018173434/http://www.secnet.com/sni-advisories/sni-19.bsd.lpd.advisory.html). Note that wu-ftpd-2.6.0 and older have a remote root hole (https://web.archive.org/web/20001018141040/http://www.cert.org/advisories/CA-2000-13.html) in the site exec command. It, and a large number of other ftpd's (not including NeXT's ftpd) have a similar setproctitle() (https://web.archive.org/web/20001018141040/http://www.cert.org/advisories/CA-2000-13.html) vulnerability. | All | Install wu-ftpd-2.6.2 (ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.2.tar.gz). Version 2.6.2 compiles cleanly under NeXTStep 3.3 and definitively closes (https://web.archive.org/web/20020405045051/http://golem.ph.utexas.edu/~distler/progs/ftpd/ERRATA.txt) a longstanding security vulnerability associated to long pathnames. If you used a previous version of WU-ftpd or Pro-ftpd, you should update immediately, as significant security flaws (https://web.archive.org/web/20010121143500/http://www.cert.org/advisories/CA-1999-13.html) have been found. If you are running 2.6.1, you should upgrade immediately (https://web.archive.org/web/20011209172314/http://www.cert.org/advisories/CA-2001-33.html). If you're interested in S/Key support, see here (https://web.archive.org/web/20011005181407/http://golem.ph.utexas.edu/~distler/progs/ftpd/index.html). |
| Ping Flood ("Smurf") Attack (https://web.archive.org/web/20010115085100/http://www.cert.org/advisories/CA-1998-01.html) | Kernel hangs | All? (Mine was) | Filter broadcast ICMP ("ping") packets at your router. |
| sendmail(8) | Versions up through 8.8.8, by default, allow the relaying of SPAM (https://web.archive.org/web/19991013050908/http://maps.vix.com/tsi/ar-what.html). This can lead to a severe denial of service attack (https://web.archive.org/web/19991103073145/http://www.cert.org/summaries/CS-97.06.html), especially when the recipients start complaining to you! | All | Upgrade to Sendmail 8.11.x (http://www.sendmail.org), which has relaying turned off by default, as well as other anti-spam (https://web.archive.org/web/20010309022207/http://www.sendmail.org/m4/cf-readme.txt) features built in. Here's a very simple sendmail.mc (https://web.archive.org/web/20060207075317/https://golem.ph.utexas.edu/~distler/progs/mynext8.10.mc) file to get you started. |
| fingerd(8) | Gives away too much information to potential attackers. For instance finger 0@150.107.173.240 (http://www.mit.edu:8001/finger?0%40150.107.173.240) gives a list of users on your system! | All | *Replacement (https://web.archive.org/web/20060207075311/https://golem.ph.utexas.edu/~distler/progs/fingerd.tar.gz) daemon. It's compiled QUAD-fat, but you'll enjoy it more if you customize pathnames.h and recompile it. For even more control over what information you give out, use it with this version of *finger (https://web.archive.org/web/20060207075343/https://golem.ph.utexas.edu/~distler/progs/finger.tar.gz). |
| telnetd(8) | Remotely exploitable buffer overflow (https://web.archive.org/web/20011120065901/http://www.cert.org/advisories/CA-2001-21.html) which can crash the server or can be leveraged to gain root access | All? | to be updated |
Will add the rest later. @Nitro what php code do I use to display 8 ) instead of a smiley?
EDIT: Updated and finished from Professor Jacques Distler's site. A lot more to be found.
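As an added example (it is not from this thread or from Professor Distler's site), a small Python script that reads a BSD-style /etc/inetd.conf and the output of rpcinfo -p and reports which of the services in the table above are actually exposed on a host; the two sample inputs and the /usr/etc paths in them are constructed, and the advice strings are copied from the table:

```python
# Added example, not from the thread or Distler's site: audit a BSD-style inetd.conf
# and `rpcinfo -p` output for the table's services. Advice strings come from the
# table; the samples at the bottom are constructed (the /usr/etc paths are made up).
import re
INETD_FLAGGED = {  # first field of inetd.conf -> table entry
    "login":  "rlogin(1): local root (CA-1997-06) on OS < 4.1; install replacement rlogin",
    **{t: "talkd(8): remote root (CA-1997-04); BIND 8.2.3 caching NS and/or replacement talkd"
       for t in ("talk", "ntalk")},
    "ftp":    "ftpd(8): remote root, FTP bounce (CA-1997-16/27); install wu-ftpd-2.6.2",
    "finger": "fingerd(8): leaks user list; install replacement fingerd",
    "telnet": "telnetd(8): remote overflow (CA-2001-21); no fix listed in the table",
}
RPC_FLAGGED = {  # RPC program number from rpcinfo -p -> table entry
    100024: "rpc.statd(8): remote root on NFS server (CA-1997-26); no fix available yet",
    100028: "rpc.ypupdated(8): remote root on NIS server (CA-1995-17); no fix available yet",
}
RPC_LINE = re.compile(r"^[ \t]*(\d+)[ \t]+\d+[ \t]+(tcp|udp)[ \t]+(\d+)", re.M)  # rpcinfo -p rows

def parse_inetd_conf(text):
    """Yield (service, proto, program) for active entries; '#' lines are disabled."""
    for line in text.splitlines():
        f = line.split()  # service socktype proto wait/nowait user program [args]
        if len(f) >= 6 and not f[0].startswith("#"):
            yield f[0], f[2], f[5]

def audit(inetd_text, rpcinfo_text):
    """Return [(where, advice)] for every exposed service that appears in the table."""
    found = {f"{s}/{p} via {prog}": INETD_FLAGGED[s]
             for s, p, prog in parse_inetd_conf(inetd_text) if s in INETD_FLAGGED}
    for num, proto, port in RPC_LINE.findall(rpcinfo_text):
        if int(num) in RPC_FLAGGED:  # statd registers udp and tcp; report it once
            found.setdefault(f"rpc {num}", f"{proto}/{port}: {RPC_FLAGGED[int(num)]}")
    return list(found.items())

INETD_SAMPLE = """\
ftp     stream  tcp  nowait  root    /usr/etc/ftpd     ftpd -l
telnet  stream  tcp  nowait  root    /usr/etc/telnetd  telnetd
#login  stream  tcp  nowait  root    /usr/etc/rlogind  rlogind
finger  stream  tcp  nowait  nobody  /usr/etc/fingerd  fingerd
ntalk   dgram   udp  wait    root    /usr/etc/ntalkd   ntalkd
"""
RPCINFO_SAMPLE = """\
   program vers proto   port
    100024    1   udp   1023  status
    100024    1   tcp   1024  status
    100028    1   udp   1010  ypupdated
"""
if __name__ == "__main__":
    for where, advice in audit(INETD_SAMPLE, RPCINFO_SAMPLE):
        print(f"{where}\n    {advice}")
```

On a real box, feed it the contents of /etc/inetd.conf and the captured output of rpcinfo -p; the commented-out rlogind line in the sample shows that disabled entries are not reported.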
Quote from: pTeK on July 23, 2024, 03:32:33 AMWill add the rest later. @Nitro what php code do I use to display 8 ) instead of a smiley?
In the lower right corner of your post: More > Modify > Other options > Don't use smileys. After that preview your post to make sure that it looks the way that you want, then click save. The "Quick Reply" editor doesn't show the "Other Options" button, so when you create a post you can bring up the full editor by clicking on "Preview". The full editor also allows you to attach images and files to a post. Hope that helps.
ISTR a Sendmail security hole that applied to 3.3 --- not the one about email forwarding, but one where you would telnet to port 25, do something, and then get dropped into a root shell. It was about 25 years ago when I last tried it, though, and I forget all details.
Quote from: Nitro on July 23, 2024, 10:59:05 AMIn the lower right corner of your post: More > Modify > Other options > Don't use smileys. After that preview your post to make sure that it looks the way that you want, then click save. The "Quick Reply" editor doesn't show the "Other Options" button, so when you create a post you can bring up the full editor by clicking on "Preview". The full editor also allows you to attach images and files to a post. Hope that helps.
Thanks for that, much appreciated.
Quote from: stepleton on July 23, 2024, 12:40:51 PMISTR a Sendmail security hole that applied to 3.3 --- not the one about email forwarding, but one where you would telnet to port 25, do something, and then get dropped into a root shell. It was about 25 years ago when I last tried it, though, and I forget all details.
Sounds like an interesting exploit, it should be in the BSD source then.
Quote from: pTeK on July 23, 2024, 03:32:33 AM
Just had a look in user @evolver56k's Darwin0.3 archive for telnetd(8) (https://github.com/evolver56k/Darwin-0.3/tree/master/network_cmds-1/telnetd.tproj) and can't find telrcv(). I'm guessing it's in the libtelnet/ function?