CVE-2001-1000
Published 2001-09-07
CVE-2001-1000: rlmadmin RADIUS management utility in Merit AAA Server 3.8M, 5.01, and possibly other versions, allows local users to read arbitrary files via a symlink attack…
Priority P4 · 12 · low · 2.1 CVSS 2.0
AV:L/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 0.85% (53.4th percentile)
rlmadmin RADIUS management utility in Merit AAA Server 3.8M, 5.01, and possibly other versions, allows local users to read arbitrary files via a symlink attack on the rlmadmin.help file.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| merit | aaa_radius_server | — | — |
| merit | aaa_radius_server | — | — |
No detection rules found.
Exploit-DB
Merit AAA RADIUS Server 3.8 - rlmadmin Symbolic Link
exploitdb·2001-09-07
CVE-2001-1000 Merit AAA RADIUS Server 3.8 - rlmadmin Symbolic Link
---
source: https://www.securityfocus.com/bid/3302/info
The 'rlmadmin' user management utility included with the Merit AAA RADIUS Server package is susceptible to a trivial symbolic link attack. The program allows users to specify a directory from which configuration files should be loaded at runtime. A help file, 'rlmadmin.help', is loaded from this directory and displayed directly to the user when the program is run.
The vulnerability exists because the program is setuid root and does not check whether the help file is a symbolic link before displaying its contents to the user. It is trivial for a local user to read any file on the system. This may lead to the disclosure of sensitive data and system compromise.
#!
Exploit-DB
Debian 2.2 /usr/bin/pileup - Local Privilege Escalation
exploitdb·2001-07-13
CVE-2001-0989 Debian 2.2 /usr/bin/pileup - Local Privilege Escalation
---
/* pileup-xpl.c - local root exploit
*
* by core
*
* Friday the 13th, July 2001
*
* based almost entirely on code by Cody Tubbs (loophole of hhp)
*
* $ ./pileup-xpl
* pileup-xpl by core 2001 - beep beep root!
* usage: ./pileup-xpl [offset] [align(0..3)]
* Ret-addr: 0xbfffe09c, offset: 0, align: 0.
* How many voices (1 to 9)
* Starting speed (wpm)
* (C)ompetion mode or (P)ractice mode
* Enter '0' to abort the session! GL..
*
* TX RX TX RX
* -- -- -- --
*
* Accuracy: 0/6. Max speed: 13
* Score: 0
* Score: core wins!
* core-2.03# id
* uid=1000(core) gid=1000(core) euid=0(root) groups=1000(core)
* core-2.03# exit
* $
*
* greetz b10z, hhp, loophole
*
*/
#include
#include
#include
#define SH_IS_BASH 1 /* if /bin/sh -> /bin/bash */
#
Exploit-DB
Marconi ASX-1000 - Administration Denial of Service
exploitdb·2001-02-19
CVE-2001-0270 Marconi ASX-1000 - Administration Denial of Service
---
// source: https://www.securityfocus.com/bid/2400/info
ASX-1000 Switches are hardware packages developed by Marconi Corporation. ASX-1000 Switches can be used to regulate ATM networks, performing layer-3 switching.
A problem with the switch could allow a management denial of service. The problem occurs in the handling of arbitrary packets with both the SYN-FIN flags set, and fragments. By sending packets of this nature, the services listening on the switch enter close_wait status, and do not reset until the port is reset or the switch is power cycled.
This makes it possible for a malicious user to deny administrative access to a switch, and potentially create a network interruption by creating a necessity to power cycle the swit
Exploit-DB
Solaris 2.7/2.8 Catman - Local Insecure tmp Symlink
exploitdb·2000-12-19
CVE-2001-0095 Solaris 2.7/2.8 Catman - Local Insecure tmp Symlink
---
#!/usr/local/bin/perl -w
#
# The problem is catman creates files in /tmp insecurely.
# They are based on the PID of the catman process,
# catman will happily clobber any files that are
# symlinked to that file. The idea of this script is to
# create a block of symlinks to the target file with
# the current PID as a starting point. Depending on
# what load your system has this creates 1000 files in
# /tmp as sman_$currentpid + 1000.
#
# The drawback is you would have to know around when root
# would be executing catman. A better solution would be
# to monitor for the catman process and create the link
# before catman creates the file. I think this is a
# really small window however. This worked on a patched
# Solaris 2.7 box (August 2
No writeups or analysis indexed.
http://archives.neohapsis.com/archives/bugtraq/2001-09/0036.html
http://www.securityfocus.com/bid/3302
https://exchange.xforce.ibmcloud.com/vulnerabilities/7096