
64/bit Linux

[ MDVSA-2009:118 ] kernel

 Problem Description:

 Some vulnerabilities were discovered and corrected in the Linux
 2.6 kernel:
 
 The clone system call in the Linux kernel 2.6.28 and earlier allows
 local users to send arbitrary signals to a parent process from an
 unprivileged child process by launching an additional child process
 with the CLONE_PARENT flag, and then letting this new process
 exit. (CVE-2009-0028)
 

Re: VSR Advisories: Linux RDS Protocol Local Privilege Escalation

>
> - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> Advisory Name: Linux RDS Protocol Local Privilege Escalation
>  Release Date: 2010-10-19
>  Application: Linux Kernel
>     Versions: 2.6.30 - 2.6.36-rc8
>     Severity: High
>       Author: Dan Rosenberg < drosenberg (at) vsecurity (dot) com >
> Vendor Status: Patch Released [3]
> CVE Candidate: CVE-2010-3904

VSR Advisories: Linux RDS Protocol Local Privilege Escalation

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: Linux RDS Protocol Local Privilege Escalation
 Release Date: 2010-10-19
  Application: Linux Kernel
     Versions: 2.6.30 - 2.6.36-rc8
     Severity: High
       Author: Dan Rosenberg < drosenberg (at) vsecurity (dot) com >
Vendor Status: Patch Released [3]
CVE Candidate: CVE-2010-3904

[ MDVSA-2009:289 ] kernel

 Problem Description:

 Some vulnerabilities were discovered and corrected in the Linux
 2.6 kernel:
 
 The personality subsystem in the Linux kernel before 2.6.31-rc3 has a
 PER_CLEAR_ON_SETID setting that does not clear the ADDR_COMPAT_LAYOUT
 and MMAP_PAGE_ZERO flags when executing a setuid or setgid program,
 which makes it easier for local users to leverage the details of
 memory usage to (1) conduct NULL pointer dereference attacks, (2)
 bypass the mmap_min_addr protection mechanism, or (3) defeat address

COSEINC Linux Advisory #2: IA32 System Call Emulation Vulnerability

your vendor.


===[ DESCRIPTION ]======================================================

On x86_64 platform the Linux kernel supports compatibility emulation for
IA32 userland applications providing 32-bit system calls amongst other
32-bit resources.

As a result of arch/x86_64/ia32/ia32entry.S code optimization, invalid
opcodes were used in the low level assembler routines providing

[ MDVSA-2010:034-1 ] kernel

 Some vulnerabilities were discovered and corrected in the Linux
 2.6 kernel:
 
 Array index error in the gdth_read_event function in
 drivers/scsi/gdth.c in the Linux kernel before 2.6.32-rc8 allows
 local users to cause a denial of service or possibly gain privileges
 via a negative event index in an IOCTL request. (CVE-2009-3080)
 
 The collect_rx_frame function in drivers/isdn/hisax/hfc_usb.c in the
 Linux kernel before 2.6.32-rc7 allows attackers to have an unspecified

[USN-1080-1] Linux kernel vulnerabilities

Thomas Pollet discovered that the RDS network protocol did not check
certain iovec buffers. A local attacker could exploit this to crash the
system or possibly execute arbitrary code as the root user. (CVE-2010-3865)

Vasiliy Kulikov discovered that the Linux kernel X.25 implementation did
not correctly clear kernel memory. A local attacker could exploit this to
read kernel stack memory, leading to a loss of privacy. (CVE-2010-3875)

Vasiliy Kulikov discovered that the Linux kernel sockets implementation did
not properly initialize certain structures. A local attacker could exploit

[PRE-SA-2011-01] Multiple Linux kernel vulnerabilities in partition handling code of LDM and MAC partition tables

# PRE-CERT Security Advisory #

* Advisory: PRE-SA-2011-01
* Released on: 23 Feb 2011
* Last updated on: 23 Feb 2011
* Affected product: Linux Kernel 2.4 and 2.6
* Impact: - privilege escalation
          - denial-of-service
          - disclosure of sensitive information
* Origin: storage devices
* CVE Identifier: - CVE-2011-1010

[ MDVSA-2008:224-1 ] kernel

 Some vulnerabilities were discovered and corrected in the Linux
 2.6 kernel:
 
 The error-reporting functionality in (1) fs/ext2/dir.c, (2)
 fs/ext3/dir.c, and possibly (3) fs/ext4/dir.c in the Linux kernel
 2.6.26.5 does not limit the number of printk console messages that
 report directory corruption, which allows physically proximate
 attackers to cause a denial of service (temporary system hang) by
 mounting a filesystem that has corrupted dir->i_size and dir->i_blocks
 values and performing (a) read or (b) write operations. NOTE:

[USN-1081-1] Linux kernel vulnerabilities

Thomas Pollet discovered that the RDS network protocol did not check
certain iovec buffers. A local attacker could exploit this to crash the
system or possibly execute arbitrary code as the root user. (CVE-2010-3865)

Vasiliy Kulikov discovered that the Linux kernel X.25 implementation did
not correctly clear kernel memory. A local attacker could exploit this to
read kernel stack memory, leading to a loss of privacy. (CVE-2010-3875)

Vasiliy Kulikov discovered that the Linux kernel sockets implementation did
not properly initialize certain structures. A local attacker could exploit

CVE-2008-5079: multiple listen()s on same socket corrupts the vcc table

Release Date: 2008/12/05

I. Impact

Local Denial of Service on Linux kernel 2.6.x


II. Description

A vulnerability exists in the Linux kernel which can be exploited

VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues

   Linux 32-bit .bundle
   md5sum: 38760682ad3b2f6bfb4e40f424c95c2a
   sha1sum: ec78099322b5fb2a737cd74a1978a5c07382dc8a

   Workstation for Linux 64-bit
   Linux 64-bit .rpm
   md5sum: 24311492bc515e9bc98eff9b2e7d33a2
   sha1sum: b4947ef09f740440e8a24fc2ba05c0a7c11b82f5

   Workstation for Linux 64-bit
   Linux 64-bit .bundle

Re: [Full-disclosure] Linux kernel exploit

----- Original Message -----
From: "Cal Leeming [Simplicity Media Ltd]" <cal.leeming@simplicitymedialtd.co.uk>
To: "Dan Rosenberg" <dan.j.rosenberg@gmail.com>
Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Sent: Tuesday, December 7, 2010 4:06:44 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Full-disclosure] Linux kernel exploit

Anyone tested this in sandbox yet?

On 07/12/2010 20:25, Dan Rosenberg wrote:
> Hi all,

[ MDVSA-2010:034 ] kernel

 Some vulnerabilities were discovered and corrected in the Linux
 2.6 kernel:
 
 Array index error in the gdth_read_event function in
 drivers/scsi/gdth.c in the Linux kernel before 2.6.32-rc8 allows
 local users to cause a denial of service or possibly gain privileges
 via a negative event index in an IOCTL request. (CVE-2009-3080)
 
 The collect_rx_frame function in drivers/isdn/hisax/hfc_usb.c in the
 Linux kernel before 2.6.32-rc7 allows attackers to have an unspecified

[ MDVSA-2010:247 ] kernel

 Problem Description:

 A vulnerability was discovered and corrected in the Linux 2.6 kernel:
 
 The compat_alloc_user_space functions in include/asm/compat.h files
 in the Linux kernel before 2.6.36-rc4-git2 on 64-bit platforms do
 not properly allocate the userspace memory required for the 32-bit
 compatibility layer, which allows local users to gain privileges by
 leveraging the ability of the compat_mc_getsockopt function (aka the
 MCAST_MSFILTER getsockopt support) to control a certain length value,
 related to a stack pointer underflow issue, as exploited in the wild

[ MDVSA-2008:086 ] - Updated kernel packages fix vulnerability

 Affected: Corporate 4.0
 _______________________________________________________________________
 
 Problem Description:
 
 The isdn_ioctl function in isdn_common.c in the Linux kernel prior to
 2.6.23 allows local users to cause a denial of service via a crafted
 ioctl struct in which iocts is not null terminated, which triggers a
 buffer overflow (CVE-2007-6151).
 
 The do_coredump function in fs/exec.c in the Linux kernel prior to

VMware Emulation Flaw x64 Guest Privilege Escalation (1/2)

By exploiting the VMware flaw described in this document, user-mode
code executing in a virtual machine may gain kernel privileges within
the virtual machine, dependent upon the guest operating system.  The
flaw has been proven exploitable on x64 versions of Windows, and it
has produced potentially exploitable crashes on x64 versions of *BSD.
The Linux kernel does not allow exploitation of the flaws on x64
versions of Linux.


VULNERABILITY DETAILS
---------------------

[ MDVSA-2008:234 ] kernel

 Some vulnerabilities were discovered and corrected in the Linux
 2.6 kernel:
 
 Buffer overflow in the hfsplus_find_cat function in
 fs/hfsplus/catalog.c in the Linux kernel before 2.6.28-rc1 allows
 attackers to cause a denial of service (memory corruption or
 system crash) via an hfsplus filesystem image with an invalid
 catalog namelength field, related to the hfsplus_cat_build_key_uni
 function. (CVE-2008-4933)
 

[ MDVSA-2010:034-2 ] kernel

 Some vulnerabilities were discovered and corrected in the Linux
 2.6 kernel:
 
 Array index error in the gdth_read_event function in
 drivers/scsi/gdth.c in the Linux kernel before 2.6.32-rc8 allows
 local users to cause a denial of service or possibly gain privileges
 via a negative event index in an IOCTL request. (CVE-2009-3080)
 
 The collect_rx_frame function in drivers/isdn/hisax/hfc_usb.c in the
 Linux kernel before 2.6.32-rc7 allows attackers to have an unspecified

VMware Emulation Flaw x64 Guest Privilege Escalation (2/2)

By exploiting either of the VMware flaws described in this document,
user-mode code executing in a virtual machine may gain kernel
privileges within the virtual machine, dependent upon the guest
operating system.  The flaws have been proven exploitable on x64
versions of Windows, and they have produced potentially exploitable
crashes on x64 versions of *BSD.  The Linux kernel does not allow
exploitation of these flaws on x64 versions of Linux.


VULNERABILITY DETAILS
---------------------

VMSA-2008-0008 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion resolve critical security issues

  md5sum: e7793b14b995d3b505f093c84e849421

  tar Installation file for 32-bit Linux
  md5sum: a0a8e1d8188f4be03357872a57a767ab

  RPM Installation file for 64-bit Linux
  md5sum: 960d753038a268b8f101f4b853c0257e

  tar Installation file for 64-bit Linux
  md5sum: 4697ec8a9d6c1152d785f3b77db9d539


VMSA-2008-0005 Updated VMware Workstation, VMware Player, VMware Server, VMware ACE, and VMware Fusion resolve critical security issues

   md5sum:  323f054957066fae07735160b73b91e5
   RPM Installation file for 32-bit Linux
   md5sum:  c44183ad11082f05593359efd220944e
   tar Installation file for 32-bit Linux
   md5sum:  57601f238106cb12c1dea303ad1b4820
   RPM Installation file for 64-bit Linux
   md5sum:  e9ba644be4e39556724fa2901c5e94e9
   tar Installation file for 64-bit Linux
   md5sum:  d8d423a76f99a94f598077d41685e9a9

   VMware Workstation 5.5.5

Re: [Full-disclosure] Linux kernel exploit

----- Original Message -----
From: "dan j rosenberg" <dan.j.rosenberg@gmail.com>
To: "Cal Leeming [Simplicity Media Ltd]" <cal.leeming@simplicitymedialtd.co.uk>, full-disclosure-bounces@lists.grok.org.uk, "Ariel Biener" <ariel@post.tau.ac.il>
Cc: "leandro lista" <leandro_lista@portari.com.br>, firebits@backtrack.com.br, bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Sent: Monday, December 13, 2010 4:08:05 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Full-disclosure] Linux kernel exploit

Please don't inundate me with e-mail because none of you bothered to read the exploit header.

The exploit so far has a 100% success rate on the systems it was designed to work on.


Re: Linux Kernel 2.6.18/2.6.24/2.6.20/2.6.22/2.6.21 denial of service exploit

On Fri, Jan 2, 2009 at 12:15 AM,  <i9p@hotmail.fr> wrote:
> /*
> Linux Kernel 2.6.18/2.6.24/2.6.20/2.6.22/2.6.21 denial of service exploit
>
> Author : Adurit Team
>         >> djekmani4ever

This bug is already fixed upstream. More details can be found at:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-5029


VMSA-2009-0012 VMware Movie Decoder, VMware Workstation, VMware Player, and VMware ACE resolve security issues.

   Linux 32-bit .bundle
   md5sum: d4a721c1918c0e8a87c6fa4bad49ad35
   sha1sum: c0c6f9b56e70bd3ffdb5467ee176110e283a69e5

   Workstation for Linux 64-bit
   Linux 64-bit .rpm
   md5sum: 72adfdb03de4959f044fcb983412ae7c
   sha1sum: ba16163c8d9b5aa572526b34a7b63dc6e68f9bbb

   Workstation for Linux 64-bit
   Linux 64-bit .bundle

Getting root, the hard way

/*
 * Linux Kernel CAP_SYS_ADMIN to root exploit
 * by Dan Rosenberg
 * @djrbliss on twitter
 *
 * Usage:
 * gcc -w caps-to-root.c -o caps-to-root
 * sudo setcap cap_sys_admin+ep caps-to-root
 * ./caps-to-root
 *

[PRE-SA-2011-06] Linux kernel: ZERO_SIZE_PTR dereference for long symlinks in Be FS

==========================

* Advisory: PRE-SA-2011-06
* Released on: 19 August 2011
* Last updated on: 19 August 2011
* Affected product: Linux Kernel 2.4, 2.6, and 3.0
* Impact: denial-of-service
* Origin: Be file system
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2011-2928


[PRE-SA-2011-03] Denial-of-service vulnerability in EFI partition handling code of the Linux kernel

==========================

* Advisory: PRE-SA-2011-03
* Released on: 13 Apr 2011
* Last updated on: 13 Apr 2011
* Affected product: Linux Kernel 2.4 and 2.6
* Impact: denial-of-service
* Origin: storage devices
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2011-1577

