Linux kernel
Problem Description:
Some vulnerabilities were discovered and corrected in the Linux
2.6 kernel:
The clone system call in the Linux kernel 2.6.28 and earlier allows
local users to send arbitrary signals to a parent process from an
unprivileged child process by launching an additional child process
with the CLONE_PARENT flag, and then letting this new process
exit. (CVE-2009-0028)
Problem Description:
Some vulnerabilities were discovered and corrected in the Linux
2.6 kernel:
The personality subsystem in the Linux kernel before 2.6.31-rc3 has a
PER_CLEAR_ON_SETID setting that does not clear the ADDR_COMPAT_LAYOUT
and MMAP_PAGE_ZERO flags when executing a setuid or setgid program,
which makes it easier for local users to leverage the details of
memory usage to (1) conduct NULL pointer dereference attacks, (2)
bypass the mmap_min_addr protection mechanism, or (3) defeat address
Problem Description:
A vulnerability was discovered and corrected in the Linux 2.6 kernel:
The setup_arg_pages function in fs/exec.c in the Linux kernel before
2.6.36, when CONFIG_STACK_GROWSDOWN is used, does not properly restrict
the stack memory consumption of the (1) arguments and (2) environment
for a 32-bit application on a 64-bit platform, which allows local
users to cause a denial of service (system crash) via a crafted exec
system call, a related issue to CVE-2010-2240. (CVE-2010-3858)
Problem Description:
Some vulnerabilities were discovered and corrected in the Linux
2.6 kernel:
The exit_notify function in kernel/exit.c in the Linux kernel
before 2.6.30-rc1 does not restrict exit signals when the
CAP_KILL capability is held, which allows local users to send an
arbitrary signal to a process by running a program that modifies the
exit_signal field and then uses an exec system call to launch a setuid
application. (CVE-2009-1337)
Some vulnerabilities were discovered and corrected in the Linux
2.6 kernel:
Array index error in the gdth_read_event function in
drivers/scsi/gdth.c in the Linux kernel before 2.6.32-rc8 allows
local users to cause a denial of service or possibly gain privileges
via a negative event index in an IOCTL request. (CVE-2009-3080)
The collect_rx_frame function in drivers/isdn/hisax/hfc_usb.c in the
Linux kernel before 2.6.32-rc7 allows attackers to have an unspecified
Affected: Corporate 4.0
_______________________________________________________________________
Problem Description:
The isdn_ioctl function in isdn_common.c in the Linux kernel prior to
2.6.23 allows local users to cause a denial of service via a crafted
ioctl struct in which iocts is not null terminated, which triggers a
buffer overflow (CVE-2007-6151).
The do_coredump function in fs/exec.c in the Linux kernel prior to
Thomas Pollet discovered that the RDS network protocol did not check
certain iovec buffers. A local attacker could exploit this to crash the
system or possibly execute arbitrary code as the root user. (CVE-2010-3865)
Vasiliy Kulikov discovered that the Linux kernel X.25 implementation did
not correctly clear kernel memory. A local attacker could exploit this to
read kernel stack memory, leading to a loss of privacy. (CVE-2010-3875)
Vasiliy Kulikov discovered that the Linux kernel sockets implementation did
not properly initialize certain structures. A local attacker could exploit
----- Original Message -----
From: "Cal Leeming [Simplicity Media Ltd]" <cal.leeming@simplicitymedialtd.co.uk>
To: "Dan Rosenberg" <dan.j.rosenberg@gmail.com>
Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Sent: Tuesday, December 7, 2010 4:06:44 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Full-disclosure] Linux kernel exploit
Anyone tested this in sandbox yet?
On 07/12/2010 20:25, Dan Rosenberg wrote:
> Hi all,
By exploiting either of the VMware flaws described in this document,
user-mode code executing in a virtual machine may gain kernel
privileges within the virtual machine, dependent upon the guest
operating system. The flaws have been proven exploitable on x64
versions of Windows, and they have produced potentially exploitable
crashes on x64 versions of *BSD. The Linux kernel does not allow
exploitation of these flaws on x64 versions of Linux.
VULNERABILITY DETAILS
---------------------
PRE-CERT Security Advisory
==========================
* Advisory: PRE-SA-2012-03
* Released on: 10 May 2012
* Affected product: Linux Kernel 3.3.x <= 3.3.4, 2.6.x <= 2.6.35.13
* Impact: code execution / privilege escalation
* Origin: HFS plus file system
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2012-2319
By exploiting the VMware flaw described in this document, user-mode
code executing in a virtual machine may gain kernel privileges within
the virtual machine, dependent upon the guest operating system. The
flaw has been proven exploitable on x64 versions of Windows, and it
has produced potentially exploitable crashes on x64 versions of *BSD.
The Linux kernel does not allow exploitation of the flaws on x64
versions of Linux.
Some vulnerabilities were discovered and corrected in the Linux
2.6 kernel:
Buffer overflow in the hfsplus_find_cat function in
fs/hfsplus/catalog.c in the Linux kernel before 2.6.28-rc1 allows
attackers to cause a denial of service (memory corruption or
system crash) via an hfsplus filesystem image with an invalid
catalog namelength field, related to the hfsplus_cat_build_key_uni
function. (CVE-2008-4933)
your vendor.
===[ DESCRIPTION ]======================================================
On x86_64 platform the Linux kernel supports compatibility emulation for
IA32 userland applications providing 32-bit system calls amongst other
32-bit resources.
As a result of arch/x86_64/ia32/ia32entry.S code optimization, invalid
opcodes were used in the low level assembler routines providing
# PRE-CERT Security Advisory #
* Advisory: PRE-SA-2011-01
* Released on: 23 Feb 2011
* Last updated on: 23 Feb 2011
* Affected product: Linux Kernel 2.4 and 2.6
* Impact: privilege escalation, denial-of-service, disclosure of sensitive information
* Origin: storage devices
* CVE Identifier: CVE-2011-1010
Problem Description:
A vulnerability was discovered and corrected in the Linux 2.6 kernel:
The compat_alloc_user_space functions in include/asm/compat.h files
in the Linux kernel before 2.6.36-rc4-git2 on 64-bit platforms do
not properly allocate the userspace memory required for the 32-bit
compatibility layer, which allows local users to gain privileges by
leveraging the ability of the compat_mc_getsockopt function (aka the
MCAST_MSFILTER getsockopt support) to control a certain length value,
related to a stack pointer underflow issue, as exploited in the wild
Release Date: 2008/12/05
I. Impact
Local Denial of Service on Linux kernel 2.6.x
II. Description
A vulnerability exists in the Linux Kernel which can be exploited
Some vulnerabilities were discovered and corrected in the Linux
2.6 kernel:
The error-reporting functionality in (1) fs/ext2/dir.c, (2)
fs/ext3/dir.c, and possibly (3) fs/ext4/dir.c in the Linux kernel
2.6.26.5 does not limit the number of printk console messages that
report directory corruption, which allows physically proximate
attackers to cause a denial of service (temporary system hang) by
mounting a filesystem that has corrupted dir->i_size and dir->i_blocks
values and performing (a) read or (b) write operations. NOTE:
--snip--
/*
* Linux Kernel <= 2.6.37 local privilege escalation
* by Dan Rosenberg
* @djrbliss on twitter
*
* Usage:
* gcc full-nelson.c -o full-nelson
Some vulnerabilities were discovered and corrected in the Linux
2.6 kernel:
The skfp_ioctl function in drivers/net/skfp/skfddi.c in the Linux
kernel before 2.6.28.6 permits SKFP_CLR_STATS requests only when the
CAP_NET_ADMIN capability is absent, instead of when this capability
is present, which allows local users to reset the driver statistics,
related to an inverted logic issue. (CVE-2009-0675)
The sock_getsockopt function in net/core/sock.c in the Linux kernel
On Fri, Jan 2, 2009 at 12:15 AM, <i9p@hotmail.fr> wrote:
> /*
> Linux Kernel 2.6.18/2.6.24/2.6.20/2.6.22/2.6.21 denial of service exploit
>
> Author : Adurit Team
> >> djekmani4ever
This bug is already fixed upstream. More details can be found at:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-5029
/*
Linux Kernel 2.6.18/2.6.24/2.6.20/2.6.22/2.6.21 denial of service exploit
Author : Adurit Team
>> djekmani4ever
Home : www.hightsec.com
greetz : adurit team - v4-team - Zigma - stack - Mr.safa7 - king sabri - alphanix - and all my friends
==========================
* Advisory: PRE-SA-2011-06
* Released on: 19 August 2011
* Last updated on: 19 August 2011
* Affected product: Linux Kernel 2.4, 2.6, and 3.0
* Impact: denial-of-service
* Origin: Be file system
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2011-2928
Some vulnerabilities were discovered and corrected in the Linux
2.6 kernel:
The chip_command function in drivers/media/video/tvaudio.c in the
Linux kernel 2.6.25.x before 2.6.25.19, 2.6.26.x before 2.6.26.7,
and 2.6.27.x before 2.6.27.3 allows attackers to cause a denial of
service (NULL function pointer dereference and OOPS) via unknown
vectors. (CVE-2008-5033)
Stack-based buffer overflow in the hfs_cat_find_brec function
----- Original Message -----
From: "dan j rosenberg" <dan.j.rosenberg@gmail.com>
To: "Cal Leeming [Simplicity Media Ltd]" <cal.leeming@simplicitymedialtd.co.uk>, full-disclosure-bounces@lists.grok.org.uk, "Ariel Biener" <ariel@post.tau.ac.il>
Cc: "leandro lista" <leandro_lista@portari.com.br>, firebits@backtrack.com.br, bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Sent: Monday, December 13, 2010 4:08:05 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Full-disclosure] Linux kernel exploit
Please don't inundate me with e-mail because none of you bothered to read the exploit header.
The exploit so far has a 100% success rate on the systems it was designed to work on.