Current Privilege Level
CVE-2009-3722
It was discovered that the handle_dr function in the KVM subsystem does not
properly verify the Current Privilege Level (CPL) before accessing a debug
register, which allows guest OS users to cause a denial of service (trap) on the
host OS via a crafted application.
CVE-2009-4031
value, which triggers a NULL pointer dereference in the gfn_to_rmap
function. (CVE-2009-2287)
The handle_dr function in arch/x86/kvm/vmx.c in the KVM subsystem
in the Linux kernel before 2.6.31.1 does not properly verify the
Current Privilege Level (CPL) before accessing a debug register,
which allows guest OS users to cause a denial of service (trap)
on the host OS via a crafted application. (CVE-2009-3722)
The ext4_decode_error function in fs/ext4/super.c in the ext4
filesystem in the Linux kernel before 2.6.32 allows user-assisted
and so on.
iret is a complex instruction whose pseudocode alone spans several pages
of the Intel Software Developer's Manual. Interestingly, in protected mode it
is executed in two distinct stages: a pre-commit stage (before the privilege
level is changed) and a post-commit stage (after the privilege level is
changed). You can see the commit point in the pseudocode below (taken
from the Intel manual; the comment is ours).
IF new mode != 64-Bit Mode
THEN
Summary
=======
The server side of the Secure Copy (SCP) implementation in Cisco
Internetwork Operating System (IOS) contains a vulnerability that
allows any valid user, regardless of privilege level, to transfer files
to and from an IOS device that is configured to be a Secure Copy
server. This vulnerability could allow valid users to retrieve or write
to any file on the device's filesystem, including the device's saved
configuration. This configuration file may include passwords or other
sensitive information.
unless you bring in some new/unsupported hardware/features. IOS-XR is
probably going to become a target too as it makes some of these things easier
[11] but code signing may have to be broken/bypassed first. This has been done
on other devices, so it's just one more layer to attack.
An alternative rootkit? Privilege level 16 used by the Lawful Intercept [12]
feature could be abused to do some of this too. Or the other way around: use a
"patched" IOS to keep an eye on Law Enforcement's operations on the router as
privilege level 15 doesn't allow it and the only alternative is to sniff the
traffic export.
Because Cascade Server does not restrict the kind of XSLT code users
are able to enter, any user with access to edit XSLT stylesheets can
cause Cascade Server to execute arbitrary Java code. Using the
java.lang.Runtime class, Java can run shell commands.
While the privilege level of the Cascade Server process may prevent
an attacker from gaining complete control of the host system, that
privilege level is necessarily sufficient to gain full control of
Cascade Server.
SOLUTION
Exploitation of this issue may lead to arbitrary code execution on
the system where VMrc is installed.
For an attack to be successful, an attacker would need to trick the
VMrc user into opening a malicious Web page or following a malicious
URL. Code execution would be at the privilege level of the user.
VMrc is present on a system if the VMrc browser plug-in has been
installed. This plug-in is required when using the console feature in
WebAccess. Installation of the plug-in follows after visiting the
console tab in WebAccess and choosing "Install plug-in". The plug-
via the ADMIN$ share (given the user exploited has enough privileges).
Please remember that this proof-of-concept exploit requires the target
user to have enough privileges (e.g. local administrator) to access the
ADMIN$ share remotely. However, the target user does not need to have this
privilege level in order for the attacker to exploit the vulnerability.
For example: if the target user only has regular user privileges, an
attacker can access the file shares that user has access to. Also,
exploiting the vulnerability and the level of access obtained are two
different things.
Access Protocol (LDAP) server called DC Directory. After an IP Phone
PAB Synchronizer client successfully authenticates, the Cisco Unified
Communications Manager returns credentials for the DC Directory user
that will be used by the client to synchronize a user's address book.
Depending on how a Cisco Unified Communications Manager is
configured, an attacker may obtain different privilege levels using
the intercepted credentials.
By default, Cisco Unified Communications Manager software version 4.x
administrator accounts are created as part of an underlying Microsoft
Windows operating system. Cisco Unified Communications Manager is