what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 15 of 15 RSS Feed

Files

Sequoia: A Deep Root In Linux's Filesystem Layer
Posted Jul 21, 2021
Authored by Qualys Security Advisory

Qualys discovered a size_t-to-int conversion vulnerability in the Linux kernel's filesystem layer: by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, an unprivileged local attacker can write the 10-byte string "//deleted" to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer. They successfully exploited this uncontrolled out-of-bounds write, and obtained full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation; other Linux distributions are certainly vulnerable, and probably exploitable. A basic proof of concept (a crasher) is attached to this advisory.

tags | exploit, kernel, local, root, proof of concept
systems | linux, debian, fedora, ubuntu
advisories | CVE-2021-33909, CVE-2021-33910
SHA-256 | 0c0b69962c7c4951fd574d5a8b85049490d77ada7568b05cfb4bce7ca40aa09a

Related Files

glibc syslog() Heap-Based Buffer Overflow
Posted Jan 31, 2024
Authored by Qualys Security Advisory

Qualys discovered a heap-based buffer overflow in the GNU C Library's __vsyslog_internal() function, which is called by both syslog() and vsyslog(). This vulnerability was introduced in glibc 2.37 (in August 2022).

tags | exploit, advisory, overflow
advisories | CVE-2023-6246
SHA-256 | 848273d3a06e2a275e111a84edea6cdd3e2e29de8b47a4efd45b2d0d9c53c768
undefinedglibc qsort() Out-Of-Bounds Read / Writeundefined
Posted Jan 31, 2024
Authored by Qualys Security Advisory

Qualys discovered a memory corruption in the glibc's qsort() function, due to a missing bounds check. To be vulnerable, a program must call qsort() with a nontransitive comparison function (a function cmp(int a, int b) that returns (a - b), for example) and with a large number of attacker-controlled elements (to cause a malloc() failure inside qsort()). They have not tried to find such a vulnerable program in the real world. All glibc versions from at least September 1992 (glibc 1.04) to the current release (glibc 2.38) are affected, but the glibc's developers have independently discovered and patched this memory corruption in the master branch.

tags | exploit, advisory
advisories | CVE-2023-6246
SHA-256 | f022f88e03996ad79c15bbc5396c143469581fda50195569cb1d3981ecc6fad8
glibc ld.so Local Privilege Escalation
Posted Oct 6, 2023
Authored by Qualys Security Advisory

Dubbed Looney Tunables, Qualys discovered a buffer overflow vulnerability in the glibc dynamic loader's processing of the GLIBC_TUNABLES environment variable. This vulnerability was introduced in April 2021 (glibc 2.34) by commit 2ed18c.

tags | exploit, overflow
advisories | CVE-2023-4911
SHA-256 | b12ee8e52aaf3d3287a35bb3ed77d6ea42f79734e21c6428997ffd1749823961
snap-confine must_mkdir_and_open_with_perms() Race Condition
Posted Dec 9, 2022
Authored by Qualys Security Advisory

Qualys discovered a race condition (CVE-2022-3328) in snap-confine, a SUID-root program installed by default on Ubuntu. In this advisory,they tell the story of this vulnerability (which was introduced in February 2022 by the patch for CVE-2021-44731) and detail how they exploited it in Ubuntu Server (a local privilege escalation, from any user to root) by combining it with two vulnerabilities in multipathd (an authorization bypass and a symlink attack, CVE-2022-41974 and CVE-2022-41973).

tags | exploit, local, root, vulnerability
systems | linux, ubuntu
advisories | CVE-2021-44731, CVE-2022-3328, CVE-2022-41973, CVE-2022-41974
SHA-256 | ae9802d4db6010e09c5ca96ad72cd8f9bb70aff4d7af8a1ec00cebd3203d1f95
Polkit pkexec Local Privilege Escalation
Posted Jan 26, 2022
Authored by Qualys Security Advisory | Site qualys.com

Qualys discovered a local privilege escalation (from any user to root) in polkit's pkexec, a SUID-root program that is installed by default on every major Linux distribution.

tags | advisory, local, root
systems | linux
advisories | CVE-2021-4034
SHA-256 | 23ec1cb3b1b5fe5409bb892ba3ae31bb746e06cafdf7afafd72fd7d4b136ebba
Debian Security Advisory 4634-1
Posted Feb 28, 2020
Authored by Debian | Site debian.org

Debian Linux Security Advisory 4634-1 - Qualys discovered that the OpenSMTPD SMTP server performed insufficient validation of SMTP commands, which could result in local privilege escalation or the execution of arbitrary code.

tags | advisory, arbitrary, local
systems | linux, debian
advisories | CVE-2020-8794
SHA-256 | 5da50339d4d1fb31d2ce2fa5d1c69b447dfd44db51920c67a0c326da5a65d4c0
OpenSMTPD Out-Of-Bounds Read
Posted Feb 25, 2020
Authored by Qualys Security Advisory

Qualys discovered a vulnerability in OpenSMTPD, OpenBSD's mail server. This vulnerability, an out-of-bounds read introduced in December 2015, is exploitable remotely and leads to the execution of arbitrary shell commands.

tags | exploit, arbitrary, shell
systems | openbsd
advisories | CVE-2020-8794
SHA-256 | 2c58b82819510289b2fd55d1c6a82b81b279777abd6a6b0db391f990ec12b148
OpenSMTPD Local Information Disclosure
Posted Feb 25, 2020
Authored by Qualys Security Advisory

Qualys discovered a minor vulnerability in OpenSMTPD, OpenBSD's mail server. An unprivileged local attacker can read the first line of an arbitrary file (for example, root's password hash in /etc/master.passwd) or the entire contents of another user's file (if this file and /var/spool/smtpd/ are on the same filesystem). A proof of concept exploit is included in this archive.

tags | exploit, arbitrary, local, root, proof of concept
systems | openbsd
advisories | CVE-2020-8793
SHA-256 | 3617b8854e485e1d063e08764e96429e54c6b7bb0467d127e819133f80c925d5
Debian Security Advisory 4611-1
Posted Jan 30, 2020
Authored by Debian | Site debian.org

Debian Linux Security Advisory 4611-1 - Qualys discovered that the OpenSMTPD SMTP server performed insufficient validation of email addresses which could result in the execution of arbitrary commands as root. In addition this update fixes a denial of service by triggering an opportunistic TLS downgrade.

tags | advisory, denial of service, arbitrary, root
systems | linux, debian
advisories | CVE-2020-7247
SHA-256 | b13a8757f4f9e0b2f590ed0cdbe4d23e4718fa37e2ea6ca4ed4d48c3bfa33f2a
OpenBSD OpenSMTPD Privilege Escalation / Code Execution
Posted Jan 29, 2020
Authored by Qualys Security Advisory

Qualys discovered a vulnerability in OpenSMTPD, OpenBSD's mail server. This vulnerability is exploitable since May 2018 (commit a8e222352f, "switch smtpd to new grammar") and allows an attacker to execute arbitrary shell commands, as root.

tags | exploit, arbitrary, shell, root
systems | openbsd
advisories | CVE-2020-7247
SHA-256 | 9415f92980a964e9430ed555502126d19de735d2acfd5db27d83bb342e5a8b2c
Qualys Security Advisory - OpenBSD Dynamic Loader Privilege Escalation
Posted Dec 12, 2019
Authored by Qualys Security Advisory

Qualys discovered a local privilege escalation in OpenBSD's dynamic loader (ld.so). This vulnerability is exploitable in the default installation (via the set-user-ID executable chpass or passwd) and yields full root privileges. They developed a simple proof of concept and successfully tested it against OpenBSD 6.6 (the current release), 6.5, 6.2, and 6.1, on both amd64 and i386; other releases and architectures are probably also exploitable.

tags | exploit, local, root, proof of concept
systems | openbsd
advisories | CVE-2019-19726
SHA-256 | 4e1f695e83c851f4826c356e0fbe52865163d4b41d6d1a6675fca7178914287b
Debian Security Advisory 4517-1
Posted Sep 6, 2019
Authored by Debian | Site debian.org

Debian Linux Security Advisory 4517-1 - "Zerons" and Qualys discovered that a buffer overflow triggerable in the TLS negotiation code of the Exim mail transport agent could result in the execution of arbitrary code with root privileges.

tags | advisory, overflow, arbitrary, root
systems | linux, debian
advisories | CVE-2019-15846
SHA-256 | 48c9e7e3415df4075f9fcb477fc3b8cd54fa5aa909f175f1c2839f3653a83d56
Exim 4.9.1 Remote Command Execution
Posted Jun 6, 2019
Authored by Qualys Security Advisory

Qualys discovered a remote command execution vulnerability in Exim versions 4.87 to 4.91.

tags | advisory, remote
advisories | CVE-2019-10149
SHA-256 | ccf81b809451dabd0ae35b330095955b9998319116314052fc75a06a7dd5e3e8
Qualys Security Advisory - LibreSSL Leak / Overflow
Posted Oct 18, 2015
Authored by Qualys Security Advisory

Qualys discovered various vulnerabilities in LibreSSL. These include a memory leak and a buffer overflow.

tags | advisory, overflow, vulnerability, memory leak
advisories | CVE-2015-5333, CVE-2015-5334
SHA-256 | b0de9f18c202a6ac93d7fb4c44048d40aa246b6dbb04fa3756ef345d6a3bb3ef
Qualys Security Advisory - OpenSMTPD Audit Report
Posted Oct 4, 2015
Authored by Qualys Security Advisory

Qualys discovered various vulnerabilities in OpenSMTPD. These include, but are not limited to, denial of service, buffer overflow, hardlink attack and use-after-free vulnerabilities.

tags | advisory, denial of service, overflow, vulnerability
SHA-256 | a0a4071e027cd0032bb15321814e2500f5dbd461a8b3356d921e787243fd6c28
Page 1 of 1
Back1Next

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close