Samsung suffers from a use-after-free vulnerability due to a missing lock in the SEND_FILE_WITH_HEADER handler in f_mtp_samsung.c.
c32b0a6b8edad815d87eab3aadeb33e9The Samsung kernel has logic bug and locking issues in PROCA that can lead to use-after-free and double-free issues from an application's context.
4809998625c6770bf24721a33e8e7f18This Metasploit module attempts to gain root privileges on Linux systems by abusing a NULL pointer dereference in the rds_atomic_free_op function in the Reliable Datagram Sockets (RDS) kernel module (rds.ko). Successful exploitation requires the RDS kernel module to be loaded. If the RDS module is not blacklisted (default); then it will be loaded automatically. This exploit supports 64-bit Ubuntu Linux systems, including distributions based on Ubuntu, such as Linux Mint and Zorin OS. This exploit does not bypass SMAP. Bypasses for SMEP and KASLR are included. Failed exploitation may crash the kernel. This module has been tested successfully on various 4.4 and 4.8 kernels.
e83495fea436d8a384500ace26357f2fAndroid suffers from ashmem read-only bypass vulnerabilities via remap_file_pages() and ASHMEM_UNPIN.
1ce1f492c6697220a1377f632e2b8f79Linux suffers from a privilege escalation vulnerability via io_uring offload of sendmsg() onto kernel thread with kernel creds.
7594e7ead982b1ba2cb61b42fa00ac35macOS suffers from an update_dyld_shared_cache privilege escalation vulnerability.
ccb563e2e8325980cd5cfa90ec74c416Ubuntu suffers from refcount underflow and type confusion vulnerabilities in shiftfs.
0997e77626bf20fe372537310c94c69fUbuntu suffers from an issue where ubuntu-aufs-modified mmap_region() breaks refcounting in overlayfs/shiftfs error path.
dbc5f5b20329ede3b61e960c453e1e6aXNU has an issue where missing locking in checkdirs_callback() enables a race condition with fchdir_common().
85e06607829ab208006bfe5a5ef59847This Metasploit module exploits an issue in ptrace_link in kernel/ptrace.c before Linux kernel 5.1.17. This issue can be exploited from a Linux desktop terminal, but not over an SSH session, as it requires execution from within the context of a user with an active Polkit agent. In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME.
a67b52657090e25d42aa370f66e7ca88XNU suffers from a remote double-free vulnerability due to a data race in IPComp input path.
f107571d24ce915ad24992a19c351dc1Linux suffers from use-after-free read vulnerabilities in show_numa_stats().
19f13c14c14a87e2b867f6b005de2eaeLinux suffers from broken permission and object lifetime handling for PTRACE_TRACEME.
91c78e7e5a824d9c7ed235f47eecb190Google ChromeOS SafeSetID LSM suffers from privilege escalation vulnerabilities.
1eb159ed1602375544f5e4c09949e034Linux suffers from a use-after-free via a race condition between modify_ldt() and #BR exception.
bde5e2b4c6bf6932f0057efcb1d79bacThe Qualcomm Android kernel suffers from a use-after-free vulnerability via an incorrect set_page_dirty() in KGSL.
934ee0432bced903b9c092168a681f86Linux suffers from a missing locking between ELF coredump code and userfaultfd VMA modification.
6e83b659aeebd1f611e769f9fff5b64bThis bug report describes a bug in systemd that allows a service with DynamicUser in collaboration with another service or user to create a setuid binary that can be used to access its UID beyond the lifetime of the service. This bug probably has relatively low severity, given that there are not many services yet that use DynamicUser, and the requirement of collaboration with another process limits the circumstances in which it would be useful to an attacker further; but in a system that makes heavy use of DynamicUser, it would probably have impact.
cb138590286ec36c3796f89c3e18cff6The Siemens R3964 line discipline code in drivers/tty/n_r3964.c has a few races around its ioctl handler; for example, the handler for R3964_ENABLE_SIGNALS just allocates and deletes elements in a linked list with zero locking. This code is reachable by an unprivileged user if the line discipline is enabled in the kernel config; Ubuntu 18.04, for example, ships this line discipline as a module.
1820caa252c106e5cc11b80e59c7e65cLinux suffers from a page->_refcount overflow via FUSE with ~140GiB RAM usage.
47cf01f1d9bc811d111aac20bfd03627systemd suffers from a lack of seat verification in the PAM module and in turn permits the spoofing of an active session to polkit.
da7d4cd8a891ee21f0b9d4c6fec61329libseccomp suffers from an issue where there are incorrect compilations of arithmetic comparisons.
527bc24d7a88f082d48938d2aa6fb5c0It was discovered that virtual address 0 is mappable via privileged write() to /proc/*/mem on Linux.
e66eec069282b7aa4ec9437eb8308ef8getpidcon() usage in hardware binder servicemanager on Android permits ACL bypass.
4a5995063ac40d52861f758041827b02Android suffer from a binder use-after-free via a racy initialization of ->allow_user_free.
05c41c04dbf0a020804a8db2fdf4eca1
© 2016 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed