Linux suffers from broken locking in TIOCSPGRP that can lead to a corrupted refcount.
d37fdf0d783b8893341574d9756e44cbLinux io_uring suffers from mm and files access across suid binaries.
637f9c04457efc1d0b80725cfac4b5efudisks and the Linux kernel have an issue where udisks permits users to mount romfs and romfs leaks uninitialized memory to userspace.
c048313af977e032061fd3c992081768A race condition exists with munmap() downgrades in Linux kernel versions since 4.20.
af84b28deac71be6c5fa63ed3e242c89A Linux copy-on-write issue can wrongly grant write access.
cb589228c2f3845aa384c84f4717d60eOn Android, app zygotes do not properly guard against UID reuse attacks, leak AID_READPROC, and expose mlstrustedsubject.
eebe6e6bf1383e7dfd3785cc4de920bcc-ares version 1.16.0 has an issue where ares_destroy() with pending ares_getaddrinfo() leads to a use-after-free condition.
1464ba2a11ec60f5b9714b8e26693d59Linux 5.6 has an issue with IORING_OP_MADVISE racing with coredumping.
48173960a553b8ac2d2d1b4706631456Linux futex+VFS suffers from an improper inode reference in get_futex_key() that causes a use-after-free if the superblock goes away.
b10f0f2bf1162cf416ade38ced936f86Linux has an issue where the SLUB bulk allocation slowpath omits a required TID increment.
b56ff43167ac1143eeafa23f56b39a25Linux versions 5.3 and above appear to have an issue where io_uring suffers from insecure handling of the root directory for path lookups.
cd4620f1e39d2b19219c64ba6facc1f3Android Binder use-after-free exploit.
b8930f3f9adad2325c20b748158a44e3Samsung suffers from a use-after-free vulnerability due to a missing lock in the SEND_FILE_WITH_HEADER handler in f_mtp_samsung.c.
c32b0a6b8edad815d87eab3aadeb33e9The Samsung kernel has logic bug and locking issues in PROCA that can lead to use-after-free and double-free issues from an application's context.
4809998625c6770bf24721a33e8e7f18This Metasploit module attempts to gain root privileges on Linux systems by abusing a NULL pointer dereference in the rds_atomic_free_op function in the Reliable Datagram Sockets (RDS) kernel module (rds.ko). Successful exploitation requires the RDS kernel module to be loaded. If the RDS module is not blacklisted (default); then it will be loaded automatically. This exploit supports 64-bit Ubuntu Linux systems, including distributions based on Ubuntu, such as Linux Mint and Zorin OS. This exploit does not bypass SMAP. Bypasses for SMEP and KASLR are included. Failed exploitation may crash the kernel. This module has been tested successfully on various 4.4 and 4.8 kernels.
e83495fea436d8a384500ace26357f2fAndroid suffers from ashmem read-only bypass vulnerabilities via remap_file_pages() and ASHMEM_UNPIN.
1ce1f492c6697220a1377f632e2b8f79Linux suffers from a privilege escalation vulnerability via io_uring offload of sendmsg() onto kernel thread with kernel creds.
7594e7ead982b1ba2cb61b42fa00ac35macOS suffers from an update_dyld_shared_cache privilege escalation vulnerability.
ccb563e2e8325980cd5cfa90ec74c416Ubuntu suffers from refcount underflow and type confusion vulnerabilities in shiftfs.
0997e77626bf20fe372537310c94c69fUbuntu suffers from an issue where ubuntu-aufs-modified mmap_region() breaks refcounting in overlayfs/shiftfs error path.
dbc5f5b20329ede3b61e960c453e1e6aXNU has an issue where missing locking in checkdirs_callback() enables a race condition with fchdir_common().
85e06607829ab208006bfe5a5ef59847This Metasploit module exploits an issue in ptrace_link in kernel/ptrace.c before Linux kernel 5.1.17. This issue can be exploited from a Linux desktop terminal, but not over an SSH session, as it requires execution from within the context of a user with an active Polkit agent. In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME.
a67b52657090e25d42aa370f66e7ca88XNU suffers from a remote double-free vulnerability due to a data race in IPComp input path.
f107571d24ce915ad24992a19c351dc1Linux suffers from use-after-free read vulnerabilities in show_numa_stats().
19f13c14c14a87e2b867f6b005de2eaeLinux suffers from broken permission and object lifetime handling for PTRACE_TRACEME.
91c78e7e5a824d9c7ed235f47eecb190
© 2020 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed