XNU has an issue where missing locking in checkdirs_callback() enables a race condition with fchdir_common().
85e06607829ab208006bfe5a5ef59847This Metasploit module exploits an issue in ptrace_link in kernel/ptrace.c before Linux kernel 5.1.17. This issue can be exploited from a Linux desktop terminal, but not over an SSH session, as it requires execution from within the context of a user with an active Polkit agent. In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME.
a67b52657090e25d42aa370f66e7ca88XNU suffers from a remote double-free vulnerability due to a data race in IPComp input path.
f107571d24ce915ad24992a19c351dc1Linux suffers from use-after-free read vulnerabilities in show_numa_stats().
19f13c14c14a87e2b867f6b005de2eaeLinux suffers from broken permission and object lifetime handling for PTRACE_TRACEME.
91c78e7e5a824d9c7ed235f47eecb190Google ChromeOS SafeSetID LSM suffers from privilege escalation vulnerabilities.
1eb159ed1602375544f5e4c09949e034Linux suffers from a use-after-free via a race condition between modify_ldt() and #BR exception.
bde5e2b4c6bf6932f0057efcb1d79bacThe Qualcomm Android kernel suffers from a use-after-free vulnerability via an incorrect set_page_dirty() in KGSL.
934ee0432bced903b9c092168a681f86Linux suffers from a missing locking between ELF coredump code and userfaultfd VMA modification.
6e83b659aeebd1f611e769f9fff5b64bThis bug report describes a bug in systemd that allows a service with DynamicUser in collaboration with another service or user to create a setuid binary that can be used to access its UID beyond the lifetime of the service. This bug probably has relatively low severity, given that there are not many services yet that use DynamicUser, and the requirement of collaboration with another process limits the circumstances in which it would be useful to an attacker further; but in a system that makes heavy use of DynamicUser, it would probably have impact.
cb138590286ec36c3796f89c3e18cff6The Siemens R3964 line discipline code in drivers/tty/n_r3964.c has a few races around its ioctl handler; for example, the handler for R3964_ENABLE_SIGNALS just allocates and deletes elements in a linked list with zero locking. This code is reachable by an unprivileged user if the line discipline is enabled in the kernel config; Ubuntu 18.04, for example, ships this line discipline as a module.
1820caa252c106e5cc11b80e59c7e65cLinux suffers from a page->_refcount overflow via FUSE with ~140GiB RAM usage.
47cf01f1d9bc811d111aac20bfd03627systemd suffers from a lack of seat verification in the PAM module and in turn permits the spoofing of an active session to polkit.
da7d4cd8a891ee21f0b9d4c6fec61329libseccomp suffers from an issue where there are incorrect compilations of arithmetic comparisons.
527bc24d7a88f082d48938d2aa6fb5c0It was discovered that virtual address 0 is mappable via privileged write() to /proc/*/mem on Linux.
e66eec069282b7aa4ec9437eb8308ef8getpidcon() usage in hardware binder servicemanager on Android permits ACL bypass.
4a5995063ac40d52861f758041827b02Android suffer from a binder use-after-free via a racy initialization of ->allow_user_free.
05c41c04dbf0a020804a8db2fdf4eca1XNU suffers from a copy-on-write behavior bypass via mount of user-owned filesystem image.
babb0ad99959bd04e0f28e89ee861d68Linux suffers from out-of-bounds read and write vulnerabilities in the SNMP NAT module.
c08eaed82dad3bd5f77b4f40d1deedbbOn Android, a ptrace hold makes the seccomp filter useless on devices with a kernel with a version lower than 4.8.
ec62513ec742cfdc38e9e8d04849f77cLinux kvm_ioctl_create_device() installs fd before taking reference.
2c781194b8d221ac15f3178b357e1b58Android binder suffers from a use-after-free vulnerability in VMA via a race between reclaim and munmap.
b595de41d1f8f84b4916fab4d16567deAndroid binder suffers from a use-after-free vulnerability via fdget() optimization.
bc3a95911082f54f5d3a2b398792bb8bIt has been discovered that the Linux eBPF Spectre v1 mitigation is insufficient.
60ad2b402e4b79e4579ab76baec63e80XNU suffers from a copy-on-write behavior bypass via partial-page truncation of file.
777063e937de55773212655e72ee59fb
© 2019 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed