what you don't know can hurt you
Showing 1 - 25 of 363 RSS Feed

Operating System: BSD

FreeBSD fd Privilege Escalation
Posted Dec 30, 2019
Authored by Karsten Konig

Local root exploit for the FreeBSD fd vulnerability as disclosed in FreeBSD-SA-19:02.fd.

tags | exploit, local, root
systems | freebsd, bsd
advisories | CVE-2019-5596
MD5 | 6426b023a6749568c0e3de1d4ba2531a
FreeBSD mqueuefs Privilege Escalation
Posted Dec 30, 2019
Authored by Karsten Konig

Local root exploit for the FreeBSD mqueuefs vulnerability as disclosed in FreeBSD-SA-19:15.mqueuefs.

tags | exploit, local, root
systems | freebsd, bsd
MD5 | fa32a042469b8505c6692ec2c13703e4
macOS Kernel wait_for_namespace_event() Race Condition / Use-After-Free
Posted Dec 18, 2019
Authored by Google Security Research, bazad

In the macOS kernel, the XNU function wait_for_namespace_event() in bsd/vfs/vfs_syscalls.c releases a file descriptor for use by userspace but may then subsequently destroy that file descriptor using fp_free(), which unconditionally frees the fileproc and fileglob. This opens up a race window during which the process could manipulate those objects while they're being freed. Exploitation requires root privileges.

tags | exploit, kernel, root
systems | bsd
MD5 | cba1e82afa4ec28fd0073d6cfded8a11
FreeBSD Security Advisory - FreeBSD-SA-19:26.mcu
Posted Nov 12, 2019
Authored by InTeL | Site security.freebsd.org

FreeBSD Security Advisory - From time to time Intel releases new CPU microcode to address functional issues and security vulnerabilities. Such a release is also known as a Micro Code Update (MCU), and is a component of a broader Intel Platform Update (IPU). FreeBSD distributes CPU microcode via the devcpu-data port and package.

tags | advisory, vulnerability
systems | freebsd, bsd
advisories | CVE-2017-5715, CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11135, CVE-2019-11139
MD5 | 3f292061289055eb717818fe052c4a7b
FreeBSD Security Advisory - FreeBSD-SA-19:24.mqueuefs
Posted Aug 21, 2019
Authored by Karsten Konig | Site security.freebsd.org

FreeBSD Security Advisory - System calls operating on file descriptors obtain a reference to relevant struct file which due to a programming error was not always put back, which in turn could be used to overflow the counter of affected struct file. A local user can use this flaw to obtain access to files, directories, sockets, etc., opened by processes owned by other users. If obtained struct file represents a directory from outside of user's jail, it can be used to access files outside of the jail. If the user in question is a jailed root they can obtain root privileges on the host system.

tags | advisory, overflow, local, root
systems | freebsd, bsd
advisories | CVE-2019-5603
MD5 | 9cfd72e9cfbe028258e3db3b70d85035
FreeBSD Security Advisory - FreeBSD-SA-19:20.bsnmp
Posted Aug 6, 2019
Authored by Guido Vranken | Site security.freebsd.org

FreeBSD Security Advisory - A function extracting the length from type-length-value encoding is not properly validating the submitted length. A remote user could cause, for example, an out-of-bounds read, decoding of unrelated data, or trigger a crash of the software such as bsnmpd resulting in a denial of service.

tags | advisory, remote, denial of service
systems | freebsd, bsd
advisories | CVE-2019-5610
MD5 | 6ef4969cfc02cf46cf589e659797306b
FreeBSD Security Advisory - FreeBSD-SA-19:17.fd
Posted Jul 25, 2019
Authored by Mark Johnston | Site security.freebsd.org

FreeBSD Security Advisory - If a process attempts to transmit rights over a UNIX-domain socket and an error causes the attempt to fail, references acquired on the rights are not released and are leaked. This bug can be used to cause the reference counter to wrap around and free the corresponding file structure. A local user can exploit the bug to gain root privileges or escape from a jail.

tags | advisory, local, root
systems | unix, freebsd, bsd
advisories | CVE-2019-5607
MD5 | 1a3189674b2fd461c7cc9af0c29d8185
FreeBSD Security Advisory - FreeBSD-SA-19:16.bhyve
Posted Jul 25, 2019
Authored by Reno Robert | Site security.freebsd.org

FreeBSD Security Advisory - The pci_xhci_device_doorbell() function does not validate the 'epid' and 'streamid' provided by the guest, leading to an out-of-bounds read. A misbehaving bhyve guest could crash the system or access memory that it should not be able to.

tags | advisory
systems | freebsd, bsd
advisories | CVE-2019-5604
MD5 | 71bf823754b425dc351c08e498f7d8ae
FreeBSD Security Advisory - FreeBSD-SA-19:15.mqueuefs
Posted Jul 25, 2019
Authored by Mateusz Guzik | Site security.freebsd.org

FreeBSD Security Advisory - System calls operating on file descriptors obtain a reference to relevant struct file which due to a programming error was not always put back, which in turn could be used to overflow the counter of affected struct file. A local user can use this flaw to obtain access to files, directories, sockets etc. opened by processes owned by other users. If obtained struct file represents a directory from outside of user's jail, it can be used to access files outside of the jail. If the user in question is a jailed root they can obtain root privileges on the host system.

tags | advisory, overflow, local, root
systems | freebsd, bsd
advisories | CVE-2019-5603
MD5 | 17ac53321b9a37616cc3344652d76b23
FreeBSD Security Advisory - FreeBSD-SA-19:14.freebsd32
Posted Jul 25, 2019
Authored by Ilja van Sprundel | Site security.freebsd.org

FreeBSD Security Advisory - Due to insufficient initialization of memory copied to userland in the components listed above small amounts of kernel memory may be disclosed to userland processes. A user who can invoke 32-bit FreeBSD ioctls may be able to read the contents of small portions of kernel memory. Such memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way; for example, a terminal buffer might include a user-entered password.

tags | advisory, kernel
systems | freebsd, bsd
advisories | CVE-2019-5605
MD5 | 5736cbc3b6e4753872fa443e695addc6
FreeBSD Security Advisory - FreeBSD-SA-19:13.pts
Posted Jul 25, 2019
Authored by syzkaller | Site security.freebsd.org

FreeBSD Security Advisory - The code which handles a close(2) of a descriptor created by posix_openpt(2) fails to undo the configuration which causes SIGIO to be raised. This bug can lead to a write-after-free of kernel memory. The bug permits malicious code to trigger a write-after-free, which may be used to gain root privileges or escape a jail.

tags | advisory, kernel, root
systems | freebsd, bsd, osx
advisories | CVE-2019-5606
MD5 | bb73159089c28abc1e386b3526667139
FreeBSD Security Advisory - FreeBSD-SA-19:12.telnet
Posted Jul 24, 2019
Authored by Juniper Networks | Site security.freebsd.org

FreeBSD Security Advisory - Insufficient validation of environment variables in the telnet client supplied in FreeBSD can lead to stack-based buffer overflows. A stack-based overflow is present in the handling of environment variables when connecting via the telnet client to remote telnet servers. This issue only affects the telnet client. Inbound telnet sessions to telnetd(8) are not affected by this issue. These buffer overflows may be triggered when connecting to a malicious server, or by an active attacker in the network path between the client and server. Specially crafted TELNET command sequences may cause the execution of arbitrary code with the privileges of the user invoking telnet(1).

tags | advisory, remote, overflow, arbitrary
systems | freebsd, bsd
advisories | CVE-2019-0053
MD5 | ab448af83d8c939a666a34e2fc68c7f5
FreeBSD Security Advisory - FreeBSD-SA-19:10.ufs
Posted Jul 3, 2019
Authored by David G. Lawrence | Site security.freebsd.org

FreeBSD Security Advisory - A bug causes up to three bytes of kernel stack memory to be written to disk as uninitialized directory entry padding. This data can be viewed by any user with read access to the directory. Additionally, a malicious user with write access to a directory can cause up to 254 bytes of kernel stack memory to be exposed. Some amount of the kernel stack is disclosed and written out to the filesystem.

tags | advisory, kernel
systems | freebsd, bsd
advisories | CVE-2019-5601
MD5 | 46094c4f37df1255acbd646ec82e3d07
FreeBSD Security Advisory - FreeBSD-SA-19:09.iconv
Posted Jul 3, 2019
Authored by Andrea Venturoli | Site security.freebsd.org

FreeBSD Security Advisory - With certain inputs, iconv may write beyond the end of the output buffer. Depending on the way in which iconv is used, an attacker may be able to create a denial of service, provoke incorrect program behavior, or induce a remote code execution. iconv is a libc library function and the nature of possible attacks will depend on the way in which iconv is used by applications or daemons.

tags | advisory, remote, denial of service, code execution
systems | freebsd, bsd
advisories | CVE-2019-5600
MD5 | 7b79e911c86a0f9ff912dd1aa191a5f3
FreeBSD Security Advisory - FreeBSD-SA-19:08.rack
Posted Jun 21, 2019
Authored by Jonathan Looney | Site security.freebsd.org

FreeBSD Security Advisory - While processing acknowledgements, the RACK code uses several linked lists to maintain state entries. A malicious attacker can cause the lists to grow unbounded. This can cause an expensive list traversal on every packet being processed, leading to resource exhaustion and a denial of service. An attacker with the ability to send specially crafted TCP traffic to a victim system can degrade network performance and/or consume excessive CPU by exploiting the inefficiency of traversing the potentially very large RACK linked lists with relatively small bandwidth cost.

tags | advisory, denial of service, tcp
systems | freebsd, bsd
advisories | CVE-2019-5599
MD5 | 61bd1985fd9c500e680146f09bfc02c8
Linux / FreeBSD TCP-Based Denial Of Service
Posted Jun 18, 2019
Authored by Jonathan Looney | Site netflix.com

Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels. The vulnerabilities specifically relate to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most serious, dubbed _"SACK Panic_," allows a remotely-triggered kernel panic on recent Linux kernels. There are patches that address most of these vulnerabilities. If patches can not be applied, certain mitigations will be effective.

tags | advisory, kernel, tcp, vulnerability
systems | linux, freebsd, bsd
advisories | CVE-2019-11477, CVE-2019-11478, CVE-2019-11479, CVE-2019-5599
MD5 | 2c46702ff7e7c931dd0a108fe8cfe05d
FreeBSD rtld execl() Privilege Escalation
Posted May 22, 2019
Authored by stealth, Kingcope | Site metasploit.com

This Metasploit module exploits a vulnerability in the FreeBSD run-time link-editor (rtld). The rtld unsetenv() function fails to remove LD_* environment variables if __findenv() fails. This can be abused to load arbitrary shared objects using LD_PRELOAD, resulting in privileged code execution.

tags | exploit, arbitrary, code execution
systems | freebsd, bsd
advisories | CVE-2009-4146, CVE-2009-4147
MD5 | 8389e3a76ad8302ffe4213d460a38deb
FreeBSD Security Advisory - FreeBSD-SA-19:07.mds
Posted May 15, 2019
Site security.freebsd.org

FreeBSD Security Advisory - On some Intel processors utilizing speculative execution a local process may be able to infer stale information from microarchitectural buffers to obtain a memory disclosure. An attacker may be able to read secret data from the kernel or from a process when executing untrusted code (for example, in a web browser).

tags | advisory, web, kernel, local
systems | freebsd, bsd
advisories | CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
MD5 | f3d49ad33dba5d63cb9cccec7a4b379e
FreeBSD Security Advisory - FreeBSD-SA-19:03.wpa
Posted May 15, 2019
Site security.freebsd.org

FreeBSD Security Advisory - Multiple vulnerabilities exist in the hostapd(8) and wpa_supplicant(8) implementations.

tags | advisory, vulnerability
systems | freebsd, bsd
advisories | CVE-2019-9494, CVE-2019-9495, CVE-2019-9496, CVE-2019-9497
MD5 | 71ae117c46b8fba957049dd0f7eb8d5a
FreeBSD Intel SYSRET Privilege Escalation
Posted Mar 7, 2019
Authored by Rafal Wojtczuk, Brendan Coles, John Baldwin, iZsh | Site metasploit.com

This Metasploit module exploits a vulnerability in the FreeBSD kernel, when running on 64-bit Intel processors. By design, 64-bit processors following the X86-64 specification will trigger a general protection fault (GPF) when executing a SYSRET instruction with a non-canonical address in the RCX register. However, Intel processors check for a non-canonical address prior to dropping privileges, causing a GPF in privileged mode. As a result, the current userland RSP stack pointer is restored and executed, resulting in privileged code execution.

tags | exploit, x86, kernel, code execution
systems | freebsd, bsd
advisories | CVE-2012-0217
MD5 | 3c4bc514cf25ebc9c86255e4a4f4d06e
FreeBSD Security Advisory - FreeBSD-SA-18:14.bhyve
Posted Dec 6, 2018
Authored by Reno Robert | Site security.freebsd.org

FreeBSD Security Advisory - Insufficient bounds checking in one of the device models provided by bhyve(8) can permit a guest operating system to overwrite memory in the bhyve(8) processing possibly permitting arbitrary code execution. A guest OS using a firmware image can cause the bhyve process to crash, or possibly execute arbitrary code on the host as root.

tags | advisory, arbitrary, root, code execution
systems | freebsd, bsd
advisories | CVE-2018-17160
MD5 | 7dc5a9cc50e7bfcc59073a947a869ea7
FreeBSD Security Advisory - FreeBSD-SA-18:13.nfs
Posted Nov 28, 2018
Authored by Jakub Jirasek | Site security.freebsd.org

FreeBSD Security Advisory - Insufficient and improper checking in the NFS server code could cause a denial of service or possibly remote code execution via a specially crafted network packet. A remote attacker could cause the NFS server to crash, resulting in a denial of service, or possibly execute arbitrary code on the server.

tags | advisory, remote, denial of service, arbitrary, code execution
systems | freebsd, bsd
advisories | CVE-2018-17157, CVE-2018-17158, CVE-2018-17159
MD5 | c429bab0bdb3143934610a88f982eccd
FreeBSD Security Advisory - FreeBSD-SA-18:12.elf
Posted Sep 13, 2018
Authored by Fraunhofer FKIE, Thomas Barabosch, Mark Johnston | Site security.freebsd.org

FreeBSD Security Advisory - Insufficient validation was performed in the ELF header parser, and malformed or otherwise invalid ELF binaries were not rejected as they should be. Execution of a malicious ELF binary may result in a kernel crash or may disclose kernel memory.

tags | advisory, kernel
systems | freebsd, bsd
advisories | CVE-2018-6924
MD5 | 00b792f169afd323a3ed205a6d9a506d
FreeBSD Security Advisory - FreeBSD-SA-18:10.ip
Posted Aug 15, 2018
Authored by Juha-Matti Tilli | Site security.freebsd.org

FreeBSD Security Advisory - A researcher has notified us of a DoS attack applicable to another operating system. While FreeBSD may not be vulnerable to that exact attack, we have identified several places where inadequate DoS protection could allow an attacker to consume system resources. It is not necessary that the attacker be able to establish two-way communication to carry out these attacks. These attacks impact both IPv4 and IPv6 fragment reassembly. In the worst case, an attacker could send a stream of crafted fragments with a low packet rate which would consume a substantial amount of CPU. Other attack vectors allow an attacker to send a stream of crafted fragments which could consume a large amount of CPU or all available mbuf clusters on the system. These attacks could temporarily render a system unreachable through network interfaces or temporarily render a system unresponsive. The effects of the attack should clear within 60 seconds after the attack stops.

tags | advisory
systems | freebsd, bsd
advisories | CVE-2018-6923
MD5 | 6d1a3e8fec6cb509fd14501d91ac75b5
FreeBSD Security Advisory - FreeBSD-SA-18:11.hostapd
Posted Aug 15, 2018
Authored by Mathy Vanhoef | Site security.freebsd.org

FreeBSD Security Advisory - When using WPA2, EAPOL-Key frames with the Encrypted flag and without the MIC flag set, the data field was decrypted first without verifying the MIC. When the dta field was encrypted using RC4, for example, when negotiating TKIP as a pairwise cipher, the unauthenticated but decrypted data was subsequently processed. This opened wpa_supplicant(8) to abuse by decryption and recovery of sensitive information contained in EAPOL-Key messages. All users of the WPA2 TKIP pairwise cipher are vulnerable to information, for example, the group key.

tags | advisory
systems | freebsd, bsd
advisories | CVE-2018-14526
MD5 | 6161d24d13a49c91a2677cc51cfcb2a2
Page 1 of 15
Back12345Next

File Archive:

January 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    8 Files
  • 2
    Jan 2nd
    11 Files
  • 3
    Jan 3rd
    11 Files
  • 4
    Jan 4th
    2 Files
  • 5
    Jan 5th
    2 Files
  • 6
    Jan 6th
    18 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    10 Files
  • 10
    Jan 10th
    13 Files
  • 11
    Jan 11th
    2 Files
  • 12
    Jan 12th
    4 Files
  • 13
    Jan 13th
    21 Files
  • 14
    Jan 14th
    18 Files
  • 15
    Jan 15th
    12 Files
  • 16
    Jan 16th
    18 Files
  • 17
    Jan 17th
    11 Files
  • 18
    Jan 18th
    3 Files
  • 19
    Jan 19th
    2 Files
  • 20
    Jan 20th
    15 Files
  • 21
    Jan 21st
    21 Files
  • 22
    Jan 22nd
    19 Files
  • 23
    Jan 23rd
    19 Files
  • 24
    Jan 24th
    11 Files
  • 25
    Jan 25th
    1 Files
  • 26
    Jan 26th
    1 Files
  • 27
    Jan 27th
    19 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close