Exploit the possiblities
Showing 76 - 100 of 1,186 RSS Feed

Operating System: FreeBSD

FreeBSD Security Advisory - OpenSSL Updates
Posted Jan 15, 2015
Site security.freebsd.org

FreeBSD Security Advisory - A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due to a NULL pointer dereference. A memory leak can occur in the dtls1_buffer_record function under certain conditions. When OpenSSL is built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl method would be set to NULL which could later result in a NULL pointer dereference. An OpenSSL client will accept a handshake using an ephemeral ECDH ciphersuite using an ECDSA certificate if the server key exchange message is omitted. An OpenSSL client will accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. An OpenSSL server will accept a DH certificate for client authentication without the certificate verify message. OpenSSL accepts several non-DER-variations of certificate signature algorithm and signature encodings. OpenSSL also does not enforce a match between the signature algorithm between the signed and unsigned portions of the certificate. Bignum squaring (BN_sqr) may produce incorrect results on some platforms, including x86_64.

tags | advisory, memory leak
systems | freebsd
advisories | CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206
MD5 | 60266d8dbe7a7e17380b713e17c563c6
FreeBSD Security Advisory - NTP Weak Seeding / Buffer Overflow
Posted Dec 24, 2014
Site security.freebsd.org

FreeBSD Security Advisory - The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) used to synchronize the time of a computer system to a reference time source. When no authentication key is set in the configuration file, ntpd(8) would generate a random key that uses a non-linear additive feedback random number generator seeded with very few bits of entropy. The ntp-keygen(8) utility is also affected by a similar issue. When Autokey Authentication is enabled, for example if ntp.conf(5) contains a 'crypto pw' directive, a remote attacker can send a carefully crafted packet that can overflow a stack buffer. In ntp_proto.c, the receive() function is missing a return statement in the case when an error is detected.

tags | advisory, remote, overflow, crypto, protocol
systems | freebsd
advisories | CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296
MD5 | c0686516e1cd6bb7454b00db8848f13f
FreeBSD Security Advisory - unbound Denial Of Service
Posted Dec 17, 2014
Authored by Florian Maury | Site security.freebsd.org

FreeBSD Security Advisory - By causing queries to be made against a maliciously-constructed zone or against a malicious DNS server, an attacker who is able to cause specific queries to be sent to a nameserver can trick unbound(8) resolver into following an endless series of delegations, which consumes a lot of resources.

tags | advisory
systems | freebsd
advisories | CVE-2014-8602
MD5 | db9ec00bdf18b8c40ed20465428b9891
FreeBSD Security Advisory - BIND Denial Of Service
Posted Dec 11, 2014
Site security.freebsd.org

FreeBSD Security Advisory - By causing queries to be made against a maliciously-constructed zone or against a malicious DNS server, an attacker who is able to cause specific queries to be sent to a nameserver can cause named(8) to crash, leading to a denial of service. All recursive BIND DNS servers are vulnerable to this. Authoritative servers are only vulnerable if the attacker is able to control a delegation traversed by the authoritative server in order to serve the zone.

tags | advisory, denial of service
systems | freebsd
advisories | CVE-2014-8500
MD5 | d2f30f8ceebe3a4fe442cc6090bc853f
FreeBSD Security Advisory - file / libmagic Denial Of Service
Posted Dec 10, 2014
Site security.freebsd.org

FreeBSD Security Advisory - There are a number of denial of service issues in the ELF parser used by file(1). An attacker who can cause file(1) or any other applications using the libmagic(3) library to be run on a maliciously constructed input can cause the application to crash or consume excessive CPU resources, resulting in a denial-of-service.

tags | advisory, denial of service
systems | freebsd
advisories | CVE-2014-3710, CVE-2014-8116, CVE-2014-8117
MD5 | 5c39786c6e9f552f14d38694736de171
FreeBSD Security Advisory - stdio Buffer Overflow
Posted Dec 10, 2014
Site security.freebsd.org

FreeBSD Security Advisory - A programming error in the standard I/O library's __sflush() function could erroneously adjust the buffered stream's internal state even when no write actually occurred in the case when write(2) system call returns an error. The accounting mismatch would accumulate, if the caller does not check for stream status and will eventually lead to a heap buffer overflow. Such overflows may lead to data corruption or the execution of arbitrary code at the privilege level of the calling program.

tags | advisory, overflow, arbitrary
systems | freebsd
advisories | CVE-2014-8611
MD5 | a0b764641601f4e8629003f59b114d23
Tincd Post-Authentication Remote TCP Stack Buffer Overflow
Posted Dec 1, 2014
Authored by Martin Schobert, Tobias Ospelt | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in Tinc's tincd service. After authentication, a specially crafted tcp packet (default port 655) leads to a buffer overflow and allows to execute arbitrary code. This Metasploit module has been tested with tinc-1.1pre6 on Windows XP (custom calc payload) and Windows 7 (windows/meterpreter/reverse_tcp), and tinc version 1.0.19 from the ports of FreeBSD 9.1-RELEASE # 0 and various other OS, see targets. The exploit probably works for all versions <= 1.1pre6. A manually compiled version (1.1.pre6) on Ubuntu 12.10 with gcc 4.7.2 seems to be a non-exploitable crash due to calls to __memcpy_chk depending on how tincd was compiled. Bug got fixed in version 1.0.21/1.1pre7. While writing this module it was recommended to the maintainer to start using DEP/ASLR and other protection mechanisms.

tags | exploit, overflow, arbitrary, tcp
systems | linux, windows, freebsd, xp, ubuntu, 7
advisories | CVE-2013-1428, OSVDB-92653
MD5 | 84e2aa0f31859b0a33b4eb4b57cf52eb
Debian Security Advisory 3070-1
Posted Nov 10, 2014
Authored by Debian | Site debian.org

Debian Linux Security Advisory 3070-1 - Several vulnerabilities have been discovered in the FreeBSD kernel that may lead to a denial of service or information disclosure.

tags | advisory, denial of service, kernel, vulnerability, info disclosure
systems | linux, freebsd, debian
advisories | CVE-2014-3711, CVE-2014-3952, CVE-2014-3953, CVE-2014-8476
MD5 | 0a0b213c5368b4faf80d429fa7ac1d4e
FreeBSD Security Advisory - ftp Remote Command Execution
Posted Nov 5, 2014
Site security.freebsd.org

FreeBSD Security Advisory - A malicious HTTP server could cause ftp(1) to execute arbitrary commands. When operating on HTTP URIs, the ftp(1) client follows HTTP redirects, and uses the part of the path after the last '/' from the last resource it accesses as the output filename if '-o' is not specified. If the output file name provided by the server begins with a pipe ('|'), the output is passed to popen(3), which might be used to execute arbitrary commands on the ftp(1) client machine.

tags | advisory, web, arbitrary
systems | freebsd
advisories | CVE-2014-8517
MD5 | ed78374d9074f82776eb0585352bb036
FreeBSD Security Advisory - Kernel Stack Disclosure
Posted Nov 5, 2014
Site security.freebsd.org

FreeBSD Security Advisory - When setlogin(2) is called while setting up a new login session, the login name is copied into an uninitialized stack buffer, which is then copied into a buffer of the same size in the session structure. The getlogin(2) system call returns the entire buffer rather than just the portion occupied by the login name associated with the session. An unprivileged user can access this memory by calling getlogin(2) and reading beyond the terminating NUL character of the resulting string. Up to 16 (FreeBSD 8) or 32 (FreeBSD 9 and 10) bytes of kernel memory may be leaked in this manner for each invocation of setlogin(2). This memory may contain sensitive information, such as portions of the file cache or terminal buffers, which an attacker might leverage to obtain elevated privileges.

tags | advisory, kernel
systems | freebsd
advisories | CVE-2014-8476
MD5 | 2bdf8ccce86d759ea7b753ca2c34a621
FreeBSD Security Advisory - sshd Denial Of Service
Posted Nov 5, 2014
Site security.freebsd.org

FreeBSD Security Advisory - Although OpenSSH is not multithreaded, when OpenSSH is compiled with Kerberos support, the Heimdal libraries bring in the POSIX thread library as a dependency. Due to incorrect library ordering while linking sshd(8), symbols in the C library which are shadowed by the POSIX thread library may not be resolved correctly at run time. Note that this problem is specific to the FreeBSD build system and does not affect other operating systems or the version of OpenSSH available from the FreeBSD ports tree. An incorrectly linked sshd(8) child process may deadlock while handling an incoming connection. The connection may then time out or be interrupted by the client, leaving the deadlocked sshd(8) child process behind. Eventually, the sshd(8) parent process stops accepting new connections. An attacker may take advantage of this by repeatedly connecting and then dropping the connection after having begun, but not completed, the authentication process.

tags | advisory
systems | freebsd, osx
advisories | CVE-2014-8475
MD5 | 9c604890b80de664fad4262cb5aeb66b
FreeBSD Security Advisory - OpenSSL Vulnerabilities
Posted Oct 22, 2014
Site security.freebsd.org

FreeBSD Security Advisory - A flaw in the DTLS SRTP extension parsing code allows an attacker, who sends a carefully crafted handshake message, to cause OpenSSL to fail to free up to 64k of memory causing a memory leak. When an OpenSSL SSL/TLS/DTLS server receives a session ticket the integrity of that ticket is first verified. In the event of a session ticket integrity check failing, OpenSSL will fail to free memory causing a memory leak. The SSL protocol 3.0, as supported in OpenSSL and other products, supports CBC mode encryption where it could not adequately check the integrity of padding, because of the use of non-deterministic CBC padding. This protocol weakness makes it possible for an attacker to obtain clear text data through a padding-oracle attack. Some client applications (such as browsers) will reconnect using a downgraded protocol to work around interoperability bugs in older servers. This could be exploited by an active man-in-the-middle to downgrade connections to SSL 3.0 even if both sides of the connection support higher protocols. SSL 3.0 contains a number of weaknesses including POODLE.

tags | advisory, protocol, memory leak
systems | freebsd
advisories | CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, CVE-2014-3568
MD5 | 90c6b8acebfaafe5e2930813dd469c18
FreeBSD Security Advisory - routed(8) Remote Denial Of Service
Posted Oct 22, 2014
Authored by Hiroki Sato | Site security.freebsd.org

FreeBSD Security Advisory - The input path in routed(8) will accept queries from any source and attempt to answer them. However, the output path assumes that the destination address for the response is on a directly connected network. Upon receipt of a query from a source which is not on a directly connected network, routed(8) will trigger an assertion and terminate. The affected system's routing table will no longer be updated. If the affected system is a router, its routes will eventually expire from other routers' routing tables, and its networks will no longer be reachable unless they are also connected to another router.

tags | advisory
systems | freebsd
advisories | CVE-2014-3955
MD5 | b4ae7f2045e30dd8ff594d0da4e15aae
FreeBSD Security Advisory - rtsold(8) Remote Buffer Overflow
Posted Oct 22, 2014
Authored by Florian Obser, Hiroki Sato | Site security.freebsd.org

FreeBSD Security Advisory - Due to a missing length check in the code that handles DNS parameters, a malformed router advertisement message can result in a stack buffer overflow in rtsold(8). Receipt of a router advertisement message with a malformed DNSSL option, for instance from a compromised host on the same network, can cause rtsold(8) to crash. While it is theoretically possible to inject code into rtsold(8) through malformed router advertisement messages, it is normally compiled with stack protection enabled, rendering such an attack extremely difficult. When rtsold(8) crashes, the existing DNS configuration will remain in force, and the kernel will continue to receive and process periodic router advertisements.

tags | advisory, overflow, kernel
systems | freebsd
advisories | CVE-2014-3954
MD5 | ba4740846d01f8e60e1b1dd6f55b65a7
FreeBSD Security Advisory - namei Memory Leak
Posted Oct 22, 2014
Authored by Mateusz Guzik | Site security.freebsd.org

FreeBSD Security Advisory - The namei facility will leak a small amount of kernel memory every time a sandboxed process looks up a nonexistent path name. A remote attacker that can cause a sandboxed process (for instance, a web server) to look up a large number of nonexistent path names can cause memory exhaustion.

tags | advisory, remote, web, kernel
systems | freebsd
advisories | CVE-2014-3711
MD5 | 844b73ebc895a6302bd825e68621cbf4
Cisco Ironport WSA telnetd Remote Code Execution
Posted Oct 22, 2014
Authored by Glafkos Charalambous

The Cisco Ironport WSA virtual appliances are vulnerable to an old FreeBSD telnetd encryption Key ID buffer overflow which allows remote attackers to execute arbitrary code. Cisco WSA Virtual appliances have the vulnerable telnetd daemon enabled by default.

tags | advisory, remote, overflow, arbitrary
systems | cisco, freebsd
advisories | CVE-2011-4862
MD5 | cc7b947d050036a9a4f1ee8bcfb35533
FreeBSD Security Advisory - TCP Denial Of Service
Posted Sep 17, 2014
Site security.freebsd.org

FreeBSD Security Advisory - The Transmission Control Protocol (TCP) of the TCP/IP protocol suite provides a connection-oriented, reliable, sequence-preserving data stream service. New TCP connections are initiated using special SYN flag in a datagram. Sequencing of data is controlled by 32-bit sequence numbers, that start with a random value and are increased using modulo 2**32 arithmetic. TCP endpoints maintain a window of expected, and thus allowed, sequence numbers for a connection. When a segment with the SYN flag for an already existing connection arrives, the TCP stack tears down the connection, bypassing a check that the sequence number in the segment is in the expected window. An attacker who has the ability to spoof IP traffic can tear down a TCP connection by sending only 2 packets, if they know both TCP port numbers. In case one of the two port numbers is unknown, a successful attack requires less than 2**17 packets spoofed, which can be generated within less than a second on a decent connection to the Internet.

tags | advisory, spoof, tcp, protocol
systems | freebsd
advisories | CVE-2014-0230
MD5 | d0d69a580db330d7ee9f522fb50ad2b5
FreeBSD Security Advisory - OpenSSL Vulnerabilities
Posted Sep 9, 2014
Site security.freebsd.org

FreeBSD Security Advisory - Multiple OpenSSL issues have been addressed. The receipt of a specifically crafted DTLS handshake message may cause OpenSSL to consume large amounts of memory. The receipt of a specifically crafted DTLS packet could cause OpenSSL to leak memory. A flaw in OBJ_obj2txt may cause pretty printing functions such as X509_name_oneline, X509_name_print_ex et al. to leak some information from the stack. Various other issues have also been addressed.

tags | advisory
systems | freebsd
advisories | CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512, CVE-2014-5139
MD5 | 10ab061ab8877c8642dd9dba0936d0e3
FreeBSD Security Advisory - Kernel Memory Disclosure
Posted Jul 9, 2014
Site security.freebsd.org

FreeBSD Security Advisory - The control message API is used to construct ancillary data objects for use in control messages sent and received across sockets and passed via the recvmsg(2) and sendmsg(2) system calls. Buffer between control message header and data may not be completely initialized before being copied to userland. Three SCTP cmsgs, SCTP_SNDRCV, SCTP_EXTRCV and SCTP_RCVINFO, have implicit padding that may not be completely initialized before being copied to userland. In addition, three SCTP notifications, SCTP_PEER_ADDR_CHANGE, SCTP_REMOTE_ERROR and SCTP_AUTHENTICATION_EVENT, have padding in the returning data structure that may not be completely initialized before being copied to userland.

tags | advisory
systems | freebsd
advisories | CVE-2014-3952, CVE-2014-3953
MD5 | 050c68c612331e721d019161388271b2
FreeBSD Security Advisory - file / libmagic
Posted Jun 25, 2014
Site security.freebsd.org

FreeBSD Security Advisory - The file(1) utility attempts to classify file system objects based on filesystem, magic number and language tests. The libmagic(3) library provides most of the functionality of file(1) and may be used by other applications. A specifically crafted Composite Document File (CDF) file can trigger an out-of-bounds read or an invalid pointer dereference. A flaw in regular expression in the awk script detector makes use of multiple wildcards with unlimited repetitions. A malicious input file could trigger infinite recursion in libmagic(3). A specifically crafted Portable Executable (PE) can trigger out-of-bounds read.

tags | advisory
systems | freebsd
advisories | CVE-2012-1571, CVE-2013-7345, CVE-2014-1943, CVE-2014-2270
MD5 | 1dc0c3fbf70438e2a2b1a9f541cd9a65
FreeBSD Security Advisory - iconv NULL Pointer Dereference
Posted Jun 25, 2014
Site security.freebsd.org

FreeBSD Security Advisory - A NULL pointer dereference in the initialization code of the HZ module and an out of bounds array access in the initialization code of the VIQR module make iconv_open(3) calls involving HZ or VIQR result in an application crash.

tags | advisory
systems | freebsd
advisories | CVE-2014-3951
MD5 | a18b69584636b226071cb9d556ae6020
Debian Security Advisory 2952-1
Posted Jun 6, 2014
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2952-1 - Several vulnerabilities have been discovered in the FreeBSD kernel that may lead to a denial of service or possibly disclosure of kernel memory.

tags | advisory, denial of service, kernel, vulnerability
systems | linux, freebsd, debian
advisories | CVE-2014-1453, CVE-2014-3000, CVE-2014-3880
MD5 | 16e34c34203420401ac2e0dc187238c6
FreeBSD Security Advisory - OpenSSL Issues
Posted Jun 5, 2014
Site security.freebsd.org

FreeBSD Security Advisory - Multiple OpenSSL vulnerabilities have been addressed. Receipt of an invalid DTLS fragment on an OpenSSL DTLS client or server can lead to a buffer overrun. Receipt of an invalid DTLS handshake on an OpenSSL DTLS client can lead the code to unnecessary recurse. Carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. Carefully crafted packets can lead to a NULL pointer deference in OpenSSL TLS client code if anonymous ECDH ciphersuites are enabled.

tags | advisory, overflow, vulnerability
systems | freebsd
advisories | CVE-2014-0195, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470
MD5 | 1934f39e91527b2facc8c1cda272c95d
FreeBSD Security Advisory - ktrace Kernel Memory Disclosure
Posted Jun 4, 2014
Site security.freebsd.org

FreeBSD Security Advisory - Due to an overlooked merge to -STABLE branches, the size for page fault kernel trace entries was set incorrectly. A user who can enable kernel process tracing could end up reading the contents of kernel memory. Such memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way; for example, a terminal buffer might include a user-entered password.

tags | advisory, kernel
systems | freebsd
advisories | CVE-2014-3873
MD5 | 62f1437f209060349158195286c154b4
FreeBSD Security Advisory - PAM Policy Parser
Posted Jun 4, 2014
Site security.freebsd.org

FreeBSD Security Advisory - The OpenPAM library searches for policy definitions in several locations. While doing so, the absence of a policy file is a soft failure (handled by searching in the next location) while the presence of an invalid file is a hard failure (handled by returning an error to the caller). The policy parser returns the same error code (ENOENT) when a syntactically valid policy references a non-existent module as when the requested policy file does not exist. The search loop regards this as a soft failure and looks for the next similarly-named policy, without discarding the partially-loaded configuration. A similar issue can arise if a policy contains an include directive that refers to a non-existent policy.

tags | advisory
systems | freebsd
advisories | CVE-2014-3879
MD5 | e7dfe6ea459b9d340f6e52b2eee60000
Page 4 of 48
Back23456Next

File Archive:

November 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    22 Files
  • 2
    Nov 2nd
    28 Files
  • 3
    Nov 3rd
    10 Files
  • 4
    Nov 4th
    1 Files
  • 5
    Nov 5th
    5 Files
  • 6
    Nov 6th
    15 Files
  • 7
    Nov 7th
    15 Files
  • 8
    Nov 8th
    13 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    9 Files
  • 11
    Nov 11th
    3 Files
  • 12
    Nov 12th
    2 Files
  • 13
    Nov 13th
    15 Files
  • 14
    Nov 14th
    17 Files
  • 15
    Nov 15th
    19 Files
  • 16
    Nov 16th
    15 Files
  • 17
    Nov 17th
    19 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close