Debian Linux Security Advisory 2769-1 - Several vulnerabilities have been discovered in the FreeBSD kernel that may lead to a denial of service or privilege escalation.
f28d7bebc27c12dd5bebb230f071a816d319c8f0c43da006404a93fa32c755ebFreeBSD Security Advisory - The nullfs(5) filesystem allows all or a part of an already mounted filesystem to be made available in a different part of the global filesystem namespace. It is commonly used to make a set of files available to multiple chroot(2) or jail(2) environments without replicating the files in each environment. A common idiom, described in the FreeBSD Handbook, is to mount one subtree of a filesystem read-only within a jail's filesystem namespace, and mount a different subtree of the same filesystem read-write. The nullfs(5) implementation of the VOP_LINK(9) VFS operation does not check whether the source and target of the link are both in the same nullfs instance. It is therefore possible to create a hardlink from a location in one nullfs instance to a file in another, as long as the underlying (source) filesystem is the same. If multiple nullfs views into the same filesystem are mounted in different locations, a user with read access to one of these views and write access to another will be able to create a hard link from the latter to a file in the former, even though they are, from the user's perspective, different filesystems. The user may thereby gain write access to files which are nominally on a read-only filesystem.
8e26c5d77292e81b956d9bc998be84a6dc0f5a3d49036c051611a187679425d8FreeBSD Security Advisory - The ioctl(2) system call allows an application to perform device- or protocol-specific operations through a file or socket descriptor associated with a specific device or protocol. As is commonly the case, the IPv6 and ATM network layer ioctl request handlers are written in such a way that an unrecognized request is passed on unmodified to the link layer, which will either handle it or return an error code. Network interface drivers, however, assume that the SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR and SIOCSIFNETMASK requests have been handled at the network layer, and therefore do not perform input validation or verify the caller's credentials. Typical link-layer actions for these requests may include marking the interface as "up" and resetting the underlying hardware. An unprivileged user with the ability to run arbitrary code can cause any network interface in the system to perform the link layer actions associated with a SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR or SIOCSIFNETMASK ioctl request; or trigger a kernel panic by passing a specially crafted address structure which causes a network interface driver to dereference an invalid pointer. Although this has not been confirmed, the possibility that an attacker may be able to execute arbitrary code in kernel context can not be ruled out.
a5ca4fe5fc583837849cbb21a1852129d96964f3d5e07eadde7ab78f09bf4a19FreeBSD Security Advisory - The sendfile(2) system call allows a server application (such as an HTTP or FTP server) to transmit the contents of a file over a network connection without first copying it to application memory. High performance servers such as Apache and ftpd use sendfile. On affected systems, if the length passed to sendfile(2) is non-zero and greater than the length of the file being transmitted, sendfile(2) will pad the transmission up to the requested length or the next pagesize boundary, whichever is smaller. The content of the additional bytes transmitted in this manner depends on the underlying filesystem, but may potentially include information useful to an attacker. An unprivileged user with the ability to run arbitrary code may be able to obtain arbitrary kernel memory contents.
2c43f9839d8e9bf39752b47d4b9dbc5baf6ebdb977b3951776c95386cd3691b1Debian Linux Security Advisory 2743-1 - Several vulnerabilities have been discovered in the FreeBSD kernel that may lead to a privilege escalation or information leak.
569d8b0cda13d3a73e841bf15e6cefd040a645974771d3bc8fc7fc5adeea0929FreeBSD Security Advisory - When initializing the SCTP state cookie being sent in INIT-ACK chunks, a buffer allocated from the kernel stack is not completely initialized. Fragments of kernel memory may be included in SCTP packets and transmitted over the network. For each SCTP session, there are two separate instances in which a 4-byte fragment may be transmitted. This memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way. For example, a terminal buffer might include an user-entered password.
31263b7b248f107d5f7ed98d3b388e63dc69a3862d01f93e4c9b344f9c86de7cFreeBSD Security Advisory - An integer overflow in computing the size of a temporary buffer can result in a buffer which is too small for the requested operation. An unprivileged process can read or write pages of memory which belong to the kernel. These may lead to exposure of sensitive information or allow privilege escalation.
831fd4ba520eff2086ca0682aa7616522338d8662d219c74c434ceb7166343dbFreeBSD Security Advisory - The kernel incorrectly uses client supplied credentials instead of the one configured in exports(5) when filling out the anonymous credential for a NFS export, when -network or -host restrictions are used at the same time. The remote client may supply privileged credentials (e.g. the root user) when accessing a file under the NFS share, which will bypass the normal access checks.
d672bbe3c1c06396c194b1f5062f4d67d79b24f02a60b7a89344ec0f57fe8219FreeBSD Security Advisory - Due to a software defect a specially crafted query which includes malformed rdata, could cause named(8) to crash with an assertion failure and rejecting the malformed query. This issue affects both recursive and authoritative-only nameservers.
f1c6bd390fafc6b86654d596d7ddcfa62102f4a0aa7b681a7a87ed56ead922b7This Metasploit module exploits a vulnerability that can be used to modify portions of a process's address space, which may lead to privilege escalation. Systems such as FreeBSD 9.0 and 9.1 are known to be vulnerable.
9d8c78182da26e1da3cf3977d1da297ce969b5376665d620df728cbdcad3f431Debian Linux Security Advisory 2714-1 - Konstantin Belousov and Alan Cox discovered that insufficient permission checks in the memory management of the FreeBSD kernel could lead to privilege escalation.
26e535e94e7f71003a1fffd0d098d7f8d670f7c87a3b3313885b7e81b305b395FreeBSD 9.0+ privilege escalation exploit that leverages the mmap vulnerability.
a973c83e5edcbbb9daa0f1ee93d7602a34fc84b380f80b2f787c0b16ff88417aFreeBSD versions 9.0 and 9.1 mmap/ptrace privilege escalation exploit that leverages the issue described in FreeBSD-SA-13:06.
33ab3cd2db81ca119a894609c3cbec29fc118789f6df44a99945d5cda231b71cThis exploits performs privilege escalation leveraging the mmap vulnerability in FreeBSD 9.1 as described in FreeBSD-SA-13:06.
f4335d5441b706cb24ce9fb6b71366091edddbb0838d83d2cd1b69a4edab8fdfFreeBSD Security Advisory - Due to insufficient permission checks in the virtual memory system, a tracing process (such as a debugger) may be able to modify portions of the traced process's address space to which the traced process itself does not have write access. This error can be exploited to allow unauthorized modification of an arbitrary file to which the attacker has read access, but not write access. Depending on the file and the nature of the modifications, this can result in privilege escalation. To exploit this vulnerability, an attacker must be able to run arbitrary code with user privileges on the target system.
46c9d0684ffdd8c4787e60e14015a9e757b66b443d2622296e77fbdbc855860aDebian Linux Security Advisory 2672-1 - Adam Nowacki discovered that the new FreeBSD NFS implementation processes a crafted READDIR request which instructs to operate a file system on a file node as if it were a directory node, leading to a kernel crash or potentially arbitrary code execution.
8eabdee56b79c7299333824f4fec68170872a9111bb52fc743a14016b0ae8d10strongSwan is a complete IPsec implementation for the Linux, Android, Maemo, FreeBSD, and Mac OS X operating systems. It interoperates with with most other IPsec-based VPN products via the IKEv2 or IKEv1 key exchange protocols. The focus of the strongSwan project is on strong authentication mechanisms using X.509 public key certificates and optional secure storage of private keys on smartcards through a standardized PKCS#11 interface. A rich choice of modular plugins adds additional features like Trusted Network Connect or advanced cryptographical algorithms.
f52a048aabc783056f90efab6c181ccb17b17396d3208327b4f90debaa4c16a3FreeBSD Security Advisory - When processing READDIR requests, the NFS server does not check that it is in fact operating on a directory node. An attacker can use a specially modified NFS client to submit a READDIR request on a file, causing the underlying filesystem to interpret that file as a directory.
bdaaa4f57ae7233f6c31b6eae202bb3c0468403f3d7945ce9f1166ffc3299396This toolkit houses various IPv6 tools that have been tested to compile and run on Debian GNU/Linux 6.0, FreeBSD 9.0, NetBSD 5.1, OpenBSD 5.0, Mac OS 10.8.0, and Ubuntu 11.10.
75ff27cd30407cd57f35a7646b82e6fede9cfc7e1fac089b3da43e547424af48FreeBSD Security Advisory - A flaw in the OpenSSL handling of OCSP response verification could be exploited to cause a denial of service attack. OpenSSL has a weakness in the handling of CBC ciphersuites in SSL, TLS and DTLS. The weakness could reveal plaintext in a timing attack.
b53bfd66b506dafcb90c6c9516eb9205fffab27069d0f3a35836d94fab93d2feFreeBSD Security Advisory - A flaw in a library used by BIND allows an attacker to deliberately cause excessive memory consumption by the named(8) process. This affects both recursive and authoritative servers.
1dd487d7a38a6be933444db11b02dd1e2e265a2e5fb5dd7875698187215034f8This toolkit houses various IPv6 tools that have been tested to compile and run on Debian GNU/Linux 6.0, FreeBSD 9.0, NetBSD 5.1, OpenBSD 5.0, Mac OS 10.8.0, and Ubuntu 11.10.
8392ec6c2414194f839d154313ea7965a2c6503286828f22860c4c50a635d099FreeBSD Security Advisory - BIND 9 is an implementation of the Domain Name System (DNS) protocols. The named(8) daemon is an Internet Domain Name Server. DNS64 is an IPv6 transition mechanism that will return a synthesized AAAA response even if there is only an A record available. Due to a software defect a crafted query can cause named(8) to crash with an assertion failure.
7a8b0adfcf6016b307c0e17b5c45fdec29ac76e9591aba0e5450056bd38ad916FreeBSD Security Advisory - The glob(3) function is a pathname generator that implements the rules for file name pattern matching used by the shell. GLOB_LIMIT is supposed to limit the number of paths to prevent against memory or CPU attacks. The implementation however is insufficient. An attacker that is able to exploit this vulnerability could cause excessive memory or CPU usage, resulting in a denial of service.
f2e502ca64a6aa303c90908a48c574ac08e6abef1995c2a730359cea8c7e9fecThis toolkit houses various IPv6 tools that have been tested to compile and run on Debian GNU/Linux 6.0, FreeBSD 9.0, NetBSD 5.1, OpenBSD 5.0, Mac OS 10.8.0, and Ubuntu 11.10.
182d3e7b34ea800eae21d5fbf5fd4fa7f13792f27d9a4c5f61947ae0e178a720
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed