A Linux PIE/stack corruption vulnerability exists. Most notably, all versions of CentOS 7 before 1708 (released on September 13, 2017), all versions of Red Hat Enterprise Linux 7 before 7.4 (released on August 1, 2017), and all versions of CentOS 6 and Red Hat Enterprise Linux 6 are exploitable.
e629fc1437f3afd0ad4608b004f8c31a78825d7d031176a742308b19fc02b46d
Qualys discovered a heap-based buffer overflow in the GNU C Library's __vsyslog_internal() function, which is called by both syslog() and vsyslog(). This vulnerability was introduced in glibc 2.37 (in August 2022).
848273d3a06e2a275e111a84edea6cdd3e2e29de8b47a4efd45b2d0d9c53c768
Qualys discovered a memory corruption in the glibc's qsort() function, due to a missing bounds check. To be vulnerable, a program must call qsort() with a nontransitive comparison function (a function cmp(int a, int b) that returns (a - b), for example) and with a large number of attacker-controlled elements (to cause a malloc() failure inside qsort()). They have not tried to find such a vulnerable program in the real world. All glibc versions from at least September 1992 (glibc 1.04) to the current release (glibc 2.38) are affected, but the glibc's developers have independently discovered and patched this memory corruption in the master branch.
f022f88e03996ad79c15bbc5396c143469581fda50195569cb1d3981ecc6fad8
Dubbed Looney Tunables, Qualys discovered a buffer overflow vulnerability in the glibc dynamic loader's processing of the GLIBC_TUNABLES environment variable. This vulnerability was introduced in April 2021 (glibc 2.34) by commit 2ed18c.
b12ee8e52aaf3d3287a35bb3ed77d6ea42f79734e21c6428997ffd1749823961
The PKCS#11 feature in ssh-agent in OpenSSH versions prior to 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system.
e93ab81da334d2b2c5f8f662d87f396041e5e366d8b286e3907b5cb137de0e8e
RenderDoc versions 1.26 and below suffer from integer underflow, integer overflow, and symlink vulnerabilities.
cc497579b678adb0532eece7bf7f32783a2ff614acf426c5981789ff6293796c
Qualys discovered a race condition (CVE-2022-3328) in snap-confine, a SUID-root program installed by default on Ubuntu. In this advisory,they tell the story of this vulnerability (which was introduced in February 2022 by the patch for CVE-2021-44731) and detail how they exploited it in Ubuntu Server (a local privilege escalation, from any user to root) by combining it with two vulnerabilities in multipathd (an authorization bypass and a symlink attack, CVE-2022-41974 and CVE-2022-41973).
ae9802d4db6010e09c5ca96ad72cd8f9bb70aff4d7af8a1ec00cebd3203d1f95
The Qualys Research Team has discovered authorization bypass and symlink vulnerabilities in multipathd. The authorization bypass was introduced in version 0.7.0 and the symlink vulnerability was introduced in version 0.7.7.
9fd49ad2d42596cc152f6771bcdd491b37e2986a01a0b0cdb2f997469ee1fdec
Qualys has released extensive research details regarding a heap-based buffer overflow vulnerability in sudo. The issue was introduced in July 2011 (commit 8255ed69), and affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1, in their default configuration.
49c51fff2702ea3bb7dc155cf79d48dec6f6a7a00b13a95caf7f36a3f59b319f
In 2005, three vulnerabilities were discovered in qmail but were never fixed because they were believed to be unexploitable in a default installation. Qualys recently re-discovered these vulnerabilities and were able to exploit one of them remotely in a default installation.
b40bd18472de68aa880c0372a9f3305689c40f370d5468a34516ef9530fd6906
Qualys discovered a vulnerability in OpenSMTPD, OpenBSD's mail server. This vulnerability, an out-of-bounds read introduced in December 2015, is exploitable remotely and leads to the execution of arbitrary shell commands.
2c58b82819510289b2fd55d1c6a82b81b279777abd6a6b0db391f990ec12b148
Qualys discovered a minor vulnerability in OpenSMTPD, OpenBSD's mail server. An unprivileged local attacker can read the first line of an arbitrary file (for example, root's password hash in /etc/master.passwd) or the entire contents of another user's file (if this file and /var/spool/smtpd/ are on the same filesystem). A proof of concept exploit is included in this archive.
3617b8854e485e1d063e08764e96429e54c6b7bb0467d127e819133f80c925d5
Qualys has discovered that OpenBSD suffers from multiple authentication bypass and local privilege escalation vulnerabilities.
f17dd04f6e2715e22520176b0b9b59af9523bd1f17067f5a5814eb8675c0497d
Qualys discovered a remote command execution vulnerability in Exim versions 4.87 to 4.91.
ccf81b809451dabd0ae35b330095955b9998319116314052fc75a06a7dd5e3e8
Linux suffers from an integer overflow vulnerability in create_elf_tables(). Multiple exploits provided.
96f76be0c1dab33a40b6145fd293ceab661f631350fcf639a1e4bdb1faedbb92
Qualys has discovered a memory leak and a buffer overflow in the dynamic loader (ld.so) of the GNU C Library (glibc).
ab2ee457cd217c4af1e191968f48de6c5ef96258d1fcf05193b1e417d462e8ef
Sudo's get_process_ttyname() on Linux suffers from a race condition that allows for root privilege escalation.
fedac891bbdaf97f55757b635d5ae075843da48925d762d5149a49ade19918cd
Since version 5.4 (released on March 8, 2010), the OpenSSH client supports an undocumented feature called roaming: if the connection to an SSH server breaks unexpectedly, and if the server supports roaming as well, the client is able to reconnect to the server and resume the suspended SSH session. Although roaming is not supported by the OpenSSH server, it is enabled by default in the OpenSSH client, and contains two vulnerabilities that can be exploited by a malicious SSH server (or a trusted but compromised server): an information leak (memory disclosure), and a buffer overflow (heap-based).
6d98389560de3c7942fe87c17e680b28f2ad90ec6c5d8f9a0f59e153dff5d23e
Qualys discovered various vulnerabilities in LibreSSL. These include a memory leak and a buffer overflow.
b0de9f18c202a6ac93d7fb4c44048d40aa246b6dbb04fa3756ef345d6a3bb3ef
Qualys discovered various vulnerabilities in OpenSMTPD. These include, but are not limited to, denial of service, buffer overflow, hardlink attack and use-after-free vulnerabilities.
a0a4071e027cd0032bb15321814e2500f5dbd461a8b3356d921e787243fd6c28
The libuser library implements a standardized interface for manipulating and administering user and group accounts, and is installed by default on Linux distributions derived from Red Hat's codebase. During an internal code audit at Qualys, they discovered multiple libuser-related vulnerabilities that allow local users to perform denial-of-service and privilege-escalation attacks. As a proof of concept, they developed an unusual local root exploit against one of libuser's applications. Both the advisory and exploit are included in this post.
8ca265d19600f642e0b8538ca2edb894bbc57f28b26136e6f5ea36ae5e348827
Apache 1.3.xx / Tomcat server with mod_jk remote denial of service exploit which uses chunked encoding requests, as described in Qualys Security Advisory QSA-2002-12-04.
26c922cb94695de52658f3b16ebbeebff4426b27d96a6b5ee0ee308e4f190146