Qualys has discovered that OpenBSD suffers from multiple authentication bypass and local privilege escalation vulnerabilities.
f17dd04f6e2715e22520176b0b9b59af9523bd1f17067f5a5814eb8675c0497dThe PKCS#11 feature in ssh-agent in OpenSSH versions prior to 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system.
e93ab81da334d2b2c5f8f662d87f396041e5e366d8b286e3907b5cb137de0e8eRenderDoc versions 1.26 and below suffer from integer underflow, integer overflow, and symlink vulnerabilities.
cc497579b678adb0532eece7bf7f32783a2ff614acf426c5981789ff6293796cQualys discovered a race condition (CVE-2022-3328) in snap-confine, a SUID-root program installed by default on Ubuntu. In this advisory,they tell the story of this vulnerability (which was introduced in February 2022 by the patch for CVE-2021-44731) and detail how they exploited it in Ubuntu Server (a local privilege escalation, from any user to root) by combining it with two vulnerabilities in multipathd (an authorization bypass and a symlink attack, CVE-2022-41974 and CVE-2022-41973).
ae9802d4db6010e09c5ca96ad72cd8f9bb70aff4d7af8a1ec00cebd3203d1f95The Qualys Research Team has discovered authorization bypass and symlink vulnerabilities in multipathd. The authorization bypass was introduced in version 0.7.0 and the symlink vulnerability was introduced in version 0.7.7.
9fd49ad2d42596cc152f6771bcdd491b37e2986a01a0b0cdb2f997469ee1fdecQualys has released extensive research details regarding a heap-based buffer overflow vulnerability in sudo. The issue was introduced in July 2011 (commit 8255ed69), and affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1, in their default configuration.
49c51fff2702ea3bb7dc155cf79d48dec6f6a7a00b13a95caf7f36a3f59b319fIn 2005, three vulnerabilities were discovered in qmail but were never fixed because they were believed to be unexploitable in a default installation. Qualys recently re-discovered these vulnerabilities and were able to exploit one of them remotely in a default installation.
b40bd18472de68aa880c0372a9f3305689c40f370d5468a34516ef9530fd6906Qualys discovered a vulnerability in OpenSMTPD, OpenBSD's mail server. This vulnerability, an out-of-bounds read introduced in December 2015, is exploitable remotely and leads to the execution of arbitrary shell commands.
2c58b82819510289b2fd55d1c6a82b81b279777abd6a6b0db391f990ec12b148Qualys discovered a minor vulnerability in OpenSMTPD, OpenBSD's mail server. An unprivileged local attacker can read the first line of an arbitrary file (for example, root's password hash in /etc/master.passwd) or the entire contents of another user's file (if this file and /var/spool/smtpd/ are on the same filesystem). A proof of concept exploit is included in this archive.
3617b8854e485e1d063e08764e96429e54c6b7bb0467d127e819133f80c925d5Qualys discovered a remote command execution vulnerability in Exim versions 4.87 to 4.91.
ccf81b809451dabd0ae35b330095955b9998319116314052fc75a06a7dd5e3e8Linux suffers from an integer overflow vulnerability in create_elf_tables(). Multiple exploits provided.
96f76be0c1dab33a40b6145fd293ceab661f631350fcf639a1e4bdb1faedbb92Qualys has discovered a memory leak and a buffer overflow in the dynamic loader (ld.so) of the GNU C Library (glibc).
ab2ee457cd217c4af1e191968f48de6c5ef96258d1fcf05193b1e417d462e8efA Linux PIE/stack corruption vulnerability exists. Most notably, all versions of CentOS 7 before 1708 (released on September 13, 2017), all versions of Red Hat Enterprise Linux 7 before 7.4 (released on August 1, 2017), and all versions of CentOS 6 and Red Hat Enterprise Linux 6 are exploitable.
e629fc1437f3afd0ad4608b004f8c31a78825d7d031176a742308b19fc02b46dSudo's get_process_ttyname() on Linux suffers from a race condition that allows for root privilege escalation.
fedac891bbdaf97f55757b635d5ae075843da48925d762d5149a49ade19918cdSince version 5.4 (released on March 8, 2010), the OpenSSH client supports an undocumented feature called roaming: if the connection to an SSH server breaks unexpectedly, and if the server supports roaming as well, the client is able to reconnect to the server and resume the suspended SSH session. Although roaming is not supported by the OpenSSH server, it is enabled by default in the OpenSSH client, and contains two vulnerabilities that can be exploited by a malicious SSH server (or a trusted but compromised server): an information leak (memory disclosure), and a buffer overflow (heap-based).
6d98389560de3c7942fe87c17e680b28f2ad90ec6c5d8f9a0f59e153dff5d23eQualys discovered various vulnerabilities in LibreSSL. These include a memory leak and a buffer overflow.
b0de9f18c202a6ac93d7fb4c44048d40aa246b6dbb04fa3756ef345d6a3bb3efQualys discovered various vulnerabilities in OpenSMTPD. These include, but are not limited to, denial of service, buffer overflow, hardlink attack and use-after-free vulnerabilities.
a0a4071e027cd0032bb15321814e2500f5dbd461a8b3356d921e787243fd6c28The libuser library implements a standardized interface for manipulating and administering user and group accounts, and is installed by default on Linux distributions derived from Red Hat's codebase. During an internal code audit at Qualys, they discovered multiple libuser-related vulnerabilities that allow local users to perform denial-of-service and privilege-escalation attacks. As a proof of concept, they developed an unusual local root exploit against one of libuser's applications. Both the advisory and exploit are included in this post.
8ca265d19600f642e0b8538ca2edb894bbc57f28b26136e6f5ea36ae5e348827
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed