1024 matches found
BSD (Multiple Distributions) - 'setusercontext()' Multiple Vulnerabilities
BSD setusercontext vulnerabilities discovered by Kingcope, July 2009 lewls XD Let's go.. BSD derived operating systems have a special function to set a "user context". The function setusercontext is available on, for example, FreeBSD 5.0 and 7.0. An example from ftpd.c : setusercontext(lc, pw, (uid_t)0,...
BSD setusercontext Vulnerabilities
BSD setusercontext vulnerabilities discovered by Kingcope, July 2009 lewls XD Let's go.. BSD derived operating systems have a special function to set a "user context". The function setusercontext is available on, for example, FreeBSD 5.0 and 7.0. An example from ftpd.c : setusercontext(lc, pw, (uid_t)0,...
CentOS Security Advisory CESA-2009:1180 (bind)
The remote host is missing updates to bind announced in advisory CESA-2009:1180. SPDX-FileCopyrightText: 2009 E-Soft Inc. Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s). SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only...
Gentoo Security Advisory GLSA 200907-10 (syslog-ng)
The remote host is missing updates announced in advisory GLSA 200907-10. OpenVAS Vulnerability Test $ Description: Auto generated from Gentoo's XML based advisory Authors: Thomas Reinke Copyright: Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com Text descriptions are largely excerpted fr...
GLSA-200907-10 : Syslog-ng: Chroot escape
The remote host is affected by the vulnerability described in GLSA-200907-10 Syslog-ng: Chroot escape Florian Grandel reported that Syslog-ng does not call chdir before chroot which leads to an inherited file descriptor to the current working directory. Impact : A local attacker might exploit a...
Syslog-ng: Chroot escape
Background Syslog-ng is a flexible and scalable system logger. Description Florian Grandel reported that Syslog-ng does not call chdir before chroot which leads to an inherited file descriptor to the current working directory. Impact A local attacker might exploit a separate vulnerability in...
FreeBSD : rssh -- file name disclosure bug (a4815970-c5cc-11d8-8898-000d6111a684)
rssh expands command line parameters before invoking chroot. This could result in the disclosure to the client of file names outside of the chroot directory. A posting by the rssh author explains : The cause of the problem identified by Mr. McCaw is that rssh expanded command-line arguments prior...
MDVA-2009:019 : glibc
The glibc packages released with Mandriva Linux 2008 and Mandriva Linux 2008 Spring had the /etc/ld.so.conf file using relative paths to include other config files at /etc/ld.so.conf.d, breaking usage of ldconfig -r, for example when you have chroot environments. This update fixes ld.so.conf to u...
Mandriva Update for postfix MDKA-2007:079 (postfix)
Check for the Version of postfix OpenVAS Vulnerability Test Mandriva Update for postfix MDKA-2007:079 (postfix) Authors: System Generated Check Copyright: Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net This program is free software; you can redistribute it and/or modify it under...
Mandriva Update for rpm MDVA-2008:164 (rpm)
Check for the Version of rpm OpenVAS Vulnerability Test Mandriva Update for rpm MDVA-2008:164 (rpm) Authors: System Generated Check Copyright: Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net This program is free software; you can redistribute it and/or modify it under the terms o...
Linux/x86 - setuid / setgid / chroot break
No description provided by source. /----------------------------------------------------------------------/ / s390 shellcode 0x0a / 0x0 free / / setuid / setgid / chroot break / / code [email protected] / /----------------------------------------------------------------------/ char...
BSD/x86 - setuid(0) + Break chroot (../ 10x Loop) + execute /bin/sh Shellcode (57 bytes)
BSD/x86 - setuid(0) + Break chroot (../ 10x Loop) + execute /bin/sh Shellcode (57 bytes). Shellcode exploit for BSD/x86 platform / The setuid(0)+chroot+execve shellcode it will: setuid(0) put '../' 10 times in chroot execute /bin/sh Size 57 bytes OS BSD /rootteam/dev0id rootteam.void.ru [email protected]...
BSD/x86 - setuid(0) + Break chroot (../ 10x Loop) + Bind TCP (2222/TCP) Shell Shellcode (133 bytes)
BSD/x86 - setuid(0) + Break chroot (../ 10x Loop) + Bind TCP (2222/TCP) Shell Shellcode (133 bytes). Shellcode exploit for BSD/x86 platform / The setuid(0)+chroot+bind shellcode it will: setuid(0) put '../' 10 times in chroot open shell on 2222nd port Size 133 bytes OS BSD /rootteam/dev0id rootteam.void.ru...
BSD/x86 - setuid(0) + Break chroot (../ 10x Loop) Shellcode (34 bytes)
BSD/x86 - setuid(0) + Break chroot (../ 10x Loop) Shellcode (34 bytes). Shellcode exploit for BSD/x86 platform / The setuid(0)+chroot shellcode. It is the one of the smallest shellcodes in the !!world!! it will put '../' 10 times Size 34 bytes OS BSD /rootteam/dev0id rootteam.void.ru [email protected]...
BSD/x86 - Break chroot (../ 10x Loop) Shellcode (28 bytes)
BSD/x86 - Break chroot (../ 10x Loop) Shellcode (28 bytes). Shellcode exploit for BSD/x86 platform / One of the smallest chroot shellcodes in the !!world!! it will put '../' 10 times Size 28 bytes OS BSD /rootteam/dev0id rootteam.void.ru [email protected] BITS 32 xor ecx,ecx xor eax,eax push ecx m...
BSD/x86 - Break chroot (../ 10x Loop) Shellcode (40 bytes)
BSD/x86 - Break chroot (../ 10x Loop) Shellcode (40 bytes). Shellcode exploit for BSD/x86 platform / One of the smallest chroot shellcodes it will put '../' 10 times Size 40 bytes OS BSD /rootteam/dev0id rootteam.void.ru [email protected] BITS 32 jmp short callme main: pop esi mov edi,esi xor...
Linux/x86 - setuid(0) + Break chroot (../ 10x Loop) Shellcode (34 bytes)
Linux/x86 - setuid(0) + Break chroot (../ 10x Loop) Shellcode (34 bytes). Shellcode exploit for Linux/x86 platform / The setuid(0)+chroot shellcode. It is the one of the smallest shellcodes in the !!world!! it will put '../' 10 times Size 34 bytes OS Linux /rootteam/dev0id rootteam.void.ru...
Debian: Security Advisory (DSA-1674-1)
The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2008 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s). SPDX-License-Identifier: GPL-2.0-only if(description)...
FreeBSD : syslog-ng2 -- startup directory leakage in the chroot environment (75f2382e-b586-11dd-95f9-00e0815b8da8)
Florian Grandel reports : I have not had the time to analyze all of syslog-ng code. But by reading the code section near the chroot call and looking at strace results I believe that syslog-ng does not chdir to the chroot jail's location before chrooting into it. This opens up ways to work around...