255 matches found
UBUNTU-CVE-2016-7093
Xen 4.5.3, 4.6.3, and 4.7.x allow local HVM guest OS administrators to overwrite hypervisor memory and consequently gain host OS privileges by leveraging mishandling of instruction pointer truncation during emulation...
CVE-2016-7093
Xen 4.5.3, 4.6.3, and 4.7.x allow local HVM guest OS administrators to overwrite hypervisor memory and consequently gain host OS privileges by leveraging mishandling of instruction pointer truncation during emulation...
Citrix XenServer Multiple Security Updates (CTX216071)
A number of security vulnerabilities have been identified in Citrix XenServer that may allow malicious privileged code running within a guest VM to compromise the host. SPDX-FileCopyrightText: 2016 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright...
Fedora 24 : xen (2016-7d2c67d1f5)
x86: Disallow L3 recursive pagetable for 32-bit PV guests (XSA-185, CVE-2016-7092, 1374470); x86: Mishandling of instruction pointer truncation during emulation (XSA-186, CVE-2016-7093, 1374471); x86 HVM: Overflow of sh_ctxt->seg_reg[] (XSA-187, CVE-2016-7094, 1374473). Note that Tenable Network Security has...
x86: Mishandling of instruction pointer truncation during emulation
ISSUE DESCRIPTION When emulating HVM instructions, Xen uses a small i-cache for fetches from guest memory. The code that handles cache misses does not check if the address from which it fetched lies within the cache before blindly writing to it. As such it is possible for the guest to overwrite...
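The miss-handling flaw the XSA-186 description above outlines, as an added illustrative model in C (not Xen's code): a fixed-size instruction cache whose refill path indexes the buffer with `ip - insn_buf_eip` and never checks the result, beside a hardened version that first truncates the IP to the code segment's address size and then refuses to write outside the cache. The 16-byte cache, the constructed guest memory (byte at address `a` is `a & 0xff`), the 16-bit-mode wrap from 0xFFFF to 0x0000, the `mem` layout that places other data directly after the cache, and the names `fetch_vulnerable` and `fetch_hardened` are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INSN_BUF_SIZE 16   /* assumed cache size for this model */

struct emul_ctxt {
    uint64_t insn_buf_eip;          /* guest IP that the first cached byte was fetched from */
    unsigned insn_buf_bytes;        /* number of valid bytes in the cache */
    /* mem[0..INSN_BUF_SIZE) is the i-cache; mem[INSN_BUF_SIZE..) stands in for whatever
     * the hypervisor keeps right after it (assumed layout, kept in one array so the
     * overflow below stays inside a real object). */
    uint8_t  mem[2 * INSN_BUF_SIZE];
};

/* Constructed guest memory: the byte at linear address gva is simply (gva & 0xff). */
static void guest_read(uint64_t gva, uint8_t *dst, unsigned n)
{
    for (unsigned i = 0; i < n; i++)
        dst[i] = (uint8_t)(gva + i);
}

/* Wrap a guest IP to the code segment's address size (16, 32 or 64 bits), as the CPU does. */
static uint64_t truncate_ip(uint64_t ip, unsigned addr_bits)
{
    return addr_bits >= 64 ? ip : (ip & ((1ULL << addr_bits) - 1));
}

/* Flawed miss path: the slot is computed from an untruncated IP and is never compared
 * with the cache size, so a wrapped IP lands past the end of the cache. */
static void fetch_vulnerable(struct emul_ctxt *c, uint64_t ip, uint8_t *dst, unsigned n)
{
    uint64_t off = ip - c->insn_buf_eip;
    if (off + n > c->insn_buf_bytes) {
        guest_read(ip, c->mem + off, n);        /* writes beyond the cache when off >= INSN_BUF_SIZE */
        c->insn_buf_bytes = (unsigned)(off + n);
    }
    memcpy(dst, c->mem + off, n);
}

/* Hardened path: truncate the IP first, then only ever write inside the cache;
 * a request that does not fit restarts the cache window at the new IP. */
static int fetch_hardened(struct emul_ctxt *c, uint64_t ip, unsigned addr_bits,
                          uint8_t *dst, unsigned n)
{
    if (n == 0 || n > INSN_BUF_SIZE)
        return -1;
    ip = truncate_ip(ip, addr_bits);
    uint64_t off = ip - c->insn_buf_eip;        /* wraps to a huge value when ip < insn_buf_eip */
    if (off >= INSN_BUF_SIZE || off + n > INSN_BUF_SIZE) {
        c->insn_buf_eip = ip;
        c->insn_buf_bytes = 0;
        off = 0;
    }
    if (off + n > c->insn_buf_bytes) {
        unsigned have = c->insn_buf_bytes;
        unsigned want = (unsigned)(off + n);
        /* fill contiguously so every byte below insn_buf_bytes is real guest data */
        guest_read(c->insn_buf_eip + have, c->mem + have, want - have);
        c->insn_buf_bytes = want;
    }
    memcpy(dst, c->mem + off, n);
    return 0;
}

/* Scenario: the cache holds the last 16 bytes of a 16-bit code segment (0xFFF0..0xFFFF) and
 * the next fetch is the 4-byte instruction at IP 0x0000, which an emulator that forgot to
 * truncate presents as 0xFFFF + 1 = 0x10000. Returns 1 if data after the cache was overwritten. */
static int run_wrap_scenario(int hardened, uint8_t insn_out[4])
{
    struct emul_ctxt c;
    memset(&c, 0xAA, sizeof c);                 /* 0xAA marks untouched neighbouring data */
    c.insn_buf_eip = 0xFFF0;
    guest_read(0xFFF0, c.mem, INSN_BUF_SIZE);
    c.insn_buf_bytes = INSN_BUF_SIZE;

    uint64_t untruncated_ip = 0x10000;
    if (hardened)
        fetch_hardened(&c, untruncated_ip, 16, insn_out, 4);
    else
        fetch_vulnerable(&c, untruncated_ip, insn_out, 4);

    return c.mem[INSN_BUF_SIZE] != 0xAA;
}

int main(void)
{
    uint8_t insn[4];
    printf("vulnerable: neighbour clobbered=%d\n", run_wrap_scenario(0, insn));
    printf("hardened:   neighbour clobbered=%d\n", run_wrap_scenario(1, insn));
    return 0;
}
```

Both paths hand back the same four instruction bytes; the difference is that the flawed one reaches them by writing at slot 16 of a 16-slot cache, while the hardened one notices that the truncated IP (0x0000) is not inside the current window and restarts the cache there.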
UBUNTU-CVE-2016-2271
VMX in Xen 4.6.x and earlier, when using an Intel or Cyrix CPU, allows local HVM guest users to cause a denial of service (guest crash) via vectors related to a non-canonical RIP...
Apple Mac OSX iOS - Unsandboxable Kernel Code Execution Due to iokit Double Release in IOKit
Apple Mac OSX iOS - Unsandboxable Kernel Code Execution Due to iokit Double Release in IOKit Source: https://code.google.com/p/google-security-research/issues/detail?id=620 I wanted to demonstrate that these iOS/OS X kernel race conditions really are exploitable so here's a PoC which gets RIP on OS...
Apple Mac OSX / iOS - Unsandboxable Kernel Code Execution Due to iokit Double Release in IOKit
Exploit for multiple platform in category dos / poc Source: https://code.google.com/p/google-security-research/issues/detail?id=620 I wanted to demonstrate that these iOS/OS X kernel race conditions really are exploitable so here's a PoC which gets RIP on OS X. The same techniques should transfer...
Apple Mac OSX / iOS - Unsandboxable Kernel Code Execution Due to iokit Double Release in IOKit
Source: https://code.google.com/p/google-security-research/issues/detail?id=620 I wanted to demonstrate that these iOS/OS X kernel race conditions really are exploitable so here's a PoC which gets RIP on OS X. The same techniques should transfer smoothly to iOS : The bug is here: void...
PT-2016-7986
Name of the Vulnerable Software and Affected Versions: xwpe versions prior to 1.5.30a-2.1. Description: A stack-based buffer overflow allows local attackers to execute arbitrary code or cause a denial of service. This occurs when overly long input strings exceed buffer boundaries. Specifically, an...
USN-2395-1 linux vulnerabilities
Nadav Amit reported that the KVM (Kernel Virtual Machine) mishandles noncanonical addresses when emulating instructions that change the rip (Instruction Pointer). A guest user with access to I/O or the MMIO can use this flaw to cause a denial of service (system crash) of the guest. CVE-2014-3647 A flaw...
kernel: x86_64: ptrace: sysret to non-canonical address
It was found that the Linux kernel's ptrace subsystem allowed a traced process' instruction pointer to be set to a non-canonical memory address without forcing the non-sysret code path when returning to user space. A local, unprivileged user could use this flaw to crash the system or, potentially...
DEBIAN-CVE-2014-4699
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service double...
UBUNTU-CVE-2014-4699
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service double...
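The check the three ptrace/sysret entries above turn on, as an added example in C (not the kernel's code): whether a 64-bit address is canonical, and a hypothetical ptrace-style `set_user_rip` that, in the spirit of the fix the Red Hat, Debian and Ubuntu entries describe, pins the task to the IRET return path whenever a debugger stores a non-canonical value. The 48-bit virtual-address width, the `task_regs` structure, the sample addresses and the function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed 4-level paging: 48 implemented virtual-address bits. */
#define VA_BITS 48

/* An address is canonical when every bit above the implemented width equals the top
 * implemented bit, i.e. addr >> (va_bits - 1) is either all zeros or all ones. */
static bool is_canonical(uint64_t addr, unsigned va_bits)
{
    uint64_t top = addr >> (va_bits - 1);
    return top == 0 || top == (UINT64_MAX >> (va_bits - 1));
}

enum return_path { RET_SYSRET, RET_IRET };

/* Minimal stand-in for the saved user registers of a traced task (assumed structure). */
struct task_regs {
    uint64_t rip;
    bool force_iret;   /* set when the fast SYSRET path must not be used for this task */
};

/* Debugger writes a new RIP. On Intel CPUs SYSRET raises #GP in ring 0 when the return
 * RIP (RCX) is non-canonical, before the stack has switched back to a kernel one, which is
 * what the entries above describe as exploitable. A non-canonical RIP therefore has to take
 * the slower IRET path, so the setter records that decision at the moment the value is stored. */
static void set_user_rip(struct task_regs *t, uint64_t new_rip)
{
    t->rip = new_rip;
    if (!is_canonical(new_rip, VA_BITS))
        t->force_iret = true;
}

/* Flawed variant for comparison: stores the value without consulting the canonical check,
 * leaving the task on the SYSRET path with a RIP that SYSRET cannot load safely. */
static void set_user_rip_unchecked(struct task_regs *t, uint64_t new_rip)
{
    t->rip = new_rip;
}

static enum return_path choose_return_path(const struct task_regs *t)
{
    return t->force_iret ? RET_IRET : RET_SYSRET;
}

int main(void)
{
    /* Constructed sample values a debugger might write into RIP. */
    const uint64_t samples[] = {
        0x00007ffff7dd1000ULL,   /* typical user-space text address: canonical */
        0xffffffff81000000ULL,   /* upper-half address: canonical (bits 63..47 all ones) */
        0x0000800000000000ULL,   /* first address above the lower half: non-canonical */
        0x00008000deadbeefULL,   /* arbitrary hole address: non-canonical */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct task_regs t = { 0, false };
        set_user_rip(&t, samples[i]);
        printf("%#018llx canonical=%d return via %s\n",
               (unsigned long long)samples[i],
               is_canonical(samples[i], VA_BITS),
               choose_return_path(&t) == RET_IRET ? "IRET" : "SYSRET");
    }
    return 0;
}
```

The decision is made when the register is written, not when the task returns to user space, because the register write is the only point at which the kernel knows the value came from a debugger rather than from the task's own execution.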
Jordan Windows Telnet Server 1.0/1.2 Username Stack Based Buffer Overrun Vulnerability (2)
No description provided by source. source: http://www.securityfocus.com/bid/9316/info Jordan Windows Telnet Server has been reported prone to a remote buffer overrun vulnerability. The issue has been reported to present itself when a username of excessive length is supplied to the Telnet server...
WinRAR <= 3.60 beta 6 (SFX Path) Stack Overflow Exploit PoC
No description provided by source. WinRAR - Stack Overflows in SelF-eXtracting Archives. Tested Versions: WinRAR 3.60 beta 4. Author: posidron. An SFX (SelF-eXtracting) archive is an archive, merged with an executable module, whic...
slocate 2.5/2.6 - Local Buffer Overrun Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/6676/info A vulnerability has been discovered in slocate. It has been reported that a buffer overrun occurs when running the slocate program with command line arguments of excessive length. Specifically, it is possible to...
SuSE 11.1 Security Update : xpdf-tools (SAT Patch Number 3857)
This update of xpdf fixes an out-of-bounds write in CharCodeToUnicode.cc and a bad instruction pointer while parsing malformed PDF files. (C) Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from SuSE 11 update information. The...
FTPPad 1.2.0 - Remote Stack Buffer Overflow (Metasploit)
$Id: ftppadlistreply.rb 11039 2010-11-14 19:03:24Z jduck $ This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit Framework web site for more information on licensing and terms of use...
FTPPad 1.2.0 Stack Buffer Overflow
$Id: ftppadlistreply.rb 10661 2010-10-12 18:40:13Z jduck $ This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit Framework web site for more information on licensing and terms of use...