6570 matches found
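FireWire IOCTL integer overflow in different BSD-based Unix systems
Negative IOCTL parameter value allows read access to kernel memory...
NetBSD Multiple Local Information Disclosure Vulnerabilities
NetBSD is an open-source operating system. NetBSD lacks filtering when returning kernel memory to user space, so a local attacker can exploit the vulnerabilities to obtain sensitive kernel information. No detailed vulnerability information is currently available. NetBSD NetBSD 3.0.1 NetBSD NetBSD 3.0 NetBSD NetBSD 2.1 NetBSD NetBSD 2.0.3 NetBSD NetBSD 2.0.2 NetBSD NetBSD 2.0.1 NetBSD NetBSD 2.0 NetBSD NetBSD Current NetBSD NetBSD 3,1RC1 NetBSD NetBSD 2.1.1 NetBSD NetBSD 2.0.4...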
Apple Airport - 802.11 Probe Response Kernel Memory Corruption (PoC) (Metasploit)
A proof-of-concept exploit has been added to the Metasploit Framework 3.0 source tree: msf use auxiliary/dos/wireless/daringphucball require 'msf/core' module Msf class Auxiliary::Dos::Wireless::DaringPhucball 'Apple Airport 802.11 Probe Response Kernel Memory Corruption', 'Description' = %q The...
Apple Airport 802.11 Probe Response Kernel Memory Corruption PoC
Exploit for hardware platform in category dos / poc ================================================================ Apple Airport 802.11 Probe Response Kernel Memory Corruption PoC ================================================================ A proof-of-concept exploit has been added to the...
Apple Airport - 802.11 Probe Response Kernel Memory Corruption (PoC) (Metasploit)
Apple Airport - 802.11 Probe Response Kernel Memory Corruption PoC Metasploit A proof-of-concept exploit has been added to the Metasploit Framework 3.0 source tree: msf use auxiliary/dos/wireless/daringphucball require 'msf/core' module Msf class Auxiliary::Dos::Wireless::DaringPhucball 'Apple...
Solaris 10 sysinfo(2) Local Kernel Memory Disclosure Exploit
No description provided by source. / $Id: raptorsysinfo.c,v 1.2 2006/08/22 13:47:54 raptor Exp $ raptorsysinfo.c - Solaris sysinfo2 kernel memory leak Copyright c 2006 Marco Ivaldi [email protected] systeminfo.c for Sun Solaris allows local users to read kernel memory via a 0 variable count...
Symantec AntiVirus privilege escalation
Insufficient address checks in SAVRT, NAVENG and NAVEX15 device IOCTL calls allow kernel memory to be overwritten...
CVE-2006-5218
Integer overflow in the systrace_preprepl function (STRIOCREPLACE) in systrace in OpenBSD 3.9 and NetBSD 3 allows local users to cause a denial of service (crash), gain privileges, or read arbitrary kernel memory via large numeric arguments to the systrace ioctl...
CVE-2006-5218
The CVE-2006-5218 entry describes an integer overflow in the systrace_preprepl function (STRIOCREPLACE) within the systrace component of OpenBSD 3.9 and NetBSD 3. This vulnerability can be triggered by large numeric arguments to the systrace ioctl, allowing local users to cause a denial of servic...
[Reversemode Advisory] Symantec Antivirus Engine Privilege Escalation
Symantec Antivirus Engine is prone to a local privilege escalation vulnerability. Two Device Drivers are affected: NAVEX15.sys, NAVENG.sys. NAVEX15.sys LOW CONSTANT VALUE PAGE:0004B611 sub edx, 222AD3h PAGE:0004B617 push esi PAGE:0004B618 jz short loc4B63C loc4B63C: mov edx, ecx+3Ch PAGE:0004B63F...
CVE-2006-5174
CVE-2006-5174 concerns the Linux kernel 2.6 copy_from_user() implementation on s390/s390x where a local user could read kernel memory due to improper clearing of a kernel buffer. Affected platform: Linux kernel 2.6 before 2.6.19-rc1 on s390. The issue is an information leak (partial confidentiali...
sysinforaptor.txt
/ $Id: raptorsysinfo.c,v 1.2 2006/08/22 13:47:54 raptor Exp $ raptorsysinfo.c - Solaris sysinfo2 kernel memory leak Copyright c 2006 Marco Ivaldi systeminfo.c for Sun Solaris allows local users to read kernel memory via a 0 variable count argument to the sysinfo system call, which causes a -1...
sppp -- buffer overflow vulnerability
Problem Description While processing Link Control Protocol LCP configuration options received from the remote host, sppp4 fails to correctly validate option lengths. This may result in data being read or written beyond the allocated kernel memory buffer. Impact An attacker able to send LCP packet...
Solaris 10 sysinfo(2) Local Kernel Memory Disclosure Exploit
Exploit for solaris platform in category local exploits ============================================================ Solaris 10 sysinfo2 Local Kernel Memory Disclosure Exploit ============================================================ / $Id: raptorsysinfo.c,v 1.2 2006/08/22 13:47:54 raptor Exp ...
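Linux Kernel SCSI ProcFS Denial of Service Vulnerability
BUGTRAQ ID: 14790 CVECAN ID: CVE-2005-2800 The Linux Kernel is the kernel used by the open-source operating system Linux. A denial-of-service vulnerability exists in the procfs interface of the Linux Kernel SCSI driver. A local attacker can repeatedly read /proc/scsi/sg/devices; when the next iterator returns NULL or an error, that case is not handled correctly, which exhausts kernel memory and causes a denial of service. Linux kernel = 2.6.13 Ubuntu Linux 5.0 4 powerpc Ubuntu Linux 5.0 4 i386 Ubuntu Linux 5.0 4...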
security flaw
Linux kernel before 2.6.16.21 and 2.6.17, when running on PowerPC, does not perform certain required access_ok checks, which allows local users to read arbitrary kernel memory on 64-bit systems (signal64.c) and cause a denial of service (crash) and possibly read kernel memory on 32-bit systems...
security flaw
Race condition in the (1) add_key, (2) request_key, and (3) keyctl functions in Linux kernel 2.6.x allows local users to cause a denial of service (crash) or read sensitive kernel memory by modifying the length of a string argument between the time that the kernel calculates the length and when it copies t...
CVE-2006-3824
systeminfo.c for Sun Solaris allows local users to read kernel memory via a 0 variable count argument to the sysinfo system call, which causes a -1 argument to be used by the copyout function. NOTE: this issue has been referred to as an integer overflow, but it is probably more like a signedness...
CVE-2006-3824
CVE-2006-3824 : Solaris sysinfo(2) local kernel memory disclosure. Local users can read kernel memory when a 0-variable-count argument is passed to sysinfo, causing a -1 argument to be used by copyout. This is described as an integer overflow/signedness issue. Public exploit evidence exists (Sola...