Privilege Escalation

glibc is vulnerable to privilege escalation. The fix for CVE-2010-3847 introduced a regression in the way the dynamic loader expanded the $ORIGIN dynamic string token specified in the RPATH and RUNPATH entries in the ELF library header. A local attacker could use this flaw to escalate their...

Denial Of Service (DoS)

glibc is vulnerable to privilege escalation. It was discovered that the glibc dynamic linker/loader did not handle the $ORIGIN dynamic string token set in the LDAUDIT environment variable securely. A local attacker with write access to a file system containing setuid or setgid binaries could use...

Denial Of Service (DoS)

The kernel is vulnerable to denial of service DoS.The ADDRCOMPATLAYOUT and MMAPPAGEZERO flags were not cleared when a setuid or setgid program was executed. A local, unprivileged user could use this flaw to bypass the mmapminaddr protection mechanism and perform a NULL pointer dereference attack,...

Privilege Escalation

util-linux is vulnerable to privilege escalation. The vulnerability exists as a flaw was discovered in the way that the mount and umount utilities used the setuid and setgid functions, which could lead to privileges being dropped improperly. A local user could use this flaw to run mount helper...

CVE-2016-7097

It was found that when file permissions were modified via chmod and the user modifying them was not in the owning group or capable of CAPFSETID, the setgid bit would be cleared. Setting a POSIX ACL via setxattr sets the file permissions as well as the new ACL, but doesn't clear the setgid bit in ...

UBUNTU-CVE-2020-5212

In NetHack before 3.6.5, an extremely long value for the MENUCOLOR configuration file option can cause a buffer overflow resulting in a crash or remote code execution/privilege escalation. This vulnerability affects systems that have NetHack installed suid/sgid and shared systems that allow users...

EulerOS Virtualization for ARM 64 3.0.3.0 : systemd (EulerOS-SA-2019-2319)

According to the versions of the systemd packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be...

kernel: Missing check in fs/inode.c:inode_init_owner() does not clear SGID bit on non-directories for non-members

A vulnerability was found in the fs/inode.c:inodeinitowner function logic of the LInux kernel that allows local users to create files with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a certain group an...

kernel: Missing check in fs/inode.c:inode_init_owner() does not clear SGID bit on non-directories for non-members

A vulnerability was found in the fs/inode.c:inodeinitowner function logic of the LInux kernel that allows local users to create files with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a certain group an...

Privilege Escalation

Linux kernel is vulnerable to privilege escalation. This occurs in 'tmpfs' file system, the set group id setgid bit is not properly cleared during a setxattr call. A local user can exploit this to change permissions on a file and gain elevated privileges on the target system which allows an...

Privilege Escalation

Linux kernel is vulnerable to privilege escalation attacks. The file system implementation in the Linux kernel preserves the setgid bit during a setxattr call. This could allow a local user to gain elevated privileges via certain setgid applications...

CVE-2019-3844

It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that wil...

UBUNTU-CVE-2019-3844

It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that wil...

DEBIAN-CVE-2019-3844

It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that wil...

CVE-2019-3844

It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that wil...

CVE-2019-3844

It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that wil...

CVE-2019-3844

It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow a cooperating process to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to...

ASLR Bypass

kernel-rt is vulnerable to ASLR bypass attacks. The vulnerability exists as the archpickmmaplayout function in arch/x86/mm/mmap.c in the Linux kernel through 4.5.2 does not properly randomize the legacy base address, which makes it easier for local users to defeat the intended restrictions on the...

systemd - chown_one() Dereference Symlinks

systemd - chownone Dereference Symlinks I am sending this bug report to Ubuntu, even though it's an upstream bug, as requested at https://github.com/systemd/systemd/blob/master/docs/CONTRIBUTING.mdsecurity-vulnerability-reports . When chownone in the recursive chown logic decides that it has to...

systemd - chown_one() can Dereference Symlinks Exploit

Exploit for linux platform in category dos / poc I am sending this bug report to Ubuntu, even though it's an upstream bug, as requested at https://github.com/systemd/systemd/blob/master/docs/CONTRIBUTING.mdsecurity-vulnerability-reports . When chownone in the recursive chown logic decides that it...