systemd - chown_one() can Dereference Symlinks Exploit
Exploit for linux platform in category dos / poc. I am sending this bug report to Ubuntu, even though it's an upstream bug, as requested at https://github.com/systemd/systemd/blob/master/docs/CONTRIBUTING.md#security-vulnerability-reports . When chown_one() in the recursive chown logic decides that it...
USN-3753-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry
Severity: Medium. Vendor: Canonical Ubuntu. Versions Affected: Canonical Ubuntu 14.04. Description: USN-3753-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.0...
USN-3753-1: Linux kernel vulnerabilities
It was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2017-13168) Wen Xu discovered that a use-after-free vulnerability...
Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-3753-1)
The remote Ubuntu 16.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-3753-1 advisory. It was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could u...
Ubuntu 14.04 LTS : Linux kernel (Xenial HWE) vulnerabilities (USN-3753-2)
The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-3753-2 advisory. USN-3753-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enableme...
Linux Ubuntu - Other Users coredumps can be read via setgid Directory and killpriv Bypass Exploit
Exploit for linux platform in category dos / poc / Note: I am both sending this bug report to email protected and filing it in the Ubuntu bugtracker because I can't tell whether this counts as a kernel bug or as an Ubuntu bug. You may wish to talk to each other to determine the best place to fix...
Linux (Ubuntu) - Other Users coredumps Can Be Read via setgid Directory and killpriv Bypass
/ Note: I am both sending this bug report to [email protected] and filing it in the Ubuntu bugtracker because I can't tell whether this counts as a kernel bug or as an Ubuntu bug. You may wish to talk to each other to determine the best place to fix this. I noticed halfdog's old writeup at...
Linux #Ubuntu Coredump Reading Access Bypass Vulnerability
Linux/Ubuntu suffers from a vulnerability where other users' coredumps can be read via a setgid directory and killpriv bypass. Linux/Ubuntu: other users' coredumps can be read via setgid directory and killpriv bypass Note: I am both sending this bug report to email protected and filing it in the...
Linux/Ubuntu Coredump Reading Access Bypass
Linux/Ubuntu: other users' coredumps can be read via setgid directory and killpriv bypass Note: I am both sending this bug report to [email protected] and filing it in the Ubuntu bugtracker because I can't tell whether this counts as a kernel bug or as a Ubuntu bug. You may wish to talk to each...
DEBIAN-CVE-2018-13405
The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigge...
Security Bulletin: SetGID and SetUID programs in IBM Workload Scheduler can be exploited to obtain privilege escalation (CVE-2018-1386)
Summary: SetGID and SetUID programs in IBM Workload Scheduler can be exploited to obtain root privileges. Vulnerability Details: Some programs in IBM Workload Scheduler are executed with elevated privileges (SetGID and SetUID programs) and have been compiled to search for libraries in an insecure...
openSUSE Security Update : libdb-4_8 (openSUSE-2018-199)
This update for libdb-4_8 fixes the following issues : - A DB_CONFIG file in the current working directory allowed local users to obtain sensitive information via a symlink attack involving a setgid or setuid application using libdb-4_8. bsc#1043886 This update was imported from the SUSE:SLE-12:Updat...
openSUSE Security Update : libdb-4_5 (openSUSE-2018-200)
This update for libdb-4_5 fixes the following issues : - A DB_CONFIG file in the current working directory allowed local users to obtain sensitive information via a symlink attack involving a setgid or setuid application using libdb-4_5. bsc#1043886
SUSE-SU-2018:0510-1 Security update for libdb-4_8
This update for libdb-4_8 fixes the following issues: - A DB_CONFIG file in the current working directory allowed local users to obtain sensitive information via a symlink attack involving a setgid or setuid application using libdb-4_8. bsc#1043886...
SUSE SLES11 Security Update : libdb-4_5 (SUSE-SU-2018:0409-1)
This update for libdb-4_5 fixes the following issues : - A DB_CONFIG file in the current working directory allowed local users to obtain sensitive information via a symlink attack involving a setgid or setuid application using libdb-4_8. bsc#1043886 Note that Tenable Network Security has extracted th...
SUSE-SU-2018:0409-1 Security update for libdb-4_5
This update for libdb-4_5 fixes the following issues: - A DB_CONFIG file in the current working directory allowed local users to obtain sensitive information via a symlink attack involving a setgid or setuid application using libdb-4_8. bsc#1043886...
Linux/x86 - setuid(0) + setgid(0) + execve(/bin/sh,[/bin/sh,NULL])) Shellcode (25 bytes)
#include const char shellcode[] = "\x6a\x17" // push $0x17 "\x58" // pop %eax "\x31\xdb" // xor %ebx,%ebx "\xcd\x80" // int $0x80 "\xb0\x2e" // mov $0x2e,%al "\xcd\x80" // int $0x80 "\xb0\x0b" // mov $0xb,%al So you'll get a segfault if it's not able to do the setuid(0). If you don't want this you can...
Debian: Security Advisory (DLA-876-1)
The remote host is missing an update for the Debian ...
F5 Networks BIG-IP : Linux kernel vulnerability (K31603170)
The filesystem implementation in the Linux kernel through 4.8.2 preserves the setgid bit during a setxattr call, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions. (CVE-2016-7097) Impact: A local user may be...
Ubuntu 14.04 LTS : Linux kernel vulnerabilities (USN-3422-1)
The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-3422-1 advisory. It was discovered that a buffer overflow existed in the Bluetooth stack of the Linux kernel when handling L2CAP configuration responses. A physically...