Race condition

spice-gtk 0.14, and possibly other versions, invokes the polkit authority using the insecure polkitunixprocessnew API function, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a 1 setuid process or 2 pkexec process...

CVE-2013-4324

spice-gtk 0.14, and possibly other versions, invokes the polkit authority using the insecure polkitunixprocessnew API function, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a 1 setuid process or 2 pkexec process...

Race condition

Race condition in PolicyKit aka polkit allows local users to bypass intended PolicyKit restrictions and gain privileges by starting a setuid or pkexec process before the authorization check is performed, related to 1 the polkitunixprocessnew API function, 2 the dbus API, or 3 the --process...

CVE-2013-4311

CVE-2013-4311 stems from a PolkitUnixProcess race in pkcheck that can bypass access controls via a (setuid) process or pkexec, enabling local privilege bypass. Affected are libvirt components across multiple branches: libvirt 1.0.5.x (before 1.0.5.6), 0.10.2.x (before 0.10.2.8), and 0.9.12.x (bef...

CVE-2013-4288

Polkit (PolicyKit) contains a race condition that can allow a local user to bypass authorization by starting a setuid or pkexec process before the polkit authorization check completes. The issue centers on the PolkitUnixProcess race (including polkit_unix_process_new API usage) and is related to ...

CVE-2013-1066

The CVE-2013-1066 entry affects language-selector in multiple Ubuntu-derived streams (0.110.x before 0.110.1, 0.90.x before 0.90.1, 0.79.x before 0.79.4). The root cause is improper use of D-Bus for communication with Polkit, enabling a PolkitUnixProcess PolkitSubject race condition that local us...

CVE-2013-4327

systemd does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a 1 setuid process or 2 pkexec process, a related issue to CVE-2013-4288...

CVE-2013-4327

systemd does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a 1 setuid process or 2 pkexec process, a related issue to CVE-2013-4288...

rtkit: insecure calling of polkit

RealtimeKit aka rtkit 0.5 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a 1 setuid process or 2 pkexec process, a related issue to...

Race condition

The checkpermissionv1 function in base/pkit.py in HP Linux Imaging and Printing HPLIP through 3.13.9 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race conditio...

CVE-2013-1062

ubuntu-system-service 0.2.4 before 0.2.4.1. 0.2.3 before 0.2.3.1, and 0.2.2 before 0.2.2.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a 1...

IBM Db2 Audit Facility Local Privilege Escalation Vulnerability - Linux

IBM Db2 is prone to a privilege escalation vulnerability. SPDX-FileCopyrightText: 2013 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:ibm:db2"; ifdescription...

RageAgainstTheCage adb

adb fails to check setuid return code and this can be caused to fail by the shell user already having RLIMITNPROC processes...

Amazon Linux AMI : dbus (ALAS-2012-128)

It was discovered that the D-Bus library honored environment settings even when running with elevated privileges. A local attacker could possibly use this flaw to escalate their privileges, by setting specific environment variables before running a setuid or setgid application linked against the...

VMware - Setuid VMware-mount Unsafe popen(3) (Metasploit)

This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit web site for more information on licensing and terms of use. http://metasploit.com/ require 'msf/core' require 'rex' require 'msf/core/post/common' require...

VMWare Setuid vmware-mount Unsafe popen(3)

This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit web site for more information on licensing and terms of use. http://metasploit.com/ require 'msf/core' require 'rex' require 'msf/core/post/common' require...

VMWare Setuid vmware-mount Unsafe popen(3)

VMWare Workstation up to and including 9.0.2 build-1031769 and Player have a setuid executable called vmware-mount that invokes lsbrelease in the PATH with popen3. Since PATH is user-controlled, and the default system shell on Debian-derived distributions does not drop privs, we can put an...

VMWare Setuid vmware-mount Unsafe popen(3)

VMWare Workstation up to and including 9.0.2 build-1031769 and Player have a setuid executable called vmware-mount that invokes lsbrelease in the PATH with popen3. Since PATH is user-controlled, and the default system shell on Debian-derived distributions does not drop privs, we can put an...

VMware Patches Root Privilege-Escalation Flaw

VMware has fixed a privilege-escalation flaw in two of its major products that could allow a local attacker to gain root privileges on a vulnerable machine. The bug affects VMware Workstation and Player on certain Linux platforms. The vulnerability, which VMware patched on Thursday, does not enab...

VMware - Setuid VMware-mount Popen lsb_release Privilege Escalation

VMware - Setuid VMware-mount Popen lsbrelease Privilege Escalation // Source: http://blog.cmpxchg8b.com/2013/08/security-debianisms.html On most modern Linux systems, /bin/sh is provided by bash, which detects that it's being invoked as sh, and attempts to mimic traditional sh. As everyone who...