1576 matches found

seebug.org
added 2018/06/08 12:0 a.m. | 59 views

MacOS/iOS kernel heap overflow due to lack of lower size check in getvolattrlist(CVE-2018-4243)

getvolattrlist takes a user controlled bufferSize argument via the fgetattrlist syscall. When allocating a kernel buffer to serialize the attr list to, there's the following comment: /* Allocate a target buffer for attribute results. Note that since we won't ever copy out more than the caller...

AI score: 8.2 | EPSS: 0.18765 | Exploits: 6
exploitpack
added 2018/06/06 12:0 a.m. | 22 views

XNU Kernel - Heap Overflow Due to Bad Bounds Checking in MPTCP

XNU Kernel - Heap Overflow Due to Bad Bounds Checking in MPTCP. mptcp_usr_connectx is the handler for the connectx syscall for the AP_MULTIPATH socket family. The logic of this function fails to correctly handle source and destination sockaddrs which aren't AF_INET or AF_INET6: // verify sa_len for...

AI score: 0.5 | Exploits: 0
0day.today
added 2018/06/06 12:0 a.m. | 94 views

XNU Kernel - Heap Overflow Due to Bad Bounds Checking in MPTCP Exploit

Exploit for multiple platform in category dos / poc. mptcp_usr_connectx is the handler for the connectx syscall for the AP_MULTIPATH socket family. The logic of this function fails to correctly handle source and destination sockaddrs which aren't AF_INET or AF_INET6: // verify sa_len for AF_INET: if...

AI score: 8.2 | EPSS: 0.08224 | Exploits: 3
OSV
added 2018/05/31 8:34 p.m. | 13 views

MGASA-2018-0264 Updated kernel-tmb packages fix security vulnerabilities

This kernel-tmb update is based on the upstream 4.14.44 and fixes at least the following security issues: This update adds KPTI mitigation for Meltdown CVE-2017-5754 on 32bit x86. The netfilter subsystem in the Linux kernel through 4.15.7 mishandles the case of a rule blob that contains a jump bu...

CVSS: 8 | AI score: 7.2 | EPSS: 0.84172 | Exploits: 22 | References: 28
Tenable Nessus
added 2018/05/30 12:0 a.m. | 295 views

Amazon Linux 2 : kernel (ALAS-2018-1023)

A weakness was found in the Linux kernel's implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated. CVE-2018-1108 A flaw was found in the way the Linux kernel handled exceptions delivered after a stac...

CVSS: 8 | AI score: 6.4 | EPSS: 0.18404 | Exploits: 14 | References: 8
Tenable Nessus
added 2018/05/29 12:0 a.m. | 60 views

EulerOS 2.0 SP2 : kernel (EulerOS-SA-2018-1133)

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The Linux kernel, before version 4.14.3, is vulnerable to a denial of service in drivers/md/dm.c:dm_get_from_kobject() which can be caused by local...

CVSS: 7.8 | AI score: 6.5 | EPSS: 0.00653 | Exploits: 0 | References: 4
0day.today
added 2018/05/28 12:0 a.m. | 33 views

Linux/x86 - Bind (5555/TCP) Shell Shellcode (98 bytes)

include / ; Bind TCP Shellcode ; Copyright 2018, Luca Di Domenico ; ; This program is free software: you can redistribute it and/or modify ; it under the terms of the GNU General Public License as published by ; the Free Software Foundation, either version 3 of the License, or ; at your option an...

AI score: 0.1 | Exploits: 0
Amazon
added 2018/05/25 12:0 a.m. | 588 views

Important: kernel

Issue Overview: A weakness was found in the Linux kernel's implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated. CVE-2018-1108 A flaw was found in the way the Linux kernel handled exceptions...

CVSS: 8 | AI score: 7.2 | EPSS: 0.18404 | Exploits: 14
Exploit DB
added 2018/05/24 12:0 a.m. | 46 views

Linux/x86 - Reverse (10.0.7.17:4444/TCP) Shell (/bin/sh) Shellcode (101 Bytes)

Linux/x86 - Reverse (10.0.7.17:4444/TCP) Shell (/bin/sh) Shellcode (101 Bytes). Shellcode exploit for Linux_x86 platform / Name : Jonathan "Chops" Crosby Email : [email protected] Twitter : @securitychops Website : https://securitychops.com Blog Post :...

AI score: 7.4 | Exploits: 0
Exploit DB
added 2018/05/17 12:0 a.m. | 48 views

Linux < 4.16.9 / < 4.14.41 - 4-byte Infoleak via Uninitialized Struct Field in compat adjtimex Syscall

/* Commit 3a4d44b61625 ("ntp: Move adjtimex related compat syscalls to native counterparts") removed the memset in compat_get_timex. Since then, the compat adjtimex syscall can invoke do_adjtimex with an uninitialized ->tai. If do_adjtimex doesn't write to ->tai (e.g. because the arguments are invalid),...

AI score: 7.4 | Exploits: 0
Exploit DB
added 2018/05/09 12:0 a.m. | 29 views

Linux/x86 - Bind (9443/TCP) Shell + fork() + Null-Free Shellcode (113 bytes)

Linux/x86 - Bind (9443/TCP) Shell + fork() + Null-Free Shellcode (113 bytes). Shellcode exploit for Linux_x86 platform / Title: Linux x86 TCP Bind Shell + fork - 113 bytes NULL Free Author: Amine Kanane Student-ID: SLAE - 1203 Desc: Listen for a connection on Local Port 9443 and spawn a command shell Th...

AI score: 0.1 | Exploits: 0
RedHat Linux
added 2018/05/08 10:24 p.m. | 0 views

kernel: Out-of-bounds write via userland offsets in ebt_entry struct in netfilter/ebtables.c

A flaw was found in the Linux kernel's implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory...

CVSS: 7.2 | AI score: 6.6 | EPSS: 0.00451 | Exploits: 0 | References: 4
RedHat Linux
added 2018/05/08 8:58 p.m. | 1 views

hw: cpu: speculative execution branch target injection

An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant...

CVSS: 5.6 | AI score: 6.6 | EPSS: 0.74041 | Exploits: 8 | References: 8
RedHat Linux
added 2018/05/08 7:4 p.m. | 1 views

hw: cpu: speculative execution branch target injection

An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant...

CVSS: 5.6 | AI score: 6.6 | EPSS: 0.74041 | Exploits: 8 | References: 8
RedHat Linux
added 2018/05/08 6:32 p.m. | 1 views

kernel: Out-of-bounds write via userland offsets in ebt_entry struct in netfilter/ebtables.c

A flaw was found in the Linux kernel's implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory...

CVSS: 7.2 | AI score: 6.6 | EPSS: 0.00451 | Exploits: 0 | References: 4
Debian CVE
added 2018/05/08 6:0 p.m. | 52 views

CVE-2018-8897

A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated ...

CVSS: 7.8 | AI score: 7.2 | EPSS: 0.18404 | Exploits: 9
Cvelist
added 2018/05/08 6:0 p.m. | 42 views

CVE-2018-8897

A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated ...

AI score: 7 | EPSS: 0.18404 | Exploits: 9 | References: 48
UbuntuCve
added 2018/05/08 5:0 p.m. | 57 views

CVE-2018-8897

A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated ...

CVSS: 7.8 | AI score: 6.8 | EPSS: 0.18404 | Exploits: 9 | References: 6
Oracle linux
added 2018/05/08 12:0 a.m. | 98 views

kernel security and bug fix update

2.6.32-696.28.1.OL6 - Update genkey bug 25599697 2.6.32-696.28.1 - x86 entry/64: Don't use IST entry for BP stack Waiman Long 1567078 1567079 CVE-2018-8897 - x86 xen: do not use xeninfo on HVM, set pvinfo name to 'Xen HVM' Vitaly Kuznetsov 1569141 1568241 2.6.32-696.27.1 - mm account skipped...

CVSS: 10 | AI score: 8.6 | EPSS: 0.84172 | Exploits: 17
RedHat Linux
added 2018/04/25 8:37 p.m. | 4 views

hw: cpu: speculative execution branch target injection

An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant...

CVSS: 5.6 | AI score: 6.6 | EPSS: 0.74041 | Exploits: 8 | References: 8