@Openwall: oss-security mailing list thread summaries, currently maintained by @solardiz. Originally set up and maintained as an automated feed by @eugeneteo.
Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136): Posted by Qualys Security Advisory on Feb 13Hi all,
Quick update: we were able to gain arbitrary control of the "rip"
register through this bug (i.e., we can jump wherever we want…
CVE-2018-6954: systemd-tmpfiles root privilege escalation by following non-terminal symlinks: Posted by Michael Orlitzky on Dec 21Product: systemd (tmpfiles) Versions-affected: 239 and earlier Author: Michael Orlitzky Fixed-in: v240 Bug-report:…
zlib memory corruption on deflate (i.e. compress): Posted by Tavis Ormandy on Mar 23Greetings list, I was recently trying to track down a reproducible crash
in a compressor. Believe it or not, it really was a bug in
zlib-1.2.11 when compressing (not…
CVE-2022-1972: out-of-bound write in Linux netfilter subsystem leads to local privilege escalation: Posted by 张子明(明程) on Jun 02Hello,
An out-of-bound write vulnerability was identified within the
netfilter subsystem
which can be exploited to…
Re: Linux Kernel eBPF Improper Input Validation Vulnerability: Posted by tr3e wang on Jun 07Hi,
The exploit code can be found at
Alexander, thanks for the update and for helping me post the exploit
code, I suffered from…
Just published a post on exploiting CVE-2024-0582, a vulnerability in the Linux kernel that remained unpatched in Ubuntu for over two months. Hope you enjoy it!
Linux Kernel: Race Condition in snd_pcm_hw_free leading to use-after-free: Posted by Hu Jiahui on Mar 28This is the original report about CVE-2022-1048.
Patch: () suse de/
#t
---------- Forwarded message ---------
From:…
CVE-2022-1462: Linux kernel: A race condition vulnerability in drivers/tty/tty_buffers.c: Posted by 一只狗 on May 27 This vulnerability comes from commit(
)
This commit suggests doing tty_flip_buffer_push without port->lock in…
Re: Our learnings from 42 Linux kernel exploits, we are limiting io_uring: Posted by Marcus Meissner on Jul 25Hi,
has been updated with exploit information.
I tried to backtrack through kernel git to find the exact commit…
Linux Kernel use-after-free write in netfilter: Posted by EDG EDG on May 31Hello,
A use-after-free write vulnerability was identified within the
netfilter subsystem
which can be exploited to achieve privilege escalation to root.
In order to…
Re: Linux kernel: Netfilter heap buffer overflow in nft_set_elem_init: Posted by Marcus Meissner on Jul 04Hi,
Mitre has assigned CVE-2022-34918 to this issue.
Ciao, Marcus
Mayhem: Targeted Corruption of Register and Stack Variables by
@canertol
et al. A novel application of Rowhammer.
A mitigation is suggested. Susceptible are at least OpenSSH, OpenSSL, MySQL, sudo (CVE-2023-42465, patched in 1.9.15).
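Mayhem's attack model is a single flipped bit in a register or stack variable turning a denial into an approval. One hardening pattern against that, shown as an added example written for this page (it is not the paper's code, and the constants are constructed rather than taken from any of the listed projects): encode a security-critical decision as two constants that differ in every bit and treat any other value as denial, so that no single flip of the "denied" value decodes as "allowed".

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed encodings (assumed values for this example, not any project's):
 * AUTH_DENIED is the bitwise complement of AUTH_ALLOWED, so the two
 * differ in all 32 bits. */
#define AUTH_ALLOWED 0x5A5A3C3Cu
#define AUTH_DENIED  0xA5A5C3C3u

/* Fragile pattern: a plain 0/1 flag. Any single bit flip of 0 is nonzero
 * and therefore read as "allowed". */
static int decide_bool(uint32_t flag)
{
    return flag != 0;
}

/* Hardened pattern: only the exact AUTH_ALLOWED encoding grants access.
 * A corrupted flag, whatever its value, falls through to denial. */
static int decide_hardened(uint32_t flag)
{
    return flag == AUTH_ALLOWED;
}

/* Models a single Rowhammer-style bit flip at position `bit`. */
static uint32_t flip_bit(uint32_t v, unsigned bit)
{
    return v ^ (1u << bit);
}

/* Counts how many of the 32 possible single-bit flips of `denied` the
 * decision function accepts. Zero means no single flip escalates. */
unsigned flips_that_allow(int (*decide)(uint32_t), uint32_t denied)
{
    unsigned n = 0;
    for (unsigned b = 0; b < 32; b++)
        if (decide(flip_bit(denied, b)))
            n++;
    return n;
}

/* Hamming distance: how many bits must flip at once to reach `b` from `a`. */
unsigned hamming(uint32_t a, uint32_t b)
{
    unsigned d = 0;
    for (uint32_t x = a ^ b; x; x &= x - 1)
        d++;
    return d;
}

unsigned bool_escalations(void)     { return flips_that_allow(decide_bool, 0); }
unsigned hardened_escalations(void) { return flips_that_allow(decide_hardened, AUTH_DENIED); }

int main(void)
{
    printf("0/1 flag: %u of 32 single flips grant access\n", bool_escalations());
    printf("encoded flag: %u of 32 single flips grant access\n", hardened_escalations());
    printf("Hamming distance ALLOWED/DENIED: %u\n", hamming(AUTH_ALLOWED, AUTH_DENIED));
    return 0;
}
```

This only hardens the stored value: a flip landing in the register that holds the comparison result, or in the code performing it, is outside what the encoding can catch, which is why the paper's attack also targets registers and why its own suggested mitigation should be read alongside this.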
CVE-2023-20593: A use-after-free in AMD Zen2 Processors: Posted by Tavis Ormandy on Jul 24Hello, this is CVE-2023-20593, a use-after-free in AMD Zen2 processors.
Yes, you read that right :)
This includes at least the following products:
- AMD…
Our learnings from 42 Linux kernel exploits, we are limiting io_uring: Posted by Tamás Koczka on Jun 17Hello everyone,
We've posted the following article to the Google Security Blog which
contains some of our learnings from 42 Linux kernel exploits…
Re: Denial of service in GnuPG: Posted by Demi Marie Obenour on Jul 04It has come to my attention that my original post caused at least two
mail clients to hang. Sorry about that; I did not expect any mail
client to eagerly parse the attachments. This…
Update on the distro-backdoor-scanner effort
Unpacked and scanned:
~11k EndeavourOS/Arch packages
~40k Debian packages
~19k Gentoo packages
~9k Rocky/RPM packages
So far no other backdoors like xz's found. Plans for more checks and scans. Help wanted.
Search for other potential compromises by the xz backdoor actors
PGP keys and
All packages in Gentoo, Debian, Rocky Linux
Detecting code injections in packages through debug infos
New reverse-engineering results shared by
@FiloSottile
: the hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system()
Linux kernel: net: mctp: A Use-After-Free bug in mctp_sk_unhash in net/mctp/af_mctp.c: Posted by butt3rflyh4ck on Oct 22Hi, there is a Use-After-Free bug in mctp_sk_unhash in
net/mctp/af_mctp.c in the last Linux kernel upstream. An unprivileged
the…
[CVE-2023-32233] Linux kernel use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary reads and writes in kernel memory: Posted by Piotr Krysiuk on May 08An issue has been discovered in the Linux kernel…
[CVE-2023-42753] Array Indexing error in Linux kernel: Posted by Kyle Zeng on Sep 22Hi there,
I recently found an array indexing vulnerability in the netfilter
ipset subsystem in Linux, which I believe is exploitable in some
systems because of its…
CVE-2020-15859 QEMU: net: e1000e: use-after-free while sending packets: Posted by P J P on Jul 21 Hello, A use-after-free issue was found in the INTEL 82574 NIC (e1000e) emulator of the QEMU. It could occur while sending packets if the guest user set the…
Out-of-bounds read & write in the glibc's qsort(),
@Qualys
Security Advisory.
For the algorithm lovers: Nontransitive comparison functions lead to out-of-bounds read & write in glibc's qsort().
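The precondition qsort() relies on is that the comparison function is a strict weak ordering; the advisory's point is that a comparator which is not transitive can drive glibc's implementation out of bounds. As an added example (written for this page, not code from the Qualys advisory or from glibc), here is a property check that counts antisymmetry and transitivity violations of a comparator over a sample, applied to a constructed faulty comparator that computes "a - b" with wraparound and to a correct three-way compare:

```c
/* Added example: checks whether a qsort() comparator behaves as a strict
 * weak ordering on a sample. The faulty comparator and the sample are
 * constructed for illustration. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef int (*cmp_fn)(const void *, const void *);

/* Constructed faulty comparator: "a - b" with 32-bit wraparound (done via
 * unsigned arithmetic so the example itself has no undefined behaviour).
 * For operands of opposite sign the difference can wrap and invert the
 * result, so the order it induces is not transitive. */
static int cmp_subtract(const void *pa, const void *pb)
{
    int a = *(const int *)pa, b = *(const int *)pb;
    return (int)((uint32_t)a - (uint32_t)b);
}

/* Correct comparator: three-way compare with no arithmetic on the values. */
static int cmp_safe(const void *pa, const void *pb)
{
    int a = *(const int *)pa, b = *(const int *)pb;
    return (a > b) - (a < b);
}

static int sgn(int x) { return (x > 0) - (x < 0); }

/* Counts violations of antisymmetry (sign cmp(a,b) != -sign cmp(b,a)) and
 * transitivity (a<b and b<c but not a<c) over all pairs and triples of the
 * sample. Any non-zero count means qsort()'s precondition is broken. */
size_t comparator_violations(cmp_fn cmp, const int *v, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++) {
            int ab = sgn(cmp(&v[i], &v[j]));
            int ba = sgn(cmp(&v[j], &v[i]));
            if (ab != -ba) { bad++; continue; }
            if (ab >= 0) continue;              /* only follow a < b chains */
            for (size_t k = 0; k < n; k++) {
                int bc = sgn(cmp(&v[j], &v[k]));
                int ac = sgn(cmp(&v[i], &v[k]));
                if (bc < 0 && ac >= 0) bad++;   /* a<b, b<c, but not a<c */
            }
        }
    return bad;
}

/* Constructed sample mixing extreme values, the inputs that expose wraparound. */
static const int sample[] = { INT_MIN, -1, 0, 1, INT_MAX, INT_MIN + 7, INT_MAX - 7 };
static const size_t sample_len = sizeof sample / sizeof sample[0];

size_t violations_subtract(void) { return comparator_violations(cmp_subtract, sample, sample_len); }
size_t violations_safe(void)     { return comparator_violations(cmp_safe, sample, sample_len); }

int main(void)
{
    printf("cmp_subtract violations: %zu\n", violations_subtract());
    printf("cmp_safe violations:     %zu\n", violations_safe());
    return 0;
}
```

The check is quadratic-to-cubic in the sample size, so it is a unit-test aid for the comparators a program hands to qsort() rather than something to run on production inputs; the point is that the faulty comparator is caught before it ever reaches libc.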
Re: [CVE-2023-32233] Linux kernel use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary reads and writes in kernel memory: Posted by Piotr Krysiuk on May 15Per the announcement above, we are publishing…
Re: CVE-2019-18960: Firecracker v0.18.0 and v0.19.0 vsock buffer overflow: Posted by Solar Designer on Sep 11Hi,
FWIW, Valentina Palmiotti
@chompie1337
and her colleagues at Grapl have
recently looked into exploiting the below vulnerability, and…
Linux kernel: UAF, null-ptr-deref and double-free vulnerabilities in nfcmrvl module: Posted by duoming on Jun 05Hello there,
There are double-free, use-after-free(write,read), null-ptr-deref vulnerabilities
in drivers/nfc/nfcmrvl of linux that allow…
Re: zgrep, xzgrep: arbitrary-file-write vulnerability: Posted by Levente Polyak on Apr 08CVE-2022-1271 has been assigned to this issue.
Cheers,
Levente
"On PHP [this glibc bug led] to amazing results: a new exploitation technique that affects the whole PHP ecosystem, and the compromission of several applications."
CVE-2023-0122: Linux kernel: Pre-Auth Remote DoS in NVMe: Posted by Tal Lossos on Jan 12Hi all,
# Description
A NULL Pointer Dereference bug in nvmet_setup_auth
(drivers/nvme/target/auth.c) can be triggered remotely to cause a DoS.
Since the bug…
Telegram uses SOCKS5 to share user/creds: Posted by Dhiraj Mishra on Sep 27 Telegram is supposedly a secure messaging application, but it uses SOCKS5 to transmit user credentials; neither traffic nor credentials are encrypted in the SOCKS5 protocol,…
CVE-2019-14821 Kernel: KVM: OOB memory access via mmio ring buffer: Posted by P J P on Sep 20 Hello, An out-of-bounds access issue was found in the way Linux kernel's KVM hypervisor implements Coalesced MMIO write operation. It operates on a MMIO ring…
CVE-2022-2602 - Linux kernel io_uring UAF: Posted by Thadeu Lima de Souza Cascardo on Oct 18 A local privilege escalation vulnerability involving Unix socket Garbage
Collection and io_uring was reported and fixed as:
…
Re: Linux kernel: Exploitable vulnerabilities in AF_VSOCK implementation: Posted by Alexander Popov on Apr 09Hello! I published a detailed article about exploiting CVE-2021-26708 in AF_VSOCK implementation: In this article I…
Re: Linux kernel: use-after-free in io_sqpoll_wait_sq: Posted by Xingyuan Mo on Dec 27CVE-2022-47946 has been assigned to this issue.
Regards,
Xingyuan Mo
[CVE-2023-42756] Linux kernel race condition in netfilter: Posted by Kyle Zeng on Sep 27Hi there,
I recently found a race condition bug in the Linux kernel between
IPSET_CMD_ADD and IPSET_CMD_SWAP in netfilter/ip_set, which can
lead to the…
Another suspicious commit in xz, a dot disabling Landlock sandboxing
Likely preparation to backdoor the Linux kernel
Statement by original upstream author
Change in libarchive reverted
After 15+ years of being a 100% volunteer effort,
@Openwall
's maintenance of oss-security and (linux-)distros is finally sponsored by
@OpenSSF
, a project of
@LinuxFoundation
. As part of the sponsored effort, we now have distros list statistics for 2023.
glibc: Stack-based buffer overflow in nscd (0-day, no CVE yet)
Initial upstream patches for this major issue and for related minor bugs still under review. The glibc security team will send a separate notification once official patches are ready.
CVE-2023-1032 - Linux kernel io_uring IORING_OP_SOCKET double free: Posted by Thadeu Lima de Souza Cascardo on Mar 13A double-free vulnerability was found in the handling of IORING_OP_SOCKET
operation with io_uring on the Linux kernel.
It was fixed…
Make your own backdoor: CFLAGS code injection, Makefile injection, pkg-config
"I've chosen the Linux kernel as the target for the attack, and I want to do it without changing either the kernel source code or any release tarballs."
Re: New Linux kernel NetFilter flaw gives attackers root privileges: Posted by Thadeu Lima de Souza Cascardo on May 10 If users don't need user namespaces, they can disable them on Ubuntu kernels as a
mitigation by doing:
sysctl -w…
CVE-2022-2586 - Linux kernel nf_tables cross-table reference UAF: Posted by Thadeu Lima de Souza Cascardo on Aug 09CVE-2022-2586 - Linux kernel nf_tables cross-table reference UAF
It was discovered that a nft object or expression could reference a nft…
Re: CVE-2019-14835: QEMU-KVM Guest to Host Kernel Escape Vulnerability: vhost/vhost_net kernel buffer overflow: Posted by Tina Li on Oct 03Hi Peter, We are trying to follow your steps to reproduce the attack. Our host is Ubuntu 18.04.2 LTS. Guest is…
CVE-2022-2588 - Linux kernel cls_route UAF: Posted by Thadeu Lima de Souza Cascardo on Aug 09CVE-2022-2588 - Linux kernel cls_route UAF
It was discovered that the cls_route filter implementation in the Linux kernel
would not remove an old filter from…
Re: CVE-2022-1729: race condition in Linux perf subsystem leads to local privilege escalation: Posted by Solar Designer on Jun 30Hi all,
I'm attaching Norbert's exploit (lpe.c) that was attached to his May 12
notification to linux-distros. We're now…
CVE-2023-1281, CVE-2023-1829: Linux kernel: Vulnerabilities in the tcindex classifier: Posted by valis on Apr 11Hi,
I have recently discovered two security issues in the tcindex
classifier (part of the network QoS subsystem of the Linux kernel):
…
[CVE-2023-42755] Linux kernel wild pointer access: Posted by Kyle Zeng on Sep 25Hi there,
I recently found a bug in the rsvp traffic classifier in the Linux kernel.
This classifier is already retired in the upstream but affects all stable
releases.…
CVE-2023-31248 - Linux kernel nf_tables UAF when using nft_chain_lookup_byid: Posted by Thadeu Lima de Souza Cascardo on Jul 05It was discovered that it was possible to refer to a deleted nf_tables
chain when using nft_chain_lookup_byid, leading to a…
CVE-2021-33656: Linux kernel: When setting a font with malicious data via ioctl cmd PIO_FONT, the kernel will write memory out of bounds: Posted by Weigang (Jimmy) on Jul 19 Fix has been released in the Linux kernel stable tree.
CVE-2023-3439: Linux MCTP use-after-free in mctp_sendmsg: Posted by Lin Ma on Jul 02Hello,
We have found a concurrency use-after-free case in the Linux kernel, assigned CVE-2023-3439 by the Red Hat team.
Below are the details about this issue.
…
usbview polkit policy local root exploit (CVE-2022-23220): Posted by Matthias Gerstner on Jan 21Hello list,
this is to inform you about a local root exploit I found in usbview [1]
release 2.1. This finding was embargoed for 7 days on the…
Linux kernel: CVE-2017-18344: arbitrary-read vulnerability in the timer subsystem: Posted by Andrey Konovalov on Aug 02Hi! Syzkaller/syzbot found a global-out-of-bounds bug in the timer subsystem of the Linux kernel [1], that is exploitable and can be…
Re: CVE-2022-1972: out-of-bound write in Linux netfilter subsystem leads to local privilege escalation: Posted by Solar Designer on Aug 06[...]
Apparently, this vulnerability was also independently discovered by
Arthur Mongodin during an internship…
Linux kernel: off-by-one in fl_set_geneve_opt: Posted by Hangyu Hua on Jun 06 Hi guys,
I found an off-by-one bug in the Linux kernel's Flower
classifier (NET_CLS_FLOWER). It can cause denial of service and privilege
escalation.
# Details:
static int…
CVE-2022-2590: Linux kernel: Modifying shmem/tmpfs files without write permissions: Posted by David Hildenbrand on Aug 08Hi,
I found a security issue (CVE-2022-2590) in the Linux kernel similar to
Dirty COW (CVE-2016-5195), however, restricted to…
Xen Security Advisory 254 (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754) - Information leak via side effects of speculative execution: Posted by Xen.org security team on Jan 03 Xen Security Advisory CVE-2017-5753,CVE-2017-5715,CVE-2017-5754 / XSA-254…
[vs] CVE-2023-32324 heap buffer overflow in cupsd: Posted by Zdenek Dohnal on Jun 01Hi all,
there is currently embargoed CVE-2023-32324 in cups project:
Summary
A heap buffer overflow vulnerability would allow a remote attacker to
launch a DoS…
Linux kernel: multiple vulnerabilities in the USB subsystem x3: Posted by Andrey Konovalov on Dec 03Hi! More CVEs for bugs in Linux kernel USB drivers that can be triggered by an external malicious USB device. Found with syzkaller [1]. This time no…
Re: CVE-2023-0045: Linux Kernel: Bypassing Spectre-BTI User Space Mitigations: Posted by Rodrigo Branco on Feb 04Here is the original write-up:
I am already talking to Rafael from Google to get their version updated.
The…
Apache mod_dav off-by-one: Posted by Evgeny Legerov on Aug 09Hi,
How it happens that Apache process_if_header off-by-one, which has been
mentioned in
The Art of Software Security Assessment (page 420), still remains unpatched?
What am I…
CVE-2018-10853 kernel: kvm: guest userspace to guest kernel write: Posted by P J P on Sep 02 Hello, A flaw was found in the way Linux kernel KVM hypervisor emulated instructions such as sgdt/sidt/fxsave/fxrstor. It did not check current privilege(CPL)…
Intel hyper-threading security issues: Posted by Loganaden Velvindron on Jun 19Hi all, OpenBSD has gone ahead and disabled Intel Hyper threading with a fairly detailed comment about the reasons behind: () openbsd org/msg99141.html…
Linux kernel io_uring out-of-bounds access to physical memory: Posted by Tobias Holl on May 08Hi all,
a bug in the fixed buffer registration code for io_uring
(io_sqe_buffer_register in io_uring/rsrc.c) allows out-of-bounds access
to physical memory…
Disclosing
#SLAM
, aka how to combine Spectre and Intel LAM (& co.) to leak kernel memory on future CPUs (demo below). Thousands of exploitable "unmasked" (or pointer chasing) gadgets in the Linux kernel. Joint work by
@MatheHertogh
@SanWieb
@c_giuffrida
:
The xz sshd backdoor rabbit hole goes quite a bit deeper. I was just able to trigger some harder-to-reach functionality of the backdoor. There's still more to explore.. 1/n
CVE-2023-38633 in librsvg: Arbitrary file read when xinclude href has special characters: Posted by Alan Coopersmith on Jul 27I haven't seen this go by yet, so for those who haven't seen it:
reports:
CVE-2023-38633:…
Re: Type Confusion in Linux Kernel: Posted by Kyle Zeng on Jan 10Hi John,
A crash report is attached to this email. I hope this helps evaluate
the security implication of the bug.
Best,
Kyle Zeng
…
CVE-2024-2961: glibc: ISO-2022-CN-EXT: Out-of-bound writes when writing escape sequence
iconv() in glibc 2.39 and older may overflow the output buffer by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set
CVE-2023-3338: Linux Kernel NULL Pointer Dereference in DECnet: Posted by Ornaghi Davide - Betrusted on Jun 24Hi all,
I'm reporting a Null Pointer Dereference vulnerability that I found while attempting to ping localhost by sending a
Hello message…
Strings the binary payload checks for
Ongoing further analysis of the payload
Scripted part of the backdoor illustrated by
@fr0gger_
systemd upstream stance
🤯 The level of sophistication of the XZ attack is very impressive! I tried to make sense of the analysis in a single page (which was quite complicated)!
I hope it helps to make sense of the information out there. Please treat the information "as is" while the analysis
Explanation on how and why xz/liblzma is loaded into sshd on many Linux distros, and what we can do about that and
.o file samples from 5.6.0 and 5.6.1
Mirror with working commit links
CVE-2023-35001 - Linux kernel nf_tables nft_byteorder_eval OOB read/write: Posted by Thadeu Lima de Souza Cascardo on Jul 05It was discovered that it was possible to cause an out-of-bounds read or
write when processing an nft_byteorder expression.
…
CVE-2022-4543: KASLR Leakage Achievable even with KPTI through Prefetch Side-Channel: Posted by Will on Dec 16I've discovered that KPTI has implementation issues, allowing any local attacker to easily, quickly, and reliably leak
KASLR base via prefetch…