This exploit demonstrates the exploitability of the sock_sendpage() NULL pointer dereference vulnerability on ppc and ppc64 architectures. It utilizes the SELinux and mmap_min_addr issues to exploit the vulnerability on Red Hat Enterprise Linux 5.3 and CentOS 5.3. The vulnerability affects Linux kernel versions from 2.4.4 to 2.4.37.4, and from 2.6.0 to 2.6.30.4.
The procfs code (proc_misc.c) in Linux 2.6.14.3 and other versions before 2.6.15 allows attackers to read sensitive kernel memory via unspecified vectors in which a signed value is added to an unsigned value.
This exploit takes advantage of an underflow vulnerability in the Linux kernel to escalate privileges from CAP_SYS_ADMIN to root. It uses a different approach than the original exploit, by underflowing to static values inside the kernel that are referenced as pointers to userspace. This method is simple and reliable.
The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a pktcdvd_device from the global pkt_devs array. The index into this array is supplied directly by the user and is a signed integer, so the bounds check against the array size fails when a negative index is provided. This allows an attacker to disclose 4 bytes of arbitrary kernel memory per ioctl call by specifying a large negative device index, causing the kernel to dereference a fake pktcdvd_device structure in userspace and copy data to userspace from an attacker-controlled address.
This is a local privilege escalation exploit for the Linux Kernel Module Loader up to version 2.4.20. It allows an attacker to gain root privileges on a vulnerable system.
Execution of a particular program from the Arachne suite reliably causes a kernel panic due to a NULL-pointer dereference in nfs4_proc_lock().
Linux kernel versions 2.1.89 to 2.2.3 are vulnerable to a denial of service attack triggered when a 0-length IP fragment is received and it is the first fragment in the list. Several thousand 0-length packets must be sent to trigger the denial of service against the target.
The Linux kernel implements POSIX "Capabilities" as an additional form of privilege control. These capabilities allow more specific control over what privileged processes can do. However, there is a vulnerability where capabilities are inherited across fork() and exec(), meaning that if capabilities are modified by a parent process, the modified set is carried over to the child. An attacker can exploit this by setting all capabilities to zero and executing a setuid program that attempts to drop privileges before executing dangerous code. This can lead to a complete compromise of the system.
The autofs kernel module does not check the size of the directory names it receives. It is passed the name and the name's length through dentry->d_name.name and dentry->d_name.len respectively. Later on, it copies the name with memcpy() into a 256 byte buffer, using dentry->d_name.len as the number of bytes to copy, without checking its size. A nonprivileged user may attempt to cd to a directory name exceeding 255 characters. This overwrites memory, probably the kernel stack and anything beyond it, and causes kernel errors or makes the machine reboot.
The vulnerability is a buffer overflow in the mount daemon's logging code, which is supposed to log unauthorized mount attempts. This allows remote attackers to execute arbitrary code or cause a denial of service.