BSD derived operating systems have a special function to set a 'user context'. The function setusercontext() is available on for example FreeBSD 5.0 and 7.0. An example from ftpd.c : setusercontext(lc, pw, (uid_t)0, LOGIN_SETLOGIN|LOGIN_SETGROUP|LOGIN_SETPRIORITY| LOGIN_SETRESOURCES|LOGIN_SETUMASK). An interesing setting here is LOGIN_SETRESOURCES with which a USER is allowed to set resources actually. From the manpage: LOGIN_SETRESOURCES Set resource limits for the current process based on values specified in the system login class database. Class capability tags used, with and without -cur (soft limit) or -max (hard limit) suffixes and the corresponding resource setting: cputime RLIMIT_CPU, filesize RLIMIT_FSIZE, datasize RLIMIT_DATA, stacksize RLIMIT_STACK, coredumpsize RLIMIT_CORE, memoryuse RLIMIT_RSS, memorylocked RLIMIT_MEMLOCK, maxproc RLIMIT_NPROC, openfiles RLIMIT_NOFILE, sbsize RLIMIT_SBSIZE, vmemoryuse RLIMIT_VMEM. Now one can set (means: upload) their own ~/.login_conf and play around a bit. For example the chroot() call in ftpd.c can be bypassed by setting 'openfiles' to a value of 5.
FreeBSD <= 6.1 suffers from classical check/use race condition on SMP systems in kevent() syscall, leading to kernel mode NULL pointer dereference. It can be triggered by spawning two threads: 1st thread looping on open() and close() syscalls, and the 2nd thread looping on kevent(), trying to add possibly invalid filedescriptor. The bug was fixed in 6.1-STABLE, just before release of 6.2-RELEASE, but was not recognized as security vulnerability. The following code exploits this vulnerability to run root shell.
Faslo Player 7.0 is vulnerable to a local buffer overflow vulnerability when a specially crafted .m3u file is opened. This can be exploited to execute arbitrary code by tricking a user into opening a malicious .m3u file. The vulnerability is caused due to a boundary error within the application when processing the file. This can be exploited to cause a stack-based buffer overflow by supplying a specially crafted .m3u file with an overly long string.
KSP 2006 FINAL is vulnerable to a local buffer overflow vulnerability when a specially crafted .M3U file is loaded. This vulnerability can be exploited by an attacker to execute arbitrary code on the vulnerable system by tricking a user into loading a malicious .M3U file. The vulnerability is caused due to a boundary error when handling .M3U files, which can be exploited to cause a stack-based buffer overflow by writing past the end of a buffer on the stack.
The vulnerability is caused due to the application not properly restricting access to the pages/edituser.php script. This can be exploited to modify a user's username and password without having proper credentials.
A vulnerability exists in PHP Dir Submit Version 1.00 (aid) which allows an attacker to inject arbitrary SQL commands. An attacker can exploit this vulnerability by registering in the site, adding a post, and pressing on 'View Article'. The attacker can then inject arbitrary SQL commands via the 'aid' parameter in the 'showarticle' menu.
An attacker can set the adminLoggedIn cookie to true, allowing them to bypass authentication and gain access to the admin panel.
A remote SQL injection vulnerability exists in Moa gallery 1.1.0. An attacker can send a specially crafted HTTP request to the vulnerable application in order to execute arbitrary SQL commands in the back-end database. This can be exploited to manipulate data, disclose sensitive information, or gain access to the system.
This exploit is a local ring0 root exploit for Linux kernel 2.4/2.6 (32bit) sock_sendpage(). It has been tested on RedHat Linux 9.0, Fedora core 4~11, Whitebox 4, and CentOS 4.x. The exploit is slow and dirty and was discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team. It was written by p0c73n1 and is based on the code of spender and venglin.
This exploit is for CVE-2009-2692 on Android. The hole is closed in Android kernels released August 2009 or later.