When chown_one() in the recursive chown logic decides that it has to change ownership of a directory entry, it first changes ownership as follows: if (name) r = fchownat(fd, name, uid, gid, AT_SYMLINK_NOFOLLOW); else r = fchown(fd, uid, gid); if (r < 0) return -errno; So far, this looks good. But then this happens: /* The linux kernel alters the mode in some cases of chown(). Let's undo this. */ if (name) { if (!S_ISLNK(st->st_mode)) r = fchmodat(fd, name, st->st_mode, 0); else /* There's currently no AT_SYMLINK_NOFOLLOW for fchmodat() */ r = 0; } else r = fchmod(fd, st->st_mode); This is dangerous, especially in the case where `name != NULL`. First off: I don't think that the overall objective of this code block makes sense. Yes, the kernel sometimes changes the mode when ownership is changed - but that's only for set-UID binaries and set-GID binaries (but not set-GID directories). I'm pretty sure that setuid/setgid binaries aren't supposed to appear in these directories anyway. The problem here is that, as the comment explains, `fchmodat(fd, name, st->st_mode, 0)` follows symlinks. The fchmodat() call is guarded by a `S_ISLNK(st->st_mode)` check, but that's obviously racy and therefore doesn't actually help.
When systemd re-executes (e.g. during a package upgrade), state is serialized into a memfd before the execve(), then reloaded after the execve(). Serialized data is stored as text, with key-value pairs separated by newlines. Values are escaped to prevent control character injection. Lines associated with a systemd unit are read in unit_deserialize() using fgets(): char line[LINE_MAX], *l, *v; [...] if (!fgets(line, sizeof(line), f)) { if (feof(f)) return 0; return -errno; } LINE_MAX is 2048: /usr/include/bits/posix2_lim.h:#define LINE_MAX _POSIX2_LINE_MAX /usr/include/bits/posix2_lim.h:#define _POSIX2_LINE_MAX 2048 When fgets() encounters overlong input, it behaves dangerously. If a line is more than 2047 characters long, fgets() will return the first 2047 characters and leave the read cursor in the middle of the overlong line. Then, when fgets() is called the next time, it continues to read data from offset 2047 in the line as if a new line started there. Therefore, if an attacker can inject an overlong value into the serialized state somehow, it is possible to inject extra key-value pairs into the serialized state. A service that has `NotifyAccess != none` can send a status message to systemd that will be stored as a property of the service. When systemd re-executes, this status message is stored under the key "status-text". Status messages that are sent to systemd are received by manager_dispatch_notify_fd(). This function has a receive buffer of size NOTIFY_BUFFER_MAX==PIPE_BUF==4096. Therefore, a service with `NotifyAccess != none` can trigger this bug.
Card Payment 1.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks. An attacker can send a malicious request to the vulnerable application in order to update the admin user. The application does not verify the request, allowing an attacker to update the admin user with a malicious payload.
This PoC is based on discussions found at the following github issue: https://github.com/paramiko/paramiko/issues/1175 TLDR, Paramiko doesn't check if the client has completed the authentication step before allowing the client to open channels. The PoC below connects to an SFTP server, and lists the root directory without authenticating. Slight modification is required if you want to open an SSH channel.
Local Server 1.0.9 is vulnerable to a denial of service attack. An attacker can send a specially crafted 'DOOM' packet to the server, causing it to crash. This can be exploited by an attacker to cause a denial of service condition.
Modbus Slave is a software used for simulating up to 32 slave devices in 32 windows. It is used for SCADA systems and is a serial communications protocol originally published by Schneider Electric. A perl exploit script can be used to create a new file with the name 'exploit.msw' and dragging it onto 'mbslave.exe' will cause a loop and crash on the software.
The School Equipment Monitoring System 1.0 is vulnerable to SQL injection. This vulnerability exists in the 'login' page of the application. An attacker can inject malicious SQL queries into the 'username' parameter of the 'login' page. This can be exploited to bypass authentication and gain access to the application.
AlienIP 2.41 is vulnerable to a Denial of Service attack when a maliciously crafted IP address is entered into the application. When the maliciously crafted IP address is entered into the application, it causes the application to crash.
A SQL injection vulnerability exists in Open Faculty Evaluation System 7, due to improper sanitization of user-supplied input in the 'batch_name' parameter of the '/[PATH]/submit_feedback.php' script. An attacker can leverage this vulnerability to execute arbitrary SQL commands in the application's back-end database, allowing for data manipulation and retrieval.
Library Management System 1.0 is vulnerable to SQL Injection. This vulnerability exists due to improper sanitization of user-supplied input in the 'frmListBooks' module. An attacker can exploit this vulnerability to execute arbitrary SQL commands in the application's backend database, allowing them to access or modify sensitive data, or even gain access to the underlying system.
Services By CQR