CVE-2009-4358
https://notcve.org/view.php?id=CVE-2009-4358
freebsd-update in FreeBSD 8.0, 7.2, 7.1, 6.4, and 6.3 uses insecure permissions in its working directory (/var/db/freebsd-update by default), which allows local users to read copies of sensitive files after a (1) freebsd-update fetch (fetch) or (2) freebsd-update upgrade (upgrade) operation. FreeBSD-update en FreeBSD v8.0, v7.2, v7.1, v6.4, y v6.3 utiliza permisos inseguros en su directorio de trabajo (/var/db/Freebsd-update por defecto), lo que permite leer las copias de archivos confidenciales a usuarios locales después de una operacion de actualización (1) freebsd-update (fetch) o (2) freebsd-update (upgrade). • http://secunia.com/advisories/37575 http://security.freebsd.org/advisories/FreeBSD-SA-09:17.freebsd-update.asc http://www.securityfocus.com/bid/37190 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2009-4147 – FreeBSD 8.0 Run-Time Link-Editor (RTLD) - Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2009-4147
The _rtld function in the Run-Time Link-Editor (rtld) in libexec/rtld-elf/rtld.c in FreeBSD 7.1 and 8.0 does not clear the (1) LD_LIBMAP, (2) LD_LIBRARY_PATH, (3) LD_LIBMAP_DISABLE, (4) LD_DEBUG, and (5) LD_ELF_HINTS_PATH environment variables, which allows local users to gain privileges by executing a setuid or setguid program with a modified variable containing an untrusted search path that points to a Trojan horse library, different vectors than CVE-2009-4146. La función _rtld en Run-Time Link-Editor (rtld) en libexec/rtld-elf/rtld.c en FreeBSD v7.1 y v8.0 no limpia las variables de entorno de (1) LD_LIBMAP, (2) LD_LIBRARY_PATH, (3) LD_LIBMAP_DISABLE, (4) LD_DEBUG, and (5) LD_ELF_HINTS_PATH lo que permite a usuarios locales conseguir privilegios mediante la ejecución de un programa setuid o setguid con una variable modificada que contiene una ruta de búsqueda sin confianza que apunta a una libreria de un troyano con vectores diferentes que CVE-2009-4146. • https://www.exploit-db.com/exploits/10255 http://packetstormsecurity.com/files/152997/FreeBSD-rtld-execl-Privilege-Escalation.html http://people.freebsd.org/~cperciva/rtld.patch http://secunia.com/advisories/37517 http://www.securityfocus.com/archive/1/508142/100/0/threaded http://www.securityfocus.com/archive/1/508146/100/0/threaded http://www.securityfocus.com/bid/37154 http://www.securitytracker.com/id?1023250 https://seclists.org/fulldisclosure/2009/Nov/371 https://c-skills& • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2009-4146 – FreeBSD 8.0 Run-Time Link-Editor (RTLD) - Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2009-4146
The _rtld function in the Run-Time Link-Editor (rtld) in libexec/rtld-elf/rtld.c in FreeBSD 7.1, 7.2, and 8.0 does not clear the LD_PRELOAD environment variable, which allows local users to gain privileges by executing a setuid or setguid program with a modified LD_PRELOAD variable containing an untrusted search path that points to a Trojan horse library, a different vector than CVE-2009-4147. La función _rtld en el Run-Time Link-Editor (rtld) de libexec/rtld-elf/rtld.c de FreeBSD v7.1, v7.2 y v8.0, no limpia la variable de entorno LD_PRELOAD, esto permite a usuarios locales aumentar sus privilegios al ejecutar el programa setuid o setguid con la variable LD_PRELOAD modificada para que contenga una ruta de búsqueda no confiable que apunte a una biblioteca de un Troyano. Se trata de una vulnerabilidad diferente de CVE-2009-4147. • https://www.exploit-db.com/exploits/10255 http://packetstormsecurity.com/files/152997/FreeBSD-rtld-execl-Privilege-Escalation.html http://people.freebsd.org/~cperciva/rtld.patch http://secunia.com/advisories/37517 http://www.securityfocus.com/archive/1/508142/100/0/threaded http://www.securityfocus.com/archive/1/508146/100/0/threaded http://www.securityfocus.com/archive/1/508168/100/0/threaded http://www.securityfocus.com/bid/37154 http://www.securitytracker.com/id?1023250 https: • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2009-3527 – FreeBSD 6.4 - 'pipeclose()'/'knlist_cleardel()' Race Condition
https://notcve.org/view.php?id=CVE-2009-3527
Race condition in the Pipe (IPC) close function in FreeBSD 6.3 and 6.4 allows local users to cause a denial of service (crash) or gain privileges via vectors related to kqueues, which triggers a use after free, leading to a NULL pointer dereference or memory corruption. Condición de carrera en la función Close Pipe (IPC)en FreeBSD v6.3 y v6.4, permite a usuarios locales provocar una denegación de servicio (caída) u obtener privilegios a través de vectores relacionados con "kqueues", lo que provoca una liberación después del uso , aprovechando una deferencia a puntero NULL o una corrupción de memoria. • https://www.exploit-db.com/exploits/9859 http://osvdb.org/58544 http://security.freebsd.org/advisories/FreeBSD-SA-09:13.pipe.asc http://www.securityfocus.com/archive/1/506449 http://www.securityfocus.com/bid/36375 http://www.securitytracker.com/id?1022982 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2009-2649 – FreeBSD 6/8 - ata Device Local Denial of Service
https://notcve.org/view.php?id=CVE-2009-2649
The IATA (ata) driver in FreeBSD 6.0 and 8.0, when read access to /dev is available, allows local users to cause a denial of service (kernel panic) via a certain IOCTL request with a large count, which triggers a malloc call with a large value. El controlador IATA (ata) en FreeBSD v6.0 y v8.0, cuando está disponible la lectura en el directorio /dev, permite a usuarios locales provocar una denegación de servicio (kernel panic) a través de ciertas peticiones IOCTL con un "count" largo, que provoca una llamada para la reserva de memoria (malloc) con un valor largo. • https://www.exploit-db.com/exploits/9134 http://www.securityfocus.com/bid/35645 http://www.securitytracker.com/id?1022538 • CWE-264: Permissions, Privileges, and Access Controls •