CVE-2019-19726 – OpenBSD 6.x - Dynamic Loader Privilege Escalation
https://notcve.org/view.php?id=CVE-2019-19726
OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root. OpenBSD versiones hasta 6.6, permite a usuarios locales escalar a root porque una comprobación de LD_LIBRARY_PATH en los programas setuid puede ser vencida estableciendo un límite de recursos de RLIMIT_DATA muy pequeño. Al ejecutar chpass o passwd (que son root de setuid), en la función _dl_setup_env en el archivo ld.so intenta eliminar LD_LIBRARY_PATH del entorno, pero presenta un fallo cuando no puede asignar memoria. • https://www.exploit-db.com/exploits/47780 https://www.exploit-db.com/exploits/47803 http://packetstormsecurity.com/files/155658/Qualys-Security-Advisory-OpenBSD-Dynamic-Loader-Privilege-Escalation.html http://packetstormsecurity.com/files/155764/OpenBSD-Dynamic-Loader-chpass-Privilege-Escalation.html http://packetstormsecurity.com/files/174986/glibc-ld.so-Local-Privilege-Escalation.html http://seclists.org/fulldisclosure/2019/Dec/31 http://seclists.org/fulldisclosure/2023/Oct/11 http://www.openwall.com/lists/ • CWE-269: Improper Privilege Management •
CVE-2019-8460
https://notcve.org/view.php?id=CVE-2019-8460
OpenBSD kernel version <= 6.5 can be forced to create long chains of TCP SACK holes that causes very expensive calls to tcp_sack_option() for every incoming SACK packet which can lead to a denial of service. La versión del núcleo de OpenBSD anterior o igual a la versión 6.5 se puede forzar a crear largas cadenas de agujeros TCP SACK que provocan llamadas muy costosas a tcp_sack_option () para cada paquete SACK entrante que puede conducir a una denegación de servicio. • https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/006_tcpsack.patch.sig https://github.com/openbsd/src/commit/ed8fdce754a5d8d14c09e989d8877707bd43906f https://research.checkpoint.com/tcp-sack-security-issue-in-openbsd-cve-2019-8460 https://security.netapp.com/advisory/ntap-20190905-0001 https://us-cert.cisa.gov/ics/advisories/icsa-19-253-03 • CWE-1049: Excessive Data Query Operations in a Large Data Table •
CVE-2017-1000372
https://notcve.org/view.php?id=CVE-2017-1000372
A flaw exists in OpenBSD's implementation of the stack guard page that allows attackers to bypass it resulting in arbitrary code execution using setuid binaries such as /usr/bin/at. This affects OpenBSD 6.1 and possibly earlier versions. Existe un error en la implementación de OpenBSD de la página stack guard que permite que los atacantes la omitan, lo que resulta en la ejecución de código arbitrario mediante el uso de binarios setuid como /usr/bin/at. Esto afecta a OpenBSD 6.1 y posiblemente a versiones anteriores. • http://www.securityfocus.com/bid/99172 https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/008_exec_subr.patch.sig https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt •
CVE-2017-1000373 – OpenBSD - 'at Stack Clash' Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2017-1000373
The OpenBSD qsort() function is recursive, and not randomized, an attacker can construct a pathological input array of N elements that causes qsort() to deterministically recurse N/4 times. This allows attackers to consume arbitrary amounts of stack memory and manipulate stack memory to assist in arbitrary code execution attacks. This affects OpenBSD 6.1 and possibly earlier versions. La función qsort() de OpenBSD es recursiva y no aleatorizada, por lo que un atacante puede construir un array de entrada patológica de elementos N que provoca que qsort() se repita inevitablemente N/4 veces. Esto permite que los atacantes consuman cantidades de memoria de pila arbitrarias y manipulen la memoria de pila para ayudar en los ataques de ejecución de código arbitrario. • https://www.exploit-db.com/exploits/42271 http://www.securityfocus.com/bid/99177 http://www.securitytracker.com/id/1039427 https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/qsort.c?rev=1.15&content-type=text/x-cvsweb-markup https://support.apple.com/HT208112 https://support.apple.com/HT208113 https://support.apple.com/HT208115 https://support.apple.com/HT208144 https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt • CWE-400: Uncontrolled Resource Consumption •
CVE-2014-7250
https://notcve.org/view.php?id=CVE-2014-7250
The TCP stack in 4.3BSD Net/2, as used in FreeBSD 5.4, NetBSD possibly 2.0, and OpenBSD possibly 3.6, does not properly implement the session timer, which allows remote attackers to cause a denial of service (resource consumption) via crafted packets. La pila de TCP en 4.3BSD Net/2, utilizado en FreeBSD 5.4, NetBSD posiblemente 2.0, y OpenBSD posiblemente 3.6, no implementa correctamente el temporizador de la sesión, lo que permite a atacantes remotos causar una denegación de servicio (consumo de recursos) a través de paquetes manipulados. • http://jvn.jp/en/jp/JVN07930208/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2014-000134 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195243 • CWE-399: Resource Management Errors •