Page 2 of 36 results (0.011 seconds)

CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 5

OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root. OpenBSD versiones hasta 6.6, permite a usuarios locales escalar a root porque una comprobación de LD_LIBRARY_PATH en los programas setuid puede ser vencida estableciendo un límite de recursos de RLIMIT_DATA muy pequeño. Al ejecutar chpass o passwd (que son root de setuid), en la función _dl_setup_env en el archivo ld.so intenta eliminar LD_LIBRARY_PATH del entorno, pero presenta un fallo cuando no puede asignar memoria. • https://www.exploit-db.com/exploits/47780 https://www.exploit-db.com/exploits/47803 http://packetstormsecurity.com/files/155658/Qualys-Security-Advisory-OpenBSD-Dynamic-Loader-Privilege-Escalation.html http://packetstormsecurity.com/files/155764/OpenBSD-Dynamic-Loader-chpass-Privilege-Escalation.html http://packetstormsecurity.com/files/174986/glibc-ld.so-Local-Privilege-Escalation.html http://seclists.org/fulldisclosure/2019/Dec/31 http://seclists.org/fulldisclosure/2023/Oct/11 http://www.openwall.com/lists/ • CWE-269: Improper Privilege Management •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2

OpenBSD kernel version <= 6.5 can be forced to create long chains of TCP SACK holes that causes very expensive calls to tcp_sack_option() for every incoming SACK packet which can lead to a denial of service. La versión del núcleo de OpenBSD anterior o igual a la versión 6.5 se puede forzar a crear largas cadenas de agujeros TCP SACK que provocan llamadas muy costosas a tcp_sack_option () para cada paquete SACK entrante que puede conducir a una denegación de servicio. • https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/006_tcpsack.patch.sig https://github.com/openbsd/src/commit/ed8fdce754a5d8d14c09e989d8877707bd43906f https://research.checkpoint.com/tcp-sack-security-issue-in-openbsd-cve-2019-8460 https://security.netapp.com/advisory/ntap-20190905-0001 https://us-cert.cisa.gov/ics/advisories/icsa-19-253-03 • CWE-1049: Excessive Data Query Operations in a Large Data Table •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

A flaw exists in OpenBSD's implementation of the stack guard page that allows attackers to bypass it resulting in arbitrary code execution using setuid binaries such as /usr/bin/at. This affects OpenBSD 6.1 and possibly earlier versions. Existe un error en la implementación de OpenBSD de la página stack guard que permite que los atacantes la omitan, lo que resulta en la ejecución de código arbitrario mediante el uso de binarios setuid como /usr/bin/at. Esto afecta a OpenBSD 6.1 y posiblemente a versiones anteriores. • http://www.securityfocus.com/bid/99172 https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/008_exec_subr.patch.sig https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt •

CVSS: 6.5EPSS: 1%CPEs: 1EXPL: 1

The OpenBSD qsort() function is recursive, and not randomized, an attacker can construct a pathological input array of N elements that causes qsort() to deterministically recurse N/4 times. This allows attackers to consume arbitrary amounts of stack memory and manipulate stack memory to assist in arbitrary code execution attacks. This affects OpenBSD 6.1 and possibly earlier versions. La función qsort() de OpenBSD es recursiva y no aleatorizada, por lo que un atacante puede construir un array de entrada patológica de elementos N que provoca que qsort() se repita inevitablemente N/4 veces. Esto permite que los atacantes consuman cantidades de memoria de pila arbitrarias y manipulen la memoria de pila para ayudar en los ataques de ejecución de código arbitrario. • https://www.exploit-db.com/exploits/42271 http://www.securityfocus.com/bid/99177 http://www.securitytracker.com/id/1039427 https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/qsort.c?rev=1.15&content-type=text/x-cvsweb-markup https://support.apple.com/HT208112 https://support.apple.com/HT208113 https://support.apple.com/HT208115 https://support.apple.com/HT208144 https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt • CWE-400: Uncontrolled Resource Consumption •

CVSS: 7.8EPSS: 5%CPEs: 4EXPL: 5

regcomp in the BSD implementation of libc is vulnerable to denial of service due to stack exhaustion. regcomp en la implementación BSD de libc, es vulnerable a una denegación de servicio debido al agotamiento de la pila. Mac OS X, Safari, Firefox and Kaspersky all suffer from a regular expression denial of service condition that was discovered long ago in regcomp(). • https://www.exploit-db.com/exploits/36288 http://seclists.org/fulldisclosure/2014/Mar/166 http://www.securityfocus.com/bid/50541 https://cxsecurity.com/issue/WLB-2011110082 https://www.securityfocus.com/archive/1/520390 • CWE-400: Uncontrolled Resource Consumption •