CVE-2017-5753 – Multiple CPUs - 'Spectre' Information Disclosure
https://notcve.org/view.php?id=CVE-2017-5753
Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. Los sistemas con microprocesadores con ejecución especulativa y predicción de ramas podrían permitir la revelación no autorizada de información al atacante con acceso de usuario local mediante un análisis de un canal lateral. An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5753 triggers the speculative execution by performing a bounds-check bypass. • https://www.exploit-db.com/exploits/43427 https://github.com/sachinthaBS/Spectre-Vulnerability-CVE-2017-5753- http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00007.html http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00008.html http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00014.html http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00016.html http://nvidia.custhe • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-203: Observable Discrepancy •
CVE-2017-1000366 – Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic Stack Clash' Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2017-1000366
glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. This affects glibc 2.25 and earlier. Glibc contiene una vulnerabilidad que permite que los valores LD_LIBRARY_PATH especialmente creados para manipular la región heap/stack de la memoria, generando entonces un alias, lo que podría conllevar a la ejecución del código arbitrario. Tenga en cuenta que se han realizado cambios de refuerzo adicionales en glibc para evitar la manipulación del stack y heap de la memoria de almacenamiento dinámico, pero estos problemas no se pueden explotar directamente, por lo que no se les ha otorgado un CVE. • https://www.exploit-db.com/exploits/42276 https://www.exploit-db.com/exploits/42274 https://www.exploit-db.com/exploits/42275 http://packetstormsecurity.com/files/154361/Cisco-Device-Hardcoded-Credentials-GNU-glibc-BusyBox.html http://seclists.org/fulldisclosure/2019/Sep/7 http://www.debian.org/security/2017/dsa-3887 http://www.securityfocus.com/bid/99127 http://www.securitytracker.com/id/1038712 https://access.redhat.com/errata/RHSA-2017:1479 https://access.redhat.com/errata/ • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2016-3714 – ImageMagick Improper Input Validation Vulnerability
https://notcve.org/view.php?id=CVE-2016-3714
The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick." Los codificadores (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN y (8) PLT en ImageMagick en versiones anteriores a 6.9.3-10 y 7.x en versiones anteriores a 7.0.1-1 permiten a atacantes remotos ejecutar código arbitrario a través de metacaracteres shell en una imagen manipulada, también conocido como "ImageTragick". It was discovered that ImageMagick did not properly sanitize certain input before passing it to the delegate functionality. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would lead to arbitrary execution of shell commands with the privileges of the user running the application. ImageMagick contains an improper input validation vulnerability that affects the EPHEMERAL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, and PLT coders. • https://www.exploit-db.com/exploits/39767 https://www.exploit-db.com/exploits/39791 https://github.com/Hood3dRob1n/CVE-2016-3714 https://github.com/jpeanut/ImageTragick-CVE-2016-3714-RShell https://github.com/chusiang/CVE-2016-3714.ansible.role https://github.com/JoshMorrison99/CVE-2016-3714 https://github.com/tommiionfire/CVE-2016-3714 http://git.imagemagick.org/repos/ImageMagick/blob/a01518e08c840577cabd7d3ff291a9ba735f7276/ChangeLog http://lists.opensuse.org/opensuse-security-announce/2016-05/msg • CWE-20: Improper Input Validation •
CVE-2015-7547 – glibc - 'getaddrinfo' Stack Buffer Overflow (PoC)
https://notcve.org/view.php?id=CVE-2015-7547
Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc functions in the libresolv library in the GNU C Library (aka glibc or libc6) before 2.23 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family, related to performing "dual A/AAAA DNS queries" and the libnss_dns.so.2 NSS module. Múltiples desbordamientos de buffer basado en pila en las funciones (1) send_dg y (2) send_vc en la librería libresolv en la librería GNU C (también conocida como glibc o libc6) en versiones anteriores a 2.23 permiten a atacantes remotos causar una denegación de servicio (caída) o posiblemente ejecutar código arbitrario a través de una respuesta DNS manipulada que desencadenan una llamada a la función getaddrinfo con la familia de direcciones AF_UNSPEC o AF_INET6, en relación con la ejecución de "consultas duales A/AAAA DNS" y el módulo libnss_dns.so.2 NSS. A stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries. A remote attacker could create a specially crafted DNS response which could cause libresolv to crash or, potentially, execute code with the permissions of the user running the library. Note: this issue is only exposed when libresolv is called from the nss_dns NSS service module. • https://www.exploit-db.com/exploits/39454 https://www.exploit-db.com/exploits/40339 https://github.com/fjserna/CVE-2015-7547 https://github.com/cakuzo/CVE-2015-7547 https://github.com/Stick-U235/CVE-2015-7547-Research https://github.com/t0r0t0r0/CVE-2015-7547 https://github.com/babykillerblack/CVE-2015-7547 https://github.com/Amilaperera12/Glibc-Vulnerability-Exploit-CVE-2015-7547 https://github.com/miracle03/CVE-2015-7547-master https://github.com/bluebluelan/CVE-2015-7547 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-121: Stack-based Buffer Overflow •
CVE-2015-5300 – ntp: MITM attacker can force ntpd to make a step larger than the panic threshold
https://notcve.org/view.php?id=CVE-2015-5300
The panic_gate check in NTP before 4.2.8p5 is only re-enabled after the first change to the system clock that was greater than 128 milliseconds by default, which allows remote attackers to set NTP to an arbitrary time when started with the -g option, or to alter the time by up to 900 seconds otherwise by responding to an unspecified number of requests from trusted sources, and leveraging a resulting denial of service (abort and restart). La comprobación panic_gate en NTP anterior a versión 4.2.8p5 es solo habilitada nuevamente después del primer cambio al reloj del sistema que fue mayor que 128 milisegundos por defecto, permitiendo a los atacantes remotos fijar el NTP a un tiempo arbitrario cuando arranca con la opción -g, o alterar el tiempo hasta 900 segundos, de lo contrario por respuesta a un número no especificado de peticiones de fuentes de confianza y aprovechando una denegación de servicio resultante (anular y reiniciar). It was found that ntpd did not correctly implement the threshold limitation for the '-g' option, which is used to set the time without any restrictions. A man-in-the-middle attacker able to intercept NTP traffic between a connecting client and an NTP server could use this flaw to force that client to make multiple steps larger than the panic threshold, effectively changing the time to an arbitrary value at any time. • http://aix.software.ibm.com/aix/efixes/security/ntp_advisory5.asc http://lists.fedoraproject.org/pipermail/package-announce/2015-November/170684.html http://lists.fedoraproject.org/pipermail/package-announce/2015-November/170926.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177507.html http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00059.html http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00060.html http://lists.opensuse.org/opensuse-security-announc • CWE-20: Improper Input Validation CWE-361: 7PK - Time and State •