CVE-2010-1938 – FreeBSD 8.0 - 'ftpd' (FreeBSD-SA-10:05) Off-By-One (PoC)
https://notcve.org/view.php?id=CVE-2010-1938
Off-by-one error in the __opiereadrec function in readrec.c in libopie in OPIE 2.4.1-test1 and earlier, as used on FreeBSD 6.4 through 8.1-PRERELEASE and other platforms, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a long username, as demonstrated by a long USER command to the FreeBSD 8.0 ftpd. Error Off-by-oneen en la función __opiereadrec en readrec.c en libopie en OPIE v2.4.1-test1 y anteriores, utilizada en FreeBSD v6.4 hasta v8.1-PRERELEASE y otras plataformas, permite a atacantes remotos provocar una denegación de servicio (caída del demonio) o posiblemente ejecutar código de su elección a través de un nombre de usuraio largo, como se ha demostrado mediante un comando USER largo en el ftpd FreeBSD v8.0. • https://www.exploit-db.com/exploits/12762 http://blog.pi3.com.pl/?p=111 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584932 http://secunia.com/advisories/39963 http://secunia.com/advisories/39966 http://secunia.com/advisories/45136 http://security.FreeBSD.org/advisories/FreeBSD-SA-10:05.opie.asc http://securityreason.com/achievement_securityalert/87 http://securityreason.com/securityalert/7450 http://securitytracker.com/id?1024040 http://securitytracker.com/id?1025709 http • CWE-189: Numeric Errors •
CVE-2010-0119
https://notcve.org/view.php?id=CVE-2010-0119
Bournal before 1.4.1 on FreeBSD 8.0, when the -K option is used, places a ccrypt key on the command line, which allows local users to obtain sensitive information by listing the process and its arguments, related to "echoing." Bournal anterior a v1.4.1 sobre FreeBSD v8.0, cuando se usa la opción -K, coloca una clave ccrypt en la línea de comandos que permite a usuarios locales obtener información sensible listando el proceso y sus argumentos. Relacionado con "echoing". • http://lists.fedoraproject.org/pipermail/package-announce/2010-March/036697.html http://lists.fedoraproject.org/pipermail/package-announce/2010-March/036701.html http://lists.fedoraproject.org/pipermail/package-announce/2010-March/036764.html http://secunia.com/advisories/38723 http://secunia.com/advisories/38814 http://secunia.com/secunia_research/2010-7 http://www.securityfocus.com/archive/1/509688/100/0/threaded http://www.securityfocus.com/bid/38352 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2010-0318
https://notcve.org/view.php?id=CVE-2010-0318
The replay functionality for ZFS Intent Log (ZIL) in FreeBSD 7.1, 7.2, and 8.0, when creating files during replay of a setattr transaction, uses 7777 permissions instead of the original permissions, which might allow local users to read or modify unauthorized files in opportunistic circumstances after a system crash or power failure. La funcionalidad replay para ZFS Intent Log (ZIL) en FreeBSD versiones 7.1, 7.2 y 8.0, al crear archivos durante la reproducción de una transacción setattr, utiliza 7777 permisos en lugar de los permisos originales, lo que podría permitir a los usuarios locales leer o modificar archivos no autorizados en circunstancias oportunistas luego de un fallo del sistema o fallo eléctrico. • http://secunia.com/advisories/38124 http://security.FreeBSD.org/advisories/FreeBSD-SA-10:03.zfs.asc http://www.securityfocus.com/bid/37657 http://www.securitytracker.com/id?1023407 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2009-4358
https://notcve.org/view.php?id=CVE-2009-4358
freebsd-update in FreeBSD 8.0, 7.2, 7.1, 6.4, and 6.3 uses insecure permissions in its working directory (/var/db/freebsd-update by default), which allows local users to read copies of sensitive files after a (1) freebsd-update fetch (fetch) or (2) freebsd-update upgrade (upgrade) operation. FreeBSD-update en FreeBSD v8.0, v7.2, v7.1, v6.4, y v6.3 utiliza permisos inseguros en su directorio de trabajo (/var/db/Freebsd-update por defecto), lo que permite leer las copias de archivos confidenciales a usuarios locales después de una operacion de actualización (1) freebsd-update (fetch) o (2) freebsd-update (upgrade). • http://secunia.com/advisories/37575 http://security.freebsd.org/advisories/FreeBSD-SA-09:17.freebsd-update.asc http://www.securityfocus.com/bid/37190 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2009-4147 – FreeBSD 8.0 Run-Time Link-Editor (RTLD) - Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2009-4147
The _rtld function in the Run-Time Link-Editor (rtld) in libexec/rtld-elf/rtld.c in FreeBSD 7.1 and 8.0 does not clear the (1) LD_LIBMAP, (2) LD_LIBRARY_PATH, (3) LD_LIBMAP_DISABLE, (4) LD_DEBUG, and (5) LD_ELF_HINTS_PATH environment variables, which allows local users to gain privileges by executing a setuid or setguid program with a modified variable containing an untrusted search path that points to a Trojan horse library, different vectors than CVE-2009-4146. La función _rtld en Run-Time Link-Editor (rtld) en libexec/rtld-elf/rtld.c en FreeBSD v7.1 y v8.0 no limpia las variables de entorno de (1) LD_LIBMAP, (2) LD_LIBRARY_PATH, (3) LD_LIBMAP_DISABLE, (4) LD_DEBUG, and (5) LD_ELF_HINTS_PATH lo que permite a usuarios locales conseguir privilegios mediante la ejecución de un programa setuid o setguid con una variable modificada que contiene una ruta de búsqueda sin confianza que apunta a una libreria de un troyano con vectores diferentes que CVE-2009-4146. • https://www.exploit-db.com/exploits/10255 http://packetstormsecurity.com/files/152997/FreeBSD-rtld-execl-Privilege-Escalation.html http://people.freebsd.org/~cperciva/rtld.patch http://secunia.com/advisories/37517 http://www.securityfocus.com/archive/1/508142/100/0/threaded http://www.securityfocus.com/archive/1/508146/100/0/threaded http://www.securityfocus.com/bid/37154 http://www.securitytracker.com/id?1023250 https://seclists.org/fulldisclosure/2009/Nov/371 https://c-skills& • CWE-264: Permissions, Privileges, and Access Controls •