CVE-2012-0217 – FreeBSD - Intel SYSRET Privilege Escalation
https://notcve.org/view.php?id=CVE-2012-0217
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and other products; Oracle Solaris 11 and earlier; illumos before r13724; Joyent SmartOS before 20120614T184600Z; FreeBSD before 9.0-RELEASE-p3; NetBSD 6.0 Beta and earlier; Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1; and possibly other operating systems, when running on an Intel processor, incorrectly uses the sysret path in cases where a certain address is not a canonical address, which allows local users to gain privileges via a crafted application. NOTE: because this issue is due to incorrect use of the Intel specification, it should have been split into separate identifiers; however, there was some value in preserving the original mapping of the multi-codebase coordinated-disclosure effort to a single identifier. El modo de usuario Scheduler en el núcleo en Microsoft Windows Server v2008 R2 y R2 SP1 y Windows v7 Gold y SP1 sobre la plataforma x64 no maneja adecuadamente solicitudes del sistema, lo que permite a usuarios locales obtener privilegios a través de una aplicación modificada, también conocida como "vulnerabilidad de corrupción de memoria de modo de usuario Scheduler". It was found that the Xen hypervisor implementation as shipped with Red Hat Enterprise Linux 5 did not properly restrict the syscall return addresses in the sysret return path to canonical addresses. An unprivileged user in a 64-bit para-virtualized guest, that is running on a 64-bit host that has an Intel CPU, could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level. • https://www.exploit-db.com/exploits/46508 https://www.exploit-db.com/exploits/28718 https://www.exploit-db.com/exploits/20861 http://blog.illumos.org/2012/06/14/illumos-vulnerability-patched http://blog.xen.org/index.php/2012/06/13/the-intel-sysret-privilege-escalation http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2012-003.txt.asc http://lists.xen.org/archives/html/xen-announce/2012-06/msg00001.html http://lists.xen.org/archives/html/xen-devel/2012-06 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2011-1547 – IPComp - encapsulation Kernel Memory Corruption
https://notcve.org/view.php?id=CVE-2011-1547
Multiple stack consumption vulnerabilities in the kernel in NetBSD 4.0, 5.0 before 5.0.3, and 5.1 before 5.1.1, when IPsec is enabled, allow remote attackers to cause a denial of service (memory corruption and panic) or possibly have unspecified other impact via a crafted (1) IPv4 or (2) IPv6 packet with nested IPComp headers. Multiples vulnerabilidades de consumos de pila en el Kernel de NetBSD v4.0, v5.0 con anterioridad a v5.0.3 y v5.1 con anterioridad a v5.1.1, IPsec cuando está activada, permite a atacantes remotos provocar una denegación de servicio ( corrupción de memoria y kernel panic ) o posiblemente tener un impacto no especificado a través de paquetes manipulados en ( 1 )IPv4 o ( 2 )IPv6 con cabeceras anidadas IPComp. • https://www.exploit-db.com/exploits/17097 http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2011-004.txt.asc http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080031.html http://www.kb.cert.org/vuls/id/668220 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2010-2530
https://notcve.org/view.php?id=CVE-2010-2530
Multiple integer signedness errors in smb_subr.c in the netsmb module in the kernel in NetBSD 5.0.2 and earlier, FreeBSD, and Apple Mac OS X allow local users to cause a denial of service (panic) via a negative size value in a /dev/nsmb ioctl operation, as demonstrated by a (1) SMBIOC_LOOKUP or (2) SMBIOC_OPENSESSION ioctl call. Múltiples errores de signo entero en smb_subr.c en el módulo netsmb en el kernel de NetBSD v5.0.2 y versiones anteriores, FreeBSD y Mac OS X permite a usuarios locales causar una denegación de servicio (pánico) a través de un valor negativo en una operación ioctl /dev/nsmb, como se demuestra por una llamada ioctl a (1) SMBIOC_LOOKUP o (2) SMBIOC_OPENSESSION. • http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netsmb/smb_subr.c.diff?r1=1.34&r2=1.35&only_with_tag=MAIN&f=h http://www.openwall.com/lists/oss-security/2010/07/12/6 http://www.openwall.com/lists/oss-security/2010/07/16/2 http://www.securityfocus.com/bid/41557 • CWE-189: Numeric Errors •
CVE-2010-0561
https://notcve.org/view.php?id=CVE-2010-0561
Integer signedness error in NetBSD 4.0, 5.0, and NetBSD-current before 2010-01-21 allows local users to cause a denial of service (kernel panic) via a negative mixer index number being passed to (1) the azalia_query_devinfo function in the azalia audio driver (src/sys/dev/pci/azalia.c) or (2) the hdaudio_afg_query_devinfo function in the hdaudio audio driver (src/sys/dev/pci/hdaudio/hdaudio_afg.c). Error de presencia de signo entero en NetBSD v4.0, v5.0, y NetBSD-current anterior a 2010-01-21, permite a usuarios locales provocar una denegación de servicio (kernel panic) a través de una mezcla negativa de números indexados que son pasados a (1) la función azalia_query_devinfo en el controlador de audio azalia (src/sys/dev/pci/azalia.c) o (2) la función hdaudio_afg_query_devinfo en el controlador de audio (src/sys/dev/pci/hdaudio/hdaudio_afg.c). • http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2010-003.txt.asc http://osvdb.org/62081 http://osvdb.org/62082 http://secunia.com/advisories/38284 http://www.securityfocus.com/bid/38057 http://www.securitytracker.com/id?1023539 • CWE-189: Numeric Errors •
CVE-2009-2793 – NetBSD 5.0.1 - 'IRET' General Protection Fault Handling Privilege Escalation
https://notcve.org/view.php?id=CVE-2009-2793
The kernel in NetBSD, probably 5.0.1 and earlier, on x86 platforms does not properly handle a pre-commit failure of the iret instruction, which might allow local users to gain privileges via vectors related to a tempEIP pseudocode variable that is outside of the code-segment limits. El kernel en NetBSD, posiblemente 5.0.1 y anteriores, en plataformas x86 no gestiona adecuadamente el fallo de preasignación de la instrucción "iret", lo que permitiría a usuarios locales conseguir privilegios a través de vectores relacionados con la variable de pseudocódigo tempEIP que esta fuera de los limites de segmento de código. • https://www.exploit-db.com/exploits/33229 http://www.securityfocus.com/archive/1/506531/100/0/threaded • CWE-264: Permissions, Privileges, and Access Controls •