CVE-2014-9419 – kernel: partial ASLR bypass through TLS base addresses leak
https://notcve.org/view.php?id=CVE-2014-9419
The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel through 3.18.1 does not ensure that Thread Local Storage (TLS) descriptors are loaded before proceeding with other steps, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application that reads a TLS base address. La función The __switch_to en arch/x86/kernel/process_64.c en el Kernel de Linux a través de 3.18.1 no asegura que los descriptores Thread Local Storage (TLS) se carguen antes de proceder con otros pasos, lo que que sea más fácil para los usuarios locales evadir el mecanismo de protección ASLR a través de una aplicación modificada que lee una dirección base TLS An information leak flaw was found in the way the Linux kernel changed certain segment registers and thread-local storage (TLS) during a context switch. A local, unprivileged user could use this flaw to leak the user space TLS base address of an arbitrary process. • http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=f647d7c155f069c1a068030255c300663516420e http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147864.html http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147973.html http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00020.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00009.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00015.html http:/ • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2014-4322 – Nexus 5 Android 5.0 - Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2014-4322
drivers/misc/qseecom.c in the QSEECOM driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain offset, length, and base values within an ioctl call, which allows attackers to gain privileges or cause a denial of service (memory corruption) via a crafted application. drivers/misc/qseecom.c en el driver QSEECOM del Kernel de Linux 3.x utilizada en las contribuciones de Android Qualcomm Innovation Center (QuIC) para los dispositivos MSM y otros productos, no valida el desplazamiento, longitud, y valores base dentro de la llamada ioctl , lo cual permite a atacantes obtener privilegios o causar una denegación de servicio (corrupción de memoria) a través de una aplicación modificada. • https://www.exploit-db.com/exploits/35711 https://github.com/koozxcv/CVE-2014-4322 https://www.codeaurora.org/projects/security-advisories/memory-corruption-qseecom-driver-cve-2014-4322 • CWE-787: Out-of-bounds Write •
CVE-2014-8133 – kernel: x86: espfix(64) bypass via set_thread_area and CLONE_SETTLS
https://notcve.org/view.php?id=CVE-2014-8133
arch/x86/kernel/tls.c in the Thread Local Storage (TLS) implementation in the Linux kernel through 3.18.1 allows local users to bypass the espfix protection mechanism, and consequently makes it easier for local users to bypass the ASLR protection mechanism, via a crafted application that makes a set_thread_area system call and later reads a 16-bit value. arch/x86/kernel/tls.c en la implementación Thread Local Storage (TLS) en el kernel de Linux hasta 3.18.1 permite a usuarios locales evadir el mecanismo de protección espfix, y como consecuencia facilita a usuarios locales evadir el mecanismo de protección ASLR, a través de una aplicación manipulada que hace una llamada del sistema set_thread_area y posteriormente lee un valor de 16 bits. It was found that the espfix functionality could be bypassed by installing a 16-bit RW data segment into GDT instead of LDT (which espfix checks), and using that segment on the stack. A local, unprivileged user could potentially use this flaw to leak kernel stack addresses. • http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=41bdc78544b8a93a9c6814b8bbbfef966272abbe http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00025.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00015.html http://rhn.redhat.com/errata/RHSA-2015-1272.html http://secunia.com/advisories/62801 http://www.debian.org/security/2015/dsa-3128 http://www.mandriva.com/security/advisories?name=MDVSA-2015:058 http://www.openwall.com/lists& • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2014-9322 – Linux Kernel - 'BadIRET' Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2014-9322
arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space. arch/x86/kernel/entry_64.S en el kernel de Linux anterior a 3.17.5 no maneja correctamente los fallos asociados con el registro de segmento Stack Segment (SS), lo que permite a usuarios locales ganar privilegios mediante la provocación de una instrucción IRET que lleva al acceso a una dirección de GS Base del espacio equivocado. A flaw was found in the way the Linux kernel handled GS segment register base switching when recovering from a #SS (stack segment) fault on an erroneous return to user space. A local, unprivileged user could use this flaw to escalate their privileges on the system. • https://www.exploit-db.com/exploits/44205 https://www.exploit-db.com/exploits/36266 https://github.com/RKX1209/CVE-2014-9322 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=6f442be2fb22be02cafa606f1769fa1e6f894441 http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00025.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00015.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00020.html http://marc.info/?l= • CWE-269: Improper Privilege Management CWE-841: Improper Enforcement of Behavioral Workflow •
CVE-2014-8134 – kernel: x86: espfix not working for 32-bit KVM paravirt guests
https://notcve.org/view.php?id=CVE-2014-8134
The paravirt_ops_setup function in arch/x86/kernel/kvm.c in the Linux kernel through 3.18 uses an improper paravirt_enabled setting for KVM guest kernels, which makes it easier for guest OS users to bypass the ASLR protection mechanism via a crafted application that reads a 16-bit value. La función paravirt_ops_setup en arch/x86/kernel/kvm.c en el kernel de Linux hasta 3.18 utiliza una configuración paravirt_enabled indebida para los kernels KVM invitados, lo que facilita a usuarios invitados del sistema operativo evadir el mecanismo de protección ASLR a través de una aplicación manipulada que lee un valor de 16 bits. It was found that the espfix functionality does not work for 32-bit KVM paravirtualized guests. A local, unprivileged guest user could potentially use this flaw to leak kernel stack addresses. • http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00025.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00009.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00015.html http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8134.html http://rhn.redhat.com/errata/RHSA-2016-0855.html http://secunia.com/advisories/62336 http://www.oracle.com/technetwork/t •