CVE-2010-3081 – Linux Kernel 2.6.27 < 2.6.36 (RedHat x86-64) - 'compat' Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2010-3081
The compat_alloc_user_space functions in include/asm/compat.h files in the Linux kernel before 2.6.36-rc4-git2 on 64-bit platforms do not properly allocate the userspace memory required for the 32-bit compatibility layer, which allows local users to gain privileges by leveraging the ability of the compat_mc_getsockopt function (aka the MCAST_MSFILTER getsockopt support) to control a certain length value, related to a "stack pointer underflow" issue, as exploited in the wild in September 2010. Las funciones compat_alloc_user_space en los ficheros include/asm/compat.h del kernel de Linux en versiones anteriores a la v2.6.36-rc4-git2 en plataformas de 64-bit no reservan adecuadamente la memoria del espacio de usuario requerida para la capa de compatibilidad de 32-bit, lo que permite a usuarios locales escalar privilegios basándose en la capacidad de la función compat_mc_getsockopt (también conocido como soporte MCAST_MSFILTER getsockopt) para controlar un valor de longitud determinado, relacionado con un "stack pointer underflow", como se ha demostrado en septiembre del 2010. • https://www.exploit-db.com/exploits/15024 http://archives.neohapsis.com/archives/fulldisclosure/2010-09/0273.html http://archives.neohapsis.com/archives/fulldisclosure/2010-09/0278.html http://blog.ksplice.com/2010/09/cve-2010-3081 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=c41d68a513c71e35a14f66d71782d27a79a81ea6 http://isc.sans.edu/diary.html?storyid=9574 http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html http://lists.opensuse. • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2010-3301 – Linux Kernel < 2.6.36-rc4-git2 (x86-64) - 'ia32syscall' Emulation Privilege Escalation
https://notcve.org/view.php?id=CVE-2010-3301
The IA32 system call emulation functionality in arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.36-rc4-git2 on the x86_64 platform does not zero extend the %eax register after the 32-bit entry path to ptrace is used, which allows local users to gain privileges by triggering an out-of-bounds access to the system call table using the %rax register. NOTE: this vulnerability exists because of a CVE-2007-4573 regression. La llamada del sistema IA32 para la emulación de binarios de 32 bits en arch/x86/ia32/ia32entry.S en el kernel Linux anterior a v2.6.36-rc4-git2 en la plataforma x86_64 no vuelve a cero el registro% eax después de la ruta de entrada de 32-bits cuando ptrace es utilizado, lo cual permite a usuarios locales conseguir privilegios mediante un acceso out-of-bounds a la tabla de llamadas al sistema usando el registro rax%. NOTA: esta vulnerabilidad ya existía en CVE-2007-4573 • https://www.exploit-db.com/exploits/15023 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=36d001c70d8a0144ac1d038f6876c484849a74de http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=eefdca043e8391dcd719711716492063030b55ac http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html http://secunia.com/advisories/42758 http://sota.gen.nz/compat2 http: • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-269: Improper Privilege Management •
CVE-2010-2955 – kernel: wireless: fix 64K kernel heap content leak via ioctl
https://notcve.org/view.php?id=CVE-2010-2955
The cfg80211_wext_giwessid function in net/wireless/wext-compat.c in the Linux kernel before 2.6.36-rc3-next-20100831 does not properly initialize certain structure members, which allows local users to leverage an off-by-one error in the ioctl_standard_iw_point function in net/wireless/wext-core.c, and obtain potentially sensitive information from kernel heap memory, via vectors involving an SIOCGIWESSID ioctl call that specifies a large buffer size. La función cfg80211_wext_giwessid en net/wireless/wext-compat.c en el kernel de Linux anterior a v2.6.36-rc3-next-20100831 no inicializa adecuadamente determinadas estructuras de miembros, lo que permite a usuarios locales aprovechar un error off-by-one en la función net/wireless/wext-core.c y obtener información potencialmente sensible desde la memoria dinámica (heap) del kernel, a través de vectores que involucran una llamada SIOCGIWESSID ioctl que especifica un gran tamaño de búfer. • http://forums.grsecurity.net/viewtopic.php?f=3&t=2290 http://git.kernel.org/?p=linux/kernel/git/linville/wireless-2.6.git%3Ba=commit%3Bh=42da2f948d949efd0111309f5827bf0298bcc9a4 http://grsecurity.net/~spender/wireless-infoleak-fix2.patch http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html http://lkml.org/lkml/2010/8/27/413 http://lkml.org/lkml/2010/8/30/127 http://lkml.org/lkml • CWE-193: Off-by-one Error •
CVE-2010-2960
https://notcve.org/view.php?id=CVE-2010-2960
The keyctl_session_to_parent function in security/keys/keyctl.c in the Linux kernel 2.6.35.4 and earlier expects that a certain parent session keyring exists, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a KEYCTL_SESSION_TO_PARENT argument to the keyctl function. La función keyctl_session_to_parent en security/keys/keyctl.c en el kernel de Linux v2.6.35.4 y anteriores, espera que determinados keyrings de sesión aparezcan, lo que permite a usuarios locales provocar una denegación de servicio(deferencia a puntero nulo y caída de sistema) o posiblemente tener otro impacto sin especificar a través del argumento KEYCTL_SESSION_TO_PARENT a la función keyctl. • http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00003.html http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html http://secunia.com/advisories/41263 http://securitytracker.com/id?1024384 http://twitter.com/taviso/statuses/22777866582 http://www.openwall.com/lists/oss-security/2010/09/02/1 http://www.securityfocus.com/bid/42932 http://www.ubuntu.com/usn/USN-1000-1 http://www.vupen.com/english/advisories/2011/0298 https://bugzilla.redhat.c • CWE-476: NULL Pointer Dereference •
CVE-2010-2524 – kernel: dns_resolver upcall security issue
https://notcve.org/view.php?id=CVE-2010-2524
The DNS resolution functionality in the CIFS implementation in the Linux kernel before 2.6.35, when CONFIG_CIFS_DFS_UPCALL is enabled, relies on a user's keyring for the dns_resolver upcall in the cifs.upcall userspace helper, which allows local users to spoof the results of DNS queries and perform arbitrary CIFS mounts via vectors involving an add_key call, related to a "cache stuffing" issue and MS-DFS referrals. La funcionalidad de resolución DNS en el kernel de Linux anterior a v2.6.35, cuando CONFIG_CIFS_DFS_UPCALL está activado, cuenta con el "keyring" de usuario para la "upcall" dns_resolver en el espacio de usuario cifs.upcall, lo que permite a usuarios locales secuestrar los resultados de las consultas DNS y realizar montajes (mounts) CIFS de su elección a través de vectores que involucran una llamada add_key, relacionado con un cuestión de relleno de caché (stuffing) y referencias MS-DFS. • http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=4c0c03ca54f72fdd5912516ad0a23ec5cf01bda7 http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00004.html http://marc.info/?l=oss-security&m=128072090331700&w=2 http://marc.info/?l=oss-security&m=128078387328921&w=2 http://marc.info/?l=oss-security&m=128080755321157&w=2 http://secunia.com/advisories/43315 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.35 http://www.mandr •