CVE-2018-8897 – Microsoft Windows - 'POP/MOV SS' Privilege Escalation
https://notcve.org/view.php?id=CVE-2018-8897
A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. • https://www.exploit-db.com/exploits/44697 https://www.exploit-db.com/exploits/45024 https://github.com/can1357/CVE-2018-8897 https://github.com/nmulasmajic/CVE-2018-8897 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9 http://openwall.com/lists/oss-security/2018/05/08/1 http://openwall.com/lists/oss-security/2018/05/08/4 http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190921-01-debug-en http: • CWE-250: Execution with Unnecessary Privileges CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2018-6100 – chromium-browser: URL spoof in Omnibox
https://notcve.org/view.php?id=CVE-2018-6100
Incorrect handling of confusable characters in URL Formatter in Google Chrome on macOS prior to 66.0.3359.117 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. Aplicación insuficiente de caracteres confundibles en URL Formatter en Google Chrome, en versiones anteriores a la 66.0.3359.117 para macOS, permitía que un atacante remoto suplantase dominios mediante homogramas IDN mediante un nombre de dominio manipulado. • http://www.securityfocus.com/bid/103917 https://access.redhat.com/errata/RHSA-2018:1195 https://chromereleases.googleblog.com/2018/04/stable-channel-update-for-desktop.html https://crbug.com/811117 https://security.gentoo.org/glsa/201804-22 https://www.debian.org/security/2018/dsa-4182 https://access.redhat.com/security/cve/CVE-2018-6100 https://bugzilla.redhat.com/show_bug.cgi?id=1568778 • CWE-19: Data Processing Errors •
CVE-2017-11305 – flash-plugin: unintended reset of global settings preference file vulnerability (APSB17-42)
https://notcve.org/view.php?id=CVE-2017-11305
A regression affecting Adobe Flash Player version 27.0.0.187 (and earlier versions) causes the unintended reset of the global settings preference file when a user clears browser data. Una regresión que afecta a Adobe Flash Player en su versión 27.0.0.187 (y anteriores) provoca el restablecimiento accidental del archivo de preferencias de configuraciones globales cuando un usuario borra los datos del navegador. • http://www.securityfocus.com/bid/102139 http://www.securitytracker.com/id/1039986 https://access.redhat.com/errata/RHSA-2018:0081 https://helpx.adobe.com/security/products/flash-player/apsb17-42.html https://access.redhat.com/security/cve/CVE-2017-11305 https://bugzilla.redhat.com/show_bug.cgi?id=1525508 •
CVE-2017-11292 – Adobe Flash Player Type Confusion Vulnerability
https://notcve.org/view.php?id=CVE-2017-11292
Adobe Flash Player version 27.0.0.159 and earlier has a flawed bytecode verification procedure, which allows for an untrusted value to be used in the calculation of an array index. This can lead to type confusion, and successful exploitation could lead to arbitrary code execution. Adobe Flash Player en sus versiones 27.0.0.159 y anteriores tiene un procedimiento de verificación de código de bytes con errores, lo que permite que un valor que no es de confianza se emplee en el cálculo de un índice de arrays. Esto puede llevar a una confusión de tipos, y la explotación con éxito podría desembocar en la ejecución de código arbitrario. Adobe Flash Player contains a type confusion vulnerability which can allow for remote code execution. • http://www.securityfocus.com/bid/101286 http://www.securitytracker.com/id/1039582 https://access.redhat.com/errata/RHSA-2017:2899 https://helpx.adobe.com/security/products/flash-player/apsb17-32.html https://security.gentoo.org/glsa/201710-22 https://access.redhat.com/security/cve/CVE-2017-11292 https://bugzilla.redhat.com/show_bug.cgi?id=1502726 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVE-2017-9788 – httpd: Uninitialized memory reflection in mod_auth_digest
https://notcve.org/view.php?id=CVE-2017-9788
In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault in other cases resulting in denial of service. En Apache httpd, en versiones anteriores a la 2.2.34 y en versiones 2.4.x anteriores a la 2.4.27, el valor placeholder en cabeceras [Proxy-]Authorization del tipo 'Digest' no se inicializó o reinició antes de o entre las asignaciones sucesivas key=value por mod_auth_digest. Proporcionar una clave inicial sin asignación "=" podría reflejar el valor obsoleto de la memoria agrupada no inicializada utilizada por la petición anterior. Esto podría dar lugar al filtrado de información potencialmente confidencial y, en otros casos, a un fallo de segmentación que daría como resultado una denegación de servicio (DoS) It was discovered that the httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. • http://www.debian.org/security/2017/dsa-3913 http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html http://www.securityfocus.com/bid/99569 http://www.securitytracker.com/id/1038906 https://access.redhat.com/errata/RHSA-2017:2478 https://access.redhat.com/errata/RHSA-2017:2479 https://access.redhat.com/errata/RHSA-2017:2483 https://access.redhat.com/errata/RHSA-2017:2708 https://access.redhat.com/errata/RHSA-2017:2709 https://access.redhat.com/errata/RHS • CWE-20: Improper Input Validation CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-456: Missing Initialization of a Variable •