CVE-2018-1125
Published 2018-05-23
CVE-2018-1125: procps-ng before version 3.3.15 is vulnerable to a stack buffer overflow in pgrep. This vulnerability is mitigated by FORTIFY, as it involves strncat() to a…
Priority: P346, severity high, CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 2.20% (80.3rd percentile)
procps-ng before version 3.3.15 is vulnerable to a stack buffer overflow in pgrep. This vulnerability is mitigated by FORTIFY, as it involves strncat() to a stack-allocated string. When pgrep is compiled with FORTIFY (as on Red Hat Enterprise Linux and Fedora), the impact is limited to a crash.
Affected
34 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | procps | < procps 2:3.3.15-1 (bookworm) | procps 2:3.3.15-1 (bookworm) |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_10_version_1703 | — | — |
| msrc | windows_10_version_1709 | — | — |
| msrc | windows_10_version_1803 | — | — |
| msrc | windows_10_version_1809 | — | — |
| msrc | windows_10_version_1903 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_server_2019 | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v3.0 | 4.4 | MEDIUM | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 7.3 | HIGH | — |
| vendor_msrc | — | 5.6 | MEDIUM | — |
Red Hat
kernel: hw: Spectre SWAPGS gadget vulnerability
vendor_redhat·2019-08-06·CVSS 5.6
CVE-2019-1125 [MEDIUM] CWE-385 kernel: hw: Spectre SWAPGS gadget vulnerability
An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries.
To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to elevate user rights directly, but it could be used to obtain information that could be used to try to compromise the affected system further.
On January 3, 2018, Microsoft released an advisory and security updates related to a newly-discovered class of hardware vulnerabilities (known as Spectre) involving speculative execution side channels tha
Ubuntu
procps-ng vulnerabilities
vendor_ubuntu·2018-08-16·CVSS 7.3
CVE-2018-1122 [HIGH] procps-ng vulnerabilities
Title: procps-ng vulnerabilities
Summary: Several security issues were fixed in procps-ng.
USN-3658-1 fixed a vulnerability in procps-ng. This update provides
the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
It was discovered that the procps-ng top utility incorrectly read its
configuration file from the current working directory. A local attacker
could possibly use this issue to escalate privileges. (CVE-2018-1122)
It was discovered that the procps-ng ps tool incorrectly handled memory. A
local user could possibly use this issue to cause a denial of service.
(CVE-2018-1123)
It was discovered that the procps-ng pgrep utility incorrectly handled
memory. A local attacker could possibly use this issue to cause a denial
of service. (CVE-2018-1125)
Instructions:
Ubuntu
procps-ng vulnerabilities
vendor_ubuntu·2018-05-23·CVSS 7.3
CVE-2018-1122 [HIGH] procps-ng vulnerabilities
Title: procps-ng vulnerabilities
Summary: Several security issues were fixed in procps-ng.
It was discovered that the procps-ng top utility incorrectly read its
configuration file from the current working directory. A local attacker
could possibly use this issue to escalate privileges. (CVE-2018-1122)
It was discovered that the procps-ng ps tool incorrectly handled memory. A
local user could possibly use this issue to cause a denial of service.
(CVE-2018-1123)
It was discovered that libprocps incorrectly handled the file2strvec()
function. A local attacker could possibly use this to execute arbitrary
code. (CVE-2018-1124)
It was discovered that the procps-ng pgrep utility incorrectly handled
memory. A local attacker could possibly use this issue to cause a denial
of service. (CVE-201
Red Hat
procps: stack buffer overflow in pgrep
vendor_redhat·2018-05-17·CVSS 7.5
CVE-2018-1125 [HIGH] CWE-121 procps: stack buffer overflow in pgrep
procps-ng before version 3.3.15 is vulnerable to a stack buffer overflow in pgrep. This vulnerability is mitigated by FORTIFY, as it involves strncat() to a stack-allocated string. When pgrep is compiled with FORTIFY (as on Red Hat Enterprise Linux and Fedora), the impact is limited to a crash.
If a process inspected by pgrep has an argument longer than INT_MAX bytes, "int bytes" could wrap around back to a large positive int (rather than approaching zero), leading to a stack buffer overflow via strncat().
Mitigation: The procps suite on Red Hat Enterprise Linux is built with FORTIFY, which limits the impact of this stack overflow (and others like it) to a crash.
Package: procps (Red Hat Enterprise Linux 5) - Will not fix
Package: procps (Red Hat
Debian
CVE-2018-1125: procps - procps-ng before version 3.3.15 is vulnerable to a stack buffer overflow in pgre...
vendor_debian·2018·CVSS 7.5
CVE-2018-1125 [HIGH] CVE-2018-1125: procps - procps-ng before version 3.3.15 is vulnerable to a stack buffer overflow in pgre...
procps-ng before version 3.3.15 is vulnerable to a stack buffer overflow in pgrep. This vulnerability is mitigated by FORTIFY, as it involves strncat() to a stack-allocated string. When pgrep is compiled with FORTIFY (as on Red Hat Enterprise Linux and Fedora), the impact is limited to a crash.
Scope: local
bookworm: resolved (fixed in 2:3.3.15-1)
bullseye: resolved (fixed in 2:3.3.15-1)
forky: resolved (fixed in 2:3.3.15-1)
sid: resolved (fixed in 2:3.3.15-1)
trixie: resolved (fixed in 2:3.3.15-1)
GHSA
GHSA-jpw5-97m6-c8m2: procps-ng before version 3
ghsa_unreviewed·2022-05-13
CVE-2018-1125 [HIGH] CWE-121 GHSA-jpw5-97m6-c8m2: procps-ng before version 3
procps-ng before version 3.3.15 is vulnerable to a stack buffer overflow in pgrep. This vulnerability is mitigated by FORTIFY, as it involves strncat() to a stack-allocated string. When pgrep is compiled with FORTIFY (as on Red Hat Enterprise Linux and Fedora), the impact is limited to a crash.
OSV
procps vulnerabilities
osv·2018-05-23·CVSS 7.0
CVE-2018-1122 [HIGH] procps vulnerabilities
It was discovered that the procps-ng top utility incorrectly read its
configuration file from the current working directory. A local attacker
could possibly use this issue to escalate privileges. (CVE-2018-1122)
It was discovered that the procps-ng ps tool incorrectly handled memory. A
local user could possibly use this issue to cause a denial of service.
(CVE-2018-1123)
It was discovered that libprocps incorrectly handled the file2strvec()
function. A local attacker could possibly use this to execute arbitrary
code. (CVE-2018-1124)
It was discovered that the procps-ng pgrep utility incorrectly handled
memory. A local attacker could possibly use this issue to cause a denial
of service. (CVE-2018-1125)
It was discovered that procps-ng incorrectly handled memory.
OSV
CVE-2018-1125: procps-ng before version 3
osv·2018-05-23·CVSS 7.5
CVE-2018-1125 [HIGH] CVE-2018-1125: procps-ng before version 3
procps-ng before version 3.3.15 is vulnerable to a stack buffer overflow in pgrep. This vulnerability is mitigated by FORTIFY, as it involves strncat() to a stack-allocated string. When pgrep is compiled with FORTIFY (as on Red Hat Enterprise Linux and Fedora), the impact is limited to a crash.
No detection rules found.
Exploit-DB
Procps-ng - Multiple Vulnerabilities
exploitdb·2018-05-30·CVSS 2.8
CVE-2018-1124 [LOW] Procps-ng - Multiple Vulnerabilities
---
Qualys Security Advisory
Procps-ng Audit Report
Contents
Summary
1. FUSE-backed /proc/PID/cmdline
2. Unprivileged process hiding
3. Local Privilege Escalation in top (Low Impact)
4. Denial of Service in ps
5. Local Privilege Escalation in libprocps (High Impact)
5.1. Vulnerability
5.2. Exploitation
5.3. Exploitation details
5.4. Non-PIE exploitation
5.5. PIE exploitation
Acknowledgments
Patches.tar.gz.b64
Summary
We performed a complete audit of procps-ng, the "command line and full
screen utilities for browsing procfs, a 'pseudo' file system dynamically
generated by the [Linux] kernel to provide information about the status
of entries in its process table" (https://gitlab.com/procps-ng/procps).
procps-ng contains the utilities free, kill,
Exploit-DB
MyBB ChangUonDyU Plugin 1.0.2 - Cross-Site Scripting
exploitdb·2018-05-29·CVSS 6.1
CVE-2018-11532 [MEDIUM] MyBB ChangUonDyU Plugin 1.0.2 - Cross-Site Scripting
---
# Exploit Title: MyBB ChangUonDyU Advanced Statistics Plugin v1.0.2 - Cross-Site Scripting
# Date: 5/25/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1125
# Version: 1.0.2
# Tested on: Ubuntu 18.04
# CVE: CVE-2018-11532
1. Description:
This plugin displays advanced statistics on the index page such as latest posts with auto refresh using AJAX.
2. Proof of Concept:
Create a new thread with the following payload as the title
The alert will appear on the index page
3. Solution:
Update to the latest release
Bugzilla
CVE-2018-1125 procps-ng: procps-ng, procps: stack buffer overflow in pgrep [fedora-28]
bugzilla·2018-05-18·CVSS 7.5
CVE-2018-1125 [HIGH] CVE-2018-1125 procps-ng: procps-ng, procps: stack buffer overflow in pgrep [fedora-28]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported
Bugzilla
CVE-2018-1125 procps-ng, procps: stack buffer overflow in pgrep
bugzilla·2018-05-08·CVSS 7.5
CVE-2018-1125 [HIGH] CVE-2018-1125 procps-ng, procps: stack buffer overflow in pgrep
If an argument longer than INT_MAX bytes is given to pgrep, "int bytes" could wrap around back to a large positive int (rather than approaching zero), leading to a stack buffer overflow.
This vulnerability is mitigated by FORTIFY, as it involves strncat() to a stack-allocated string. When pgrep is compiled with FORTIFY (as on Red Hat Enterprise Linux and Fedora), the impact is limited to a crash.
Discussion:
The bug description appears to be incorrect. This is not about an argument being given to pgrep. This is about an argument given to a process that is under examination by pgrep.
Due to the use of an int in the allocator, the string length can never be large enough to cause the integer to wrap back to being positive.
S
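The Red Hat and Bugzilla descriptions above both name the same bug class: free space in a fixed-size stack buffer tracked in an `int`, decremented by an attacker-influenced length, then trusted as the bound for strncat(). The following is an added example, not code from procps-ng or from any of the advisories on this page; `join_cmdline`, `check_join`, `CMD_BUF_SIZE` and the sample argument lists are hypothetical names and constructed inputs. It shows the hardened shape of that routine: the remaining-space counter lives in a `size_t`, each piece is compared against the budget before anything is copied, and the function truncates rather than overruns. A canary region placed directly after the buffer lets the caller confirm no byte beyond the buffer was written.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not procps-ng code. Models the bug class named in the
 * CVE-2018-1125 descriptions: pieces of a process's argument list were
 * concatenated into a fixed-size stack buffer with strncat() while the
 * free-space counter was kept in an int; an argument longer than INT_MAX
 * bytes could wrap that counter to a large positive value, so the check
 * passed and the copy overran the buffer. The join below keeps the counter
 * in size_t, checks remaining space BEFORE every copy, and truncates
 * instead of trusting a derived count. */

#define CMD_BUF_SIZE 32   /* small on purpose so the checks are exercised */

enum join_status { JOIN_OK = 0, JOIN_TRUNCATED = 1 };

/* Join args with single spaces into out[cap]. out is always NUL-terminated
 * and no byte beyond out[cap-1] is ever written, whatever the input sizes. */
enum join_status join_cmdline(char *out, size_t cap,
                              const char *const *args, size_t nargs)
{
    size_t used = 0;
    if (cap == 0)
        return JOIN_TRUNCATED;
    out[0] = '\0';
    for (size_t i = 0; i < nargs; i++) {
        size_t len = strlen(args[i]);
        size_t sep = (i > 0) ? 1 : 0;        /* one space between pieces */
        size_t remaining = cap - 1 - used;   /* bytes free, NUL excluded */

        /* Compare against the budget first; nothing is subtracted from the
         * counter until the length has been checked, so it cannot go
         * negative or wrap. */
        if (sep + len > remaining) {
            if (sep && remaining > 0) {
                out[used++] = ' ';
                remaining--;
            }
            memcpy(out + used, args[i], remaining);   /* partial copy only */
            used += remaining;
            out[used] = '\0';
            return JOIN_TRUNCATED;
        }
        if (sep)
            out[used++] = ' ';
        memcpy(out + used, args[i], len);
        used += len;
        out[used] = '\0';
    }
    return JOIN_OK;
}

/* Result of one checked join: status, output length, and whether the
 * 8-byte canary placed right after the buffer survived (1 = no overrun). */
struct join_result {
    enum join_status status;
    size_t len;
    int canary_ok;
};

struct join_result check_join(const char *const *args, size_t nargs)
{
    /* Buffer and canary share one array so they are adjacent on the stack. */
    char region[CMD_BUF_SIZE + 8];
    struct join_result r;
    memset(region + CMD_BUF_SIZE, 0xAA, 8);
    r.status = join_cmdline(region, CMD_BUF_SIZE, args, nargs);
    r.len = strlen(region);
    r.canary_ok = 1;
    for (size_t i = 0; i < 8; i++)
        if ((unsigned char)region[CMD_BUF_SIZE + i] != 0xAA)
            r.canary_ok = 0;
    return r;
}

int main(void)
{
    /* Constructed sample inputs: an ordinary argv and one with an
     * argument far larger than the destination buffer. */
    const char *normal[] = { "sshd:", "user", "[priv]" };
    char huge[4096];
    memset(huge, 'A', sizeof huge - 1);
    huge[sizeof huge - 1] = '\0';
    const char *oversized[] = { "proc", huge, "tail" };

    struct join_result r = check_join(normal, 3);
    printf("normal:    status=%d len=%zu canary_ok=%d\n", r.status, r.len, r.canary_ok);
    r = check_join(oversized, 3);
    printf("oversized: status=%d len=%zu canary_ok=%d\n", r.status, r.len, r.canary_ok);
    return 0;
}
```

Build it with something like `cc -std=c11 -Wall -O2 -D_FORTIFY_SOURCE=2 join.c` to see the two layers side by side: FORTIFY (which needs optimisation enabled to do anything) would turn an actual strncat() overrun into an abort, which is the "limited to a crash" outcome the advisory describes, while the explicit pre-copy comparison is what prevents the overrun in the first place. The oversized case returns `JOIN_TRUNCATED` with the output filled to exactly `CMD_BUF_SIZE - 1` characters and the canary untouched.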
References
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00058.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00059.html
- http://seclists.org/oss-sec/2018/q2/122
- http://www.securityfocus.com/bid/104214
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1125
- https://lists.debian.org/debian-lts-announce/2018/05/msg00021.html
- https://usn.ubuntu.com/3658-1/
- https://usn.ubuntu.com/3658-3/
- https://www.debian.org/security/2018/dsa-4208
- https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt