Dan Rosenberg

24 exploits Active since Jan 2010
CVE-2010-3904 NOMISEC HIGH WORKING POC
Reliable Datagram Sockets (RDS) rds_page_copy_user Privilege Escalation
The rds_page_copy_user function in net/rds/page.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel before 2.6.36 does not properly validate addresses obtained from user space, which allows local users to gain privileges via crafted use of the sendmsg and recvmsg system calls.
CVSS 7.8
CVE-2010-3849 EXPLOITDB c WORKING POC
Linux Kernel < 2.6.36.2 - Denial of Service via NULL Pointer Dereference in econet_sendmsg
The econet_sendmsg function in net/econet/af_econet.c in the Linux kernel before 2.6.36.2, when an econet address is configured, allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a sendmsg call that specifies a NULL value for the remote address field.
CVE-2010-3850 EXPLOITDB c WORKING POC
Linux kernel <2.6.36.2 - Privilege Escalation
The ec_dev_ioctl function in net/econet/af_econet.c in the Linux kernel before 2.6.36.2 does not require the CAP_NET_ADMIN capability, which allows local users to bypass intended access restrictions and configure econet addresses via an SIOCSIFADDR ioctl call.
CVE-2011-0531 METASPLOIT ruby WORKING POC
VLC media player < 1.1.6.1 - Remote Code Execution via Crafted MKV File
demux/mkv/mkv.hpp in the MKV demuxer plugin in VideoLAN VLC media player 1.1.6.1 and earlier allows remote attackers to cause a denial of service (crash) and execute arbitrary commands via a crafted MKV (WebM or Matroska) file that triggers memory corruption, related to "class mismatching" and the MKV_IS_ID macro.
CVE-2011-4862 METASPLOIT ruby WORKING POC
GNU inetutils < 1.9 - Remote Code Execution via Long Encryption Key
Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.2 and earlier, Heimdal 1.5.1 and earlier, GNU inetutils, and possibly other products allows remote attackers to execute arbitrary code via a long encryption key, as exploited in the wild in December 2011.
CVE-2010-3904 METASPLOIT HIGH ruby WORKING POC
Reliable Datagram Sockets (RDS) rds_page_copy_user Privilege Escalation
The rds_page_copy_user function in net/rds/page.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel before 2.6.36 does not properly validate addresses obtained from user space, which allows local users to gain privileges via crafted use of the sendmsg and recvmsg system calls.
CVSS 7.8
CVE-2011-4862 METASPLOIT ruby WORKING POC
GNU inetutils < 1.9 - Remote Code Execution via Long Encryption Key
Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.2 and earlier, Heimdal 1.5.1 and earlier, GNU inetutils, and possibly other products allows remote attackers to execute arbitrary code via a long encryption key, as exploited in the wild in December 2011.
CVE-2011-0531 EXPLOITDB ruby WORKING POC
VLC media player < 1.1.6.1 - Remote Code Execution via Crafted MKV File
demux/mkv/mkv.hpp in the MKV demuxer plugin in VideoLAN VLC media player 1.1.6.1 and earlier allows remote attackers to cause a denial of service (crash) and execute arbitrary commands via a crafted MKV (WebM or Matroska) file that triggers memory corruption, related to "class mismatching" and the MKV_IS_ID macro.
CVE-2009-4497 EXPLOITDB text WRITEUP
LXR Cross Referencer 0.9.5 and 0.9.6 - Cross-Site Scripting via Ident Program i Parameter
Cross-site scripting (XSS) vulnerability in LXR Cross Referencer 0.9.5 and 0.9.6 allows remote attackers to inject arbitrary web script or HTML via the i parameter to the ident program.
CVE-2011-0180 EXPLOITDB c WORKING POC
Apple Mac OS X <10.6.7 - Info Disclosure
Integer overflow in HFS in Apple Mac OS X before 10.6.7 allows local users to read arbitrary (1) HFS, (2) HFS+, or (3) HFS+J files via a crafted F_READBOOTSTRAP ioctl call.
EIP-2026-103351 EXPLOITDB c WORKING POC
Linux Kernel < 2.6.34 (Ubuntu 10.10 x86) - 'CAP_SYS_ADMIN' Local Privilege Escalation (1)
CVE-2011-0020 EXPLOITDB text WRITEUP
Pango < 1.28.3 - Heap-Based Buffer Overflow via Crafted Font File
Heap-based buffer overflow in the pango_ft2_font_render_box_glyph function in pango/pangoft2-render.c in libpango in Pango 1.28.3 and earlier, when the FreeType2 backend is enabled, allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file, related to the glyph box for an FT_Bitmap object.
CVE-2011-4862 EXPLOITDB ruby WORKING POC
GNU inetutils < 1.9 - Remote Code Execution via Long Encryption Key
Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.2 and earlier, Heimdal 1.5.1 and earlier, GNU inetutils, and possibly other products allows remote attackers to execute arbitrary code via a long encryption key, as exploited in the wild in December 2011.
CVE-2010-1457 EXPLOITDB text WRITEUP
GNUstep Base <1.20.0 - Info Disclosure
Tools/gdomap.c in gdomap in GNUstep Base before 1.20.0 allows local users to read arbitrary files via a (1) -c or (2) -a option, which prints file contents in an error message.
CVE-2010-1636 EXPLOITDB c WORKING POC
Linux Kernel 2.6.29-2.6.32 - Unauthorized Sensitive Information Exposure via btrfs_ioctl_clone
The btrfs_ioctl_clone function in fs/btrfs/ioctl.c in the btrfs functionality in the Linux kernel 2.6.29 through 2.6.32, and possibly other versions, does not ensure that a cloned file descriptor has been opened for reading, which allows local users to read sensitive information from a write-only file descriptor.
CVE-2010-4158 EXPLOITDB c WORKING POC
Linux Kernel < 2.6.36.2 - Information Disclosure via Uninitialized Stack Memory in Socket Filter
The sk_run_filter function in net/core/filter.c in the Linux kernel before 2.6.36.2 does not check whether a certain memory location has been initialized before executing a (1) BPF_S_LD_MEM or (2) BPF_S_LDX_MEM instruction, which allows local users to obtain potentially sensitive information from kernel stack memory via a crafted socket filter.
CVE-2010-4258 EXPLOITDB c WORKING POC
Linux Kernel < 2.6.36.2 - Privilege Escalation via KERNEL_DS get_fs Handling
The do_exit function in kernel/exit.c in the Linux kernel before 2.6.36.2 does not properly handle a KERNEL_DS get_fs value, which allows local users to bypass intended access_ok restrictions, overwrite arbitrary kernel memory locations, and gain privileges by leveraging a (1) BUG, (2) NULL pointer dereference, or (3) page fault, as demonstrated by vectors involving the clear_child_tid feature and the splice system call.
CVE-2010-3904 EXPLOITDB HIGH c WORKING POC
Reliable Datagram Sockets (RDS) rds_page_copy_user Privilege Escalation
The rds_page_copy_user function in net/rds/page.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel before 2.6.36 does not properly validate addresses obtained from user space, which allows local users to gain privileges via crafted use of the sendmsg and recvmsg system calls.
CVSS 7.8
EIP-2026-102904 EXPLOITDB c WORKING POC
Linux Kernel 2.6.28/3.0 (DEC Alpha Linux) - Local Privilege Escalation
EIP-2026-102900 EXPLOITDB c WORKING POC
Linux Kernel 2.4.0 - Stack Infoleaks
CVE-2010-3904 EXPLOITDB HIGH ruby WORKING POC
Reliable Datagram Sockets (RDS) rds_page_copy_user Privilege Escalation
The rds_page_copy_user function in net/rds/page.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel before 2.6.36 does not properly validate addresses obtained from user space, which allows local users to gain privileges via crafted use of the sendmsg and recvmsg system calls.
CVSS 7.8
EIP-2026-102797 EXPLOITDB bash WORKING POC
Calibre E-Book Reader - Race Condition Privilege Escalation
CVE-2010-2025 EXPLOITDB html WORKING POC
Cisco Scientific Atlanta WebSTAR DPC2100R2 - Cross-Site Request Forgery
Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface on the Cisco Scientific Atlanta WebSTAR DPC2100R2 cable modem with firmware 2.0.2r1256-060303 allow remote attackers to hijack the authentication of administrators for requests that (1) reset the modem, (2) erase the firmware, (3) change the administrative password, (4) install modified firmware, or (5) change the access level, as demonstrated by a request to goform/_aslvl.
CVE-2011-4862 EXPLOITDB ruby WORKING POC
GNU inetutils < 1.9 - Remote Code Execution via Long Encryption Key
Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.2 and earlier, Heimdal 1.5.1 and earlier, GNU inetutils, and possibly other products allows remote attackers to execute arbitrary code via a long encryption key, as exploited in the wild in December 2011.