Eric W. Biederman

18 exploits; active since Sep 2009
CVE-2013-1959 WRITEUP
Linux Kernel < 3.8.9 - Privilege Escalation via uid_map and gid_map File Handling
kernel/user_namespace.c in the Linux kernel before 3.8.9 does not have appropriate capability requirements for the uid_map and gid_map files, which allows local users to gain privileges by opening a file within an unprivileged process and then modifying the file within a privileged process.

CVE-2015-2925 WRITEUP
Linux kernel <4.2.4 - Privilege Escalation
The prepend_path function in fs/dcache.c in the Linux kernel before 4.2.4 does not properly handle rename actions inside a bind mount, which allows local users to bypass an intended container protection mechanism by renaming a directory, related to a "double-chroot attack."

CVE-2014-5207 WRITEUP
Linux Kernel < 3.16.1 - Privilege Escalation via Bind Mount Remount
fs/namespace.c in the Linux kernel through 3.16.1 does not properly restrict clearing MNT_NODEV, MNT_NOSUID, and MNT_NOEXEC and changing MNT_ATIME_MASK during a remount of a bind mount, which allows local users to gain privileges, interfere with backups and auditing on systems that had atime enabled, or cause a denial of service (excessive filesystem updating) on systems that had atime disabled via a "mount -o remount" command within a user namespace.

CVE-2022-24122 WRITEUP HIGH
Linux kernel <5.16.4 - Privilege Escalation
kernel/ucount.c in the Linux kernel 5.14 through 5.16.4, when unprivileged user namespaces are enabled, allows a use-after-free and privilege escalation because a ucounts object can outlive its namespace.
CVSS 7.8

CVE-2013-1858 WRITEUP
Linux Kernel < 3.8.3 - Privilege Escalation via CLONE_NEWUSER and CLONE_FS Flag Combination
The clone system-call implementation in the Linux kernel before 3.8.3 does not properly handle a combination of the CLONE_NEWUSER and CLONE_FS flags, which allows local users to gain privileges by calling chroot and leveraging the sharing of the / directory between a parent process and a child process.

CVE-2013-1956 WRITEUP
Linux Kernel < 3.8.6 - Local Filesystem Restriction Bypass via Clone System Call
The create_user_ns function in kernel/user_namespace.c in the Linux kernel before 3.8.6 does not check whether a chroot directory exists that differs from the namespace root directory, which allows local users to bypass intended filesystem restrictions via a crafted clone system call.

CVE-2013-1957 WRITEUP
Linux Kernel < 3.8.6 - Local Filesystem Read-Only Bypass via Mount Namespace
The clone_mnt function in fs/namespace.c in the Linux kernel before 3.8.6 does not properly restrict changes to the MNT_READONLY flag, which allows local users to bypass an intended read-only property of a filesystem by leveraging a separate mount namespace.

CVE-2013-1958 WRITEUP
Linux Kernel < 3.8.6 - Local Privilege Escalation via PID Namespace Bypass
The scm_check_creds function in net/core/scm.c in the Linux kernel before 3.8.6 does not properly enforce capability requirements for controlling the PID value associated with a UNIX domain socket, which allows local users to bypass intended access restrictions by leveraging the time interval during which a user namespace has been created but a PID namespace has not been created.

CVE-2013-1979 WRITEUP
Linux Kernel < 3.8.11 - Privilege Escalation via Incorrect Credential Passing
The scm_set_cred function in include/net/scm.h in the Linux kernel before 3.8.11 uses incorrect uid and gid values during credentials passing, which allows local users to gain privileges via a crafted application.

CVE-2013-4270 WRITEUP
Linux Kernel < 3.11.5 - Local Privilege Escalation via net_ctl_permissions UID/GID Bypass
The net_ctl_permissions function in net/sysctl_net.c in the Linux kernel before 3.11.5 does not properly determine uid and gid values, which allows local users to bypass intended /proc/sys/net restrictions via a crafted application.

CVE-2015-4176 WRITEUP MEDIUM
Linux Kernel < 4.0.1 - Unauthorized File Read via Mount Connectivity
fs/namespace.c in the Linux kernel before 4.0.2 does not properly support mount connectivity, which allows local users to read arbitrary files by leveraging user-namespace root access for deletion of a file or directory.
CVSS 5.5

CVE-2015-4177 WRITEUP MEDIUM
Linux Kernel < 4.0.4 - Denial of Service via MNT_DETACH umount2 System Call
The collect_mounts function in fs/namespace.c in the Linux kernel before 4.0.5 does not properly consider that it may execute after a path has been unmounted, which allows local users to cause a denial of service (system crash) by leveraging user-namespace root access for an MNT_DETACH umount2 system call.
CVSS 5.5

CVE-2015-4178 WRITEUP MEDIUM
Linux Kernel < 4.0.4 - Denial of Service via MNT_DETACH umount2 System Call
The fs_pin implementation in the Linux kernel before 4.0.5 does not ensure the internal consistency of a certain list data structure, which allows local users to cause a denial of service (system crash) by leveraging user-namespace root access for an MNT_DETACH umount2 system call, related to fs/fs_pin.c and include/linux/fs_pin.h.
CVSS 5.5

CVE-2017-15129 WRITEUP MEDIUM
Linux Kernel < 4.14.11 - Use-After-Free in Network Namespace Handling
A use-after-free vulnerability was found in network namespaces code affecting the Linux kernel before 4.14.11. The function get_net_ns_by_id() in net/core/net_namespace.c does not check for the net::count value after it has found a peer network in netns_ids idr, which could lead to double free and memory corruption. This vulnerability could allow an unprivileged local user to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is thought to be unlikely.
CVSS 4.7

CVE-2017-6874 WRITEUP HIGH
Linux Kernel 4.9-4.9.15 - Use-After-Free via ucounts Race Condition
Race condition in kernel/ucount.c in the Linux kernel through 4.10.2 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls that leverage certain decrement behavior that causes incorrect interaction between put_ucounts and get_ucounts.
CVSS 7.0

CVE-2020-12826 WRITEUP MEDIUM
Linux kernel <5.6.5 - Privilege Escalation
A signal access-control issue was discovered in the Linux kernel before 5.6.5, aka CID-7395ea4e65c2. Because exec_id in include/linux/sched.h is only 32 bits, an integer overflow can interfere with a do_notify_parent protection mechanism. A child process can send an arbitrary signal to a parent process in a different security domain. Exploitation limitations include the amount of elapsed time before an integer overflow occurs, and the lack of scenarios where signals to a parent process present a substantial operational threat.
CVSS 5.3

CVE-2009-3043 EXPLOITDB c WORKING POC
Linux Kernel < 2.6.31 - Denial of Service via Pseudo-Terminal I/O Activity
The tty_ldisc_hangup function in drivers/char/tty_ldisc.c in the Linux kernel 2.6.31-rc before 2.6.31-rc8 allows local users to cause a denial of service (system crash, sometimes preceded by a NULL pointer dereference) or possibly gain privileges via certain pseudo-terminal I/O activity, as demonstrated by KernelTtyTest.c.