Jon Oberheide

34 exploits Active since May 2005
CVE-2010-3848 EXPLOITDB c WORKING POC
Linux Kernel < 2.6.36.2 - Local Privilege Escalation via Econet iovec Structures
Stack-based buffer overflow in the econet_sendmsg function in net/econet/af_econet.c in the Linux kernel before 2.6.36.2, when an econet address is configured, allows local users to gain privileges by providing a large number of iovec structures.
CVE-2010-3850 EXPLOITDB c WORKING POC
Linux kernel <2.6.36.2 - Privilege Escalation
The ec_dev_ioctl function in net/econet/af_econet.c in the Linux kernel before 2.6.36.2 does not require the CAP_NET_ADMIN capability, which allows local users to bypass intended access restrictions and configure econet addresses via an SIOCSIFADDR ioctl call.
CVE-2010-4347 EXPLOITDB c WORKING POC
Linux Kernel < 2.6.36.2 - Privilege Escalation via ACPI Debugfs Custom Method
The ACPI subsystem in the Linux kernel before 2.6.36.2 uses 0222 permissions for the debugfs custom_method file, which allows local users to gain privileges by placing a custom ACPI method in the ACPI interpreter tables, related to the acpi_debugfs_init function in drivers/acpi/debugfs.c.
CVE-2009-1378 EXPLOITDB c WORKING POC
OpenSSL 0.9.8-0.9.8k - Denial of Service via DTLS Fragment Handling Memory Leak
Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka "DTLS fragment handling memory leak."
CVE-2009-1386 METASPLOIT ruby WORKING POC
OpenSSL < 0.9.8i - Denial of Service via DTLS ChangeCipherSpec Packet
ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello.
CVE-2009-1185 METASPLOIT ruby WORKING POC
udev < 141 - Privilege Escalation via Unverified NETLINK Message
udev before 1.4.1 does not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space.
CVE-2005-0783 EXPLOITDB text WRITEUP
Phorum - Cross-Site Scripting via Attached File Filename
Cross-site scripting (XSS) vulnerability in Phorum before 5.0.14a allows remote attackers to inject arbitrary web script or HTML via the filename of an attached file.
CVE-2008-5377 EXPLOITDB c WORKING POC
CUPS 1.3.8 - Arbitrary File Overwrite via Symlink Attack on Temporary File
pstopdf in CUPS 1.3.8 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/pstopdf.log temporary file, a different vulnerability than CVE-2001-1333.
CVE-2008-5081 EXPLOITDB c WORKING POC
avahi < 0.6.24 - Denial of Service via mDNS Packet with Source Port 0
The originates_from_local_legacy_unicast_socket function (avahi-core/server.c) in avahi-daemon in Avahi before 0.6.24 allows remote attackers to cause a denial of service (crash) via a crafted mDNS packet with a source port of 0, which triggers an assertion failure.
CVE-2008-3834 EXPLOITDB c WORKING POC
D-bus <1.2.4 - DoS
The dbus_signature_validate function in the D-bus library (libdbus) before 1.2.4 allows remote attackers to cause a denial of service (application abort) via a message containing a malformed signature, which triggers a failed assertion error.
CVE-2009-1379 EXPLOITDB c WORKING POC
OpenSSL 1.0.0 Beta 2 - Use-After-Free in DTLS Fragment Retrieval
Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote attackers to cause a denial of service (openssl s_client crash) and possibly have unspecified other impact via a DTLS packet, as demonstrated by a packet from a server that uses a crafted server certificate.
CVE-2009-1386 EXPLOITDB c WORKING POC
OpenSSL < 0.9.8i - Denial of Service via DTLS ChangeCipherSpec Packet
ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello.
EIP-2026-103353 EXPLOITDB c WORKING POC
Linux Kernel 2.6.32-rc1 (x86-64) - Register Leak
CVE-2010-1146 EXPLOITDB python WORKING POC
Linux kernel <2.6.33.2 - Privilege Escalation
The Linux kernel 2.6.33.2 and earlier, when a ReiserFS filesystem exists, does not restrict read or write access to the .reiserfs_priv directory, which allows local users to gain privileges by modifying (1) extended attributes or (2) ACLs, as demonstrated by deleting a file under .reiserfs_priv/xattrs/.
CVE-2011-1021 EXPLOITDB c WORKING POC
Linux Kernel < 3.0 - Arbitrary Kernel Memory Write via ACPI Debugfs Custom Method
drivers/acpi/debugfs.c in the Linux kernel before 3.0 allows local users to modify arbitrary kernel memory locations by leveraging root privileges to write to the /sys/kernel/debug/acpi/custom_method file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4347.
CVE-2009-0036 EXPLOITDB c WORKING POC
libvirt_proxy 0.5.1 - Buffer Overflow
Buffer overflow in the proxyReadClientSocket function in proxy/libvirt_proxy.c in libvirt_proxy 0.5.1 might allow local users to gain privileges by sending a portion of the header of a virProxyPacket packet, and then sending the remainder of the packet with crafted values in the header, related to use of uninitialized memory in a validation check.
CVE-2009-1185 EXPLOITDB c WORKING POC
udev < 141 - Privilege Escalation via Unverified NETLINK Message
udev before 1.4.1 does not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space.
CVE-2009-2847 EXPLOITDB c WORKING POC
Linux kernel <2.6.31-rc5 - Info Disclosure
The do_sigaltstack function in kernel/signal.c in Linux kernel 2.4 through 2.4.37 and 2.6 before 2.6.31-rc5, when running on 64-bit systems, does not clear certain padding bytes from a structure, which allows local users to obtain sensitive information from the kernel stack via the sigaltstack function.
CVE-2009-3001 EXPLOITDB c WORKING POC
Linux Kernel < 2.6.31 - Uninitialized Memory Exposure via llc_ui_getname
The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel 2.6.31-rc7 and earlier does not initialize a certain data structure, which allows local users to read the contents of some kernel memory locations by calling getsockname on an AF_LLC socket.
CVE-2005-4605 EXPLOITDB c WORKING POC
Linux Kernel < 2.6.15 - Information Disclosure via Signed-Unsigned Integer Overflow in ProcFS
The procfs code (proc_misc.c) in Linux 2.6.14.3 and other versions before 2.6.15 allows attackers to read sensitive kernel memory via unspecified vectors in which a signed value is added to an unsigned value.
CVE-2008-4113 EXPLOITDB c WORKING POC
Linux Kernel < 2.6.26.4 - Sensitive Information Exposure via SCTP_HMAC_IDENT IOCTL
The sctp_getsockopt_hmac_ident function in net/sctp/socket.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.26.4, when the SCTP-AUTH extension is enabled, relies on an untrusted length value to limit copying of data from kernel memory, which allows local users to obtain sensitive information via a crafted SCTP_HMAC_IDENT IOCTL request involving the sctp_getsockopt function.
CVE-2009-3002 EXPLOITDB c WORKING POC
Linux Kernel < 2.6.31 - Information Disclosure via Uninitialized Memory in getname Functions
The Linux kernel before 2.6.31-rc7 does not initialize certain data structures within getname functions, which allows local users to read the contents of some kernel memory locations by calling getsockname on (1) an AF_APPLETALK socket, related to the atalk_getname function in net/appletalk/ddp.c; (2) an AF_IRDA socket, related to the irda_getname function in net/irda/af_irda.c; (3) an AF_ECONET socket, related to the econet_getname function in net/econet/af_econet.c; (4) an AF_NETROM socket, related to the nr_getname function in net/netrom/af_netrom.c; (5) an AF_ROSE socket, related to the rose_getname function in net/rose/af_rose.c; or (6) a raw CAN socket, related to the raw_getname function in net/can/raw.c.
CVE-2010-2959 EXPLOITDB c WORKING POC
Linux kernel <2.6.27.53-2.6.35.4 - RCE/DoS
Integer overflow in net/can/bcm.c in the Controller Area Network (CAN) implementation in the Linux kernel before 2.6.27.53, 2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x before 2.6.35.4 allows attackers to execute arbitrary code or cause a denial of service (system crash) via crafted CAN traffic.
CVE-2010-3437 EXPLOITDB c WORKING POC
Linux kernel <2.6.36-rc6 - Info Disclosure/DoS
Integer signedness error in the pkt_find_dev_from_minor function in drivers/block/pktcdvd.c in the Linux kernel before 2.6.36-rc6 allows local users to obtain sensitive information from kernel memory or cause a denial of service (invalid pointer dereference and system crash) via a crafted index value in a PKT_CTRL_CMD_STATUS ioctl call.
CVE-2010-4073 EXPLOITDB c WORKING POC
Linux Kernel < 2.6.37 - Information Disclosure via Uninitialized IPC Structures
The ipc subsystem in the Linux kernel before 2.6.37-rc1 does not initialize certain structures, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to the (1) compat_sys_semctl, (2) compat_sys_msgctl, and (3) compat_sys_shmctl functions in ipc/compat.c; and the (4) compat_sys_mq_open and (5) compat_sys_mq_getsetattr functions in ipc/compat_mq.c.