Qualys Corporation

38 exploits Active since Oct 2002
CVE-2017-1000371 EXPLOITDB HIGH c WORKING POC
Linux Kernel 4.1-4.1.43 - Stack Guard Page Bypass via RLIMIT_STACK Allocation
The offset2lib patch as used by the Linux Kernel contains a vulnerability, if RLIMIT_STACK is set to RLIM_INFINITY and 1 Gigabyte of memory is allocated (the maximum under the 1/4 restriction) then the stack will be grown down to 0x80000000, and as the PIE binary is mapped above 0x80000000 the minimum distance between the end of the PIE binary's read-write segment and the start of the stack becomes small enough that the stack guard page can be jumped over by an attacker. This affects Linux Kernel version 4.11.5. This is a different issue than CVE-2017-1000370 and CVE-2017-1000365. This issue appears to be limited to i386 based systems.
CVSS 7.8
CVE-2017-1000371 EXPLOITDB HIGH c WORKING POC
Linux Kernel 4.1-4.1.43 - Stack Guard Page Bypass via RLIMIT_STACK Allocation
The offset2lib patch as used by the Linux Kernel contains a vulnerability, if RLIMIT_STACK is set to RLIM_INFINITY and 1 Gigabyte of memory is allocated (the maximum under the 1/4 restriction) then the stack will be grown down to 0x80000000, and as the PIE binary is mapped above 0x80000000 the minimum distance between the end of the PIE binary's read-write segment and the start of the stack becomes small enough that the stack guard page can be jumped over by an attacker. This affects Linux Kernel version 4.11.5. This is a different issue than CVE-2017-1000370 and CVE-2017-1000365. This issue appears to be limited to i386 based systems.
CVSS 7.8
CVE-2019-10149 EXPLOITDB CRITICAL text WRITEUP
Exim 4.87 - 4.91 Local Privilege Escalation
A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.
CVSS 9.8
CVE-2020-8793 EXPLOITDB MEDIUM c WORKING POC
OpenSMTPD < 6.6.4 - Local Arbitrary File Read via Race Condition in makemap.c and smtpd.c
OpenSMTPD before 6.6.4 allows local users to read arbitrary files (e.g., on some Linux distributions) because of a combination of an untrusted search path in makemap.c and race conditions in the offline functionality in smtpd.c.
CVSS 4.7
CVE-2015-0235 EXPLOITDB ruby WORKING POC
Exim GHOST (glibc gethostbyname) Buffer Overflow
Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."
CVE-2017-1000409 EXPLOITDB HIGH text WRITEUP
glibc 2.5 - Buffer Overflow via LD_LIBRARY_PATH Environment Variable
A buffer overflow in glibc 2.5 (released on September 29, 2006) and can be triggered through the LD_LIBRARY_PATH environment variable. Please note that many versions of glibc are not vulnerable to this issue if patched for CVE-2017-1000366.
CVSS 7.0
CVE-2017-1000367 EXPLOITDB MEDIUM c WORKING POC
Todd Miller's sudo <1.8.20 - Info Disclosure & Command Execution
Todd Miller's sudo version 1.8.20 and earlier is vulnerable to an input validation (embedded spaces) in the get_process_ttyname() function resulting in information disclosure and command execution.
CVSS 6.4
CVE-2018-1124 EXPLOITDB HIGH text WRITEUP
procps-ng <3.3.15 - Privilege Escalation
procps-ng before version 3.3.15 is vulnerable to multiple integer overflows leading to a heap corruption in file2strvec function. This allows a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users.
CVSS 7.8
CVE-2017-1000253 EXPLOITDB HIGH c WORKING POC
Linux - Info Disclosure
Linux distributions that have not patched their long-term kernels with https://git.kernel.org/linus/a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (committed on April 14, 2015). This kernel vulnerability was fixed in April 2015 by commit a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (backported to Linux 3.10.77 in May 2015), but it was not recognized as a security threat. With CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE enabled, and a normal top-down address allocation strategy, load_elf_binary() will attempt to map a PIE binary into an address range immediately below mm->mmap_base. Unfortunately, load_elf_ binary() does not take account of the need to allocate sufficient space for the entire binary which means that, while the first PT_LOAD segment is mapped below mm->mmap_base, the subsequent PT_LOAD segment(s) end up being mapped above mm->mmap_base into the are that is supposed to be the "gap" between the stack and the binary.
CVSS 7.8
CVE-2015-3246 EXPLOITDB text WRITEUP
libuser <0.56.13-8 & 0.60 <0.60-7 - DoS
libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, directly modifies /etc/passwd, which allows local users to cause a denial of service (inconsistent file state) by causing an error during the modification. NOTE: this issue can be combined with CVE-2015-3245 to gain privileges.
CVE-2017-1084 EXPLOITDB HIGH c WORKING POC
FreeBSD < 11.2 - Stack-Based Buffer Overflow via Stack Guard-Page Bypass
In FreeBSD before 11.2-RELEASE, multiple issues with the implementation of the stack guard-page reduce the protections afforded by the guard-page. This results in the possibility a poorly written process could be cause a stack overflow.
CVSS 7.5
CVE-2017-1085 EXPLOITDB HIGH c WORKING POC
FreeBSD < 11.2 - Arbitrary Code Execution via setrlimit() Stack Memory Permissions
In FreeBSD before 11.2-RELEASE, an application which calls setrlimit() to increase RLIMIT_STACK may turn a read-only memory region below the stack into a read-write region. A specially crafted executable could be exploited to execute arbitrary code in the user context.
CVSS 7.8
CVE-2017-1084 EXPLOITDB HIGH c WORKING POC
FreeBSD < 11.2 - Stack-Based Buffer Overflow via Stack Guard-Page Bypass
In FreeBSD before 11.2-RELEASE, multiple issues with the implementation of the stack guard-page reduce the protections afforded by the guard-page. This results in the possibility a poorly written process could be cause a stack overflow.
CVSS 7.5