halfdog

25 exploits Active since Jan 2011
CVE-2018-1000001 NOMISEC HIGH WORKING POC
glibc < 2.26 - Buffer Underflow and Potential Code Execution via realpath()
In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.
32 stars
CVSS 7.8
CVE-2016-2853 EXPLOITDB HIGH WORKING POC
Linux Kernel 3.0.0-3.19.8 - Privilege Escalation via aufs and FUSE Mount Namespace Bypass
The aufs module for the Linux kernel 3.x and 4.x does not properly restrict the mount namespace, which allows local users to gain privileges by mounting an aufs filesystem on top of a FUSE filesystem, and then executing a crafted setuid program.
CVSS 7.8
CVE-2011-3607 EXPLOITDB WRITEUP
Apache HTTP Server <2.0.64, 2.2.x - Privilege Escalation
Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow.
CVE-2018-1000001 METASPLOIT HIGH ruby WORKING POC
glibc < 2.26 - Buffer Underflow and Potential Code Execution via realpath()
In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.
CVSS 7.8
CVE-2012-3221 EXPLOITDB c WORKING POC
Oracle VM VirtualBox 3.2, 4.0, 4.1 - Denial of Service in VirtualBox Core
Unspecified vulnerability in the Oracle VM Virtual Box component in Oracle Virtualization 3.2, 4.0, and 4.1 allows local users to affect availability via unknown vectors related to VirtualBox Core. NOTE: The previous information was obtained from the October 2012 CPU. Oracle has not commented on claims from another vendor that this issue is related to "incorrect interrupt handling."
CVE-2015-1336 EXPLOITDB HIGH WORKING POC
Man-db <2.7.6.1-1 - Privilege Escalation
The daily mandb cleanup job in Man-db before 2.7.6.1-1 as packaged in Ubuntu and Debian allows local users with access to the man account to gain privileges via vectors involving insecure chown use.
CVSS 7.8
CVE-2016-0727 EXPLOITDB HIGH text WORKING POC
NTP Package <4.2.6.p3 - Privilege Escalation via Crontab Script
The crontab script in the ntp package before 1:4.2.6.p3+dfsg-1ubuntu3.11 on Ubuntu 12.04 LTS, before 1:4.2.6.p5+dfsg-3ubuntu2.14.04.10 on Ubuntu 14.04 LTS, on Ubuntu Wily, and before 1:4.2.8p4+dfsg-3ubuntu5.3 on Ubuntu 16.04 LTS allows local users with access to the ntp account to write to arbitrary files and consequently gain privileges via vectors involving statistics directory cleanup.
CVSS 7.8
CVE-2016-10156 EXPLOITDB HIGH text WORKING POC
systemd <v229 - Privilege Escalation
A flaw in systemd v228 in /src/basic/fs-util.c caused world writable suid files to be created when using the systemd timers features, allowing local attackers to escalate their privileges to root. This is fixed in v229.
CVSS 7.8
CVE-2016-1575 EXPLOITDB HIGH text WORKING POC
Linux kernel <4.5.2 - Privilege Escalation
The overlayfs implementation in the Linux kernel through 4.5.2 does not properly maintain POSIX ACL xattr data, which allows local users to gain privileges by leveraging a group-writable setgid directory.
CVSS 7.8
CVE-2015-2285 EXPLOITDB text WORKING POC
Ubuntu Upstart <1.13.2-0ubuntu9 - Command Injection
The logrotation script (/etc/cron.daily/upstart) in the Ubuntu Upstart package before 1.13.2-0ubuntu9, as used in Ubuntu Vivid 15.04, allows local users to execute arbitrary commands and gain privileges via a crafted file in /run/user/*/upstart/sessions/.
CVE-2016-1576 EXPLOITDB HIGH text WORKING POC
Linux kernel <4.5.2 - Privilege Escalation
The overlayfs implementation in the Linux kernel through 4.5.2 does not properly restrict the mount namespace, which allows local users to gain privileges by mounting an overlayfs filesystem on top of a FUSE filesystem, and then executing a crafted setuid program.
CVSS 7.8
CVE-2016-2856 EXPLOITDB HIGH text WORKING POC
Ubuntu Linux - Local Privilege Escalation via pt_chown Namespace Check Bypass
pt_chown in the glibc package before 2.19-18+deb8u4 on Debian jessie; the elibc package before 2.15-0ubuntu10.14 on Ubuntu 12.04 LTS and before 2.19-0ubuntu6.8 on Ubuntu 14.04 LTS; and the glibc package before 2.21-0ubuntu4.2 on Ubuntu 15.10 and before 2.23-0ubuntu1 on Ubuntu 16.04 LTS and 16.10 lacks a namespace check associated with file-descriptor passing, which allows local users to capture keystrokes and spoof data, and possibly gain privileges, via pts read and write operations, related to debian/sysdeps/linux.mk. NOTE: this is not considered a vulnerability in the upstream GNU C Library because the upstream documentation has a clear security recommendation against the --enable-pt_chown option.
CVSS 8.4
EIP-2026-103033 EXPLOITDB text WORKING POC
Vm86 - Syscall Task Switch Kernel Panic Denial of Service / Privilege Escalation
EIP-2026-102833 EXPLOITDB c WORKING POC
Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Privilege Escalation
CVE-2018-1000001 EXPLOITDB HIGH ruby WORKING POC
glibc < 2.26 - Buffer Underflow and Potential Code Execution via realpath()
In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.
CVSS 7.8
CVE-2018-1000001 EXPLOITDB HIGH c WORKING POC
glibc < 2.26 - Buffer Underflow and Potential Code Execution via realpath()
In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.
CVSS 7.8
CVE-2011-1020 EXPLOITDB text WORKING POC
Linux Kernel < 2.6.37 - Unauthorized Information Exposure via Proc Filesystem
The proc filesystem implementation in the Linux kernel 2.6.37 and earlier does not restrict access to the /proc directory tree of a process after this process performs an exec of a setuid program, which allows local users to obtain sensitive information or cause a denial of service via open, lseek, read, and write system calls.
CVE-2015-8660 EXPLOITDB MEDIUM c WORKING POC
Overlayfs Privilege Escalation
The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application.
CVSS 6.7
CVE-2016-2854 EXPLOITDB HIGH text WORKING POC
Linux Kernel 3.0.0-3.19.8 - Privilege Escalation via aufs POSIX ACL Handling
The aufs module for the Linux kernel 3.x and 4.x does not properly maintain POSIX ACL xattr data, which allows local users to gain privileges by leveraging a group-writable setgid directory.
CVSS 7.8
CVE-2010-3879 EXPLOITDB text WORKING POC
libfuse < 2.8.5 - Unauthenticated Arbitrary Filesystem Unmount via Symlink Attack
FUSE, possibly 2.8.5 and earlier, allows local users to create mtab entries with arbitrary pathnames, and consequently unmount any filesystem, via a symlink attack on the parent directory of the mountpoint of a FUSE filesystem, a different vulnerability than CVE-2010-0789.
CVE-2011-4415 EXPLOITDB text WRITEUP
Apache HTTP Server 2.0.x-2.0.64 and 2.2.x-2.2.21 - Denial of Service via mod_setenvif SetEnvIf Directive
The ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, does not restrict the size of values of environment variables, which allows local users to cause a denial of service (memory consumption or NULL pointer dereference) via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, related to (1) the "len +=" statement and (2) the apr_pcalloc function call, a different vulnerability than CVE-2011-3607.
CVE-2015-1338 EXPLOITDB text WRITEUP
Apport < 2.19 - Denial of Service and Privilege Escalation via Symlink Attack on vmcore.log
kernel_crashdump in Apport before 2.19 allows local users to cause a denial of service (disk consumption) or possibly gain privileges via a (1) symlink or (2) hard link attack on /var/crash/vmcore.log.
CVE-2012-4530 EXPLOITDB text WRITEUP
Linux kernel <3.7.2 - Info Disclosure
The load_script function in fs/binfmt_script.c in the Linux kernel before 3.7.2 does not properly handle recursion, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.
CVE-2018-13405 EXPLOITDB HIGH c WORKING POC
Linux Kernel < 3.16 - Privilege Escalation via SGID Directory Inode Initialization
The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID.
CVSS 7.8
CVE-2012-0031 EXPLOITDB text WORKING POC
Apache HTTP Server < 2.0.65 - Denial of Service via Scoreboard Shared Memory Segment
scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local users to cause a denial of service (daemon crash during shutdown) or possibly have unspecified other impact by modifying a certain type field within a scoreboard shared memory segment, leading to an invalid call to the free function.