Exploitdb Exploits
3,138 exploits tracked across all sources.
MailEnable 1.52 - HTTP Mail Service Stack Buffer Overflow (PoC)
by fl0 fl0w
Linux Kernel <2.6.19 - Privilege Escalation
The udp_sendmsg function in the UDP implementation in (1) net/ipv4/udp.c and (2) net/ipv6/udp.c in the Linux kernel before 2.6.19 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving the MSG_MORE flag and a UDP socket.
by INetCop Security
CVSS 7.8
Linux Kernel < 2.6.31 - Information Disclosure via Uninitialized Memory in getname Functions
The Linux kernel before 2.6.31-rc7 does not initialize certain data structures within getname functions, which allows local users to read the contents of some kernel memory locations by calling getsockname on (1) an AF_APPLETALK socket, related to the atalk_getname function in net/appletalk/ddp.c; (2) an AF_IRDA socket, related to the irda_getname function in net/irda/af_irda.c; (3) an AF_ECONET socket, related to the econet_getname function in net/econet/af_econet.c; (4) an AF_NETROM socket, related to the nr_getname function in net/netrom/af_netrom.c; (5) an AF_ROSE socket, related to the rose_getname function in net/rose/af_rose.c; or (6) a raw CAN socket, related to the raw_getname function in net/can/raw.c.
by Jon Oberheide
Linux kernel <2.6.30.4, <2.4.37.4 - Privilege Escalation
The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.
by Ramon de C Valle
CVSS 7.8
Linux Kernel < 2.6.31 - Information Disclosure via Uninitialized Memory in getname Functions
The Linux kernel before 2.6.31-rc7 does not initialize certain data structures within getname functions, which allows local users to read the contents of some kernel memory locations by calling getsockname on (1) an AF_APPLETALK socket, related to the atalk_getname function in net/appletalk/ddp.c; (2) an AF_IRDA socket, related to the irda_getname function in net/irda/af_irda.c; (3) an AF_ECONET socket, related to the econet_getname function in net/econet/af_econet.c; (4) an AF_NETROM socket, related to the nr_getname function in net/netrom/af_netrom.c; (5) an AF_ROSE socket, related to the rose_getname function in net/rose/af_rose.c; or (6) a raw CAN socket, related to the raw_getname function in net/can/raw.c.
by Clément Lecigne
Linux Kernel < 2.6.31 - Uninitialized Memory Exposure via llc_ui_getname
The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel 2.6.31-rc7 and earlier does not initialize a certain data structure, which allows local users to read the contents of some kernel memory locations by calling getsockname on an AF_LLC socket.
by Jon Oberheide
Avast! 4.8.1335 Professional - Kernel Local Buffer Overflow
by Heurs
Linux kernel <2.6.30.4, <2.4.37.4 - Privilege Escalation
The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.
by INetCop Security
CVSS 7.8
FreeBSD 6.1 - 'kqueue()' Null Pointer Dereference Privilege Escalation
by Przemyslaw Frasunek
Linux Kernel < 2.6.31 - Denial of Service via Pseudo-Terminal I/O Activity
The tty_ldisc_hangup function in drivers/char/tty_ldisc.c in the Linux kernel 2.6.31-rc before 2.6.31-rc8 allows local users to cause a denial of service (system crash, sometimes preceded by a NULL pointer dereference) or possibly gain privileges via certain pseudo-terminal I/O activity, as demonstrated by KernelTtyTest.c.
by Eric W. Biederman
Linux Kernel < 2.6.30.5 - 'cfg80211' Remote Denial of Service
by Jon Oberheide
Linux Kernel < 2.6.31-rc6 - Denial of Service or Privilege Escalation via CLOCK_MONOTONIC_RAW clock_nanosleep
The init_posix_timers function in kernel/posix-timers.c in the Linux kernel before 2.6.31-rc6 allows local users to cause a denial of service (OOPS) or possibly gain privileges via a CLOCK_MONOTONIC_RAW clock_nanosleep call that triggers a NULL pointer dereference.
by Hiroshi Shimamoto
FreeBSD 7.2-RELEASE - SCTP Local Kernel Denial of Service
by Shaun Colley
Linux Kernel < 2.6.15 - Information Disclosure via Signed-Unsigned Integer Overflow in ProcFS
The procfs code (proc_misc.c) in Linux 2.6.14.3 and other versions before 2.6.15 allows attackers to read sensitive kernel memory via unspecified vectors in which a signed value is added to an unsigned value.
by Jon Oberheide
Linux kernel <2.6.31-rc5 - Info Disclosure
The do_sigaltstack function in kernel/signal.c in Linux kernel 2.4 through 2.4.37 and 2.6 before 2.6.31-rc5, when running on 64-bit systems, does not clear certain padding bytes from a structure, which allows local users to obtain sensitive information from the kernel stack via the sigaltstack function.
by Jon Oberheide
PHP Fuzzer Framework - Default Location Insecure Temporary File Creation
by Melissa Elliott
Google SketchUp Pro 7.0 - '.skp' Remote Stack Overflow (PoC)
by LiquidWorm
VideoLAN VLC Media Player 0.8.6f - 'smb://' URI Handling Remote Buffer Overflow
by Pankaj Kohli
ISC BIND 9.4-9.4.3-P2, 9.5-9.5.1-P2, 9.6-9.6.1 - Denial of Service via ANY Record in Dynamic Update
The dns_db_findrdataset function in db.c in named in ISC BIND 9.4 before 9.4.3-P3, 9.5 before 9.5.1-P3, and 9.6 before 9.6.1-P1, when configured as a master server, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an ANY record in the prerequisite section of a crafted dynamic update message.
by kingcope
ISC DHCP <4.1.0p1-2.0 - Buffer Overflow
Stack-based buffer overflow in the script_write_params method in client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option.
by Jon Oberheide
Live For Speed 2 Version Z - '.Mpr' Local Buffer Overflow
by n00b
FreeBSD 6.0 and 8.0 - Denial of Service via IATA Driver IOCTL Request
The IATA (ata) driver in FreeBSD 6.0 and 8.0, when read access to /dev is available, allows local users to cause a denial of service (kernel panic) via a certain IOCTL request with a large count, which triggers a malloc call with a large value.
by Shaun Colley
Linux Kernel 2.6.28-2.6.28.4 - Denial of Service via UTF-8 Console Character Selection
The console selection feature in the Linux kernel 2.6.28 before 2.6.28.4, 2.6.25, and possibly earlier versions, when the UTF-8 console is used, allows physically proximate attackers to cause a denial of service (memory corruption) by selecting a small number of 3-byte UTF-8 characters, which triggers an "off-by-two memory error." NOTE: it is not clear whether this issue crosses privilege boundaries.
by sgrakkyu
FreeBSD 7.0-7.1 - Local Privilege Escalation via Stack-Based Buffer Overflow in vfs_mount.c
Stack-based buffer overflow in sys/kern/vfs_mount.c in the kernel in FreeBSD 7.0 and 7.1, when vfs.usermount is enabled, allows local users to gain privileges via a crafted (1) mount or (2) nmount system call, related to copying of "user defined data" in "certain error conditions."
by Patroklos Argyroudis