149 items tagged "freebsd"
16:13 » Packet Storm Security Advisories
FreeBSD Security Advisory - OpenSSL fails to clear the bytes used as block cipher padding in SSL 3.0 records when operating as a client or a server that accepts SSL 3.0 handshakes. As a result, in each record, up to 15 bytes of uninitialized memory may be sent, encrypted, to the SSL peer. This could include sensitive contents of previously freed memory. OpenSSL support for handshake restarts for server gated cryptography (SGC) can be used in a denial-of-service attack. Various other OpenSSL issues have also been addressed.
9:31 » Packet Storm Security Advisories
FreeBSD Security Advisory - The OpenSSL library call used to decrypt private keys ignores the passphrase argument if the key is not encrypted. Because the pam_ssh module only checks whether the passphrase provided by the user is null, users with unencrypted SSH private keys may successfully authenticate themselves by providing a dummy passphrase. If the pam_ssh module is enabled, attackers may be able to gain access to user accounts which have unencrypted SSH private keys.
11:22 » Packet Storm Security Advisories
FreeBSD Security Advisory - When an encryption key is supplied via the TELNET protocol, its length is not validated before the key is copied into a fixed-size buffer. An attacker who can connect to the telnetd daemon can execute arbitrary code with the privileges of the daemon (which is usually the "root" superuser).
10:35 » Packet Storm Security Advisories
FreeBSD Security Advisory - The nsdispatch API has no mechanism to alert it to whether it is operating within a chroot environment in which the standard paths for configuration files and shared libraries may be untrustworthy. The FreeBSD ftpd daemon can be configured to use chroot, and also uses the nsdispatch API.
10:22 » Packet Storm Security Advisories
FreeBSD Security Advisory - A remote attacker could cause the BIND resolver to cache an invalid record, which could cause the BIND daemon to crash when that record is being queried.
19:25 » Packet Storm Security Advisories
Secunia Security Advisory - Kingcope has discovered a vulnerability in FreeBSD, which can be exploited by malicious people to compromise a vulnerable system.
15:29 » Packet Storm Security Exploits
Remote root exploit for FreeBSD ftpd and ProFTPd on FreeBSD. It leverages the fact that /etc and /lib can be modified inside of the chroot.
15:24 » Packet Storm Security Advisories
FreeBSD Security Advisory - When a UNIX-domain socket is attached to a location using the bind(2) system call, the length of the provided path is not validated. Later, when this address is returned via other system calls, it is copied into a fixed-length buffer. A local user can cause the FreeBSD kernel to panic. It may also be possible to execute code with elevated privileges ("gain root"), escape from a jail, or to bypass security mechanisms in other ways.
15:21 » Packet Storm Security Advisories
FreeBSD Security Advisory - The code used to decompress a file created by compress(1) does not do sufficient boundary checks on compressed code words, allowing reference beyond the decompression table, which may result in a stack overflow or an infinite loop when the decompressor encounters a corrupted file.
14:25 » Packet Storm Security Advisories
FreeBSD Security Advisory - A logic error in the BIND code causes the BIND daemon to accept bogus data, which could cause the daemon to crash.
14:30 » Packet Storm Security Recent Files
Turtle rootkit for FreeBSD. This kernel module hooks unlink() so the protected file cannot be deleted, hooks kill() so the protected process cannot be killed, and has various other nice bells and whistles.
8:53 » Packet Storm Security Advisories
FreeBSD Security Advisory - Very large RRSIG RRsets included in a negative response can trigger an assertion failure that will crash named(8) due to an off-by-one error in a buffer size check.
16:55 » Packet Storm Security Advisories
FreeBSD Security Advisory - The mountd(8) daemon services NFS mount requests from other client machines. When mountd is started, it loads the export host addresses and options into the kernel using the mount(2) system call. While parsing the exports(5) table, a network mask in the form of "-network=netname/prefixlength" results in an incorrect network mask being computed if the prefix length is not a multiple of 8. For example, specifying the ACL for an export as "-network 192.0.2.0/23" would result in a netmask of 255.255.127.0 being used instead of the correct netmask of 255.255.254.0.
14:22 » Packet Storm Security Advisories
FreeBSD's crontab implementation suffers from various race condition and symlink vulnerabilities that allow for minor information leakage.
20:32 » Packet Storm Security Advisories
FreeBSD Security Advisory - A race condition exists in the OpenSSL TLS server extension parsing code when used in a multi-threaded application that uses OpenSSL's internal caching mechanism. The race condition can lead to a buffer overflow. A double free exists in the SSL client ECDH handling code when processing specially crafted public keys with invalid prime numbers.
16:01 » Packet Storm Security Recent Files
FreeBSD Security Advisory - The pfs_getextattr(9) function, used by pseudofs for handling extended attributes, attempts to unlock a mutex which was not previously locked.
20:00 » Packet Storm Security Exploits
FreeBSD mbufs() sendfile cache poisoning local privilege escalation exploit that throws a setuid shell in /tmp. Works on 7.x and 8.x builds prior to 12Jul2010.
2:02 » SecDocs
Authors: Patroklos Argyroudis
Tags: buffer overflow kernel exploiting FreeBSD
Event: Black Hat EU 2010
Abstract: FreeBSD (http://www.freebsd.org/) is widely accepted as one of the most reliable and performance-driven operating systems currently available in both the open source and proprietary worlds. While the exploitation of kernel vulnerabilities has been researched in the context of the Windows and Linux operating systems, FreeBSD, and BSD systems in general, have not received the same attention. This presentation will initially examine the exploitation of kernel stack overflow vulnerabilities on FreeBSD. The development process of a privilege escalation kernel stack smashing exploit will be documented for vulnerability CVE-2008-3531. The second part of the presentation will present a detailed security analysis of the Universal Memory Allocator (UMA), the FreeBSD kernel's memory allocator. We will examine how UMA overflows can lead to arbitrary code execution in the context of the latest stable FreeBSD kernel (8.0-RELEASE), and we will develop an exploitation methodology for privilege escalation and kernel continuation.
15:00 » Packet Storm Security Advisories
Census Labs have discovered two improper input validation vulnerabilities in the FreeBSD kernel's NFS client-side implementation (FreeBSD 8.0-RELEASE, 7.3-RELEASE and 7.2-RELEASE) that allow local unprivileged users to escalate their privileges, or to crash the system by performing a denial of service attack.