187 items tagged "freebsd"
-
-
16:00
»
SecuriTeam
FreeBSD is prone to a local privilege-escalation vulnerability.
-
-
9:21
»
Packet Storm Security Advisories
FreeBSD Security Advisory - FreeBSD is binary-compatible with the Linux operating system through a loadable kernel module/optional kernel component. A programming error in the handling of some Linux system calls may result in memory locations being accessed without proper validation. It is possible for a local attacker to overwrite portions of kernel memory, which may result in a privilege escalation or cause a system panic.
-
9:19
»
Packet Storm Security Advisories
FreeBSD Security Advisory - The internal authentication server of hostapd does not sufficiently validate the message length field of EAP-TLS messages. A remote attacker could cause the hostapd daemon to abort by sending specially crafted EAP-TLS messages, resulting in a Denial of Service.
-
-
8:10
»
SecDocs
Authors: Marc Schiesser
Tags: FreeBSD
Event: Chaos Communication Congress 22nd (22C3) 2005
Abstract: Most technologies and techniques intended for securing digital data focus on protection while the machine is turned on – mostly by defending against remote attacks. An attacker with physical access to the machine, however, can easily circumvent these defenses by reading out the contents of the storage medium on a different, fully accessible system or even compromise program code on it in order to leak encrypted information. Especially for mobile users, that threat is real. And for those carrying around sensitive data, the risk is most likely high. This talk will introduce a method of mitigating that particular risk by protecting not only the data through encryption, but also the applications and the operating system from being compromised while the machine is turned off.
-
-
17:00
»
SecuriTeam
Am4ss is prone to multiple HTML-injection vulnerabilities and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
-
-
7:05
»
Packet Storm Security Advisories
FreeBSD Security Advisory - BIND 9 stores a cache of query names that are known to be failing due to misconfigured name servers or a broken chain of trust. Under high query loads, when DNSSEC validation is active, it is possible for a condition to arise in which data from this cache of failing queries could be used before it was fully initialized, triggering an assertion failure. A remote attacker who is able to generate a high volume of DNSSEC validation-enabled queries can trigger the assertion failure, crashing the server and resulting in a denial of service.
-
-
0:29
»
Packet Storm Security Advisories
Secunia Security Advisory - A vulnerability has been reported in FreeBSD, which can be exploited by malicious, local users to gain escalated privileges.
-
-
15:52
»
Packet Storm Security Advisories
FreeBSD Security Advisory - The FreeBSD operating system implements a rings model of security, where privileged operations are done in the kernel, and most applications request access to these operations by making a system call, which puts the CPU into the required privilege level and passes control to the kernel. FreeBSD/amd64 runs on CPUs from different vendors. Due to varying behaviour of CPUs in 64-bit mode, a sanity check of the kernel may be insufficient when returning from a system call. Successful exploitation of the problem can lead to local kernel privilege escalation, kernel data corruption and/or crash.
-
15:49
»
Packet Storm Security Recent Files
FreeBSD Security Advisory - The named(8) server does not properly handle DNS resource records where the RDATA field is zero length, which may cause various issues for the servers handling them. Resolving servers may crash or disclose some portion of memory to the client. Authoritative servers may crash on restart after transferring a zone containing records with zero-length RDATA fields. These would result in a denial of service, or leak of sensitive information.
-
-
16:54
»
Packet Storm Security Advisories
FreeBSD Security Advisory - There is a programming error in the DES implementation used in crypt() when handling input which contains characters that cannot be represented with 7-bit ASCII. When the input contains characters with only the most significant bit set (0x80), that character and all characters after it will be ignored.
-
-
16:13
»
Packet Storm Security Advisories
FreeBSD Security Advisory - OpenSSL fails to clear the bytes used as block cipher padding in SSL 3.0 records when operating as a client or a server that accepts SSL 3.0 handshakes. As a result, in each record, up to 15 bytes of uninitialized memory may be sent, encrypted, to the SSL peer. This could include sensitive contents of previously freed memory. OpenSSL support for handshake restarts for server gated cryptography (SGC) can be used in a denial-of-service attack. Various other OpenSSL issues have also been addressed.
-
-
9:31
»
Packet Storm Security Advisories
FreeBSD Security Advisory - The OpenSSL library call used to decrypt private keys ignores the passphrase argument if the key is not encrypted. Because the pam_ssh module only checks whether the passphrase provided by the user is null, users with unencrypted SSH private keys may successfully authenticate themselves by providing a dummy passphrase. If the pam_ssh module is enabled, attackers may be able to gain access to user accounts which have unencrypted SSH private keys.
-
-
11:22
»
Packet Storm Security Advisories
FreeBSD Security Advisory - When an encryption key is supplied via the TELNET protocol, its length is not validated before the key is copied into a fixed-size buffer. An attacker who can connect to the telnetd daemon can execute arbitrary code with the privileges of the daemon (which is usually the "root" superuser).
-
10:35
»
Packet Storm Security Advisories
FreeBSD Security Advisory - The nsdispatch API has no mechanism to alert it to whether it is operating within a chroot environment in which the standard paths for configuration files and shared libraries may be untrustworthy. The FreeBSD ftpd daemon can be configured to use chroot, and also uses the nsdispatch API.
-
10:22
»
Packet Storm Security Advisories
FreeBSD Security Advisory - A remote attacker could cause the BIND resolver to cache an invalid record, which could cause the BIND daemon to crash when that record is being queried.
-
-
19:25
»
Packet Storm Security Advisories
Secunia Security Advisory - Kingcope has discovered a vulnerability in FreeBSD, which can be exploited by malicious people to compromise a vulnerable system.
-
-
15:29
»
Packet Storm Security Exploits
Remote root exploit for FreeBSD ftpd and ProFTPd on FreeBSD. It leverages the fact that /etc and /lib can be modified inside of the chroot.
-
-
15:24
»
Packet Storm Security Advisories
FreeBSD Security Advisory - When a UNIX-domain socket is attached to a location using the bind(2) system call, the length of the provided path is not validated. Later, when this address is returned via other system calls, it is copied into a fixed-length buffer. A local user can cause the FreeBSD kernel to panic. It may also be possible to execute code with elevated privileges ("gain root"), escape from a jail, or to bypass security mechanisms in other ways.
-
15:21
»
Packet Storm Security Advisories
FreeBSD Security Advisory - The code used to decompress a file created by compress(1) does not do sufficient boundary checks on compressed code words, allowing reference beyond the decompression table, which may result in a stack overflow or an infinite loop when the decompressor encounters a corrupted file.
-
14:25
»
Packet Storm Security Advisories
FreeBSD Security Advisory - A logic error in the BIND code causes the BIND daemon to accept bogus data, which could cause the daemon to crash.
-
-
14:30
»
Packet Storm Security Recent Files
Turtle rootkit for FreeBSD. This kernel module hooks unlink() so the protected file cannot be deleted, hooks kill() so the protected process cannot be killed, and has various other nice bells and whistles.
-
-
8:53
»
Packet Storm Security Advisories
FreeBSD Security Advisory - Very large RRSIG RRsets included in a negative response can trigger an assertion failure that will crash named(8) due to an off-by-one error in a buffer size check.
-
-
16:55
»
Packet Storm Security Advisories
FreeBSD Security Advisory - The mountd(8) daemon services NFS mount requests from other client machines. When mountd is started, it loads the export host addresses and options into the kernel using the mount(2) system call. While parsing the exports(5) table, a network mask in the form of "-network=netname/prefixlength" results in an incorrect network mask being computed if the prefix length is not a multiple of 8. For example, specifying the ACL for an export as "-network 192.0.2.0/23" would result in a netmask of 255.255.127.0 being used instead of the correct netmask of 255.255.254.0.
-
-
14:22
»
Packet Storm Security Advisories
FreeBSD's crontab implementation suffers from various race condition and symlink vulnerabilities that allow for minor information leakage.
-
-
20:32
»
Packet Storm Security Advisories
FreeBSD Security Advisory - A race condition exists in the OpenSSL TLS server extension code parsing when used in a multi-threaded application, which uses OpenSSL's internal caching mechanism. The race condition can lead to a buffer overflow. A double free exists in the SSL client ECDH handling code, when processing specially crafted public keys with invalid prime numbers.
-
-
16:01
»
Packet Storm Security Recent Files
FreeBSD Security Advisory - The pfs_getextattr(9) function, used by pseudofs for handling extended attributes, attempts to unlock a mutex which was not previously locked.
-
-
20:00
»
Packet Storm Security Exploits
FreeBSD mbufs() sendfile cache poisoning local privilege escalation exploit that throws a setuid shell in /tmp. Works on 7.x and 8.x builds prior to 12Jul2010.
-
-
2:02
»
SecDocs
Authors: Patroklos Argyroudis
Tags: buffer overflow kernel exploiting FreeBSD
Event: Black Hat EU 2010
Abstract: FreeBSD (http://www.freebsd.org/) is widely accepted as one of the most reliable and performance-driven operating systems currently available in both the open source and proprietary worlds. While the exploitation of kernel vulnerabilities has been researched in the context of the Windows and Linux operating systems, FreeBSD, and BSD systems in general, have not received the same attention. This presentation will initially examine the exploitation of kernel stack overflow vulnerabilities on FreeBSD. The development process of a privilege escalation kernel stack smashing exploit will be documented for vulnerability CVE-2008-3531. The second part of the presentation will present a detailed security analysis of the Universal Memory Allocator (UMA), the FreeBSD kernel's memory allocator. We will examine how UMA overflows can lead to arbitrary code execution in the context of the latest stable FreeBSD kernel (8.0-RELEASE), and we will develop an exploitation methodology for privilege escalation and kernel continuation.
-
-
15:00
»
Packet Storm Security Advisories
Census Labs have discovered two improper input validation vulnerabilities in the FreeBSD kernel's NFS client-side implementation (FreeBSD 8.0-RELEASE, 7.3-RELEASE and 7.2-RELEASE) that allow local unprivileged users to escalate their privileges, or to crash the system by performing a denial of service attack.