
Heap Overflow in Sudo: The Struggling Escape Artist (CVE-2021-3156)
January 27, 2021
Yesterday, the Qualys Research Team disclosed a heap overflow vulnerability in sudo, CVE-2021-3156, called “Baron Samedit” (in a show of delightful wordplay with the Haitian Vodou spirit). It allows a local user to become root and gain control over the target system. Why it’s cool: Sudo, short for “superuser do”, is a default utility in […]
Grubbing Secure Boot the Wrong Way: CVE-2020-10713
July 29, 2020
Today, researchers at Eclypsium disclosed a buffer overflow vulnerability in GRUB2, CVE-2020-10713, affectionately termed “Boothole.” It basically results in a total pwn of Secure Boot in systems using GRUB, which is a lot of them — all Linux distros, a bunch of Windows machines, and more. Additionally, the mitigation process is a certified hot mess, […]
High STEKs: On-path attacks in GnuTLS (CVE-2020-13777)
June 11, 2020
This month, Fiona Klute disclosed a vulnerability in GnuTLS, CVE-2020-13777. It can either enable on-path attackers for TLS 1.3, or facilitate passive decryption of traffic between servers running GnuTLS for TLS 1.2. Either way, it’s not great! Why it’s cool: Attackers could exploit this vuln to recover previously captured network traffic, like conversations (for servers […]
eBPF’s Rollercoaster of Pwn: An Overview of CVE-2020-8835
April 23, 2020
Last Friday, Manfred Paul published a blog post about the vuln he used at Pwn2Own 2020, CVE-2020-8835, a local privilege escalation bug in the Linux Kernel. It affects any Linux distros using Linux kernels 5.5.0 and newer. Why it’s cool: eBPF is the Hacker News hotness for tracing (i.e. monitoring execution of) the Linux kernel, […]
RAMming Down Hype via Intel CSME
March 6, 2020
Recently, security researchers found new vectors of exploiting a vulnerability in Intel CSME, CVE-2019-0090, affecting all Intel chips other than Generation 10 (Ice Lake). The researchers haven’t released exploitation details yet, but proclaimed that “utter chaos will reign”… but not by exploiting this vulnerability! Instead, there’s a potential for chaos if attackers figure out how […]
HELO, Is It Me You’re Exploiting For?
October 1, 2019
Another month, another pre-auth RCE in Exim, an open source mail server for Unix systems. This time, it’s CVE-2019-16928, a heap-based buffer overflow reported this weekend. Why it matters: If you heard about the other Exim bug from mid-September, you probably did the smart thing and patched to the latest version (4.92+). Regrettably, this new […]
(Back) Slasher: RCE Horrors in Exim
September 10, 2019
Last week, a buffer overflow vuln, deemed CVE-2019-15846, was announced in Exim that allowed remote code execution (RCE) via a trailing backslash, perhaps like a blade-wielding ghost stalking you after being summoned to murder you (it’s never too early for Spooktober vibes). Exim is an open source mail transfer agent shipped with most Linux distros, […]
Off to the PTraces
July 17, 2019
Yesterday, a privilege escalation bug in the ptrace syscall was made public by Jann Horn at Project Zero, deemed CVE-2019-13272. The culprit was broken permission and object lifetime handling by the PTRACE_TRACEME request, which basically let Linux processes ask an attacker to “trace me like one of your French girls.” Why it’s cool: This vuln […]
Escaping like a Rocket via rkt enter
June 4, 2019
Last week, a researcher disclosed three vulnerabilities in rkt, CVE-2019-10144, CVE-2019-10145, and CVE-2019-10147, that let an attacker escape the container. Rkt is an open source container runtime created by CoreOS in 2014. Why it’s cool: This vuln trio allows attackers to gain root on the host machine from a rkt pod. rkt up to version […]
Race Conditions – Cloudy with a Chance of R/W Access
May 28, 2019
Docker Race Condition: CVE-2018-15664
Today, Aleksa Sarai published a Docker vulnerability, CVE-2018-15664, on the oss-sec mailing list. It turns out that a function inside Docker facilitates a TOCTOU bug (more on that below) which could let someone malicious inside a container gain arbitrary read/write file access on the host with root privileges (not […]
A Buffer Buffet for Data Sampling
May 15, 2019
CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
Yesterday, three data sampling side channel vulnerabilities were disclosed in Intel CPUs by a whole bunch of smart researchers. Intel is calling them “microarchitectural data sampling” (MDS) bugs, but they’re colloquially known as ZombieLoad (CVE-2019-1109 & CVE-2018-12130), RIDL aka “Rogue In-flight Data Load” (CVE-2018-12130), and Fallout (CVE-2018-12126) — plus there was […]
Apache CARPE DIEM: CVE-2019-0211
April 9, 2019
Recently, Charles Fol blogged about his privilege escalation bug in Apache, CVE-2019-0211, aka “CARPE DIEM” (seize the 0day, comrades!). This affects Apache HTTP Server versions 2.4.17 through version 2.4.38 (from October 9, 2015 to April 1, 2019). Why is it cool? Exploiting this bug allows for escalation from the meager privileges of an Apache worker […]