what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 26 RSS Feed

Files from Dan Rosenberg

Email addressdan.j.rosenberg at gmail.com
First Active2010-03-05
Last Active2019-12-23
vReliable Datagram Sockets (RDS) rds_page_copy_user Privilege Escalation
Posted Dec 23, 2019
Authored by Dan Rosenberg, Brendan Coles | Site metasploit.com

This Metasploit module exploits a vulnerability in the rds_page_copy_user function in net/rds/page.c (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8 to execute code as root (CVE-2010-3904). This module has been tested successfully on Fedora 13 (i686) kernel version 2.6.33.3-85.fc13.i686.PAE and Ubuntu 10.04 (x86_64) with kernel version 2.6.32-21-generic.

tags | exploit, kernel, root
systems | linux, fedora, ubuntu
advisories | CVE-2010-3904
SHA-256 | bc46d127784cc25a8eebe3568a7dc33efb953a22d3a6de8a44f9394b892ee0c6
Reliable Datagram Sockets (RDS) Privilege Escalation
Posted May 19, 2018
Authored by Dan Rosenberg, Brendan Coles | Site metasploit.com

This Metasploit module exploits a vulnerability in the rds_page_copy_user function in net/rds/page.c (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8 to execute code as root (CVE-2010-3904). This Metasploit module has been tested successfully on Fedora 13 (i686) with kernel version 2.6.33.3-85.fc13.i686.PAE and Ubuntu 10.04 (x86_64) with kernel version 2.6.32-21-generic.

tags | exploit, kernel, root
systems | linux, fedora, ubuntu
advisories | CVE-2010-3904
SHA-256 | a2c6557a8aad197f0270adb44eb609acd74de83e2d42b87eb9f291e7a97fe369
HTC IQRD Android Permission Leakage
Posted Apr 23, 2012
Authored by Dan Rosenberg | Site vsecurity.com

VSR identified a vulnerability in IQRD. The IQRD service listens locally on a TCP socket bound to port 2479. This socket is intended to allow the Carrier IQ service to request device-specific functionality from IQRD. Unfortunately, there is no restriction or validation on which applications may request services using this socket. As a result, any application with the android.permission.INTERNET permission may connect to this socket and send specially crafted messages in order to perform potentially malicious actions.

tags | advisory, tcp
advisories | CVE-2012-2217
SHA-256 | 62460a143a7893941f8c2a7a320f48f1e15c0964c0c6ff6e99e6284cd21d8be2
Calibre E-Book Reader Local Root Race Condition
Posted Nov 3, 2011
Authored by Dan Rosenberg, zx2c4

Calibre E-Book Reader local root race condition exploit that subverts recent changes preventing symlinks and checking path prefixes.

tags | exploit, local, root
SHA-256 | a8d8f271f9bcea57da5e8e80f09acc4ebc27b5f8820e5bdda23f748aa4eb75ef
DEC Alpha Linux 3.0 Local Root Exploit
Posted Jun 12, 2011
Authored by Dan Rosenberg

DEC Alpha Linux versions 3.0 and below local root exploit.

tags | exploit, local, root
systems | linux
SHA-256 | d76bee4c4585b03f096adb7e2ba9879f136892e3a1e26c3bf3b96050672a92de
VMware Tools Disclosure / Privilege Escalation
Posted Jun 4, 2011
Authored by Dan Rosenberg | Site vsecurity.com

VSR identified multiple vulnerabilities in VMware Tools, a suite of utilities shipped by VMware with multiple product offerings, as well as by open-source distributions as the open-vm-tools package. The first of these issues results in a minor information disclosure vulnerability, while the second two issues may result in privilege escalation in a VMware guest with VMware Tools installed.

tags | advisory, vulnerability, info disclosure
advisories | CVE-2011-1787, CVE-2011-2145
SHA-256 | 1af05a5d5b02a34bd95ed4566b81d89008382e496b13d51cebc3c4a6458acab9
Apple HFS+ Information Disclosure
Posted Mar 22, 2011
Authored by Dan Rosenberg | Site vsecurity.com

VSR identified a vulnerability in HFS+, a filesystem implemented in the OS X XNU kernel. HFS+ is the default filesystem in use on many installations of the Mac OS X operating system. By exploiting this vulnerability, an unprivileged user with local access to a machine using HFS+ may be able to read raw filesystem data, bypassing file permissions and resulting in information disclosure.

tags | advisory, kernel, local, info disclosure
systems | apple, osx
advisories | CVE-2011-0180
SHA-256 | 4c4a96b0699e3dfee3ea36679e925786c985788771d9efba8b469276fa52bc3f
FreeBSD crontab Information Leakage
Posted Feb 28, 2011
Authored by Dan Rosenberg

FreeBSD's crontab implementation suffers from various race condition and symlink vulnerabilities that allow for minor information leakage.

tags | advisory, vulnerability
systems | freebsd
SHA-256 | 0c48aa105ac5559bbac3c34bec72fc1a917b4bb2c39f51d11be3e0a1932aa408
VideoLAN VLC MKV Memory Corruption
Posted Feb 3, 2011
Authored by Dan Rosenberg | Site metasploit.com

This Metasploit module exploits an input validation error in VideoLAN VLC < 1.1.7. By creating a malicious MKV or WebM file, a remote attacker could execute arbitrary code.

tags | exploit, remote, arbitrary
advisories | CVE-2011-0531, OSVDB-70698
SHA-256 | 089c03cdcf6cbedcf40c0da3c8c00719db381e766eff4249410bb2a906521f96
OpenOffice.org Multiple Memory Corruption Vulnerabilities
Posted Jan 26, 2011
Authored by Dan Rosenberg | Site vsecurity.com

VSR identified multiple memory corruption vulnerabilities in OpenOffice.org. By convincing a victim to open a maliciously crafted RTF or Word document, arbitrary code may be executed on the victim's machine. Versions prior to 3.3 are affected.

tags | advisory, arbitrary, vulnerability
advisories | CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, CVE-2010-3454
SHA-256 | 76148fa5fbd6a847442ba5146f5992a028c81ea3ce77f8550dd19a9ce932f325
Linux Kernel CAP_SYS_ADMIN To Root Exploit
Posted Jan 5, 2011
Authored by Dan Rosenberg

This Linux kernel CAP_SYS_ADMIN exploit leverages a signedness error in the Phonet protocol. By specifying a negative protocol index, it crafts a series of fake structures in userspace and causes the incrementing of an arbitrary kernel address, which then gets leveraged to execute arbitrary kernel code.

tags | exploit, arbitrary, kernel, protocol
systems | linux
SHA-256 | 09c12d1fafa94bbe4bde3fb6ae32992db287027ff62b658aa13d193e41f7f87f
Linux Kernel 2.6.37 Local Privilege Escalation
Posted Dec 8, 2010
Authored by Dan Rosenberg

Linux kernel local privilege escalation exploit for versions 2.6.37 and below. It leverages three separate vulnerabilities to achieve root including a NULL pointer dereference, being able to assign arbitrary Econet addresses to arbitrary interfaces, and the ability to write a NULL word to an arbitrary kernel address.

tags | exploit, arbitrary, kernel, local, root, vulnerability
systems | linux
advisories | CVE-2010-4258, CVE-2010-3849, CVE-2010-3850
SHA-256 | 90c6bf981c13631f20aedf98e74ee2ce76bde194f9c594a64c300a938f3bfa47
Linux Kernel Stack Byte Leakage Exploit
Posted Nov 10, 2010
Authored by Dan Rosenberg | Site vsecurity.com

Local Linux kernel exploit that demonstrate how the "mem" array used as scratch space for socket filters is not initialized, allowing unprivileged users to leak kernel stack bytes.

tags | exploit, kernel, local
systems | linux
SHA-256 | 41f4c4f5e19f3b41bc7cfe2dad288a198d7cdca8f0b4d55690ee5693864819b2
Linux RDS Protocol Local Privilege Escalation
Posted Oct 19, 2010
Authored by Dan Rosenberg | Site vsecurity.com

On October 13th, VSR identified a vulnerability in the RDS protocol, as implemented in the Linux kernel. Because kernel functions responsible for copying data between kernel and user space failed to verify that a user-provided address actually resided in the user segment, a local attacker could issue specially crafted socket function calls to write arbitrary values into kernel memory. By leveraging this capability, it is possible for unprivileged users to escalate privileges to root.

tags | advisory, arbitrary, kernel, local, root, protocol
systems | linux
advisories | CVE-2010-3904
SHA-256 | bb09d9a3c04ad643125f43810191104a9e73f9ab75e3f77d497d3f284186f60b
Linux Kernel 2.6.36-rc8 RDS Privilege Escalation
Posted Oct 19, 2010
Authored by Dan Rosenberg | Site vsecurity.com

Linux kernel versions 2.6.36-rc8 and below RDS privilege escalation exploit.

tags | exploit, kernel
systems | linux
advisories | CVE-2010-3904
SHA-256 | 0262577e3e756fba60e9c378405ae208ebb9563222e21ca4a4b81be04b89e9d5
Coda Filesystem Kernel Memory Disclosure
Posted Aug 17, 2010
Authored by Dan Rosenberg | Site vsecurity.com

Virtual Security Research, LLC. Security Advisory - VSR identified a vulnerability in the Coda filesystem kernel module, as implemented for FreeBSD and NetBSD. By sending a specially crafted ioctl request to a mounted Coda filesystem, an unprivileged local user could read large portions of kernel heap memory, leading to the disclosure of potentially sensitive information.

tags | advisory, kernel, local, info disclosure
systems | netbsd, freebsd
advisories | CVE-2010-3014
SHA-256 | 2a33556640e8aacacde12fc52c8c1542bef5798e08d4ad672635ca2fb49e83f2
Mac OS X WebDAV Kernel Extension Denial Of Service
Posted Jul 26, 2010
Authored by Dan Rosenberg

The Mac OS X WebDAV kernel extension is vulnerable to a denial of service issue that allows a local unprivileged user to trigger a kernel panic due to a memory overallocation.

tags | advisory, denial of service, kernel, local
systems | apple, osx
advisories | CVE-2010-1794
SHA-256 | d6f15be99289fd0bcf6c81b9793b54371556cccddb48c1a7ecd9884a927c66d7
FuzzDiff Crash Analysis Tool
Posted Jul 26, 2010
Authored by Dan Rosenberg | Site vsecurity.com

FuzzDiff is a simple tool created to assist in helping make crash analysis during file format fuzzing a bit easier. When provided with a fuzzed file, a corresponding original un-fuzzed file, and the path to the targeted program, FuzzDiff will selectively "un-fuzz" portions of the fuzzed file while re-launching the application to monitor for crashes. This will yield a file that still crashes the target application, but contains a minimum set of changes from the original, un-fuzzed file. This can be useful in pinning down the exact cause of a crash.

tags | fuzzer
SHA-256 | 64a2478b6758505b56ea79a765292e926f190b7255790d538d7a95e688fd16bb
iDEFENSE Security Advisory 2010-06-21.1
Posted Jun 29, 2010
Authored by iDefense Labs, Dan Rosenberg | Site idefense.com

iDefense Security Advisory 06.21.10 - Remote exploitation of a stack buffer overflow vulnerability in version 3.9.2 of LibTIFF, as included in various vendors' operating system distributions, could allow an attacker to execute arbitrary code with the privileges of the current user. This vulnerability is due to insufficient bounds checking when copying data into a stack allocated buffer. During the processing of a certain EXIF tag a fixed sized stack buffer is used as a destination location for a memory copy. This memory copy can cause the bounds of a stack buffer to be overflown and this condition may lead to arbitrary code execution. iDefense has confirmed the existence of this vulnerability in version 3.9.2 of libTIFF. Previous versions are not affected.

tags | advisory, remote, overflow, arbitrary, code execution
advisories | CVE-2010-2067
SHA-256 | 014d43587d44901b7350126457fa46e3ddd7be36fcae7a02d6977373e2a71713
Exim 4 Symlink / Race Condition Vulnerabilities
Posted Jun 4, 2010
Authored by Dan Rosenberg

Exim 4 suffers from local symlink and race condition vulnerabilites.

tags | advisory, local
advisories | CVE-2010-2023, CVE-2010-2024
SHA-256 | d894d9ac3680893c4de1df8deea0bb09c3c5f18e99348ec10bb3351fafdf3e38
Scientific Atlanta DPC2100 Cable Modem Cross Site Request Forgery
Posted May 25, 2010
Authored by Dan Rosenberg

The Scientific Atlanta DPC2100 Cable Modem suffers from cross site request forgery and insufficient authentication vulnerabilities.

tags | exploit, vulnerability, csrf
advisories | CVE-2010-2025, CVE-2010-2026
SHA-256 | 526edd304fca1c5a00df908a6e6c705539bd6f5e7a759e2196082becea2fc227
Ghostscript Stack Overflow
Posted May 12, 2010
Authored by Dan Rosenberg

Ghostscript suffers from code execution and stack overflow vulnerabilities.

tags | advisory, overflow, vulnerability, code execution
advisories | CVE-2010-1869
SHA-256 | 3ae78b80a2f029d3507689c46f8386059dca772b84fc5bee89098e5fb38a420b
Foritfy Arbitrary Memory Address Space
Posted Apr 28, 2010
Authored by Dan Rosenberg

Fortify (FORTIFY_SOURCE as used with gdb) suffers from a little trick that allows for reading of arbitrary address space.

tags | paper, arbitrary
SHA-256 | 5592ed45c719808d090e4002892c4abedb9388b403958b3feadde04a23960930
Deliver Race Condition
Posted Mar 25, 2010
Authored by Dan Rosenberg

The Deliver mail delivery program suffers from several race condition vulnerabilities.

tags | advisory, vulnerability
advisories | CVE-2010-0439
SHA-256 | 05333665d18be17f37a1fdfcd655bd89040d70e095e671c464fef3c39c9bf329
ncpfs Race Conditions / Denial Of Service / Disclosure
Posted Mar 6, 2010
Authored by Dan Rosenberg

The ncpmount, ncpumount, and ncplogin utilities, installed as part of the ncpfs package, contain race conditions, information disclosures, and denial of service vulnerabilities.

tags | advisory, denial of service, vulnerability, info disclosure
advisories | CVE-2010-0788, CVE-2010-0790, CVE-2010-0791
SHA-256 | bee0a8f7594f3657d6643476cfedee7d3fee1c4555768af16fe7f3bde6ab4720
Page 1 of 2
Back12Next

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close