Channel: Files from Qualys Security Advisory ≈ Packet Storm

System Down: A systemd-journald Exploit

This is the systemd-journald exploit produced by Qualys that demonstrates the vulnerabilities as highlighted in CVE-2018-16865 and CVE-2018-16866.

Exim 4.9.1 Remote Command Execution

Qualys discovered a remote command execution vulnerability in Exim versions 4.87 to 4.91.

Qualys Security Advisory - OpenBSD Dynamic Loader Privilege Escalation

Qualys discovered a local privilege escalation in OpenBSD's dynamic loader (ld.so). This vulnerability is exploitable in the default installation (via the set-user-ID executable chpass or passwd) and...

OpenBSD Dynamic Loader chpass Privilege Escalation

This Metasploit module exploits a vulnerability in the OpenBSD ld.so dynamic loader (CVE-2019-19726). The _dl_getenv() function fails to reset the LD_LIBRARY_PATH environment variable when set with...

OpenBSD OpenSMTPD Privilege Escalation / Code Execution

Qualys discovered a vulnerability in OpenSMTPD, OpenBSD's mail server. This vulnerability is exploitable since May 2018 (commit a8e222352f, "switch smtpd to new grammar") and allows an attacker to...

OpenSMTPD 6.6.2 Remote Code Execution

OpenSMTPD version 6.6.2 remote code execution exploit.

OpenSMTPD MAIL FROM Remote Code Execution

This Metasploit module exploits a command injection in the MAIL FROM field during SMTP interaction with OpenSMTPD to execute code as the root user.

OpenSMTPD Local Information Disclosure

Qualys discovered a minor vulnerability in OpenSMTPD, OpenBSD's mail server. An unprivileged local attacker can read the first line of an arbitrary file (for example, root's password hash in...

OpenSMTPD Out-Of-Bounds Read

Qualys discovered a vulnerability in OpenSMTPD, OpenBSD's mail server. This vulnerability, an out-of-bounds read introduced in December 2015, is exploitable remotely and leads to the execution of...

OpenSMTPD Out-Of-Bounds Read / Local Privilege Escalation

This Metasploit module exploits an out-of-bounds read of an attacker-controlled string in OpenSMTPD's MTA implementation to execute a command as the root or nobody user, depending on the kind of...

Qualys Security Advisory - Qmail Remote Code Execution

In 2005, three vulnerabilities were discovered in qmail but were never fixed because they were believed to be unexploitable in a default installation. Qualys recently re-discovered these...

Qmail Local Privilege Escalation / Remote Code Execution

Qualys has released their local privilege escalation and remote code execution exploit for qmail that leverages the vulnerability as described in CVE-2005-1513.

Sudo Heap-Based Buffer Overflow

Qualys has released extensive research details regarding a heap-based buffer overflow vulnerability in sudo. The issue was introduced in July 2011 (commit 8255ed69), and affects all legacy versions...

Sudo 1.8.31p2 / 1.9.5p1 Buffer Overflow

A heap-based buffer overflow exists in the sudo command line utility that can be exploited by a local attacker to gain elevated privileges. The vulnerability was introduced in July of 2011 and affects...

Sequoia: A Deep Root In Linux's Filesystem Layer

Qualys discovered a size_t-to-int conversion vulnerability in the Linux kernel's filesystem layer: by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, an...

Polkit pkexec Local Privilege Escalation

Qualys discovered a local privilege escalation (from any user to root) in polkit's pkexec, a SUID-root program that is installed by default on every major Linux distribution.

Polkit pkexec Local Privilege Escalation

This is a Metasploit module for the argument processing bug in the polkit pkexec binary. If the binary is provided with no arguments, it will continue to process environment variables as argument...

Polkit pkexec Privilege Escalation

This is a Metasploit module for the argument processing bug in the polkit pkexec binary that leads to privilege escalation. It leverages the raw C exploit.

Leeloo Multipath Authorization Bypass / Symlink Attack

The Qualys Research Team has discovered authorization bypass and symlink vulnerabilities in multipathd. The authorization bypass was introduced in version 0.7.0 and the symlink vulnerability was...

snap-confine must_mkdir_and_open_with_perms() Race Condition

Qualys discovered a race condition (CVE-2022-3328) in snap-confine, a SUID-root program installed by default on Ubuntu. In this advisory, they tell the story of this vulnerability (which was introduced...

RenderDoc 1.26 Local Privilege Escalation / Remote Code Execution

RenderDoc versions 1.26 and below suffer from integer underflow, integer overflow, and symlink vulnerabilities.

OpenSSH Forwarded SSH-Agent Remote Code Execution

The PKCS#11 feature in ssh-agent in OpenSSH versions prior to 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled...

glibc ld.so Local Privilege Escalation

Dubbed Looney Tunables, Qualys discovered a buffer overflow vulnerability in the glibc dynamic loader's processing of the GLIBC_TUNABLES environment variable. This vulnerability was introduced in April...

glibc qsort() Out-Of-Bounds Read / Write

Qualys discovered a memory corruption in glibc's qsort() function, due to a missing bounds check. To be vulnerable, a program must call qsort() with a nontransitive comparison function (a function...

glibc syslog() Heap-Based Buffer Overflow

Qualys discovered a heap-based buffer overflow in the GNU C Library's __vsyslog_internal() function, which is called by both syslog() and vsyslog(). This vulnerability was introduced in glibc 2.37 (in...
