Vulnerabilities tagged "vuln"

Nimbuspwn - A Linux Elevation of Privilege

Blog post by Microsoft that details a few vulnerabilities in the `networkd-dispatcher` component in `systemd` which can be chained for LPE. When looking at the code flow, they noticed it would register a signal receiver on the system bus, and the handler would receive a `state` path followed by some data...
 

[Nextcloud] Bypass the protection lock in Android app

Simple bypass of the (optional) password lock screen by force-killing the application a few times. The exact cause of this is unclear; I have seen something previously where it was a "feature" because the developers thought it was crashing at that point, so they disabled it to let the user continue to use the application...
 

Container escape on public GitLab CI Runners

Container escape within GitLab CI Runners abusing cgroup's `release_agent` functionality, as CI jobs are allowed to mount filesystems. The `release_agent` is a script that will be executed when a cgroup hierarchy becomes empty...
 

2FA Bypass by Forcing Use of the non-2FA Endpoint

Probably as easy a 2FA bypass as I've seen. Effectively, if the account had 2FA, the second stage of the password reset form would submit to `/reset2fa`, and if there was no 2FA registered for the account, it would submit to `/reset`. So the attack was just to modify the submission to point to `/reset` instead of `/reset2fa`, and it wouldn't prompt for the 2FA token.
 

FUSE allows UAF reads or write() buffers in Linux < v5.17

With a FUSE (Filesystem in USErspace) there are two modes of IO: either the normal kernel page cache can be used for handling read/write attempts, or, using `FOPEN_DIRECT_IO` in the open call, the read/write requests can be sent directly to the userspace filesystem. In this mode the kernel will grab a reference to the userspace pages rather than copying them into kernel mode, and map those pages over to the FUSE process...
 

Exploiting Struts RCE on 2.5.26

For some `UIBean` tags the `name` field was vulnerable to a double OGNL evaluation when there was no corresponding `value` field which could lead to remote code execution.