Ubuntu Security Notice 2908-3 - halfdog discovered that OverlayFS, when mounting on top of a FUSE mount, incorrectly propagated file attributes, including setuid. A local unprivileged attacker could use this to gain privileges. halfdog discovered that OverlayFS in the Linux kernel incorrectly propagated security-sensitive extended attributes, such as POSIX ACLs. A local unprivileged attacker could use this to gain privileges. Various other issues were also addressed.
8716f9dfa5387ac6e3e6ff94510d7161d98367b8036548e12a2e1d81732e1f1c
Ubuntu Security Notice 2908-1 - halfdog discovered that OverlayFS, when mounting on top of a FUSE mount, incorrectly propagated file attributes, including setuid. A local unprivileged attacker could use this to gain privileges. halfdog discovered that OverlayFS in the Linux kernel incorrectly propagated security-sensitive extended attributes, such as POSIX ACLs. A local unprivileged attacker could use this to gain privileges. Various other issues were also addressed.
07596e6ec12eeb907c4ab0d2cdc1c2ab789da78a8039e9d891d2a3f13f37c5f4
Ubuntu Security Notice 2907-2 - halfdog discovered that OverlayFS, when mounting on top of a FUSE mount, incorrectly propagated file attributes, including setuid. A local unprivileged attacker could use this to gain privileges. halfdog discovered that OverlayFS in the Linux kernel incorrectly propagated security-sensitive extended attributes, such as POSIX ACLs. A local unprivileged attacker could use this to gain privileges. Various other issues were also addressed.
963e536d218f0e81e41ebb8a8147fbedb301ff6538499599412b9b5c1093f890
Ubuntu Security Notice 2907-1 - halfdog discovered that OverlayFS, when mounting on top of a FUSE mount, incorrectly propagated file attributes, including setuid. A local unprivileged attacker could use this to gain privileges. halfdog discovered that OverlayFS in the Linux kernel incorrectly propagated security-sensitive extended attributes, such as POSIX ACLs. A local unprivileged attacker could use this to gain privileges. Various other issues were also addressed.
fdac4052fa0c407475c40375a8f0dfb58fed0c920779bbb4203e890183fb094e
Red Hat Security Advisory 2016-0225-01 - The glibc packages provide the standard C libraries, POSIX thread libraries, standard math libraries, and the Name Server Caching Daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. A stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries. A remote attacker could create a specially crafted DNS response which could cause libresolv to crash or, potentially, execute code with the permissions of the user running the library. Note: this issue is only exposed when libresolv is called from the nss_dns NSS service module.
36bb67815bd7e37f3beda38548970f1dc500e60b18ee2344ee80be50c5f3fdc6
Red Hat Security Advisory 2016-0176-01 - The glibc packages provide the standard C libraries, POSIX thread libraries, standard math libraries, and the name service cache daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. A stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries. A remote attacker could create a specially crafted DNS response which could cause libresolv to crash or, potentially, execute code with the permissions of the user running the library. Note: this issue is only exposed when libresolv is called from the nss_dns NSS service module.
cb26d916df37d2282250c405f15e20226153e6df9e8e3e0b9d8911eda607768a
Red Hat Security Advisory 2016-0175-01 - The glibc packages provide the standard C libraries, POSIX thread libraries, standard math libraries, and the Name Server Caching Daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. A stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries. A remote attacker could create a specially crafted DNS response which could cause libresolv to crash or, potentially, execute code with the permissions of the user running the library. Note: this issue is only exposed when libresolv is called from the nss_dns NSS service module.
250da49162f89ae85605b47646659f001c5b45318d448d14ed1f4d5a1b608c74
OS X suffers from a privilege escalation vulnerability due to XPC type confusion in sysmond.
84ce6959cd03e4fc99b8bddfeb6aeb14ae2f9faa1682d524c3ff80126ea1fdfe
iOS / OS X kernels suffer from a use-after-free / double free vulnerability due to lack of locking in IOHDIXControllerUserClient::clientClose.
adb1b7847f70f13cf0c6ea874eee96b6c0668190e0c8da0a1d59183341cb8770
iOS / OS X suffer from a kernel double free due to lack of locking in IOKit registry iterator manipulation.
8165a567612f28c0b556478f27c6f67dcb0caeb69b674c8e9e622681a9e157de
iOS and OS X suffer from a kernel code execution vulnerability due to an integer overflow in NECP system control socket packet parsing.
a90f8ff051275e3a2763ebcc399a8891e5415fd85649de1e7df1f7d097d14c5e
iOS and OS X suffer from a kernel code execution vulnerability via a double delete in IOHIDEventQueue::start due to incorrect error handling.
6ac15af258a146b8752ac818073462c4ae8b5c574c8d1f8ee6cb3d0d6bc85d9f
Apple Security Advisory 2016-01-19-2 - OS X El Capitan 10.11.3 and Security Update 2016-001 are now available and address memory corruption, code execution, and privilege escalation vulnerabilities.
100bff59d0f404f5edd70e97d638dbeff75a49bfaed850a3f6f6bf7da7f8c8fa
Apple Security Advisory 2015-12-08-3 - OS X El Capitan 10.11.2 and Security Update 2015-008 are now available and address 54 vulnerabilities.
78e2a97a16b2ff481c45ddbbba9833cf2d0f52000284853fc1795caaaf5b2c92
Red Hat Security Advisory 2015-2589-01 - The glibc packages provide the standard C libraries, POSIX thread libraries, standard math libraries, and the Name Server Caching Daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. It was discovered that the nss_files backend for the Name Service Switch in glibc would return incorrect data to applications or corrupt the heap. A local attacker could potentially use this flaw to execute arbitrary code on the system. It was discovered that, under certain circumstances, glibc's getaddrinfo() function would send DNS queries to random file descriptors. An attacker could potentially use this flaw to send DNS queries to unintended recipients, resulting in information disclosure or data loss due to the application encountering corrupted data.
500d94725a7bca027910198d11bcaf63c36b7385c61ae995036c7436f222d112
Mac OS X version 10.11 suffered from a buffer overflow vulnerability in FTS when traversing a deeply nested file system structure.
ae3851256e0ee57573fd3cac02fe7bcf26b41cfc7bbf09ad64cb3dfcdae81556
The Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. Mac OS X release.
581e1746384263a01a8d4def828d291e707fca3788d9302c1e57edb457db18ae
Red Hat Security Advisory 2015-2172-01 - The glibc packages provide the standard C libraries, POSIX thread libraries, standard math libraries, and the Name Server Caching Daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. It was discovered that the nss_files backend for the Name Service Switch in glibc would return incorrect data to applications or corrupt the heap in certain cases. A local attacker could potentially use this flaw to escalate their privileges.
85b19fac93010af8ff49962e528a4a1656adaf223c5b448e01bf25afe054dd99
Red Hat Security Advisory 2015-2199-07 - The glibc packages provide the standard C libraries, POSIX thread libraries, standard math libraries, and the Name Server Caching Daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. It was discovered that, under certain circumstances, glibc's getaddrinfo() function would send DNS queries to random file descriptors. An attacker could potentially use this flaw to send DNS queries to unintended recipients, resulting in information disclosure or data loss due to the application encountering corrupted data.
f94e9bae1ee9312a7c4a7f82ecb9725f410c0b7a137de93a1b8c44897482e087
This Metasploit module writes to the sudoers file without root access by exploiting rsh and malloc log files. It makes sudo require no password, giving access to su even if root is disabled. Works on OS X 10.9.5 to 10.10.5 (patched on 10.11).
1959cf26f98a303dd73293b46328a6156cc9e858b22283d3803da877cf76e849
In versions of Mac OS X before 10.11.1, the applescript:// URL scheme is provided, which opens the provided script in the AppleScript Editor. Pressing cmd-R in the Editor executes the code without any additional confirmation from the user. By getting the user to press cmd-R in Safari, and by hooking the cmd-key keypress event, a user can be tricked into running arbitrary AppleScript code. Gatekeeper should be disabled from Security and Privacy in order to avoid the unidentified Developer prompt.
9ce25e64b927af84c807e90aff34d53a6d9d3e37334d7f8087944eb2e190924f
Apple Security Advisory 2015-10-21-8 - OS X Server 5.0.15 is now available and addresses BIND and bypass vulnerabilities.
412ab3e71955416d2cd012b8f149b98e2a4f5c4bbbe6020dfd2cfa90f0615729
Apple Security Advisory 2015-10-21-4 - OS X El Capitan 10.11.1 and Security Update 2015-007 are now available and address memory corruption, code execution, and various other vulnerabilities.
29b89a7f94c21f47037df252cf87e2917cad436a38b6f9faf840a0c7ee609335
The default root-suid binary /usr/bin/rsh on Mac OS X uses execv() in an insecure manner. /usr/bin/rsh will invoke /usr/bin/rlogin if launched with only a host argument, without dropping privileges or clearing the environment. This exploit will pass "MallocLogFile" to /usr/bin/rsh, which is then passed on to rlogin and interpreted by libmalloc to create a root-owned file with partially controlled contents at /etc/crontab which gives a rootshell via sudo. Tested on 10.9.5 / 10.10.5 but it most likely works on much older versions too.
57369dae3073aa171e586034196b70f67cf18695ca619dddcbe2f77bfce377a9
Apple Security Advisory 2015-09-30-03 - OS X El Capitan 10.11 is now available and addresses close to 100 vulnerabilities that may exist in prior releases.
7a0709c784a5d4fb9ea404af89915bb4719339d731eebc17ca1e750e0b02747c