| # | Title | Description | Proof of concept | Affected systems | References |
|---|-------|-------------|------------------|------------------|------------|
| 1 | Apple Airport 802.11 Probe Response Kernel Memory Corruption | The Apple Airport driver provided with Orinoco-based Airport cards (1999-2003 PowerBooks, iMacs) is vulnerable to a remote memory corruption flaw that can lead to arbitrary code execution. | Metasploit Exploit Module | Mac OS X with Apple Airport 802.11 (Orinoco-based) | MOKB-01-11-2006, CVE-2006-5710 |
| 2 | Linux 2.6.x squashfs double free | The squashfs module of the Linux kernel (2.6.x) fails to properly handle corrupted fs structures, leading to a denial of service and possible data corruption condition. | MOKB-02-11-2006.img.gz | Linux 2.6.x squashfs | MOKB-02-11-2006, CVE-2006-5701 |
| 3 | FreeBSD 6.1 UFS filesystem ffs_mountfs() integer overflow | The UFS filesystem handling code of the FreeBSD 6.1 kernel fails to properly handle corrupted data structures, leading to exploitable memory corruption (DoS) issues and possible arbitrary code execution. This particular vulnerability is caused by an integer overflow in the ffs_mountfs() function. | Check MOKB-08-11-2006 and/or debug information. | FreeBSD 6.1 (STABLE) and probably 7 (HEAD) | MOKB-03-11-2006, CVE-2006-5679 |
| 4 | Solaris 10 UFS filesystem alloccgblk denial of service | The UFS filesystem handling code of the Solaris 10 kernel fails to properly handle corrupted data structures, leading to an exploitable denial of service issue and potential loss of data or corruption of the local UFS filesystems, due to memory corruption. | MOKB-04-11-2006.img.gz | SunOS 5.10 Generic_118855-19 and previous (not verified). | MOKB-04-11-2006, CVE-2006-5726 |
| 5 | Linux 2.6.x ISO9660 __find_get_block_slow() denial of service | The ISO9660 filesystem handling code of the Linux 2.6.x kernel fails to properly handle corrupted data structures, leading to an exploitable denial of service condition. This particular vulnerability seems to be caused by a race condition and a signedness issue. | MOKB-05-11-2006.iso.bz2 | Linux kernel 2.6.18 and previous (2.6.x). Probably 2.4.x (not verified). | MOKB-05-11-2006, CVE-2006-5757 |
| 6 | Microsoft Windows kernel GDI local privilege escalation | A vulnerability in the handling of GDI kernel structures of Microsoft Windows leads to an exploitable memory corruption condition, causing a denial of service (so-called BSoD) or arbitrary code execution on successful exploitation. | GDIKernelPoC.cpp | Microsoft Windows 2000 SP0-SP4, XP SP0-SP2. | MOKB-06-11-2006, CVE-2006-5758 |
| 7 | Linux 2.6.x zlib_inflate memory corruption | The Linux 2.6.x zlib_inflate function can be abused by filesystems that depend on zlib compression, such as cramfs. A failure to handle crafted data, the result of a read operation on a corrupted filesystem stream, may lead to memory corruption and potential arbitrary code execution. | MOKB-07-11-2006.img.bz2 | Linux kernel 2.6.18 and previous (2.6.x). | MOKB-07-11-2006, CVE-2006-5823 |
| 8 | FreeBSD 6.1 UFS filesystem ffs_rdextattr() integer overflow | The UFS filesystem handling code of the FreeBSD 6.1 kernel fails to properly handle corrupted data structures, leading to exploitable memory corruption (DoS) issues and possible arbitrary code execution. This particular vulnerability is caused by an integer overflow, similar to MOKB-03-11-2006. | MOKB-08-11-2006.img.bz2 | FreeBSD 6.1 (STABLE) and probably 7 (HEAD) | MOKB-08-11-2006, CVE-2006-5824 |
| 9 | Mac OS X fpathconf() syscall denial of service | Failure to handle unknown file types in the Mac OS X kernel (XNU) fpathconf() syscall causes a kernel panic, leading to an exploitable local denial of service by non-privileged users. | Check release page. | Mac OS X 10.3.x, 10.4.x (tested x86 and PPC). | MOKB-09-11-2006, CVE-2006-5836 |
| 10 | Linux 2.6.x ext3fs_dirhash denial of service | The Linux 2.6.x ext3 filesystem code fails to properly handle corrupted data structures, leading to an exploitable denial of service issue with potential fs corruption when a read operation is done on a crafted ext3 stream. | MOKB-10-11-2006.img.bz2 | Linux kernel 2.6.18 and previous (2.6.x). | MOKB-10-11-2006, CVE-2006-6053 |
| 11 | Broadcom Wireless Driver Probe Response SSID Overflow | The Broadcom BCMWL5.SYS wireless device driver is vulnerable to a stack-based buffer overflow that can lead to arbitrary kernel-mode code execution. This particular vulnerability is caused by improper handling of 802.11 probe responses containing a long SSID field. | broadcom_wifi_ssid.rb | Unpatched BCMWL5.SYS (ex. version 3.50.21.10) | MOKB-11-11-2006, CVE-2006-5882 |
| 12 | Linux 2.6.x ext2_check_page denial of service | The Linux 2.6.x ext2 filesystem code fails to properly handle corrupted data structures, leading to an exploitable denial of service issue when a read operation is done on a crafted fs stream. | MOKB-12-11-2006.img.bz2 | Linux kernel 2.6.18 and previous (2.6.x). | MOKB-12-11-2006, CVE-2006-6054 |
| 13 | D-Link DWL-G132 Wireless Driver Beacon Rates Overflow | The D-Link DWL-G132 wireless adapter (USB) ships with a version of A5AGU.SYS that is vulnerable to a stack-based buffer overflow. This overflow can lead to arbitrary kernel-mode code execution. The overflow occurs when an 802.11 beacon request is received that contains over 36 bytes in the Rates information element (IE). | dlink_wifi_rates.rb | Unpatched A5AGU.SYS (ex. version 1.0.1.41, DWL-G132 driver) | MOKB-13-11-2006, CVE-2006-6055 |
| 14 | Linux 2.6.x SELinux superblock_doinit denial of service | Failure to handle mounting of corrupt filesystem streams may lead to a local denial of service condition when SELinux hooks are enabled. This particular vulnerability is caused by a null pointer dereference in the superblock_doinit function. | MOKB-14-11-2006.img.bz2 | Linux kernel 2.6.18 and previous (2.6.x). | MOKB-14-11-2006, CVE-2006-6056 |
| 15 | Linux 2.6.x gfs2 init_journal denial of service | The Linux 2.6.x gfs2 filesystem code fails to properly handle corrupted data structures, leading to an exploitable denial of service issue when a crafted stream is mounted. | MOKB-15-11-2006.img.bz2 | Linux kernel 2.6.18 and previous (2.6.x) with GFS2 support. | MOKB-15-11-2006, CVE-2006-6057 |
| 16 | NetGear WG111v2 Wireless Driver Long Beacon Overflow | The NetGear WG111v2 wireless adapter (USB) ships with a version of WG111v2.SYS that is vulnerable to a stack-based buffer overflow. This overflow can lead to arbitrary kernel-mode code execution. The overflow occurs when an 802.11 beacon request is received that contains over 1100 bytes of information elements. | netgear_wg111_beacon.rb | NetGear WG111v2 wireless adapter (USB) driver (WG111v2.SYS), tested version 5.1213.6.316. | MOKB-16-11-2006, CVE-2006-5972 |
| 17 | Linux 2.6.x minix_bmap denial of service | The Linux 2.6.x minix filesystem code fails to properly handle corrupted data structures, leading to an exploitable denial of service issue when a crafted fs stream is mounted. | MOKB-17-11-2006.img.bz2 | Linux kernel 2.6.18 and previous (2.6.x). | MOKB-17-11-2006, CVE-2006-6058 |
| 18 | NetGear MA521 Wireless Driver Long Rates Overflow | The NetGear MA521 wireless adapter (CARDBUS) ships with a version of MA521nd5.SYS that is vulnerable to a memory corruption condition. This issue may lead to arbitrary kernel-mode code execution. | netgear_ma521_rates.rb | NetGear MA521 wireless adapter (CARDBUS) driver (MA521nd5.SYS), tested version 5.148.724.2003. | MOKB-18-11-2006, CVE-2006-6059 |
| 19 | Linux 2.6.x NTFS __find_get_block_slow() denial of service | The NTFS filesystem module of the Linux 2.6.x kernel fails to properly handle corrupted data structures, leading to an exploitable denial of service condition. This issue is similar to that explained in MOKB-05-11-2006. | MOKB-19-11-2006.img.bz2 | Linux kernel 2.6.18 and previous (2.6.x). | MOKB-19-11-2006, CVE-2006-6060 |
| 20 | Mac OS X Apple UDIF Disk Image Kernel Memory Corruption (1) | Mac OS X com.apple.AppleDiskImageController fails to properly handle corrupted DMG image structures, leading to an exploitable memory corruption condition with potential kernel-mode arbitrary code execution by unprivileged users. | MOKB-20-11-2006.dmg.bz2 | Mac OS X 10.3.x, 10.4.x (tested x86 and PPC) | MOKB-20-11-2006, CVE-2006-6061 |
| 21 | Mac OS X Apple UDTO HFS+ Disk Image Denial of Service (1) | Mac OS X fails to properly handle corrupted UDTO HFS+ image structures (ex. bad sectors), leading to an exploitable denial of service condition. Although it hasn't been checked further, memory corruption is present under certain conditions (in this particular case, unlikely to allow arbitrary code execution). | MOKB-21-11-2006.dmg.bz2 | Mac OS X 10.3.x, 10.4.x (tested x86 and PPC), code present in FreeBSD (details in future release). | MOKB-21-11-2006, CVE-2006-6062 |
| 22 | NetGear WG311v1 Wireless Driver Long SSID Overflow | The NetGear WG311v1 wireless adapter (PCI) ships with a version of WG311ND5.SYS that is vulnerable to a heap-based buffer overflow condition. This issue may lead to arbitrary kernel-mode code execution. | netgear_wg311pci.rb | NetGear WG311v1 wireless adapter (PCI) driver (WG311ND5.SYS), tested version 2.3.1.10. | MOKB-22-11-2006, CVE-2006-6125 |
| 23 | Mac OS X Mach-O Binary Loading Memory Corruption | Mac OS X fails to properly handle corrupted Mach-O binaries, leading to an exploitable memory corruption condition. This is triggered by execution of a Mach-O binary with a valid mach_header structure and corrupted load_command data structures. | MOKB-23-11-2006.bz2 | Mac OS X 10.3.x, 10.4.x (tested x86). | MOKB-23-11-2006, CVE-2006-6126 |
| 24 | Mac OS X kqueue Local Denial of Service | Inconsistent handling of the kqueue and kevent interfaces in the Mac OS X kernel allows local unprivileged users to cause a denial of service condition. | MOKB-24-11-2006.c.bz2 | Mac OS X 10.3.x, 10.4.x (tested x86 and PPC). | MOKB-24-11-2006, CVE-2006-6127 |
| 25 | Linux 2.6.x ReiserFS Sync Memory Corruption | The ReiserFS support code of Linux 2.6.x fails to properly handle crafted data structures, leading to an exploitable memory corruption condition when a sync is done on a corrupted ReiserFS filesystem. | MOKB-25-11-2006.img.bz2 | Linux kernel 2.6.18 and previous (2.6.x, tested on up-to-date Fedora Core 6). | MOKB-25-11-2006, CVE-2006-6128 |
| 26 | Mac OS X Universal Binary Loading Memory Corruption | Mac OS X fails to properly handle corrupted Universal Binaries, leading to an exploitable memory corruption condition with potential risk of kernel-mode arbitrary code execution. | MOKB-26-11-2006.bz2 | Mac OS X 10.3.x, 10.4.x (tested x86). | MOKB-26-11-2006, CVE-2006-6129 |
| 27 | Mac OS X AppleTalk AIOCREGLOCALZN Ioctl Memory Corruption | The Mac OS X AppleTalk protocol handling code is vulnerable to an exploitable memory corruption issue. This particular vulnerability is caused by a failure to validate input data in the AIOCREGLOCALZN ioctl command. | MOKB-27-11-2006.c | Mac OS X 10.3.x, 10.4.x (tested x86). | MOKB-27-11-2006, CVE-2006-6130 |
| 28 | Mac OS X shared_region_make_private_np() Memory Corruption | The Mac OS X shared_region_make_private_np() system call fails to handle crafted user input, leading to an exploitable memory corruption condition. Unprivileged local users can abuse this issue to escalate privileges (via arbitrary code execution) or cause a denial of service. | MOKB-28-11-2006.c | Mac OS X 10.3.x, 10.4.x (tested x86). | MOKB-27-11-2006, CVE-NO-NAME |
| 29 | Linux 2.6.7-18.3 get_fdb_entries() integer overflow | The Linux 2.6.7-18.3 get_fdb_entries() function is vulnerable to an integer overflow condition. This could be abused to force a memory allocation of attacker-controlled size. Successful exploitation could allow arbitrary code execution. | N/A, check advisory. | Linux 2.6.7 - 2.6.18.3. | MOKB-29-11-2006, CVE-2006-5751 |
| 30 | Apple Airport Extreme Beacon Frame Denial of Service | The Apple Airport Extreme driver fails to handle certain beacon frames, leading to an out-of-bounds memory access, resulting in a so-called kernel panic. This issue is being coordinated with Apple, and under common agreement it has been decided to keep the details private until a fix has been made available to end users. | N/A, check advisory. Won't be released until Apple provides a fix. | Mac OS X 10.3.x, 10.4.x (tested x86). | MOKB-30-11-2006, CVE-NO-NAME |