| Name/Filename | Description | SHA1/MD5 | Download | References |
|---|---|---|---|---|
| fsfuzzer-0.6 | Linux version of fsfuzzer. Supports most popular filesystems (ntfs, ext3, ext2, vfat, iso9660, etc). | MD5=d4d435cbaafcbcb5d352e9cb2ba242b6 SHA1=a7746bd11e98d22980250f09077d884ec085943a | fsfuzzer-0.6.tgz | Announcement: SecurityFocus; Announcement: DailyDave |
| fs-bugs-23-10-2006 | GPG encrypted (with symmetric cipher) list of the bugs found in Linux as of 23 October 2006. | MD5=e5f67372212460af659919a54fa87059 SHA1=6ea27c562d3f791276559b69fcbacef877fe5f1a | fs-bugs-23-10-2006.txt.asc | |
| fsfuzzer-bsd-0.1 | *BSD (FreeBSD, NetBSD...) version of fsfuzzer. Supports most popular filesystems (ntfs, ext3, ext2, iso9660, ufs, etc). | MD5=7431927597a76237433b188eebcc77af SHA1=6adf1437ec3f9271deb07ea17403573a832bc2c0 | fsfuzzer-bsd-0.1.tgz | |

| # | Title | Description | Proof of concept | Affected systems | References |
|---|---|---|---|---|---|
| 1 | Apple Airport 802.11 Probe Response Kernel Memory Corruption | The Apple Airport driver provided with Orinoco-based Airport cards (1999-2003 PowerBooks, iMacs) is vulnerable to a remote memory corruption flaw that can lead to arbitrary code execution. | Metasploit Exploit Module | Mac OS X with Apple Airport 802.11 (Orinoco-based) | MOKB-01-11-2006, CVE-2006-5710 |
| 2 | Linux 2.6.x squashfs double free | The squashfs module of the Linux kernel (2.6.x) fails to properly handle corrupted fs structures, leading to a denial of service and possible data corruption condition. | MOKB-02-11-2006.img.gz | Linux 2.6.x squashfs | MOKB-02-11-2006, CVE-2006-5701 |
| 3 | FreeBSD 6.1 UFS filesystem ffs_mountfs() integer overflow | The UFS filesystem handling code of the FreeBSD 6.1 kernel fails to properly handle corrupted data structures, leading to exploitable memory corruption (DoS) issues and possible arbitrary code execution. This particular vulnerability is caused by an integer overflow at ffs_mountfs() function. | Check MOKB-08-11-2006 and/or debug information. | FreeBSD 6.1 (STABLE) and probably 7 (HEAD) | MOKB-03-11-2006, CVE-2006-5679 |
| 4 | Solaris 10 UFS filesystem alloccgblk denial of service | The UFS filesystem handling code of the Solaris 10 kernel fails to properly handle corrupted data structures, leading to an exploitable denial of service issue and potential loss of data or corruption of the local UFS filesystems, due to memory corruption. | MOKB-04-11-2006.img.gz | SunOS 5.10 Generic_118855-19 and previous (not verified). | MOKB-04-11-2006, CVE-2006-5726 |
| 5 | Linux 2.6.x ISO9660 __find_get_block_slow() denial of service | The ISO9660 filesystem handling code of the Linux 2.6.x kernel fails to properly handle corrupted data structures, leading to an exploitable denial of service condition. This particular vulnerability seems to be caused by a race condition and a signedness issue. | MOKB-05-11-2006.iso.bz2 | Linux kernel 2.6.18 and previous (2.6.x). Probably 2.4.x (not verified). | MOKB-05-11-2006, CVE-2006-5757 |
| 6 | Microsoft Windows kernel GDI local privilege escalation | A vulnerability in the handling of GDI kernel structures of Microsoft Windows leads to an exploitable memory corruption condition, causing a denial of service (so-called BSoD) or arbitrary code execution on successful exploitation. | GDIKernelPoC.cpp | Microsoft Windows 2000 SP0-SP4, XP SP0-SP2. | MOKB-06-11-2006, CVE-2006-5758 |
| 7 | Linux 2.6.x zlib_inflate memory corruption | Linux 2.6.x zlib_inflate function can be abused by filesystems that depend on zlib compression, such as cramfs. A failure to handle crafted data, result of a read operation in a corrupted filesystem stream, may lead to memory corruption and potential arbitrary code execution. | MOKB-07-11-2006.img.bz2 | Linux kernel 2.6.18 and previous (2.6.x). | MOKB-07-11-2006, CVE-2006-5823 |
| 8 | FreeBSD 6.1 UFS filesystem ffs_rdextattr() integer overflow | The UFS filesystem handling code of the FreeBSD 6.1 kernel fails to properly handle corrupted data structures, leading to exploitable memory corruption (DoS) issues and possible arbitrary code execution. This particular vulnerability is caused by an integer overflow, similar to MOKB-03-11-2006. | MOKB-08-11-2006.img.bz2 | FreeBSD 6.1 (STABLE) and probably 7 (HEAD) | MOKB-08-11-2006, CVE-2006-5824 |
| 9 | Mac OS X fpathconf() syscall denial of service | Failure to handle unknown file types by the Mac OS X kernel (XNU) fpathconf() syscall causes a kernel panic, leading to an exploitable local denial of service by non-privileged users. | Check release page. | Mac OS X 10.3.x, 10.4.x (tested x86 and PPC). | MOKB-09-11-2006, CVE-2006-5836 |
| 10 | Linux 2.6.x ext3fs_dirhash denial of service | Linux 2.6.x ext3 filesystem code fails to properly handle corrupted data structures, leading to an exploitable denial of service issue with potential fs corruption, when a read operation is done on a crafted ext3 stream. | MOKB-10-11-2006.img.bz2 | Linux kernel 2.6.18 and previous (2.6.x). | MOKB-10-11-2006, CVE-2006-6053 |
| 11 | Broadcom Wireless Driver Probe Response SSID Overflow | The Broadcom BCMWL5.SYS wireless device driver is vulnerable to a stack-based buffer overflow that can lead to arbitrary kernel-mode code execution. This particular vulnerability is caused by improper handling of 802.11 probe responses containing a long SSID field. | broadcom_wifi_ssid.rb | Unpatched BCMWL5.SYS (ex. version 3.50.21.10) | MOKB-11-11-2006, CVE-2006-5882 |
| 12 | Linux 2.6.x ext2_check_page denial of service | Linux 2.6.x ext2 filesystem code fails to properly handle corrupted data structures, leading to an exploitable denial of service issue when a read operation is being done on a crafted fs stream. | MOKB-12-11-2006.img.bz2 | Linux kernel 2.6.18 and previous (2.6.x). | MOKB-12-11-2006, CVE-2006-6054 |
| 13 | D-Link DWL-G132 Wireless Driver Beacon Rates Overflow | The D-Link DWL-G132 wireless adapter (USB) ships with a version of A5AGU.SYS that is vulnerable to a stack-based buffer overflow. This overflow can lead to arbitrary kernel-mode code execution. The overflow occurs when an 802.11 beacon request is received that contains over 36 bytes in the Rates information element (IE). | dlink_wifi_rates.rb | Unpatched A5AGU.SYS (ex. version 1.0.1.41, DWL-G132 driver) | MOKB-13-11-2006, CVE-2006-6055 |
| 14 | Linux 2.6.x SELinux superblock_doinit denial of service | Failure to handle mounting of corrupt filesystem streams may lead to a local denial of service condition when SELinux hooks are enabled. This particular vulnerability is caused by a null pointer dereference in the superblock_doinit function. | MOKB-14-11-2006.img.bz2 | Linux kernel 2.6.18 and previous (2.6.x). | MOKB-14-11-2006, CVE-2006-6056 |
| 15 | Linux 2.6.x gfs2 init_journal denial of service | Linux 2.6.x gfs2 filesystem code fails to properly handle corrupted data structures, leading to an exploitable denial of service issue when a crafted stream is being mounted. | MOKB-15-11-2006.img.bz2 | Linux kernel 2.6.18 and previous (2.6.x) with GFS2 support. | MOKB-15-11-2006, CVE-2006-6057 |
| 16 | NetGear WG111v2 Wireless Driver Long Beacon Overflow | The NetGear WG111v2 wireless adapter (USB) ships with a version of WG111v2.SYS that is vulnerable to a stack-based buffer overflow. This overflow can lead to arbitrary kernel-mode code execution. The overflow occurs when an 802.11 beacon request is received that contains over 1100 bytes of information elements. | netgear_wg111_beacon.rb | NetGear WG111v2 wireless adapter (USB) driver (WG111v2.SYS), tested version 5.1213.6.316. | MOKB-16-11-2006, CVE-2006-5972 |
| 17 | Linux 2.6.x minix_bmap denial of service | Linux 2.6.x minix filesystem code fails to properly handle corrupted data structures, leading to an exploitable denial of service issue when a crafted fs stream is being mounted. | MOKB-17-11-2006.img.bz2 | Linux kernel 2.6.18 and previous (2.6.x). | MOKB-17-11-2006, CVE-2006-6058 |
| 18 | NetGear MA521 Wireless Driver Long Rates Overflow | The NetGear MA521 wireless adapter (CARDBUS) ships with a version of MA521nd5.SYS that is vulnerable to a memory corruption condition. This issue may lead to arbitrary kernel-mode code execution. | netgear_ma521_rates.rb | NetGear MA521 wireless adapter (CARDBUS) driver (MA521nd5.SYS), tested version 5.148.724.2003. | MOKB-18-11-2006, CVE-2006-6059 |
| 19 | Linux 2.6.x NTFS __find_get_block_slow() denial of service | The NTFS filesystem module of the Linux 2.6.x kernel fails to properly handle corrupted data structures, leading to an exploitable denial of service condition. This issue is similar to that explained in MOKB-05-11-2006. | MOKB-19-11-2006.img.bz2 | Linux kernel 2.6.18 and previous (2.6.x). | MOKB-19-11-2006, CVE-2006-6060 |
| 20 | Mac OS X Apple UDIF Disk Image Kernel Memory Corruption (1) | Mac OS X com.apple.AppleDiskImageController fails to properly handle corrupted DMG image structures, leading to an exploitable memory corruption condition with potential kernel-mode arbitrary code execution by unprivileged users. | MOKB-20-11-2006.dmg.bz2 | Mac OS X 10.3.x, 10.4.x (tested x86 and PPC) | MOKB-20-11-2006, CVE-2006-6061 |
| 21 | Mac OS X Apple UDTO HFS+ Disk Image Denial of Service (1) | Mac OS X fails to properly handle corrupted UDTO HFS+ image structures (ex. bad sectors), leading to an exploitable denial of service condition. Although it hasn't been checked further, memory corruption is present under certain conditions (in this particular case, unlikely to allow arbitrary code execution). | MOKB-21-11-2006.dmg.bz2 | Mac OS X 10.3.x, 10.4.x (tested x86 and PPC), code present in FreeBSD (details in future release). | MOKB-21-11-2006, CVE-2006-6062 |
| 22 | NetGear WG311v1 Wireless Driver Long SSID Overflow | The NetGear WG311v1 wireless adapter (PCI) ships with a version of WG311ND5.SYS that is vulnerable to a heap-based buffer overflow condition. This issue may lead to arbitrary kernel-mode code execution. | netgear_wg311pci.rb | NetGear WG311v1 wireless adapter (PCI) driver (WG311ND5.SYS), tested version 2.3.1.10. | MOKB-22-11-2006, CVE-2006-6125 |
| 23 | Mac OS X Mach-O Binary Loading Memory Corruption | Mac OS X fails to properly handle corrupted Mach-O binaries, leading to an exploitable memory corruption condition. This is triggered by execution of a Mach-O binary with a valid mach_header structure and corrupted load_command data structures. | MOKB-23-11-2006.bz2 | Mac OS X 10.3.x, 10.4.x (tested x86). | MOKB-23-11-2006, CVE-2006-6126 |
| 24 | Mac OS X kqueue Local Denial of Service | Inconsistent handling of kqueue and kevent interfaces in the Mac OS X kernel allows local unprivileged users to cause a denial of service condition. | MOKB-24-11-2006.c.bz2 | Mac OS X 10.3.x, 10.4.x (tested x86 and PPC). | MOKB-24-11-2006, CVE-2006-6127 |
| 25 | Linux 2.6.x ReiserFS Sync Memory Corruption | The ReiserFS support code of Linux 2.6.x fails to properly handle crafted data structures, leading to an exploitable memory corruption condition when a sync is being done in a corrupted ReiserFS filesystem. | MOKB-25-11-2006.img.bz2 | Linux kernel 2.6.18 and previous (2.6.x, tested on up-to-date Fedora Core 6). | MOKB-25-11-2006, CVE-2006-6128 |
| 26 | Mac OS X Universal Binary Loading Memory Corruption | Mac OS X fails to properly handle corrupted Universal Binaries, leading to an exploitable memory corruption condition with potential risk of kernel-mode arbitrary code execution. | MOKB-26-11-2006.bz2 | Mac OS X 10.3.x, 10.4.x (tested x86). | MOKB-26-11-2006, CVE-2006-6129 |
| 27 | Mac OS X AppleTalk AIOCREGLOCALZN Ioctl Memory Corruption | Mac OS X AppleTalk protocol handling code is vulnerable to an exploitable memory corruption issue. This particular vulnerability is caused by failure to validate input data in the AIOCREGLOCALZN ioctl command. | MOKB-27-11-2006.c | Mac OS X 10.3.x, 10.4.x (tested x86). | MOKB-27-11-2006, CVE-2006-6130 |
| 28 | Mac OS X shared_region_make_private_np() Memory Corruption | Mac OS X shared_region_make_private_np() system call fails to handle crafted user input, leading to an exploitable memory corruption condition. Unprivileged local users can abuse this issue in order to escalate privileges (via arbitrary code execution) or cause a denial of service. | MOKB-28-11-2006.c | Mac OS X 10.3.x, 10.4.x (tested x86). | MOKB-27-11-2006, CVE-NO-NAME |
| 29 | Linux 2.6.7-18.3 get_fdb_entries() integer overflow | Linux 2.6.7-18.3 get_fdb_entries() function is vulnerable to an integer overflow condition. This could be abused to force memory allocation of an attacker controlled size. Successful exploitation could allow arbitrary code execution. | N/A, check advisory. | Linux 2.6.7 - 2.6.18.3. | MOKB-29-11-2006, CVE-2006-5751 |
| 30 | Apple Airport Extreme Beacon Frame Denial of Service | Apple Airport Extreme driver fails to handle certain beacon frames, leading to an out of bounds memory access, resulting in a so-called kernel panic. This issue is being coordinated with Apple, and under common agreement it's been decided to keep the details private until a fix has been made available to end-users. | N/A, check advisory. Won't be released until Apple provides a fix. | Mac OS X 10.3.x, 10.4.x (tested x86). | MOKB-30-11-2006, CVE-NO-NAME |

The following is a (not complete, not necessarily up-to-date) list of articles and other related media coverage about the MoKB: