(CVE-2021-30868) macOS smbfs Race Condition leading to Use-After-Free Vulnerability

CVE: CVE-2021-30868. Tested Versions: macOS Big Sur 11.0 - 11.2.3. Product URL(s): https://apple.com/. Description of the vulnerability: smbfs is a kext (kernel extension) that handles the SMB connection between the user and the SMB server. The vulnerability lies in smbfs and allows an attacker to escalate from user to root privileges. The smbfs kext is implemented as a character device, so a user interacts with it through the ioctl syscall to perform certain tasks....

June 18, 2021 · 12 min · Peter Nguyễn Vũ Hoàng

(CVE-2021-30745) Apple macOS QuartzCore Type Confusion Vulnerability

CVE: CVE-2021-30745. Tested Versions: macOS Catalina 10.15.5 (19F101). Product URL(s): https://apple.com. Description of the vulnerability: this vulnerability exists in the QuartzCore framework, which is used by the _windowserver process. Other applications interact with the OS through it by sending Mach messages, and the bug allows an attacker to bypass the sandbox and gain system privileges on the victim's computer. _windowserver runs with higher privileges and acts as a server that receives messages from other applications and performs privileged system actions on their behalf....

May 20, 2021 · 3 min · Peter Nguyễn Vũ Hoàng

(CVE-2021-0204) Juniper Junos OS Local Privilege Escalation vulnerability in dexp

CVE: CVE-2021-0204. Tested Versions: Junos OS 15.1 to 20.4R1 (tested on a Juniper MX960 device). Product URL(s): https://juniper.net. Description of the vulnerability: on Junos OS, a few binaries have the setuid permission bit set. These binaries run as the owner of the executable (typically root) and inherit its privileges. Hence they can be abused to escalate privileges, disclose sensitive information, or execute arbitrary commands as root....

April 14, 2021 · 2 min · Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss)

(CVE-2021-0223) Juniper Junos OS Local Privilege Escalation vulnerability in telnetd

CVE: CVE-2021-0223. Tested Versions: Junos OS 15.1 to 20.4R1 (tested on a Juniper MX960 device). Product URL(s): https://www.juniper.net/. Description of the vulnerability: on Junos OS, a few binaries have the setuid permission bit set. These binaries run as the owner of the executable (typically root) and inherit its privileges. Hence they can be abused to escalate privileges, disclose sensitive information, or execute arbitrary commands as root....

April 14, 2021 · 2 min · Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss)

(CVE-2021-0254) Junos OS overlayd service bss Buffer Overflow

CVE: CVE-2021-0254. Tested Versions: Junos OS 15.1 to 20.4R1 (tested on a Juniper MX960 device). Product URL(s): https://www.juniper.net/. Description of the vulnerability: overlayd is a service that handles Overlay OAM packets sent to the Juniper device. It runs as root by default from device start-up and listens for UDP traffic on port 4789. Port 4789 is exposed to the internet, so anyone can connect to this port and send data....

April 14, 2021 · 7 min · Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss)

(CVE-2021-0255) Juniper Junos OS Local Privilege Escalation vulnerability in ethtraceroute

CVE: CVE-2021-0255. Tested Versions: Junos OS 15.1 to 20.4R1 (tested on a Juniper MX960 device). Product URL(s): https://www.juniper.net/. Description of the vulnerability: on Junos OS, a few binaries have the setuid permission bit set. These binaries run as the owner of the executable (typically root) and inherit its privileges. Hence they can be abused to escalate privileges, disclose sensitive information, or execute arbitrary commands as root....

April 14, 2021 · 3 min · Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss)

(CVE-2021-0256) Juniper Junos OS Local Privilege Escalation vulnerability in mosquitto

CVE: CVE-2021-0256. Tested Versions: Junos OS 15.1 to 20.4R1 (tested on a Juniper MX960 device). Product URL(s): https://www.juniper.net/. Description of the vulnerability: on Junos OS, a few binaries have the setuid permission bit set. These binaries run as the owner of the executable (typically root) and inherit its privileges. Hence they can be abused to escalate privileges, disclose sensitive information, or execute arbitrary commands as root....

April 14, 2021 · 2 min · Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss)
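The four Junos OS local privilege escalation posts above (dexp, telnetd, ethtraceroute, mosquitto) all start from the same fact: a setuid executable runs with the privileges of its owner, so every root-owned setuid binary is an attack surface worth auditing. As an added example, not code from any of those advisories or from Juniper, the POSIX shell script below enumerates setuid/setgid files under a directory tree, reports their owner, counts the root-owned setuid ones, and provides a post-remediation check. The directory paths in the usage comment are assumptions; the script needs only find, ls, awk and the POSIX test -u/-g flags.

```shell
#!/bin/sh
# Added example, not from the advisories above: audit a tree for setuid/setgid
# executables. Assumes a POSIX shell with find, ls and awk; paths are illustrative.

# list_setuid DIR
#   Prints "<flags> <owner> <path>" for every regular file below DIR with the
#   setuid or setgid bit set; flags is "u", "g" or "ug".
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        flags=''
        [ -u "$f" ] && flags="${flags}u"   # POSIX test: setuid bit present
        [ -g "$f" ] && flags="${flags}g"   # POSIX test: setgid bit present
        owner=$(ls -ld "$f" | awk '{print $3}')  # third field of ls -l is the owner
        printf '%s %s %s\n' "$flags" "$owner" "$f"
    done
}

# count_setuid DIR
#   Number of files below DIR with the setuid bit set (any owner).
count_setuid() {
    list_setuid "$1" | awk '$1 ~ /u/ { n++ } END { print n + 0 }'
}

# count_setuid_root DIR
#   Number of root-owned setuid files below DIR: these run as root when any
#   local user executes them, so they are the privilege-escalation candidates.
count_setuid_root() {
    list_setuid "$1" | awk '$1 ~ /u/ && $2 == "root" { n++ } END { print n + 0 }'
}

# check_not_setuid FILE
#   Returns 0 when FILE no longer carries the setuid bit (e.g. after
#   "chmod u-s FILE" as a mitigation), 1 otherwise. Handy as a regression check.
check_not_setuid() {
    if [ -u "$1" ]; then
        return 1
    fi
    return 0
}

# Usage (illustrative directories): review the system binary trees and
# report the root-owned setuid count, the figure that deserves a per-binary review.
# for d in /usr/bin /usr/sbin /usr/libexec; do list_setuid "$d"; done
# echo "root-owned setuid binaries under /usr: $(count_setuid_root /usr)"
```

Each reported binary should then be reviewed individually for how it handles untrusted input (environment, arguments, files it opens), which is exactly the pattern the four advisories describe; dropping the setuid bit with chmod u-s is only a mitigation where the binary does not need it.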