Bugs :: pwning.systems

The following are some of the bugs I discovered:

2022⌗

CVE-2022-26743: An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in macOS Monterey 12.4. An attacker that has already achieved code execution in macOS Recovery may be able to escalate to kernel privileges. - Self note: This was both a write and a read of a user controlled size at a user controlled offset.
CVE-2022-26490: st21nfca_connectivity_event_received in drivers/nfc/st21nfca/se.c in the Linux kernel through 5.16.12 has EVT_TRANSACTION buffer overflows because of untrusted length parameters.

CVE-2021-3177: Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.
CVE-2020-29622: A race condition was addressed with additional validation. This issue is fixed in Security Update 2021-005 Catalina. Mounting a maliciously crafted NFS network share may lead to arbitrary code execution with system privileges. (This vulnerability has a CVE from 2020 but it was actually fixed in 2021)

CVE-2020-12105: OpenConnect through 8.08 mishandles negative return values from X509_check_ function calls, which allows an attacker that is able to get valid certificates from a CA with a specially crafted CommonName to perform a person-in-the-middle attack against VPN clients.
CVE-2020-9383: An issue was discovered in the Linux kernel through 5.5.6. set_fdc in drivers / block / floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it, aka CID-2e90ca68b0d2.
CVE-2020-8432: In Das U-Boot through 2020.01, a double free has been found in the cmd / gpt.c do_rename_gpt_parts () function. Double freeing may result in a write-what-where condition, allowing an attacker to execute arbitrary code. NOTE: this vulnerability was introduced when attempting to fix a memory leak identified by static analysis.

CVE-2019-9675: An issue was discovered in PHP 7.x before 7.1.27 and 7.3.x before 7.3.3. phar_tar_writeheaders_int in ext / phar / tar.c has a buffer overflow via a long link value.

CVE-2018-19497: In The Sleuth Kit (TSK) through 4.6.4, hfs_cat_traverse in tsk / fs / hfs.c does not properly determine when a key length is too large, which allows attackers to cause a denial of service (SEGV on unknown address with READ memory access in a tsk_getu16 call in hfs_dir_open_meta_cb in tsk / fs / hfs_dent.c).