Buffer overflows in brouted in FreeBSD and possibly other OSes allows local users to gain root privileges via long command line arguments.
Buffer overflow in the dump utility in the Linux ext2fs backup package allows local users to gain privileges via a long command line argument.
Buffer overflow in the lprm command in the lprold lpr package on SuSE 7.1 through 7.3, OpenBSD 3.2 and earlier, and possibly other operating systems, allows local users to gain root privileges via long command line arguments such as (1) request ID or (2) user name.
FreeBSD kernel 4.6 and earlier closes the file descriptors 0, 1, and 2 after they have already been assigned to /dev/null when the descriptors reference procfs or linprocfs, which could allow local users to reuse the file descriptors in a setuid or setgid program to modify critical data and gain privileges.
Kerberos 5 su (k5su) in FreeBSD 4.4 and earlier relies on the getlogin system call to determine if the user running k5su is root, which could allow a root-initiated process to regain its privileges after it has dropped them.
FreeBSD 4.5 and earlier, and possibly other BSD-based operating systems, allows local users to write to or read from restricted files by closing the file descriptors 0 (standard input), 1 (standard output), or 2 (standard error), which may then be reused by a called setuid process that intended to perform I/O on normal files.
Buffer overflow in the Linux binary compatibility module in FreeBSD 3.x through 5.x allows local users to gain root privileges via long filenames in the linux shadow file system.
Kerberos 5 su (k5su) in FreeBSD 4.5 and earlier does not verify that a user is a member of the wheel group before granting superuser privileges, which could allow unauthorized users to execute commands as root.
rmuser utility in FreeBSD 4.2 and 4.3 creates a copy of the master.passwd file with world-readable permissions while updating the original file, which could allow local users to gain privileges by reading the copied file while rmuser is running, obtain the password hashes, and crack the passwords.
FreeBSD: Input Validation Flaw allows local users to gain elevated privileges
Format string vulnerability in pw_error function in BSD libutil library allows local users to gain root privileges via a malformed password in commands such as chpass or passwd.
BubbleMon 1.31 does not properly drop group privileges before executing programs, which allows local users to execute arbitrary commands with the kmem group id.
Zope before 2.2.4 does not properly compute local roles, which could allow users to bypass specified access restrictions and gain privileges.
The catopen function in FreeBSD 5.0 and earlier, and possibly other OSes, allows local users to read arbitrary files via the LANG environmental variable.
Buffer overflow in kdc_reply_cipher of libkrb (Kerberos 4 authentication library) in NetBSD 1.5 and FreeBSD 4.2 and earlier, as used in Kerberised applications such as telnetd and login, allows local users to gain root privileges.
procfs in FreeBSD and possibly other operating systems does not properly restrict access to per-process mem and ctl files, which allows local users to gain root privileges by forking a child process and executing a privileged process from the child, while the parent retains access to the child's address space.
Format string vulnerability in top program allows local attackers to gain root privileges via the "kill" or "renice" function.
Buffer overflow in the huh program in the orville-write package allows local users to gain root privileges.
KDE allows local users to execute arbitrary commands by setting the KDEDIR environmental variable to modify the search path that KDE uses to locate its executables.
Buffer overflow in FreeBSD setlocale in the libc module allows attackers to execute arbitrary code via a long PATH_LOCALE environment variable.
Buffer overflow in ppp program in FreeBSD 2.1 and earlier allows local users to gain privileges via a long HOME environment variable.
Buffer overflow in FreeBSD gdc program.
xsoldier program allows local users to gain root access via a long argument.
mmap function in BSD allows local attackers in the kmem group to modify memory through devices.
OpenZFS before 2.0.0-rc1, when used on FreeBSD, allows execute permissions for all directories.
A buffer overflow in lsof allows local users to obtain root privilege.
bhyve, as used in FreeBSD through 12.1 and illumos (e.g., OmniOS CE through r151034 and OpenIndiana through Hipster 2020.04), does not properly restrict VMCS and VMCB read/write operations, as demonstrated by a root user in a container on an Intel system, who can gain privileges by modifying VMCS_HOST_RIP.
The suidperl and sperl program do not give up root privileges when changing UIDs back to the original users, allowing root access.
Local user gains root privileges via buffer overflow in rdist, via expstr() function.
Local users can start Sendmail in daemon mode and gain root privileges.
Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classification) command line option.
Buffer overflow in Xt library of X Windowing System allows local users to execute commands with root privileges.
Buffer overflow in Vixie Cron library up to version 3.0 allows local users to obtain root access via a long environmental variable.
OpenZFS before 2.0.0-rc1, when used on FreeBSD, misinterprets group permissions as user permissions, as demonstrated by mode 0770 being equivalent to mode 0777.
In FreeBSD 12.0-STABLE before r349805, 12.0-RELEASE before 12.0-RELEASE-p8, 11.3-STABLE before r349806, 11.3-RELEASE before 11.3-RELEASE-p1, and 11.2-RELEASE before 11.2-RELEASE-p12, code which handles close of a descriptor created by posix_openpt fails to undo a signal configuration. This causes an incorrect signal to be raised leading to a write after free of kernel memory allowing a malicious user to gain root privileges or escape a jail.
In FreeBSD 11.2-STABLE after r338618 and before r343786, 12.0-STABLE before r343781, and 12.0-RELEASE before 12.0-RELEASE-p3, a bug in the reference count implementation for UNIX domain sockets can cause a file structure to be incorrectly released potentially allowing a malicious local user to gain root privileges or escape from a jail.
Weak file permissions applied to the Aviatrix VPN Client through 2.2.10 installation directory on Windows and Linux allow a local attacker to execute arbitrary code by gaining elevated privileges through file modifications.
In FreeBSD 12.1-STABLE before r352509, 11.3-STABLE before r352509, and 11.3-RELEASE before p9, an unprivileged local user can trigger a use-after-free situation due to improper checking in SCTP when an application tries to update an SCTP-AUTH shared key.
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and other products; Oracle Solaris 11 and earlier; illumos before r13724; Joyent SmartOS before 20120614T184600Z; FreeBSD before 9.0-RELEASE-p3; NetBSD 6.0 Beta and earlier; Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1; and possibly other operating systems, when running on an Intel processor, incorrectly uses the sysret path in cases where a certain address is not a canonical address, which allows local users to gain privileges via a crafted application. NOTE: because this issue is due to incorrect use of the Intel specification, it should have been split into separate identifiers; however, there was some value in preserving the original mapping of the multi-codebase coordinated-disclosure effort to a single identifier.
Buffer overflow in the kernel in FreeBSD 7.3 through 9.0-RC1 allows local users to cause a denial of service (panic) or possibly gain privileges via a bind system call with a long pathname for a UNIX socket.
Buffer overflow in ncurses library allows local users to execute arbitrary commands via long environmental information such as TERM or TERMINFO_DIRS.
procfs in FreeBSD and possibly other operating systems allows local users to bypass access control restrictions for a jail environment and gain additional privileges.
Buffer overflow in catopen() function in FreeBSD 5.0 and earlier, and possibly other OSes, allows local users to gain root privileges via a long environmental variable.
A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs.
NVIDIA GPU Display Driver contains a vulnerability in kernel mode layer handler where a NULL pointer dereference may lead to denial of service or potential escalation of privileges.
Handlers for *_CFG_PAGE read / write ioctls in the mpr, mps, and mpt drivers allocated a buffer of a caller-specified size, but copied to it a fixed size header. Other heap content would be overwritten if the specified size was too small. Users with access to the mpr, mps or mpt device node may overwrite heap data, potentially resulting in privilege escalation. Note that the device node is only accessible to root and members of the operator group.
NVIDIA GPU Display Driver contains a vulnerability in the kernel mode layer handler where a NULL pointer dereference may lead to denial of service or potential escalation of privileges
In FreeBSD 13.0-STABLE before n246941-20f96f215562, 12.2-STABLE before r370400, 11.4-STABLE before r370399, 13.0-RELEASE before p4, 12.2-RELEASE before p10, and 11.4-RELEASE before p13, certain VirtIO-based device models in bhyve failed to handle errors when fetching I/O descriptors. A malicious guest may cause the device model to operate on uninitialized I/O vectors leading to memory corruption, crashing of the bhyve process, and possibly arbitrary code execution in the bhyve process.
The issetugid system call in the Linux compatibility layer in FreeBSD 9.3, 10.1, and 10.2 allows local users to gain privilege via unspecified vectors.
arm: guest_physmap_remove_page not removing the p2m mappings The functions to remove one or more entries from a guest p2m pagetable on Arm (p2m_remove_mapping, guest_physmap_remove_page, and p2m_set_entry with mfn set to INVALID_MFN) do not actually clear the pagetable entry if the entry doesn't have the valid bit set. It is possible to have a valid pagetable entry without the valid bit set when a guest operating system uses set/way cache maintenance instructions. For instance, a guest issuing a set/way cache maintenance instruction, then calling the XENMEM_decrease_reservation hypercall to give back memory pages to Xen, might be able to retain access to those pages even after Xen started reusing them for other purposes.