12 vulnerabilities found with syzkaller (Linux kernel fuzzer) in the Linux kernel USB subsystem
1- USB: serial: console: fix use-after-free on disconnect (CVE-2017-16525)
Patched: https://github.com/torvalds/linux/commit/299d7572e46f98534033a9e65973f13ad1ce9047
2- uwb: properly check kthread_run return value (CVE-2017-16526)
Patched: https://github.com/torvalds/linux/commit/bbf26183b7a6236ba602f4d6a2f7cade35bba043
3- ALSA: usb-audio: Kill stray URB at exiting (CVE-2017-16527)
Patched: https://github.com/torvalds/linux/commit/124751d5e63c823092060074bd0abaae61aaa9c4
4- ALSA: seq: Cancel pending autoload work at unbinding device (CVE-2017-16528)
Patched: https://github.com/torvalds/linux/commit/fc27fe7e8deef2f37cba3f2be2d52b6ca5eb9d57
5- ALSA: usb-audio: Check out-of-bounds access by corrupted buffer (CVE-2017-16529)
Patched: https://github.com/torvalds/linux/commit/bfc81a8bc18e3c4ba0cbaa7666ff76be2f998991
6- USB: uas: fix bug in handling of alternate settings (CVE-2017-16530)
Patched: https://github.com/torvalds/linux/commit/786de92b3cb26012d3d0f00ee37adf14527f35c4
7- USB: fix out-of-bounds in usb_set_configuration (CVE-2017-16531)
Patched: https://github.com/torvalds/linux/commit/bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb
8- usb: usbtest: fix NULL pointer dereference (CVE-2017-16532)
Patched: https://github.com/torvalds/linux/commit/7c80f9e4a588f1925b07134bb2e3689335f6c6d8
9- HID: usbhid: fix out-of-bounds bug (CVE-2017-16533)
Patched: https://github.com/torvalds/linux/commit/f043bfc98c193c284e2cd768fefabe18ac2fed9b
10- USB: core: harden cdc_parse_cdc_header (CVE-2017-16534)
Patched: https://github.com/torvalds/linux/commit/2e1c42391ff2556387b3cb6308b24f6f65619feb
11- USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor() (CVE-2017-16535)
Patched: https://github.com/torvalds/linux/commit/1c0edc3633b56000e18d82fc241e3995ca18a69e
12- dvb-usb-v2: lmedm04: Improve logic checking of warm start (CVE-2017-16538)
Patched: https://patchwork.linuxtv.org/patch/44566/
USB: serial: console: fix use-after-free after failed setup · torvalds/linux@299d757
Make sure to reset the USB-console port pointer when console setup fails
in order to avoid having the struct usb_serial be prematurely freed by
the console code when the device is later disconnecte...
How STACKLEAK improves Linux kernel security?
https://it-events.com/system/attachments/files/000/001/376/original/Alexander_Popov_LinuxPiter2017.pdf?1509782398
Linux Kernel AF_PACKET Use-After-Free vulnerability
https://blogs.securiteam.com/index.php/archives/3484
Kernelpop
kernelpop is a framework for performing automated kernel vulnerability enumeration and exploitation
https://github.com/spencerdodd/kernelpop
Bypassing Server-Side Request Forgery filters by abusing a bug in Ruby's native resolver
https://edoverflow.com/2017/ruby-resolv-bug/
Summary This is a security advisory for a bug that I discovered in Resolv::getaddresses that enabled me to bypass multiple Server-Side Request Forgery filters. Applications such as GitLab and HackerOne were affected by this bug. The disclosure of all reports…