cve

Este año está siendo una locura, espero que todos estéis bien y que el resto del año vaya mejor. Este es mi primer y probablemente único post del año (y el primero en español). Voy a hablar sobre una vulnerabilidad que hallé en Postgresql, y que afecta a todas las versiones desde la 9.5, y probablemente también, las versiones anteriores. La vulnerabilidad es similar a una “time-of-check to time-of-use (TOCTOU)” que también puede ser descrita como la falta de reinicio del estado antes de salir de una operación restringida....

It has been quite a year, I hope everyone is well and staying safe. This is my first and probably only post for the year, and covers a fun privilege escalation vulnerability I found in Postgresql. This affects all supported versions of Postgresql going back to 9.5, it is likely it affects most earlier versions as well. The vulnerability is similar to a time-of-check to time-of-use (TOCTOU) issue, however in this case it relates to state not being fully cleared/reset before exiting a security restricted operation....

Last year I stumbled across a vulnerability in Go’s go get command, which could lead to code execution when a malicious Go package was downloaded. I reported this to the Go team and it was subsequently assigned CVE-2018-16873. The actual vulnerability was really interesting since it was solely a logic vulnerability, where I abused the order in which packages were cloned by the go get command and how these would be laid out on disk. This makes it one of my personal favourite bugs. ...

Remote code execution through malicious submodules.

The FTP library in Ruby did not validate remote filenames and blindly passed these to the kernel.open function. This created a remotely exploitable vulnerability. Since the filenames were supplied by the remote FTP server, it was possible to create a malicious server that could exploit this vulnerability when a vulnerable Ruby client connected and tried to download a file. ...