lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 11 Mar 2014 20:34:19 +0000
From: Tim Brown <timb@...-dimension.org.uk>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk,
 moderators@...db.org
Subject: Medium severity flaw in BlackBerry QNX Neutrino
	RTOS

Summary

This advisory concerns the forced disclosure of 2 vulnerabilities that were
previously disclosed to BlackBerry.  Disclosure has been forced since these
vulnerabilities have been publicly disclosed (with PoC) on the exploit-db
web site.

Two local privilege escalation vulnerabilities have been identified that would
ultimately result in malicious code being executed in a trusted context. The 
first allows direct code execution (http://www.exploit-db.com/exploits/32153/)
whilst the second allows for the root password to be disclosed
(http://www.exploit-db.com/exploits/32156/).

It should be noted that Nth Dimension do not believe that the bug collision
are due to a leak within BlackBerry but rather that these are the simply 
instances of multiple researchers identifying the same vulnerable code paths.

Current

As of the 11th March 2014, both the privilege escalation attacks have been 
disclosed by a 3rd party.  In light of this and in the absence of any timely 
response from BlackBerry, Nth Dimension have opted to make full details 
public.
-- 
Tim Brown
<mailto:timb@...-dimension.org.uk>
<http://www.nth-dimension.org.uk/>
Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists