CVE Reproduction
CVE Reproduction > Reproducing Nimbuspwn: Linux Privilege Escalation via Path Traversal and TOCTOU in networkd-dispatcher
Vulnerability: Nimbuspwn breaks the invariant that “networkd-dispatcher only executes trusted root-owned scripts from its own hooks directory,” which is violated when an attacker first escapes the hooks path via directory traversal and then swaps the checked script path between validation and execution via a TOCTOU race to get arbitrary code run as root.
CVE Reproduction > Reproducing CVE-2020-8831: Privilege Escalation via Symlink Attack on Apport's Lock File Implementation
Vulnerability: CVE-2020-8831 breaks the invariant that Apport’s lock file is created atomically as a real file in a trusted location (without following symlinks), which is violated when an attacker pre-creates a symlink at the lock path so Apport opens/writes the symlink target and enables local privilege escalation.
CVE Reproduction > Reproducing CVE-2022-0324: Buffer Overflow in dhcp6relay of SONiC
Vulnerability: CVE-2022-0324 breaks the invariant that SONiC’s dhcp6relay must validate DHCPv6 option/payload lengths so it never copies more bytes than the destination buffer can hold. The invariant is violated when a remote attacker sends a crafted DHCPv6 packet that reaches a memcpy with an unchecked length, causing an out-of-bounds write (buffer overflow).
CVE Reproduction > Fuzzing libexif 0.6.14: Reproducing CVE-2009-3895 (Heap Buffer Overflow) and CVE-2012-2836 (Out-of-Bounds Read) (Draft)
CVE Reproduction > Reproducing and Patching CVE-2019-13288 - XPDF Infinite recursion & Null pointer dereference
Vulnerability: CVE-2019-13288 breaks Xpdf’s invariant that the “object stream” referenced by a compressed object must be an uncompressed stream, because the fetch path doesn’t enforce that rule and a crafted xref can make the supposed object stream itself compressed, causing unbounded recursive fetching and a crash.