This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in GNU C Library (glibc) version 2.26 and prior. This Metasploit module uses halfdog's RationalLove exploit to exploit a buffer underflow in glibc realpath() and create a SUID root shell. The exploit has offsets for glibc versions 2.23-0ubuntu9 and 2.24-11+deb9u1. The target system must have unprivileged user namespaces enabled. This Metasploit module has been tested successfully on Ubuntu Linux 16.04.3 (x86_64) with glibc version 2.23-0ubuntu9; and Debian 9.0 (x86_64) with glibc version 2.24-11+deb9u1.
glibc suffers from a getcwd() local privilege escalation vulnerability.
Ubuntu versions prior to 15.10 suffer from a PT chown arbitrary PTs access via user namespace privilege escalation vulnerability.
NTP suffers from a privilege escalation vulnerability.
AUFS (Ubuntu 15.10) suffers from an allow_userns fuse/xattr user namespaces privilege escalation vulnerability.
Linux kernel version 2.6.32 (Ubuntu 10.04) suffers from a /proc handling setuid privilege escalation vulnerability.
Man-db version 2.6.7.1 suffers from a privilege escalation vulnerability.
Exim4, in some variants, is started as root but switches to uid/gid Debian-exim/Debian-exim. Because Exim may need to store received messages in user mailboxes, it retains the ability to regain privileges. This also holds when Exim is started as "sendmail". During internal operation, sendmail (Exim) manipulates message spool files in directory structures owned by user "Debian-exim" without guarding against symlink attacks. Thus code execution as user "Debian-exim" can be used to gain root privileges by invoking "sendmail" as that user.
The Linux kernel suffers from multiple privilege escalation vulnerabilities.
This program demonstrates how to escalate privileges using an overlayfs mount within a user namespace.
This is a short article on how to escalate privileges from man/man to root/root via the "catman" cron job.
This is a short article on how to use the setgid directory /var/cache/man to escalate privileges from man/man to man/root on Ubuntu Vivid.
This is a short write-up of the Ubuntu Apport kernel_crashdump symlink vulnerabilities along with some proof of concept code.
Ubuntu Vivid Upstart suffers from a logrotate privilege escalation vulnerability.
The initial observation was that the Linux vm86 syscall, which allows use of virtual-8086 mode from userspace to emulate old 8086 software (as dosemu does), was prone to triggering FPU errors. Closer analysis showed that, in general, the handling of the FPU control register and unhandled FPU exceptions could trigger CPU exceptions at unexpected locations, including in ring-0 code. Proof of concept code included.
This program maps memory pages into the low address range above 64k to avoid conflicts with /proc/sys/vm/mmap_min_addr and then triggers virtual-86 mode. Due to unhandled FPU errors, the subsequent task switch fails and the kernel attempts to kill other tasks when switching.
Linux kernel binfmt_script handling in combination with CONFIG_MODULES can lead to disclosure of kernel stack data during execve: data is copied through a dangling pointer into the stack into the growing argv list. Apart from that, BINPRM_MAX_RECURSION can be exceeded: the maximum of 4 recursions is ignored, and instead a limit of roughly 2^6 recursions is in effect. Proof of concept included.
Oracle VM VirtualBox version 4.1 suffers from a local denial of service vulnerability.
Modification of Apache scoreboard data, which is shared by the root (uid=0) process and the www-data processes, allows triggering an invalid free in the root process during Apache shutdown. Exploitation seems impossible except for really broken chroot configurations.
An exploitable integer overflow in Apache allows a remote attacker to crash the process or perform execution of arbitrary code as the user running Apache. To exploit the vulnerability, a crafted .htaccess file has to be placed on the server.
At least on Ubuntu Lucid, the fusermount tool contains a time race between mounting a user filesystem and updating mtab, so mtab entries with arbitrary paths can be created. Crafted mtab entries can then be used to unmount live parts of the filesystem. Proof of concept code included.