Local Exploits

Various local exploits

CVE-2020-8793

opensmptd-makemap-lpe - Fedora 31 OpenSMTPD makemap local root exploit.

Code mostly taken from Qualys advisory (2020-02-24) for CVE-2020-8793.

opensmtpd: Reading of arbitrary file by unprivileged attacker can result in information disclosure or privilege escalation [fedora-all]

CVE-2020-7247

root66 OpenBSD 6.6 OpenSMTPD 6.6 local root exploit.

Code mostly taken from Qualys PoCs (2020-01-28) for CVE-2020-7247.

OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted MAIL FROM address.

CVE-2019-19726

openbsd-dynamic-loader-chpass OpenBSD local root exploit.

Code mostly taken from Qualys PoCs (2019-12-11) for CVE-2019-19726.

OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root.

CVE-2019-19520

openbsd-authroot OpenBSD local root exploit.

Code mostly taken from Qualys PoCs (2019-12-04) for CVE-2019-19520 / CVE-2019-19522.

xlock in OpenBSD 6.6 allows local users to gain the privileges of the auth group by providing a LIBGL_DRIVERS_PATH environment variable, because xenocara/lib/mesa/src/loader/loader.c mishandles dlopen. OpenBSD 6.6, in a non-default configuration where S/Key or YubiKey authentication is enabled, allows local users to become root by leveraging membership in the auth group. This occurs because root's file can be written to /etc/skey or /var/db/yubikey, and need not be owned by root.

CVE-2019-18862

GNU Mailutils 2.0 through 3.7 maidag url mode local root exploit.

Based on Mike Gualtieri's research and PoC (2019-11-11) for CVE-2019-18862.

maidag in GNU Mailutils before 3.8 is installed setuid and allows local privilege escalation in the url mode.

CVE-2019-12181

Local root exploit for Serv-U FTP Server versions prior to 15.1.7.

Bash variant of Guy Levin's Serv-U FTP Server exploit (2019-06-13) for CVE-2019-12181.

A privilege escalation vulnerability exists in SolarWinds Serv-U before 15.1.7 for Linux.

CVE-2017-5899

S-nail local root exploit.

Wrapper for @wapiflapi's s-nail-privget.c local root exploit (2017-01-27) for CVE-2017-5899.

Directory traversal vulnerability in the setuid root helper binary in S-nail (later S-mailx) before 14.8.16 allows local users to write to arbitrary files and consequently gain root privileges via a .. (dot dot) in the randstr argument.

CVE-2017-4915

VMware Workstation / Player local root exploit.

Based on Jann Horn's PoC (2017-05-21) for CVE-2017-4915.

VMware Workstation Pro/Player contains an insecure library loading vulnerability via ALSA sound driver configuration files. Successful exploitation of this issue may allow unprivileged host users to escalate their privileges to root in a Linux host machine.

CVE-2011-2921

ktsuss <= 1.4 setuid local root exploit.

Wrapper for John Lightsey's PoC (2011-08-13) for CVE-2011-2921.

Independently rediscovered CVE-2011-2921 while auditing SparkyLinux.

The ktsuss executable is setuid root and does not drop privileges prior to executing user specified commands, resulting in command execution with root privileges.

SparkyLinux 2019.08 and prior package a vulnerable version of ktsuss installed by default.

CVE-2002-0526

InterNetNews (inn) rnews file disclosure exploit.

Based on Paul "IhaQueR" Starzetz's advisory (2002-04-11) for CVE-2002-0526.

Independently rediscovered CVE-2002-0526 on Debian 10 / Ubuntu 20.04 in 2020 (!)

INN (InterNetNews) could allow a local attacker to obtain sensitive information. The rnews binaries fail to drop privileges. A local attacker could exploit this vulnerability to gain unauthorized access to sensitive configuration files.

antix-mxlinux-sudo-persist-config-lpe

antiX / MX Linux default sudo configuration persist-config local root exploit.

antiX / MX Linux default sudo configuration permits users in the users group to execute /usr/local/bin/persist-config as root without providing a password, resulting in trivial privilege escalation.

Execution via sudo requires membership in the users group. By default, the first user created on the system is a member of the users group.

asan-suid-root

Local root exploit for SUID executables compiled with AddressSanitizer (ASan).

Based on 0x27's exploit (2016-02-18) for Szabolcs Nagy's Address Sanitizer local root PoC (2016-02-17).

Use of ASan configuration related environment variables is not restricted when executing setuid executables built with ASan. The log_path option can be set using the ASAN_OPTIONS environment variable, allowing clobbering of arbitrary files, with the privileges of the setuid user.

emmabuntus-sudo-autologin-lightdm-exec-lpe

Emmabuntüs default sudo configuration autologin_lightdm_exec.sh local root exploit.

Emmabuntüs default sudo configuration permits any user to execute /usr/bin/autologin_lightdm_exec.sh as root without providing a password.

The autologin_lightdm_exec.sh script calls cp with user supplied arguments, resulting in trivial privilege escalation.

lastore-daemon-root

lastore-daemon local root exploit.

Based on King's Way's exploit (2016-02-10).

The lastore-daemon D-Bus configuration on Deepin Linux 15.5 permits any user in the sudo group to install arbitrary packages without providing a password, resulting in code execution as root. By default, the first user created on the system is a member of the sudo group.

sudo-blkid-root

sudo-blkid-root local root exploit.

The default sudo configuration on some Linux distributions permits low-privileged users to execute blkid as root. This configuration is unsafe, as blkid allows users to specify the -c flag to write cache data to a file of their choosing, allowing clobbering of arbitrary files.

sudo-chkrootkit-root

sudo-chkrootkit-root local root exploit.

Sometimes administrators allow users to execute chkrootkit via sudo, as chkrootkit requires root privileges.

This is unsafe, as chkrootkit offers a -p flag to specify a path to trusted system utilities (system utilities may have been compromised), allowing execution of arbitrary executables with root privileges.