3217 matches found

Veracode
added 2020/04/10 12:47 a.m., 26 views

Privilege Escalation

Pluggable Authentication Modules (PAM) is vulnerable to Privilege Escalation. The attack exists because pam_namespace.c in the pam_namespace module in Linux-PAM uses the environment of the invoking application or service during execution of the namespace.init script, which might allow local users to...

CVSS 6.9, AI score 4.9, EPSS 0.00053
Exploits 0, References 13, Affected Software 1
Veracode
added 2020/04/10 12:35 a.m., 42 views

Denial Of Service (DoS)

The kernel is vulnerable to denial of service (DoS). The ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags were not cleared when a setuid or setgid program was executed. A local, unprivileged user could use this flaw to bypass the mmap_min_addr protection mechanism and perform a NULL pointer dereference attack,...

CVSS 7.2, AI score 3.9, EPSS 0.0006
Exploits 1, References 39, Affected Software 2
Veracode
added 2020/04/10 12:18 a.m., 33 views

Privilege Escalation

util-linux is vulnerable to privilege escalation. The vulnerability exists as a flaw was discovered in the way that the mount and umount utilities used the setuid and setgid functions, which could lead to privileges being dropped improperly. A local user could use this flaw to run mount helper...

CVSS 7.2, AI score 2.3, EPSS 0.00101
Exploits 0, References 37, Affected Software 1
BDU FSTEC
added 2020/04/06 12:0 a.m., 0 views

The vulnerability of the PAM module’s Python interpreter allows attackers to increase their privileges.

The vulnerability of the PAM module’s Python interpreter involves insecure management of privileges. Exploiting this vulnerability allows attackers to elevate their privileges using a specially created binary file with a setuid flag...

CVSS 7.8, EPSS 0.0006
Exploits 0, References 4, Affected Software 2
RedhatCVE
added 2020/04/04 5:25 p.m., 29 views

CVE-2019-11191

The Linux kernel allows local users to bypass ASLR protections for setuid a.out programs when CONFIG_IA32_AOUT is enabled and the ia32_aout module is loaded, because install_exec_creds() is called too late in load_aout_binary() in fs/binfmt_aout.c. Due to this, the ptrace_may_access() check may have a race...

CVSS 2.5, AI score 3.2, EPSS 0.00009
Exploits 1, References 3
Veracode
added 2020/04/03 12:40 a.m., 44 views

Arbitrary Code Execution

kernel is vulnerable to arbitrary code execution. The vulnerability exists through an ASLR bypass for setuid binaries due to late install_exec_creds()...

CVSS 4.7, AI score 3.8, EPSS 0.00011
Exploits 1, References 23, Affected Software 2
0day.today
added 2020/04/03 12:0 a.m., 313 views

VMware Fusion USB Arbitrator Setuid Privilege Escalation Exploit

This Metasploit module exploits an improper use of setuid binaries within VMware Fusion versions 10.1.3 through 11.5.3. The Open VMware USB Arbitrator Service can be launched outside of its standard path which allows loading of an attacker controlled binary. By creating a payload in the user home...

CVSS 7.8, AI score 0.3, EPSS 0.16073
Exploits 10
Packet Storm
added 2020/04/03 12:0 a.m., 294 views

VMware Fusion USB Arbitrator Setuid Privilege Escalation

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'VMware Fusion USB Arbitrator Setuid Privilege Escalation', 'Description' = %q This exploits an improper use of setuid binaries within VMware Fusi...

CVSS 7.2, AI score 1.2, EPSS 0.16073
Exploits 10
Tenable Nessus
added 2020/04/02 12:0 a.m., 24 views

EulerOS Virtualization for ARM 64 3.0.6.0 : bash (EulerOS-SA-2020-1343)

According to the version of the bash package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability : - A privilege escalation vulnerability was found in bash in the way it dropped privileges when started with an effective user ...

CVSS 7.8, AI score 6.6, EPSS 0.50225
Exploits 5, References 2
Fedora
added 2020/04/01 4:35 p.m., 15 views

[SECURITY] Fedora 32 Update: bubblewrap-0.4.1-1.fc32

Bubblewrap (/usr/bin/bwrap) is a core execution engine for unprivileged containers that works as a setuid binary on kernels without user namespaces...

AI score 4.7
Exploits 0
RedHat Linux
added 2020/03/31 9:3 p.m., 5 views

kernel: perf_event_open() and execve() race in setuid programs allows a data leak

A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs. As no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it is possible for the specified target task to perform an execve() syscall with setuid execution...

CVSS 5.6, AI score 7.3, EPSS 0.00061
Exploits 0, References 4
RedHat Linux
added 2020/03/31 9:3 p.m., 4 views

kernel: ASLR bypass for setuid binaries due to late install_exec_creds()

A flaw in the load_elf_binary() function in the Linux kernel allows a local attacker to leak the base address of .text and stack sections for setuid binaries and bypass ASLR because install_exec_creds() is called too late in this function...

CVSS 4.7, AI score 7.2, EPSS 0.00011
Exploits 1, References 4
RedHat Linux
added 2020/03/31 8:33 p.m., 2 views

kernel: perf_event_open() and execve() race in setuid programs allows a data leak

A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs. As no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it is possible for the specified target task to perform an execve() syscall with setuid execution...

CVSS 5.6, AI score 7.3, EPSS 0.00061
Exploits 0, References 4
OSV
added 2020/03/31 6:15 p.m., 1 views

ALPINE-CVE-2020-5291

Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that...

CVSS 7.8, AI score 7, EPSS 0.00177
Exploits 0, References 1
OSV
added 2020/03/31 6:15 p.m., 1 views

DEBIAN-CVE-2020-5291

Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that...

CVSS 7.8, AI score 7.6, EPSS 0.00177
Exploits 0, References 1
OSV
added 2020/03/31 6:15 p.m., 19 views

CVE-2020-5291

Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that...

CVSS 7.8, AI score 6.7
Exploits 0, References 2
OSV
added 2020/03/31 6:15 p.m., 0 views

UBUNTU-CVE-2020-5291

Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that...

CVSS 7.8, AI score 6.8, EPSS 0.00177
Exploits 0, References 3
Cvelist
added 2020/03/31 6:0 p.m., 16 views

CVE-2020-5291 Privilege escalation in setuid mode via user namespaces in Bubblewrap

Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that...

CVSS 7.2, AI score 7.6, EPSS 0.00177
Exploits 0, References 2
CVE
added 2020/03/31 6:0 p.m., 150 views

CVE-2020-5291

Bubblewrap (bwrap)

CVSS 8.5, AI score 7.2, EPSS 0.00177
Exploits 0, References 2, Affected Software 1
Debian CVE
added 2020/03/31 6:0 p.m., 20 views

CVE-2020-5291

Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that...

CVSS 8.5, AI score 6.9, EPSS 0.00177
Exploits 0