Lucene search

9 matches found

Exploit DB
added 2016/10/31 12:0 a.m. | 69 views

Apple macOS 10.12 - 'task_t' Local Privilege Escalation

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=837 TL;DR you cannot hold or use a task struct pointer and expect the euid of that task to stay the same. Many many places in the kernel do this and there are a great many very exploitable bugs as a result. task_t is just a typedef...

9.3 CVSS | 6.4 AI score | 0.50335 EPSS
Exploits: 9
GoogleProjectZero
added 2016/03/22 12:0 a.m. | 33 views

Race you to the kernel!

Posted by Ian Beer of Google Project Zero The OS X and iOS kernel code responsible for loading a setuid root binary invalidates the old task port after first swapping the new virtual memory map pointer into the old task object, leaving a short race window where you can manipulate the memory of an...

9.3 CVSS | 5.8 AI score | 0.50335 EPSS
Exploits: 9
Exploit DB
added 2015/09/10 12:0 a.m. | 34 views

Apple Mac OSX Install.Framework - SUID Root Runner Binary Privilege Escalation

Source: https://code.google.com/p/google-security-research/issues/detail?id=478 The Install.framework runner suid root binary does not correctly account for the fact that Distributed Objects can be connected to by multiple clients at the same time. By connecting two proxy objects to an...

7.4 AI score
Exploits: 0
0day.today
added 2014/03/10 12:0 a.m. | 19 views

QNX 6.5.0 x86 io-graphics - Local root Exploit

Exploit for QNX platform in category local exploits / QNX 6.5.0 x86 io-graphics local root exploit by cenobyte 2013 - vulnerability description: Setuid root /usr/photon/bin/io-graphics on QNX is prone to a buffer overflow. The vulnerability is due to insufficient bounds checking of the PHOTON2HOME...

6.8 AI score
Exploits: 0
0day.today
added 2014/03/10 12:0 a.m. | 20 views

QNX 6.5.0 x86 phfont - Local root Exploit

Exploit for QNX platform in category local exploits / QNX 6.5.0 x86 phfont local root exploit by cenobyte 2013 - vulnerability description: Setuid root /usr/photon/bin/phfont on QNX is prone to a buffer overflow. The vulnerability is due to insufficient bounds checking of the PHOTONHOME environmen...

6.8 AI score
Exploits: 0
Prion
added 2009/09/18 10:30 a.m. | 27 views

Design/Logic Flaw

The z90crypt_unlocked_ioctl function in the z90crypt driver in the Linux kernel 2.6.9 does not perform a capability check for the Z90QUIESCE operation, which allows local users to leverage euid 0 privileges to force a driver outage...

4.4 CVSS | 6.5 AI score | 0.00077 EPSS
Exploits: 1 | References: 9 | Affected Software: 1
seebug.org
added 2008/12/30 12:0 a.m. | 25 views

FreeBSD 6x/7 protosw kernel Local Privledge Escalation Exploit

No description provided by source. / This is a quick and very dirty exploit for the FreeBSD protosw vulnerability defined here: http://security.freebsd.org/advisories/FreeBSD-SA-08:13.protosw.asc This will overwrite your credential structure in the kernel. This will affect more than just the...

7.1 AI score
Exploits: 0
seebug.org
added 2006/10/28 12:0 a.m. | 12 views

UNIX 7th Edition /bin/mkdir Local Buffer Overflow Exploit

No description provided by source. / Exploit for /bin/mkdir Unix V7 PDP-11. mkdir has a buffer overflow when checking if the directory in /arg/with/slashes/fname exists. This will run /bin/sh with euid 0, but not uid 0. Since the shell doesn't do anything special about this, we don't really care...

7.1 AI score
Exploits: 0
seebug.org
added 2006/10/28 12:0 a.m. | 16 views

BSDi suidperl Local Stack Buffer Overflow Exploit

No description provided by source. / BSDisuidperl buffer overflow, by [email protected]. this is that old buffer overflow in suidperl, but i never saw any version of it for BSDi. so, here it is. this gives euid=0. BSDi/3.0 / define PATH "/usr/bin/suidperl" / path to suidperl on BSDi/3.0. / define...

7.1 AI score
Exploits: 0