3217 matches found

0day.today
added 2017/03/03 12:0 a.m. · 19 views

Linux/x86-64 - Polymorphic Setuid(0) & Execve(/bin/sh) Shellcode (31 bytes)

;The MIT License (MIT) ;Copyright (c) 2017 Robert L. Taylor ;Permission is hereby granted, free of charge, to any person obtaining a ;copy of this software and associated documentation files (the “Software”), ;to deal in the Software without restriction, including without limitation ;the rights to use,...

AI score 7.1
Exploits 0

OSV
added 2017/03/01 8:59 p.m. · 1 views

DEBIAN-CVE-2016-10151

The hesiod_init function in lib/hesiod.c in Hesiod 3.2.1 compares EUID with UID to determine whether to use configurations from environment variables, which allows local users to gain privileges via the (1) HESIOD_CONFIG or (2) HES_DOMAIN environment variable and leveraging certain SUID/SGUID binary...

CVSS 7 · AI score 7.1 · EPSS 0.00116
Exploits 0 · References 1

Packet Storm
added 2017/01/28 12:0 a.m. · 83 views

VirtualBox Privilege Escalation

Privilege Escalation in VirtualBox CVE-2017-3316 == Overview === System affected: VirtualBox Software-Version: prior to 5.0.32, prior to 5.1.14 User-Interaction: Required Impact: A Man-In-The-Middle could infiltrate an Extension-Pack-Update to gain a root-shell === Detailed description === In my...

AI score 0.3 · EPSS 0.01602
Exploits 4

OSV
added 2017/01/23 7:59 a.m. · 0 views

UBUNTU-CVE-2016-10156

A flaw in systemd v228 in /src/basic/fs-util.c caused world writable suid files to be created when using the systemd timers features, allowing local attackers to escalate their privileges to root. This is fixed in v229...

CVSS 7.8 · AI score 7.1 · EPSS 0.00712
Exploits 4 · References 2

n0where
added 2016/12/12 4:32 p.m. · 28 views

Auto Backdooring Utility: backdoorme

Auto Backdooring Utility Backdoorme is a powerful utility capable of backdooring Unix machines with a slew of backdoors. Backdoorme uses a familiar metasploit interface with tremendous extensibility. Backdoorme relies on having an existing SSH connection or credentials to the victim, through which...

Exploits 0 · References 2

NVD
added 2016/12/02 5:59 p.m. · 9 views

CVE-2016-9638

In BMC Patrol before 9.13.10.02, the binary "listguests64" is configured with the setuid bit. However, when executing it, it will look for a binary named "virsh" using the PATH environment variable. The "listguests64" program will then run "virsh" using root privileges. This allows local users to...

CVSS 7.8 · AI score 7.5 · EPSS 0.00054
Exploits 1 · References 3

Prion
added 2016/12/02 5:59 p.m. · 10 views

Design/Logic Flaw

In BMC Patrol before 9.13.10.02, the binary "listguests64" is configured with the setuid bit. However, when executing it, it will look for a binary named "virsh" using the PATH environment variable. The "listguests64" program will then run "virsh" using root privileges. This allows local users to...

CVSS 7.2 · AI score 6.9 · EPSS 0.00054
Exploits 1 · References 3 · Affected Software 1

OSV
added 2016/12/02 5:59 p.m. · 1 views

CVE-2016-9638

In BMC Patrol before 9.13.10.02, the binary "listguests64" is configured with the setuid bit. However, when executing it, it will look for a binary named "virsh" using the PATH environment variable. The "listguests64" program will then run "virsh" using root privileges. This allows local users to...

CVSS 7.8 · AI score 5.8 · EPSS 0.00054
Exploits 1 · References 3

Gentoo Linux
added 2016/12/02 12:0 a.m. · 38 views

DavFS2: Local privilege escalation

Background DavFS2 is a file system driver that allows you to mount a WebDAV server as a local disk drive. Description DavFS2 installs “/usr/sbin/mount.davfs” as setuid root. This utility uses “system” to call “/sbin/modprobe”. While the call to “modprobe” itself cannot be manipulated, a local...

CVSS 7.2 · AI score 6.1 · EPSS 0.0081
Exploits 2

OSV
added 2016/11/25 3:59 a.m. · 1 views

CVE-2016-2984

IBM Spectrum Scale 4.1.1.x before 4.1.1.8 and 4.2.x before 4.2.0.4 and General Parallel File System GPFS 3.5.x before 3.5.0.32 and 4.1.x before 4.1.1.8 allow local users to gain privileges via crafted command-line parameters to a /usr/lpp/mmfs/bin/ setuid program...

CVSS 7 · AI score 5.8 · EPSS 0.00039
Exploits 0 · References 2

ATTACKERKB
added 2016/11/25 3:59 a.m. · 1 views

CVE-2016-2984

IBM Spectrum Scale 4.1.1.x before 4.1.1.8 and 4.2.x before 4.2.0.4 and General Parallel File System GPFS 3.5.x before 3.5.0.32 and 4.1.x before 4.1.1.8 allow local users to gain privileges via crafted command-line parameters to a /usr/lpp/mmfs/bin/ setuid program...

CVSS 7 · AI score 5.5 · EPSS 0.00039
Exploits 0 · References 3

Prion
added 2016/11/25 3:59 a.m. · 13 views

Design/Logic Flaw

IBM Spectrum Scale 4.1.1.x before 4.1.1.8 and 4.2.x before 4.2.0.4 and General Parallel File System GPFS 3.5.x before 3.5.0.32 and 4.1.x before 4.1.1.8 allow local users to gain privileges via crafted command-line parameters to a /usr/lpp/mmfs/bin/ setuid program...

CVSS 6.9 · AI score 6.8 · EPSS 0.00039
Exploits 0 · References 2 · Affected Software 2

0day.today
added 2016/11/19 12:0 a.m. · 54 views

Palo Alto Networks PanOS root_trace - Privilege Escalation Vulnerability

Exploit for linux platform in category local exploits Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=912 The setuid root executable /usr/local/bin/root_trace essentially just does setuid(0) then system("/usr/local/bin/masterd"), which is a python script: $ ls -l...

CVSS 4.6 · AI score 7.4 · EPSS 0.00093
Exploits 2

0day.today
added 2016/11/19 12:0 a.m. · 39 views

Palo Alto Networks PanOS root_reboot - Privilege Escalation Vulnerability

Exploit for linux platform in category local exploits Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=913 This was fixed by PAN: http://securityadvisories.paloaltonetworks.com/Home/Detail/67 The root_reboot utility is setuid root, but performs multiple calls to system with attack...

CVSS 4.6 · AI score 7.4 · EPSS 0.00093
Exploits 2

Exploit DB
added 2016/11/18 12:0 a.m. · 37 views

Palo Alto Networks PanOS - 'root_trace' Local Privilege Escalation

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=912 The setuid root executable /usr/local/bin/root_trace essentially just does setuid(0) then system("/usr/local/bin/masterd"), which is a python script: $ ls -l /usr/local/bin/root_trace -rwsr-xr-x 1 root root 12376 Oct 17 2014...

AI score 7.4
Exploits 0

exploitpack
added 2016/11/18 12:0 a.m. · 16 views

Palo Alto Networks PanOS - root_reboot Local Privilege Escalation

Palo Alto Networks PanOS - root_reboot Local Privilege Escalation Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=913 This was fixed by PAN: http://securityadvisories.paloaltonetworks.com/Home/Detail/67 The root_reboot utility is setuid root, but performs multiple calls to system...

Exploits 0

Tenable Nessus
added 2016/11/17 12:0 a.m. · 35 views

GLSA-201611-10 : libuv: Privilege escalation

The remote host is affected by the vulnerability described in GLSA-201611-10 libuv: Privilege escalation It was discovered that libuv does not call setgroups before calling setuid/setgid. If this is not called, then even though the uid has been dropped, there may still be groups associated that...

CVSS 10 · AI score 8 · EPSS 0.01586
Exploits 0 · References 2

exploitpack
added 2016/11/02 12:0 a.m. · 35 views

LifeSize Room 5.0.9 - Multiple Vulnerabilities

LifeSize Room 5.0.9 - Multiple Vulnerabilities Source: https://github.com/XiphosResearch/exploits/tree/master/deathsize LifeSize Room 5.0.9, remote config disclosure, code execution & local privilege escalation Ultimately the Lifesize Room products have fundamentally flawed firmware, many similar...

AI score 0.3
Exploits 0

Positive Technologies
added 2016/10/29 12:0 a.m. · 4 views

PT-2019-16759 · Linux +3 · Linux Kernel +3

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 4.8 Description: A race condition in the perf event open function allows local attackers to leak sensitive data from setuid programs. This occurs because no relevant locks, specifically the cred guard mutex, are...

CVSS 9.8 · AI score 7.2 · EPSS 0.51991
Exploits 72 · References 267

Debian
added 2016/10/28 9:43 p.m. · 37 views

[SECURITY] [DLA 680-2] bash version number correction

Package : bash Version : 4.2+dfsg-0.1+deb7u4 CVE ID : CVE-2016-7543 This is a correction of DLA 680-1 that mentioned that bash 4.2+dfsg-0.1+deb7u3 was corrected. The corrected package version was 4.2+dfsg-0.1+deb7u4. For completeness the text from DLA 680-1 available below with only corrected...

CVSS 8.4 · AI score 7.3 · EPSS 0.00098
Exploits 0