156 matches found
Exploit for Out-of-bounds Write in Polkit_Project Polkit
PwnKit Vulnerability - Local Privilege Escalation - Title:...
Check Point Response to CVE-2021-4034 - local privilege escalation in polkit's pkexec
Symptoms - A Local Privilege Escalation from any user to root was discovered in polkit's pkexec, a SUID-root program that is installed by default on every major Linux distribution. The vulnerability allows unprivileged users to run commands as privileged users according to predefined policies. Fo...
polkit -- Local Privilege Escalation
Qualys reports: We discovered a Local Privilege Escalation from any user to root in polkit's pkexec, a SUID-root program that is installed by default on every major Linux distribution...
SUSE SLES11 Security Update : kernel (SUSE-SU-2018:2907-1)
The SUSE Linux Enterprise 11 SP3 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : CVE-2018-14634: Prevent integer overflow in createelftables that allowed a local attacker to exploit this vulnerability via a SUID-root binary and obtain full roo...
Local-Privilege Escalation Flaw in Linux Kernel Allows Root Access
A local-privilege escalation vulnerability in the Linux kernel affects all current versions of Red Hat Enterprise Linux and CentOS, even in their default/minimal installations. It would allow an attacker to obtain full administrator privileges over the targeted system, and from there potentially...
glibc - realpath() Privilege Escalation Exploit
Exploit for linux platform in category local exploits This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "glibc 'realpath' Privilege Escalation", 'Description' = %q This module attempts to gain roo...
glibc 'realpath()' Privilege Escalation
This module attempts to gain root privileges on Linux systems by abusing a vulnerability in GNU C Library glibc version 2.26 and prior. This module uses halfdog's RationalLove exploit to exploit a buffer underflow in glibc realpath and create a SUID root shell. The exploit has offsets for glibc...
Hashicorp vagrant-vmware-fusion 5.0.3 - Local root Privilege Escalation Exploit
Exploit for macOS platform in category local exploits Another day, another root privesc bug in this plugin. Not quite so serious this time - this one is only exploitable if the user has the plugin installed but VMware Fusion not installed. This is a fairly unlikely scenario but it's a straight to...
Arq 5.9.7 - Local Privilege Escalation
Arq 5.9.7 - Local Privilege Escalation =begin As well as the other bugs affecting Arq " backupset = "0" 40 hmac = "0" 40 payload = sprintf "%s%s%s%s$%s%s\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00" + "...
Arq 5.9.7 - Local Privilege Escalation
=begin As well as the other bugs affecting Arq " backupset = "0" 40 hmac = "0" 40 payload = sprintf "%s%s%s%s$%s%s\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00" +...
Proxifier for Mac 2.19 - Local Privilege Escalation
With CVE-2017-7643 I disclosed a command injection vulnerablity in the KLoader binary that ships with Proxifier = 2.18. Unfortunately 2.19 is also vulnerable to a slightly different attack that yields the same result. When Proxifier is first run, if the KLoader binary is not suid root it gets...
Hashicorp vagrant-vmware-fusion 5.0.3 - Local Privilege Escalation
Another day, another root privesc bug in this plugin. Not quite so serious this time - this one is only exploitable if the user has the plugin installed but VMware Fusion not installed. This is a fairly unlikely scenario but it's a straight to root privesc with no user interaction so isn't the ki...
Hashicorp vagrant-vmware-fusion <= 4.0.20 - Local root Privilege Esclation Exploit
Exploit for macOS platform in category local exploits I'm a big fan of Hashicorp but this is an awful bug to have in software of their calibre. Their vagrant plugin for vmware fusion uses a product called Ruby Encoder to protect their proprietary ruby code. It does this by turning the ruby code...
Hashicorp vagrant-vmware-fusion 4.0.20 - Local Privilege Escalation
Hashicorp vagrant-vmware-fusion 4.0.20 - Local Privilege Escalation I'm a big fan of Hashicorp but this is an awful bug to have in software of their calibre. Their vagrant plugin for vmware fusion uses a product called Ruby Encoder to protect their proprietary ruby code. It does this by turning t...
Proxifier for Mac 2.17 / 2.18 - Privelege Escalation Exploit
Exploit for macOS platform in category local exploits Source: https://m4.rkw.io/blog/cve20177643-local-root-privesc-in-proxifier-for-mac--218.html Proxifier 2.18 also 2.17 and possibly some earlier version ships with a KLoader binary which it installs suid root the first time Proxifier is run. Th...
Apple OS XiOS Kernel - IOSurface Use-After-Free
Apple OS XiOS Kernel - IOSurface Use-After-Free Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=831 IOSurfaceRootUserClient stores a task struct pointer passed in via IOServiceOpen in the field at +0xf0 without taking a reference. By killing the corrisponding task we can free th...
Apple Mac OSX / iOS - SUID Binary Logic Error Kernel Code Execution
Exploit for multiple platform in category local exploits Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=676 tl;dr The code responsible for loading a suid-binary following a call to the execve syscall invalidates the task port after first swapping the new vmmap into the old task...
OS X Install.framework suid root Runner Binary Privilege Escalation Vulnerability
Exploit for macOS platform in category local exploits Source: https://code.google.com/p/google-security-research/issues/detail?id=478 The Install.framework runner suid root binary does not correctly account for the fact that Distributed Objects can be connected to by multiple clients at the same...
Apple Mac OSX Install.Framework - SUID Root Runner Binary Privilege Escalation
Apple Mac OSX Install.Framework - SUID Root Runner Binary Privilege Escalation Source: https://code.google.com/p/google-security-research/issues/detail?id=478 The Install.framework runner suid root binary does not correctly account for the fact that Distributed Objects can be connected to by...
Apple Mac OSX Install.Framework - Arbitrary mkdir unlink and chown to Admin Group
Apple Mac OSX Install.Framework - Arbitrary mkdir unlink and chown to Admin Group Source: https://code.google.com/p/google-security-research/issues/detail?id=477 Install.framework has a suid root binary here: /System/Library/PrivateFrameworks/Install.framework/Resources/runner This binary vends t...