Various local exploits
opensmptd-makemap-lpe - Fedora 31 OpenSMTPD makemap local root exploit.
Code mostly taken from Qualys advisory (2020-02-24) for CVE-2020-8793.
opensmtpd: Reading of arbitrary file by unprivileged attacker can result in information disclosure or privilege escalation [fedora-all]
root66 OpenBSD 6.6 OpenSMTPD 6.6 local root exploit.
Code mostly taken from Qualys PoCs (2020-01-28) for CVE-2020-7247.
OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted MAIL FROM address.
openbsd-dynamic-loader-chpass OpenBSD local root exploit.
Code mostly taken from Qualys PoCs (2019-12-11) for CVE-2019-19726.
OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root.
openbsd-authroot OpenBSD local root exploit.
Code mostly taken from Qualys PoCs (2019-12-04) for CVE-2019-19520 / CVE-2019-19522.
xlock in OpenBSD 6.6 allows local users to gain the privileges of the auth group by providing a LIBGL_DRIVERS_PATH environment variable, because xenocara/lib/mesa/src/loader/loader.c mishandles dlopen. OpenBSD 6.6, in a non-default configuration where S/Key or YubiKey authentication is enabled, allows local users to become root by leveraging membership in the auth group. This occurs because root's file can be written to /etc/skey or /var/db/yubikey, and need not be owned by root.
GNU Mailutils 2.0 <= 3.7 maidag url local root.
Based on Mike Gualtieri's research and PoC (2019-11-11) for CVE-2019-18862.
maidag in GNU Mailutils before 3.8 is installed setuid and allows local privilege escalation in the url mode.
Local root exploit for Serv-U FTP Server versions prior to 15.1.7
Bash variant of Guy Levin's Serv-U FTP Server exploit (2019-06-13) for CVE-2019-12181.
A privilege escalation vulnerability exists in SolarWinds Serv-U before 15.1.7 for Linux.
S-nail local root exploit.
Wrapper for @wapiflapi's s-nail-privget.c local root exploit (2017-01-27) for CVE-2017-5899.
Directory traversal vulnerability in the setuid root helper binary in S-nail (later S-mailx) before 14.8.16 allows local users to write to arbitrary files and consequently gain root privileges via a .. (dot dot) in the randstr argument.
VMware Workstation / Player local root exploit.
Based on Jann Horn's PoC (2017-05-21) for CVE-2017-4915.
VMware Workstation Pro/Player contains an insecure library loading vulnerability via ALSA sound driver configuration files. Successful exploitation of this issue may allow unprivileged host users to escalate their privileges to root in a Linux host machine.
ktsuss <= 1.4 setuid local root exploit.
Wrapper for John Lightsey's PoC (2011-08-13) for CVE-2011-2921.
Independently rediscovered CVE-2011-2921 while auditing SparkyLinux.
The ktsuss executable is setuid root and does not drop privileges prior to executing user specified commands, resulting in command execution with root privileges. SparkyLinux 2019.08 and prior package a vulnerable version of ktsuss installed by default.
InterNetNews (inn) rnews file disclosure exploit.
Based on Paul "IhaQueR" Starzetz's advisory (2002-04-11) for CVE-2002-0526.
Independently rediscovered CVE-2002-0526 on Debian 10 / Ubuntu 20.04 in 2020 (!).
INN (InterNetNews) could allow a local attacker to obtain sensitive information. The rnews binaries fail to drop privileges. A local attacker could exploit this vulnerability to gain unauthorized access to sensitive configuration files.
antiX / MX Linux default sudo configuration persist-config local root exploit.
antiX / MX Linux default sudo configuration permits users in the users group to execute /usr/local/bin/persist-config as root without providing a password, resulting in trivial privilege escalation. Execution via sudo requires users group privileges. By default, the first user created on the system is a member of the users group.
Local root exploit for SUID executables compiled with AddressSanitizer (ASan).
Based on 0x27's exploit (2016-02-18) for Szabolcs Nagy's Address Sanitizer local root PoC (2016-02-17).
Use of ASan configuration related environment variables is not restricted when executing setuid executables built with ASan. The log_path option can be set using the ASAN_OPTIONS environment variable, allowing clobbering of arbitrary files with the privileges of the setuid user.
Emmabuntüs default sudo configuration autologin_lightdm_exec.sh local root exploit.
Emmabuntüs default sudo configuration permits any user to execute /usr/bin/autologin_lightdm_exec.sh as root without providing a password. The autologin_lightdm_exec.sh script calls cp with user supplied arguments, resulting in trivial privilege escalation.
lastore-daemon local root exploit.
Based on King's Way's exploit (2016-02-10).
The lastore-daemon D-Bus configuration on Deepin Linux 15.5 permits any user in the sudo group to install arbitrary packages without providing a password, resulting in code execution as root. By default, the first user created on the system is a member of the sudo group.
sudo-blkid-root local root exploit.
The default sudo configuration on some Linux distributions permits low-privileged users to execute blkid as root. This configuration is unsafe, as blkid allows users to specify the -c flag to write cache data to a file, allowing clobbering of arbitrary files.
sudo-chkrootkit-root local root exploit.
Sometimes administrators allow users to execute chkrootkit via sudo, as chkrootkit requires root privileges. This is unsafe, as chkrootkit offers a -p flag to specify a path to trusted system utilities (system utilities may have been compromised), allowing execution of arbitrary executables with root privileges.
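The persist-config, autologin_lightdm_exec.sh, blkid and chkrootkit entries above all share one root cause: a sudo rule that lets a low-privileged user run, as root, a command which writes to a user-chosen path or executes a user-chosen binary. The following shell script is an added example for auditing a host for such rules; it is not part of this repository and is not taken from any of the referenced exploits. It parses sudo -l style output on stdin and flags rule lines whose command basename is one of the four commands named above. The DANGEROUS_CMDS list, the user name alice, the host name and the sudo -l sample it is run against are constructed for the example.

```shell
#!/bin/sh
# Added example: flag sudo rules that grant root execution of commands the
# entries above describe as unsafe. Not part of the original repository.

# Basenames of commands from the entries above that allow file clobbering
# (blkid -c, autologin_lightdm_exec.sh via cp) or arbitrary execution
# (chkrootkit -p, persist-config) when run as root through sudo.
DANGEROUS_CMDS='blkid chkrootkit persist-config autologin_lightdm_exec.sh'

# Constructed sample of `sudo -l` output for a user in the "users" group.
# The user, host and rules are made up for this example.
SAMPLE_SUDO_L='Matching Defaults entries for alice on host:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on host:
    (root) NOPASSWD: /usr/local/bin/persist-config
    (root) NOPASSWD: /sbin/blkid
    (root) /usr/sbin/chkrootkit
    (root) NOPASSWD: /usr/bin/autologin_lightdm_exec.sh
    (root) /usr/bin/apt-get'

# find_dangerous_sudo_rules: read `sudo -l` style text on stdin and print,
# without leading whitespace, every rule line whose command basename is
# listed in DANGEROUS_CMDS. Rule lines have the form
#   "(runas) [NOPASSWD:|PASSWD:] /path/to/command [args]"
find_dangerous_sudo_rules() {
    while IFS= read -r line; do
        # Only rule lines carry a "(runas)" prefix; skip headers and Defaults.
        case "$line" in
            *'('*')'*) ;;
            *) continue ;;
        esac
        # Strip leading whitespace, the "(runas)" token and an optional
        # NOPASSWD:/PASSWD: tag, leaving "command [args]".
        rest=$(printf '%s\n' "$line" \
            | sed -e 's/^[[:space:]]*([^)]*)[[:space:]]*//' \
                  -e 's/^NOPASSWD:[[:space:]]*//' \
                  -e 's/^PASSWD:[[:space:]]*//')
        cmd=${rest%% *}     # first token is the command path
        base=${cmd##*/}     # basename of the command path
        for d in $DANGEROUS_CMDS; do
            if [ "$base" = "$d" ]; then
                printf '%s\n' "$line" | sed 's/^[[:space:]]*//'
                break
            fi
        done
    done
}

# count_dangerous_sudo_rules: number of flagged rules in the constructed sample.
count_dangerous_sudo_rules() {
    printf '%s\n' "$SAMPLE_SUDO_L" | find_dangerous_sudo_rules | wc -l | tr -d ' '
}

# Stand-alone run: report the flagged rules from the constructed sample.
printf '%s\n' "$SAMPLE_SUDO_L" | find_dangerous_sudo_rules
```

On a real host, run `sudo -l | find_dangerous_sudo_rules` as the user being audited; a NOPASSWD rule for any of these commands is the configuration the entries above exploit, and a rule that prompts for a password is only marginally better, since the user's own password is all that is required. The list is deliberately limited to the commands this page documents; any other command that accepts an output path or an executable path from its arguments deserves the same scrutiny.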