{"id":13844786,"url":"https://github.com/bcoles/local-exploits","last_synced_at":"2025-03-25T10:32:14.760Z","repository":{"id":41894688,"uuid":"163594175","full_name":"bcoles/local-exploits","owner":"bcoles","description":"Various local exploits","archived":false,"fork":false,"pushed_at":"2022-04-24T02:42:59.000Z","size":63,"stargazers_count":142,"open_issues_count":0,"forks_count":56,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-03-20T01:01:51.935Z","etag":null,"topics":["exploit","linux","local","local-exploits","root"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bcoles.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-12-30T14:40:28.000Z","updated_at":"2025-02-22T12:58:47.000Z","dependencies_parsed_at":"2022-08-11T20:31:08.547Z","dependency_job_id":null,"html_url":"https://github.com/bcoles/local-exploits","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bcoles%2Flocal-exploits","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bcoles%2Flocal-exploits/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bcoles%2Flocal-exploits/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bcoles%2Flocal-exploits/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bcoles","download_url":"https://codeload.github.com/bcoles/local-exploits/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind"
:"github","repositories_count":245444233,"owners_count":20616345,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["exploit","linux","local","local-exploits","root"],"created_at":"2024-08-04T17:02:56.826Z","updated_at":"2025-03-25T10:32:14.407Z","avatar_url":"https://github.com/bcoles.png","language":"Shell","readme":"# Local Exploits\nVarious local exploits\n\n\n## CVE-2020-8793\n\nopensmptd-makemap-lpe - Fedora 31 OpenSMTPD makemap local root exploit.\n\nCode mostly taken from [Qualys advisory](https://www.openwall.com/lists/oss-security/2020/02/24/4) (2020-02-24) for\n [CVE-2020-8793](https://nvd.nist.gov/vuln/detail/CVE-2020-8793).\n\n\u003e opensmtpd: Reading of arbitrary file by unprivileged attacker can result in information disclosure or privilege escalation [fedora-all]\n\n\n## CVE-2020-7247\n\nroot66 OpenBSD 6.6 OpenSMTPD 6.6 local root exploit.\n\nCode mostly taken from [Qualys PoCs](https://www.openwall.com/lists/oss-security/2020/01/28/3) (2020-01-28) for\n [CVE-2020-7247](https://nvd.nist.gov/vuln/detail/CVE-2020-7247).\n\n\u003e OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted `MAIL FROM` address.\n\n\n## CVE-2019-19726\n\nopenbsd-dynamic-loader-chpass OpenBSD local root exploit.\n\nCode mostly taken from [Qualys PoCs](https://www.openwall.com/lists/oss-security/2019/12/11/9) (2019-12-11) for\n [CVE-2019-19726](https://nvd.nist.gov/vuln/detail/CVE-2019-19726).\n\n\u003e OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid 
programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root.\n\n\n## CVE-2019-19520\n\nopenbsd-authroot OpenBSD local root exploit.\n\nCode mostly taken from [Qualys PoCs](https://www.openwall.com/lists/oss-security/2019/12/04/5) (2019-12-04) for [CVE-2019-19520](https://nvd.nist.gov/vuln/detail/CVE-2019-19520) / [CVE-2019-19522](https://nvd.nist.gov/vuln/detail/CVE-2019-19522).\n\n\u003e `xlock` in OpenBSD 6.6 allows local users to gain the privileges of the auth group by providing a `LIBGL_DRIVERS_PATH` environment variable, because `xenocara/lib/mesa/src/loader/loader.c` mishandles `dlopen`.\n\u003e OpenBSD 6.6, in a non-default configuration where S/Key or YubiKey authentication is enabled, allows local users to become root by leveraging membership in the auth group. 
This occurs because root's file can be written to `/etc/skey` or `/var/db/yubikey`, and need not be owned by root.\n\n\n## CVE-2019-18862\n\nGNU Mailutils 2.0 \u003c= 3.7 maidag url mode local root exploit.\n\nBased on Mike Gualtieri's [research and PoC](https://www.mike-gualtieri.com/posts/finding-a-decade-old-flaw-in-gnu-mailutils) (2019-11-11) for [CVE-2019-18862](https://nvd.nist.gov/vuln/detail/CVE-2019-18862).\n\n\u003e maidag in GNU Mailutils before 3.8 is installed setuid and allows local privilege escalation in the url mode.\n\n\n## CVE-2019-12181\n\nLocal root exploit for Serv-U FTP Server versions prior to 15.1.7.\n\nBash variant of Guy Levin's Serv-U FTP Server [exploit](https://github.com/guywhataguy/CVE-2019-12181) (2019-06-13) for [CVE-2019-12181](https://nvd.nist.gov/vuln/detail/CVE-2019-12181).\n\n\u003e A privilege escalation vulnerability exists in SolarWinds Serv-U before 15.1.7 for Linux.\n\n\n## CVE-2017-5899\n\nS-nail local root exploit.\n\nWrapper for @wapiflapi's s-nail-privget.c local root [exploit](https://www.openwall.com/lists/oss-security/2017/01/27/7/1) (2017-01-27) for [CVE-2017-5899](https://nvd.nist.gov/vuln/detail/CVE-2017-5899).\n\n\u003e Directory traversal vulnerability in the setuid root helper binary in S-nail (later S-mailx) before 14.8.16 allows local users to write to arbitrary files and consequently gain root privileges via a .. (dot dot) in the randstr argument.\n\n\n## CVE-2017-4915\n\nVMware Workstation / Player local root exploit.\n\nBased on Jann Horn's [PoC](https://bugs.chromium.org/p/project-zero/issues/detail?id=1142) (2017-05-21) for [CVE-2017-4915](https://nvd.nist.gov/vuln/detail/CVE-2017-4915).\n\n\u003e VMware Workstation Pro/Player contains an insecure library loading vulnerability via ALSA sound driver configuration files. 
Successful exploitation of this issue may allow unprivileged host users to escalate their privileges to root in a Linux host machine.\n\n\n## CVE-2011-2921\n\nktsuss \u003c= 1.4 setuid local root exploit.\n\nWrapper for John Lightsey's [PoC](https://www.openwall.com/lists/oss-security/2011/08/13/2) (2011-08-13) for [CVE-2011-2921](https://nvd.nist.gov/vuln/detail/CVE-2011-2921).\n\nIndependently rediscovered CVE-2011-2921 while auditing SparkyLinux.\n\n\u003e The `ktsuss` executable is setuid `root` and does not drop\n\u003e privileges prior to executing user specified commands,\n\u003e resulting in command execution with `root` privileges.\n\u003e\n\u003e SparkyLinux 2019.08 and prior package a vulnerable version of `ktsuss` installed by default.\n\n\n## CVE-2002-0526\n\nInterNetNews (inn) rnews file disclosure exploit.\n\nBased on Paul \"IhaQueR\" Starzetz's [advisory](http://web.archive.org/web/20020602000140/http://archives.neohapsis.com/archives/bugtraq/2002-04/0140.html) (2002-04-11) for [CVE-2002-0526](https://nvd.nist.gov/vuln/detail/CVE-2002-0526).\n\nIndependently rediscovered CVE-2002-0526 on Debian 10 / Ubuntu 20.04 in 2020 (!)\n\n\u003e INN (InterNetNews) could allow a local attacker to obtain sensitive information.\n\u003e The rnews binaries fail to drop privileges. A local attacker could exploit this\n\u003e vulnerability to gain unauthorized access to sensitive configuration files.\n\n\n## antix-mxlinux-sudo-persist-config-lpe\n\nantiX / MX Linux default sudo configuration `persist-config` local root exploit.\n\n\u003e antiX / MX Linux default `sudo` configuration permits users in the `users` group\n\u003e to execute `/usr/local/bin/persist-config` as root without providing a password,\n\u003e resulting in trivial privilege escalation.\n\u003e\n\u003e Execution via `sudo` requires `users` group privileges. 
By default,\n\u003e the first user created on the system is a member of the `users` group.\n\n\n## asan-suid-root\n\nLocal root exploit for SUID executables compiled with AddressSanitizer (ASan).\n\nBased on 0x27's [exploit](https://gist.github.com/0x27/9ff2c8fb445b6ab9c94e) (2016-02-18) for Szabolcs Nagy's [Address Sanitizer local root PoC](https://seclists.org/oss-sec/2016/q1/363) (2016-02-17).\n\n\u003e Use of ASan configuration related environment variables is not restricted\n\u003e when executing setuid executables built with ASan. The `log_path` option\n\u003e can be set using the `ASAN_OPTIONS` environment variable, allowing clobbering\n\u003e of arbitrary files, with the privileges of the setuid user.\n\n\n## emmabuntus-sudo-autologin-lightdm-exec-lpe\n\nEmmabuntüs default sudo configuration `autologin_lightdm_exec.sh` local root exploit.\n\n\u003e Emmabuntüs default `sudo` configuration permits any user to execute\n\u003e `/usr/bin/autologin_lightdm_exec.sh` as root without providing a password.\n\u003e\n\u003e The `autologin_lightdm_exec.sh` script calls `cp` with user supplied arguments,\n\u003e resulting in trivial privilege escalation.\n\n\n## lastore-daemon-root\n\nlastore-daemon local root exploit.\n\nBased on King's Way's [exploit](https://www.exploit-db.com/exploits/39433/) (2016-02-10).\n\n\u003e The lastore-daemon D-Bus configuration on Deepin Linux 15.5 permits any user\n\u003e in the sudo group to install arbitrary packages without providing a password,\n\u003e resulting in code execution as root. 
By default, the first user created on\n\u003e the system is a member of the sudo group.\n\n## sudo-blkid-root\n\nsudo-blkid-root local root exploit.\n\n\u003e The default `sudo` configuration on some Linux distributions permits\n\u003e low-privileged users to execute `blkid` as root.\n\u003e This configuration is unsafe, as blkid allows users to specify the `-c` flag\n\u003e to write cache data to file, allowing clobbering of arbitrary files.\n\n## sudo-chkrootkit-root\n\nsudo-chkrootkit-root local root exploit.\n\n\u003e Sometimes administrators allow users to execute `chkrootkit` via `sudo`,\n\u003e as `chkrootkit` requires root privileges.\n\u003e\n\u003e This is unsafe, as `chkrootkit` offers a `-p` flag to specify a path to\n\u003e trusted system utilities (system utilities may have been compromised),\n\u003e allowing execution of arbitrary executables with root privileges.\n","funding_links":[],"categories":["Shell (473)","Shell"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbcoles%2Flocal-exploits","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbcoles%2Flocal-exploits","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbcoles%2Flocal-exploits/lists"}
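As an added audit check, not code from bcoles/local-exploits: the sudo entries in the README above (antix-mxlinux-sudo-persist-config-lpe, emmabuntus-sudo-autologin-lightdm-exec-lpe, sudo-blkid-root, sudo-chkrootkit-root) all reduce to the same mistake, a sudoers rule that grants root execution of a command whose own flags (`blkid -c`, `chkrootkit -p`) or arguments (`persist-config`, `autologin_lightdm_exec.sh`) let the caller write or execute as root. The helper below flags such rules in a sudoers file or in the per-command lines of `sudo -l` output. The rule grammar it parses, the list of unsafe basenames (taken from this README) and the sample sudoers fragment are assumptions made for this example.

```shell
#!/bin/sh
# Added example: a sudoers audit helper, not code from bcoles/local-exploits.
# It flags rules granting root execution of the commands the README documents
# as abusable: blkid (-c writes a cache file anywhere), chkrootkit (-p points
# at "trusted" utilities it then executes), persist-config and
# autologin_lightdm_exec.sh (distribution wrapper scripts that pass user input on).
# Assumption: input lines use the standard sudoers grammar
#   who host=(runas) [TAG:] cmd[, cmd...]
# or the per-command lines of `sudo -l` output, which lack the "who host=" prefix.

# Basenames this README shows to be unsafe to grant via sudo (assumed list).
UNSAFE_CMDS="blkid chkrootkit persist-config autologin_lightdm_exec.sh"

# check_sudo_rule RULE
# Prints OK, UNSAFE (password still required) or UNSAFE-NOPASSWD for one rule.
# "ALL" is flagged because it includes every unsafe command. The body runs in a
# subshell so the IFS and globbing changes stay local.
check_sudo_rule() (
    set -f                          # never glob-expand words such as "apt-get *"
    rule=$1
    case "$rule" in
        ''|\#*|Defaults*|*_Alias*) printf 'OK\n'; return 0 ;;
    esac
    cmdspec=${rule#*=}              # text after "host=" (unchanged if no "=")
    cmdspec=${cmdspec#\(*\)}        # drop an optional "(runas)" prefix
    nopasswd=0
    verdict=OK
    oldifs=$IFS
    IFS=,
    for entry in $cmdspec; do       # one command entry per comma-separated field
        IFS=$oldifs
        set -- $entry               # split the entry into words
        # Peel off tags (NOPASSWD:, SETENV:, NOEXEC: ...) that prefix the command.
        while [ $# -gt 0 ]; do
            case $1 in
                NOPASSWD:) nopasswd=1; shift ;;
                *:)        shift ;;
                *)         break ;;
            esac
        done
        if [ $# -gt 0 ]; then
            case $1 in
                !*) continue ;;     # a negated entry denies, it does not grant
            esac
            bin=${1##*/}            # basename of the granted command
            if [ "$bin" = ALL ]; then
                verdict=UNSAFE
            fi
            for u in $UNSAFE_CMDS; do
                if [ "$bin" = "$u" ]; then
                    verdict=UNSAFE
                fi
            done
        fi
    done
    if [ "$verdict" = UNSAFE ] && [ "$nopasswd" -eq 1 ]; then
        verdict=UNSAFE-NOPASSWD
    fi
    printf '%s\n' "$verdict"
)

# audit_sudoers: reads sudoers (or `sudo -l`) text on stdin and prints
# "verdict<TAB>rule" for every rule that is not OK.
audit_sudoers() {
    while IFS= read -r line; do
        v=$(check_sudo_rule "$line")
        if [ "$v" != OK ]; then
            printf '%s\t%s\n' "$v" "$line"
        fi
    done
}

# Constructed sample sudoers fragment for the demo (not taken from any real system).
SAMPLE_SUDOERS='# /etc/sudoers.d/sample (constructed)
Defaults env_reset
%users ALL=(root) NOPASSWD: /usr/local/bin/persist-config
ALL ALL=(ALL) NOPASSWD: /usr/bin/autologin_lightdm_exec.sh
bob ALL=(root) /sbin/blkid
alice ALL=(root) NOPASSWD: /usr/bin/apt-get update
carol ALL=(root) NOPASSWD: /usr/sbin/chkrootkit
%admin ALL=(ALL) ALL'

# Demo: prints the five flagged rules from the sample above.
printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```

Run `audit_sudoers < /etc/sudoers.d/<file>` or paste the output of `sudo -l` on stdin. The check matches basenames only and does not resolve `Cmnd_Alias` definitions, so an OK means "nothing from this list was found", not that the rule is safe; and a rule reported as UNSAFE rather than UNSAFE-NOPASSWD still asks for the caller's password, which removes the trivial case in the README but not the underlying problem of handing root a command that takes attacker-chosen paths.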