Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/bcoles/local-exploits

Various local exploits

exploit linux local local-exploits root


README

# Local Exploits
Various local exploits

## CVE-2020-8793

opensmptd-makemap-lpe - Fedora 31 OpenSMTPD makemap local root exploit.

Code mostly taken from [Qualys advisory](https://www.openwall.com/lists/oss-security/2020/02/24/4) (2020-02-24) for
[CVE-2020-8793](https://nvd.nist.gov/vuln/detail/CVE-2020-8793).

> opensmtpd: Reading of arbitrary file by unprivileged attacker can result in information disclosure or privilege escalation [fedora-all]

## CVE-2020-7247

root66 - OpenBSD 6.6 OpenSMTPD 6.6 local root exploit. The NVD text below describes remote exploitation; in OpenBSD's default configuration smtpd listens only on the loopback interface, so this exploit reaches the same flaw from a local account.

Code mostly taken from [Qualys PoCs](https://www.openwall.com/lists/oss-security/2020/01/28/3) (2020-01-28) for
[CVE-2020-7247](https://nvd.nist.gov/vuln/detail/CVE-2020-7247).

> OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted `MAIL FROM` address.

## CVE-2019-19726

openbsd-dynamic-loader-chpass OpenBSD local root exploit.

Code mostly taken from [Qualys PoCs](https://www.openwall.com/lists/oss-security/2019/12/11/9) (2019-12-11) for
[CVE-2019-19726](https://nvd.nist.gov/vuln/detail/CVE-2019-19726).

> OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root.

## CVE-2019-19520

openbsd-authroot OpenBSD local root exploit.

Code mostly taken from [Qualys PoCs](https://www.openwall.com/lists/oss-security/2019/12/04/5) (2019-12-04) for [CVE-2019-19520](https://nvd.nist.gov/vuln/detail/CVE-2019-19520) / [CVE-2019-19522](https://nvd.nist.gov/vuln/detail/CVE-2019-19522).

> `xlock` in OpenBSD 6.6 allows local users to gain the privileges of the auth group by providing a `LIBGL_DRIVERS_PATH` environment variable, because `xenocara/lib/mesa/src/loader/loader.c` mishandles `dlopen`.
> OpenBSD 6.6, in a non-default configuration where S/Key or YubiKey authentication is enabled, allows local users to become root by leveraging membership in the auth group. This occurs because root's file can be written to `/etc/skey` or `/var/db/yubikey`, and need not be owned by root.

## CVE-2019-18862

GNU Mailutils 2.0 <= 3.7 maidag url local root.

Based on Mike Gualtieri's [research and PoC](https://www.mike-gualtieri.com/posts/finding-a-decade-old-flaw-in-gnu-mailutils) (2019-11-11) for [CVE-2019-18862](https://nvd.nist.gov/vuln/detail/CVE-2019-18862).

> maidag in GNU Mailutils before 3.8 is installed setuid and allows local privilege escalation in the url mode.

## CVE-2019-12181

Local root exploit for Serv-U FTP Server versions prior to 15.1.7

Bash variant of Guy Levin's Serv-U FTP Server [exploit](https://github.com/guywhataguy/CVE-2019-12181) (2019-06-13) for [CVE-2019-12181](https://nvd.nist.gov/vuln/detail/CVE-2019-12181).

> A privilege escalation vulnerability exists in SolarWinds Serv-U before 15.1.7 for Linux.

## CVE-2017-5899

S-nail local root exploit.

Wrapper for @wapiflapi's s-nail-privget.c local root [exploit](https://www.openwall.com/lists/oss-security/2017/01/27/7/1) (2017-01-27) for [CVE-2017-5899](https://nvd.nist.gov/vuln/detail/CVE-2017-5899).

> Directory traversal vulnerability in the setuid root helper binary in S-nail (later S-mailx) before 14.8.16 allows local users to write to arbitrary files and consequently gain root privileges via a .. (dot dot) in the randstr argument.

## CVE-2017-4915

VMware Workstation / Player local root exploit.

Based on Jann Horn's [PoC](https://bugs.chromium.org/p/project-zero/issues/detail?id=1142) (2017-05-21) for [CVE-2017-4915](https://nvd.nist.gov/vuln/detail/CVE-2017-4915).

> VMware Workstation Pro/Player contains an insecure library loading vulnerability via ALSA sound driver configuration files. Successful exploitation of this issue may allow unprivileged host users to escalate their privileges to root in a Linux host machine.

## CVE-2011-2921

ktsuss <= 1.4 setuid local root exploit.

Wrapper for John Lightsey's [PoC](https://www.openwall.com/lists/oss-security/2011/08/13/2) (2011-08-13) for [CVE-2011-2921](https://nvd.nist.gov/vuln/detail/CVE-2011-2921).

Independently rediscovered CVE-2011-2921 while auditing SparkyLinux.

> The `ktsuss` executable is setuid `root` and does not drop
> privileges prior to executing user specified commands,
> resulting in command execution with `root` privileges.
>
> SparkyLinux 2019.08 and prior package a vulnerable version of `ktsuss` installed by default.

## CVE-2002-0526

InterNetNews (inn) rnews file disclosure exploit.

Based on Paul "IhaQueR" Starzetz's [advisory](http://web.archive.org/web/20020602000140/http://archives.neohapsis.com/archives/bugtraq/2002-04/0140.html) (2002-04-11) for [CVE-2002-0526](https://nvd.nist.gov/vuln/detail/CVE-2002-0526).

Independently rediscovered CVE-2002-0526 on Debian 10 / Ubuntu 20.04 in 2020 (!)

> INN (InterNetNews) could allow a local attacker to obtain sensitive information.
> The rnews binaries fail to drop privileges. A local attacker could exploit this
> vulnerability to gain unauthorized access to sensitive configuration files.

## antix-mxlinux-sudo-persist-config-lpe

antiX / MX Linux default sudo configuration `persist-config` local root exploit.

> antiX / MX Linux default `sudo` configuration permits users in the `users` group
> to execute `/usr/local/bin/persist-config` as root without providing a password,
> resulting in trivial privilege escalation.
>
> Execution via `sudo` requires `users` group privileges. By default,
> the first user created on the system is a member of the `users` group.

## asan-suid-root

Local root exploit for SUID executables compiled with AddressSanitizer (ASan).

Based on 0x27's [exploit](https://gist.github.com/0x27/9ff2c8fb445b6ab9c94e) (2016-02-18) for Szabolcs Nagy's [Address Sanitizer local root PoC](https://seclists.org/oss-sec/2016/q1/363) (2016-02-17).

> Use of ASan configuration related environment variables is not restricted
> when executing setuid executables built with ASan. The `log_path` option
> can be set using the `ASAN_OPTIONS` environment variable, allowing clobbering
> of arbitrary files, with the privileges of the setuid user.
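The defensive check a practitioner wants here is an inventory of the binaries this class of bug applies to: setuid or setgid executables that were built with the sanitizer runtime. The script below is an added example and is not code from bcoles/local-exploits or from the advisory; the function names, the `--scan` flag and the detection heuristic (the literal `__asan_init` runtime entry point present in the file) are assumptions made for this example.

```shell
#!/bin/sh
# Added example; not code from bcoles/local-exploits or from the ASan advisory.
# Finds setuid/setgid executables that look like they were built with
# AddressSanitizer, i.e. the class of binary the asan-suid-root exploit targets.
#
# Assumption (heuristic): an ASan-instrumented program references the runtime
# entry point "__asan_init", either as a dynamic import from libasan or, when
# statically linked, as a defined symbol, so the literal string is present in
# the file. The function names and the --scan flag are chosen for this example.

# find_asan_suid DIR
#   Print every regular file under DIR with the setuid (04000) or setgid
#   (02000) bit set whose contents contain "__asan_init", one path per line.
#   `grep -a` treats the ELF image as text; `-q` stops at the first hit so a
#   large binary is not read to the end.
find_asan_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec grep -a -q '__asan_init' '{}' \; -print 2>/dev/null
}

# check_asan_suid DIR
#   Exit 0 when no ASan-looking setuid/setgid file was found under DIR,
#   1 otherwise, so it can be dropped into a build or image-hardening check.
check_asan_suid() {
    [ -z "$(find_asan_suid "$1")" ]
}

# Usage: sh asan-suid-check.sh --scan /usr /opt
#   Scans the given roots, prints each hit and exits non-zero if any exist.
case "${1:-}" in
    --scan)
        shift
        rc=0
        for root in "$@"; do
            hits=$(find_asan_suid "$root")
            [ -z "$hits" ] || { printf '%s\n' "$hits"; rc=1; }
        done
        exit "$rc"
        ;;
esac
```

The heuristic errs on the side of reporting: any setuid file that merely contains the string is listed, so confirm a hit with `readelf --dyn-syms` or `nm -D` before filing it. The durable fix is the one the advisory implies: never install a sanitizer-instrumented build with the setuid or setgid bit set.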

## emmabuntus-sudo-autologin-lightdm-exec-lpe

Emmabuntüs default sudo configuration `autologin_lightdm_exec.sh` local root exploit.

> Emmabuntüs default `sudo` configuration permits any user to execute
> `/usr/bin/autologin_lightdm_exec.sh` as root without providing a password.
>
> The `autologin_lightdm_exec.sh` script calls `cp` with user supplied arguments,
> resulting in trivial privilege escalation.

## lastore-daemon-root

lastore-daemon local root exploit.

Based on King's Way's [exploit](https://www.exploit-db.com/exploits/39433/) (2016-02-10).

> The lastore-daemon D-Bus configuration on Deepin Linux 15.5 permits any user
> in the sudo group to install arbitrary packages without providing a password,
> resulting in code execution as root. By default, the first user created on
> the system is a member of the sudo group.

## sudo-blkid-root

sudo-blkid-root local root exploit.

> The default `sudo` configuration on some Linux distributions permits
> low-privileged users to execute `blkid` as root.
> This configuration is unsafe, as blkid allows users to specify the `-c` flag
> to write cache data to file, allowing clobbering of arbitrary files.

## sudo-chkrootkit-root

sudo-chkrootkit-root local root exploit.

> Sometimes administrators allow users to execute `chkrootkit` via `sudo`,
> as `chkrootkit` requires root privileges.
>
> This is unsafe, as `chkrootkit` offers a `-p` flag to specify a path to
> trusted system utilities (system utilities may have been compromised),
> allowing execution of arbitrary executables with root privileges.
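The four sudo entries on this page (antiX / MX Linux `persist-config`, Emmabuntüs `autologin_lightdm_exec.sh`, `blkid -c` and `chkrootkit -p`) share one root cause: a command that can write or execute with root's privileges is granted via `sudo`, often without a password. The script below is an added example, not code from bcoles/local-exploits; it audits `sudo -l` output for those commands. The command list, the expected shape of rule lines (`(runas) [NOPASSWD:] /path/cmd[, /path/cmd ...]`) and the sample output are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example; not code from bcoles/local-exploits. Audits `sudo -l` output
# for the sudo-reachable commands this README documents as unsafe
# (blkid -c, chkrootkit -p, persist-config, autologin_lightdm_exec.sh).
#
# Assumptions: the command list below is an illustration to extend for your
# environment; `sudo -l` rule lines have the form
#   "(runas) [NOPASSWD:] /path/to/cmd[, /path/to/cmd ...]";
# the sample output is constructed, not captured from a real host.

# Last path component of each command the README shows to be exploitable
# when it can be run as root via sudo.
DANGEROUS_SUDO_CMDS='blkid chkrootkit persist-config autologin_lightdm_exec.sh'

# audit_sudo_l
#   Read `sudo -l` output on stdin. For every rule that grants one of the
#   commands above, print "<NOPASSWD|PASSWD> <command> <rule commands>".
#   Exit 0 when nothing was flagged, 1 otherwise.
audit_sudo_l() {
    findings=0
    while IFS= read -r line; do
        # Strip leading whitespace (rule lines are indented under the
        # "User ... may run the following commands" header).
        rule=${line#"${line%%[![:space:]]*}"}
        case "$rule" in
            '('*')'*) ;;        # a sudoers rule line
            *) continue ;;      # header, Defaults, blank line
        esac
        cmds=${rule#*\) }       # drop the "(runas) " prefix
        sev=PASSWD
        case "$cmds" in
            *NOPASSWD:*) sev=NOPASSWD; cmds=${cmds#*NOPASSWD: } ;;
        esac
        for name in $DANGEROUS_SUDO_CMDS; do
            # Match the basename at the end of a path, whether the command is
            # the last one in the rule or is followed by ", next-command".
            case " $cmds " in
                *"/$name "*|*"/$name,"*|*" $name "*|*" $name,"*)
                    printf '%s %s %s\n' "$sev" "$name" "$cmds"
                    findings=$((findings + 1)) ;;
            esac
        done
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample (assumption) in the format `sudo -l` prints.
SAMPLE_SUDO_L='Matching Defaults entries for alice on host:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on host:
    (ALL) NOPASSWD: /sbin/blkid
    (root) NOPASSWD: /usr/local/bin/persist-config
    (ALL) /usr/sbin/chkrootkit, /usr/bin/apt-get update
    (ALL) /usr/bin/apt-get upgrade'

# Usage:  sudo -l | sh sudo-audit.sh --stdin     (audit this host)
#         sh sudo-audit.sh --sample              (run on the constructed sample)
case "${1:-}" in
    --sample) printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_l ;;
    --stdin)  audit_sudo_l ;;
esac
```

On the sample the audit flags `blkid` and `persist-config` as NOPASSWD and `chkrootkit` as password-gated; the password requirement only changes who can exploit the entry (anyone holding the account's password rather than anyone who can run code as that user), not whether it is exploitable. The remedy for every entry on this page is the same: remove the rule, or replace it with a wrapper that takes no user-controlled arguments.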