Local Exploits
Various local exploits
CVE-2020-8793
opensmptd-makemap-lpe - Fedora 31 OpenSMTPD makemap local root exploit.
Code mostly taken from Qualys advisory (2020-02-24) for CVE-2020-8793.
opensmtpd: Reading of arbitrary file by unprivileged attacker can result in information disclosure or privilege escalation [fedora-all]
CVE-2020-7247
root66 OpenBSD 6.6 OpenSMTPD 6.6 local root exploit.
Code mostly taken from Qualys PoCs (2020-01-28) for CVE-2020-7247.
OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted
MAIL FROM
address.
CVE-2019-19726
openbsd-dynamic-loader-chpass OpenBSD local root exploit.
Code mostly taken from Qualys PoCs (2019-12-11) for CVE-2019-19726.
OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root.
CVE-2019-19520
openbsd-authroot OpenBSD local root exploit.
Code mostly taken from Qualys PoCs (2019-12-04) for CVE-2019-19520 / CVE-2019-19522.
xlock
in OpenBSD 6.6 allows local users to gain the privileges of the auth group by providing aLIBGL_DRIVERS_PATH
environment variable, becausexenocara/lib/mesa/src/loader/loader.c
mishandlesdlopen
. OpenBSD 6.6, in a non-default configuration where S/Key or YubiKey authentication is enabled, allows local users to become root by leveraging membership in the auth group. This occurs because root's file can be written to/etc/skey
or/var/db/yubikey
, and need not be owned by root.
CVE-2019-18862
GNU Mailutils 2.0 <= 3.7 maidag url local root.
Based on Mike Gualtieri's research and PoC (2019-11-11) for CVE-2019-18862.
maidag in GNU Mailutils before 3.8 is installed setuid and allows local privilege escalation in the url mode.
CVE-2019-12181
Local root exploit for Serv-U FTP Server versions prior to 15.1.7
Bash variant of Guy Levin's Serv-U FTP Server exploit (2019-06-13) for CVE-2019-12181.
A privilege escalation vulnerability exists in SolarWinds Serv-U before 15.1.7 for Linux.
CVE-2017-5899
S-nail local root exploit.
Wrapper for @wapiflapi's s-nail-privget.c local root exploit (2017-01-27) for CVE-2017-5899.
Directory traversal vulnerability in the setuid root helper binary in S-nail (later S-mailx) before 14.8.16 allows local users to write to arbitrary files and consequently gain root privileges via a .. (dot dot) in the randstr argument.
CVE-2017-4915
VMWare Workstation / Player local root exploit.
Based on Jann Horn's PoC (2017-05-21) for CVE-2017-4915.
VMware Workstation Pro/Player contains an insecure library loading vulnerability via ALSA sound driver configuration files. Successful exploitation of this issue may allow unprivileged host users to escalate their privileges to root in a Linux host machine.
CVE-2011-2921
ktsuss <= 1.4 setuid local root exploit.
Wrapper for John Lightsey's PoC (2011-08-13) for CVE-2011-2921.
Independently rediscovered CVE-2011-2921 while auditing SparkyLinux.
The
ktsuss
executable is setuidroot
and does not drop privileges prior to executing user specified commands, resulting in command execution withroot
privileges.SparkyLinux 2019.08 and prior package a vulnerable version of
ktsuss
installed by default.
CVE-2002-0526
InterNetNews (inn) rnews file disclosure exploit.
Based on Paul "IhaQueR" Starzetz's advisory (2002-04-11) for for CVE-2002-0526.
Independently rediscovered CVE-2002-0526 on Debian 10 / Ubuntu 20.04 in 2020 (!)
INN (InterNetNews) could allow a local attacker to obtain sensitive information. The rnews binaries fail to drop privileges. A local attacker could exploit this vulnerability to gain unauthorized access to sensitive configuration files.
antix-mxlinux-sudo-persist-config-lpe
antiX / MX Linux default sudo configuration persist-config
local root exploit.
antiX / MX Linux default
sudo
configuration permits users in theusers
group to execute/usr/local/bin/persist-config
as root without providing a password, resulting in trivial privilege escalation.Execution via
sudo
requiresusers
group privileges. By default, the first user created on the system is a member of theusers
group.
asan-suid-root
Local root exploit for SUID executables compiled with AddressSanitizer (ASan).
Based on 0x27's exploit (2016-02-18) for Szabolcs Nagy's Address Sanitizer local root PoC (2016-02-17).
Use of ASan configuration related environment variables is not restricted when executing setuid executables built with ASan. The
log_path
option can be set using theASAN_OPTIONS
environment variable, allowing clobbering of arbitrary files, with the privileges of the setuid user.
emmabuntus-sudo-autologin-lightdm-exec-lpe
Emmabuntüs default sudo configuration autologin_lightdm_exec.sh
local root exploit.
Emmabuntüs default
sudo
configuration permits any user to execute/usr/bin/autologin_lightdm_exec.sh
as root without providing a password.The
autologin_lightdm_exec.sh
script callscp
with user supplied arguments, resulting in trivial privilege escalation.
lastore-daemon-root
lastore-daemon local root exploit.
Based on King's Way's exploit (2016-02-10).
The lastore-daemon D-Bus configuration on Deepin Linux 15.5 permits any user in the sudo group to install arbitrary packages without providing a password, resulting in code execution as root. By default, the first user created on the system is a member of the sudo group.
sudo-blkid-root
sudo-blkid-root local root exploit.
The default
sudo
configuration on some Linux distributions permits low-privileged users to executeblkid
as root. This configuration is unsafe, as blkid allows users to specify the-c
flag to write cache data to file, allowing clobbering of arbitrary files.
sudo-chkrootkit-root
sudo-chkrootkit-root local root exploit.
Sometimes administrators allow users to execute
chkrootkit
viasudo
, aschkrootkit
requires root privileges.This is unsafe, as
chkrootkit
offers a-p
flag to specify a path to trusted system utilities (system utilities may have been compromised), allowing execution of arbitrary executables with root privileges.