OpenSSH can forward TCP sockets and UNIX domain sockets. If privilege separation is disabled, then on the server side, the forwarding is handled by a child of sshd that has root privileges. For TCP server sockets, sshd explicitly checks whether an attempt is made to bind to a low port (below IPPORT_RESERVED) and, if so, requires the client to authenticate as root. However, for UNIX domain sockets, no such security measures are implemented. This means that, using "ssh -L", an attacker who is permitted to log in as a normal user over SSH can effectively connect to non-abstract UNIX domain sockets with root privileges. On systems that run systemd, this can for example be exploited by asking systemd to add an LD_PRELOAD environment variable for all following daemon launches and then asking it to restart a service such as cron. The attached exploit demonstrates this - if it is executed on a system with systemd where the user is allowed to ssh to his own account and where privsep is disabled, it yields a root shell.
e76185809315ccb4de20af9908f94cf1d0c88a604c2850502c670e5b10961415
The OpenSSH agent permits its clients to load PKCS11 providers using the commands SSH_AGENTC_ADD_SMARTCARD_KEY and SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED if OpenSSH was compiled with the ENABLE_PKCS11 flag (normally enabled) and the agent isn't locked. For these commands, the client has to specify a provider name. The agent passes this provider name to a subprocess (via ssh-agent.c:process_add_smartcard_key -> ssh-pkcs11-client.c:pkcs11_add_provider -> ssh-pkcs11-client.c:send_msg), and the subprocess receives it and passes it to dlopen() (via ssh-pkcs11-helper.c:process -> ssh-pkcs11-helper.c:process_add -> ssh-pkcs11.c:pkcs11_add_provider -> dlopen). No checks are performed on the provider name, apart from testing whether that provider is already loaded. This means that, if a user connects to a malicious SSH server with agent forwarding enabled and the malicious server has the ability to place a file with attacker-controlled contents in the victim's filesystem, the SSH server can execute code on the user's machine.
10d0d2808ffc63e1409341e7f4cd4e55ad32bf60b055a0cd27d7b6b8a3fa45ab
Nidesoft MP3 Converter version 2.6.18 suffers from a DLL hijacking vulnerability.
d5fcb9355a6f626a251596d55177683140ebbb8704664b94025b396c5b0a98e9
Vesta Control Panel versions 0.9.7 through 0.9.8-16 suffer from a local privilege escalation vulnerability.
92b3241e8441af834584c0d465c45d6ae5c0868954554b3b59ef1a096edb42da
IBM AIX versions 6.1, 7.1, and 7.2 suffer from a Bellmail privilege escalation vulnerability.
577087b11048468d456a5ce063092a8f85bcb6d7399a0d04a31068c2aecaf02a
Mac OS suffers from a kernel code execution vulnerability due to writable privileged IOKit registry properties.
a68b5ccbfb9fc13755fd889600a87bb8e5605b88270d85bc52f265ebd895419a
Microsoft Edge suffers from a type confusion vulnerability in internationalization initialization.
0be320830419d4d413759485f8f9434390d748bbadbe6240c606e8d40c43b5f1
syslogd on Mac OS and iOS suffers from an arbitrary port replacement vulnerability.
99a94dcd03523d376a072610f043b1209de8f254832968af4d257e80e30721f3
Android suffers from a stack overflow vulnerability in WifiNative::setHotlist.
cd3a91f7963d6333306d556e62ac5339d4d9c7785ac58b5b1dbe108c918528b9
Microsoft Edge suffers from an uninitialized memory vulnerability in SIMD.toLocaleString.
643bb73906252ab5624064b3341377969b656d9e7c0942f2729b87dab962bac4
powerd on Mac OS and iOS suffers from an arbitrary port replacement vulnerability.
3e5a21bc29ff1a558770231e308bd600e6410b4a304e2859b2163f3dd2cd5cdf
MacOS Sierra version 10.12 16A323 allows a double vm_deallocate in userspace MIG code that can lead to a use-after-free vulnerability in mach services.
58a7ed2e19c9a5fce731f15aa8b83ace30921a87bf6431e44964fdb9a6e2d1d9
A lack of error checking leads to a reference count leak and OS X / iOS kernel use-after-free vulnerability in _kernelrpc_mach_port_insert_right_trap.
cac9c1a81d04f178479bf07a83852204325d3d8036f55cdb5e9e23a10b46cb54
A broken kernel mach port name uref handling on iOS and Mac OS can lead to privileged port name replacement in other processes.
ec46204069f275edad54bb9993ef3883c9de93719d666d76af2753a535b88de9
This Metasploit module achieves persistence by executing payloads via at(1).
eec5ec5ef01a82dae2c5cd893e51333a0196cb32b3048342445a1aa8c944a00f
There is an ipc_port_t reference count leak due to incorrect externalMethod overrides that lead to a Mac OS X / iOS kernel use-after-free vulnerability.
67d8687d9545ab1a2ccd1bda5d239a1cd88fcab8e19837adaef0762100aedf39
Netgear WNR2000 suffers from a remote code execution vulnerability and various other security issues.
4d840ad95b6a4e6ffcfbdc06d54203748e463cde9adb5d6be5be3a975216ee2e
WordPress Copy-Me plugin version 1.0.0 suffers from a cross site request forgery vulnerability.
0f71f5e7759396da0da6cf867dfaa526d9638e8c6acf7187329c685417d8fdd3
SAP Solman versions 7.1 through 7.31 suffer from an information disclosure vulnerability.
dea88ed2dc6890d3807c60232c4e9445c0386d1bcd4e0b05e177b4ee284efcce
SIMATIC Manager Step7 version 5.5 SP1 suffers from a DLL hijacking vulnerability.
ddad2b2fdbce31e4817c2d302d69fee5c22b023791e6fced5b6e4b53324b0972
This is a shellshock exploit for RSSMON and BEAM, network services for Red Star OS version 3.0 SERVER edition.
bbdf7dd5e3730d17196110e9505289469c26b6f29655125d1177485822c140de
Naenara Browser version 3.5 exploit (JACKRABBIT) that uses a known Firefox bug to obtain code execution on Red Star OS 3.0 desktop.
c4b4b34b00cd3c056e46e8970c599fc698341f1def3f5d9c4ca35d64efaf0e59
Apport version 2.x on Ubuntu Desktop versions 12.10 up to 16.04 local code execution exploit.
58f056541314215738fc565a181c0095886482addab3394cc2cc59a0b2938a0f
Chrome suffers from an HTTP 1xx base::StringTokenizerT<...>::QuickGetNext out of bounds read vulnerability.
1e98ef1c15cfbb5403ae431bbabeb470f15d7ef4d514ed6d6a693821d7b957b6
WordPress Support Plus Responsive Ticket System plugin version 7.1.3 suffers from a remote SQL injection vulnerability.
b583e950585a6eb789ef5b3a6a7e6e2710c3f8b81b7caa7b7b078e5179e566eb