Whitepaper called Encrypted Linux x86-64 Loadable Kernel Modules (ELKM). The aim is to protect kernel-based rootkits and implants against observation by EndpointDetection and Response (EDR) software and to neutralize the effects of recovery by disk forensics tooling.
71edce142a1b2975b9d4d10c1398f3b2Machosec is a script that checks the security of Mach-O 64-bit executables and application bundles for dyld injection vulnerabilities, LC_RPATH vulnerabilities leading to dyld injection, symlinks pointing to attacker controlled locations, writable by others vulnerabilities, missing stack canaries, disabled PIE (ASLR), and disabled FORTIFY_SOURCE (keeping insecure functions such as strcpy, memcpy etc.).
616de38eab130c2b3c305a77384bb705In this paper, the author presents ELKM, a Linux tool that provides a mechanism to securely transport and load encrypted Loadable Kernel Modules (LKM). The aim is to protect kernel-based rootkits and implants against observation by Endpoint Detection and Response (EDR) software and to neutralize the effects of recovery by disk forensics tooling. The tool as well as the whitepaper is provided in this archive.
eb8470252a6b4d9620877f82a1676c7eThis Metasploit module attempts to gain root privileges on QNX 6.4.x and 6.5.x systems by exploiting the ifwatchd suid executable. ifwatchd allows users to specify scripts to execute using the '-A' command line argument; however, it does not drop privileges when executing user-supplied scripts, resulting in execution of arbitrary commands as root. This Metasploit module has been tested successfully on QNX Neutrino 6.5.0 (x86) and 6.5.0 SP1 (x86).
7a562f56fafb417de6cf725f6b38c71dNEC EXPRESS CLUSTER comes with Cluster Manager, a Java applet for cluster configuration and management. The underlying webserver 'clpwebmc' runs as root and accepts connections on TCP port 29003 which can be initiated without authentication in the default installation.
26dd4a65030970268243b44404d0f359Tails versions 1.6 and below suffers from an information leak vulnerability via a symlink attack.
bc48a42fdeccaf9fad9deef2cdc28947The setuid root FinderLoadBundle that was included in older DropboxHelperTools versions for OS X allows loading of dynamically linked shared libraries that are residing in the same directory. The directory in which FinderLoadBundle is located is owned by root and that prevents placing arbitrary files there. But creating a hard link from FinderLoadBundle to somewhere in a directory in /tmp circumvents that protection thus making it possible to load a shared library containing a payload which creates a root shell.
04b4586c44bb0dd781367933375dfb86QNX versions 6.4.x and 6.5.x suffer from a ppoectl vulnerability that allows for disclosure of /etc/shadow.
22443ed5c49330d6954b168938571792QNX version 6.5.0 local root exploit that leverages a buffer overflow in /usr/photon/bin/phfont.
c622cb89628b18bd06acac00a54aebd1QNX version 6.5.0 x86 io-graphics local root exploit that leverages a buffer overflow vulnerability.
e96f523966a9c8f8ecbc41009ab3027fQNX versions 6.4.x and 6.5.x ifwatchd local root exploit.
246ae1fba6336a6e1204bea4db303fe5QNX version 6.x Photon functionality allows for an arbitrary file overwrite with root level privileges allowing for denial of service and privilege escalation for a local user.
3e5fa1f9c482c4ed2a0e34d54214ff3cQNX version 6.x suffers from an enumeration vulnerability using the setuid /usr/photon/bin/phfont binary.
109a251e480dd502cd7c0d3d808f30e0QNX version 6.x suffers from a file enumeration vulnerability that leverages the setuid /usr/photon/bin/phgrafx binary.
db62222eb859b41cc83f2d6a55169e45
© 2020 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed