Whitepaper called Encrypted Linux x86-64 Loadable Kernel Modules (ELKM). The aim is to protect kernel-based rootkits and implants against observation by Endpoint Detection and Response (EDR) software and to neutralize the effects of recovery by disk forensics tooling.
71edce142a1b2975b9d4d10c1398f3b2
Machosec is a script that checks the security of Mach-O 64-bit executables and application bundles. It looks for dyld injection vulnerabilities, LC_RPATH entries that enable dyld injection, symlinks pointing to attacker-controlled locations, files writable by others, missing stack canaries, disabled PIE (ASLR), and disabled FORTIFY_SOURCE (leaving unchecked calls to insecure functions such as strcpy and memcpy in place).
616de38eab130c2b3c305a77384bb705
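To show what a static check of this kind actually inspects, here is an added example (not Machosec's own code, and not reproducing its exact heuristics) that parses a little-endian 64-bit Mach-O header, walks the load commands, and reports the PIE flag, LC_RPATH entries, loaded dylibs, and whether the symbol table imports `___stack_chk_fail` (stack canary) or `*_chk` variants (FORTIFY_SOURCE). The `UNSAFE_FUNCS` set, the rule that a relative rpath is risky because dyld resolves it against the current working directory, and the two sample images built by `build_sample` are this example's own assumptions and constructed test data; the filesystem-permission checks Machosec performs on the resolved paths are out of scope for an offline parser.

```python
import struct

# Mach-O constants (from <mach-o/loader.h> and <mach-o/nlist.h>)
MH_MAGIC_64 = 0xFEEDFACF
MH_EXECUTE = 2
MH_PIE = 0x200000
CPU_TYPE_X86_64 = 0x01000007
LC_SYMTAB = 0x2
LC_LOAD_DYLIB = 0xC
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_RPATH = 0x8000001C

# Assumption of this example: unchecked libc imports that FORTIFY_SOURCE would replace with *_chk variants
UNSAFE_FUNCS = {"_strcpy", "_strcat", "_strncpy", "_sprintf", "_vsprintf", "_memcpy", "_gets"}


def _lc_string(body, field_off):
    """Read an lc_str (uint32 offset into the load command) and return the string it points at."""
    off, = struct.unpack_from("<I", body, field_off)
    return body[off:].split(b"\0", 1)[0].decode(errors="replace")


def analyze_macho(data):
    """Walk the load commands of a little-endian 64-bit Mach-O image and collect hardening facts."""
    if len(data) < 32:
        raise ValueError("too short for a mach_header_64")
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, flags, _ = struct.unpack_from("<IiiIIIII", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (fat/32-bit images not handled)")
    report = {"pie": bool(flags & MH_PIE), "rpaths": [], "relative_rpaths": [],
              "dylibs": [], "stack_canary": False, "fortify": False, "unfortified": []}
    off, end = 32, 32 + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize at offset %d" % off)
        body = data[off:off + cmdsize]
        if cmd == LC_RPATH:
            path = _lc_string(body, 8)
            report["rpaths"].append(path)
            # A relative rpath is resolved against the process cwd, which the invoker controls.
            if not path.startswith(("/", "@")):
                report["relative_rpaths"].append(path)
        elif cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            report["dylibs"].append(_lc_string(body, 8))
        elif cmd == LC_SYMTAB:
            symoff, nsyms, stroff, strsize = struct.unpack_from("<IIII", body, 8)
            if symoff + 16 * nsyms > len(data) or stroff + strsize > len(data):
                raise ValueError("symbol or string table outside the image")
            strtab = data[stroff:stroff + strsize]
            names = set()
            for i in range(nsyms):                       # nlist_64 entries are 16 bytes; n_strx is first
                n_strx, = struct.unpack_from("<I", data, symoff + 16 * i)
                names.add(strtab[n_strx:].split(b"\0", 1)[0].decode(errors="replace"))
            report["stack_canary"] = bool(names & {"___stack_chk_fail", "___stack_chk_guard"})
            report["fortify"] = any(n.endswith("_chk") for n in names)
            report["unfortified"] = sorted(names & UNSAFE_FUNCS)
        off += cmdsize
    return report


def _lc_with_string(cmd, fmt, vals, s):
    """Pack a load command whose fixed fields are followed by a NUL-terminated string, 8-byte aligned."""
    raw = s.encode() + b"\0"
    cmdsize = 8 + struct.calcsize(fmt) + len(raw)
    cmdsize += (-cmdsize) % 8
    return (struct.pack("<II" + fmt, cmd, cmdsize, *vals) + raw).ljust(cmdsize, b"\0")


def build_sample(pie, rpaths, dylibs, symbols):
    """Construct a minimal Mach-O executable with the given properties (test data, not a real binary)."""
    cmds = [_lc_with_string(LC_RPATH, "I", (12,), p) for p in rpaths]
    cmds += [_lc_with_string(LC_LOAD_DYLIB, "IIII", (24, 2, 0x10000, 0x10000), d) for d in dylibs]
    sizeofcmds = sum(len(c) for c in cmds) + 24          # +24 for the LC_SYMTAB appended below
    symoff = 32 + sizeofcmds                              # nlist_64 entries follow the load commands
    stroff = symoff + 16 * len(symbols)
    strtab, nlists = b"\0", b""                           # string index 0 is reserved for ""
    for name in symbols:
        nlists += struct.pack("<IBBHQ", len(strtab), 0x01, 0, 0, 0)   # N_UNDF | N_EXT: imported symbol
        strtab += name.encode() + b"\0"
    cmds.append(struct.pack("<IIIIII", LC_SYMTAB, 24, symoff, len(symbols), stroff, len(strtab)))
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_X86_64, 3, MH_EXECUTE,
                         len(cmds), sizeofcmds, MH_PIE if pie else 0, 0)
    return header + b"".join(cmds) + nlists + strtab


# Constructed samples: one with every finding present, one hardened.
WEAK = build_sample(pie=False, rpaths=["Frameworks", "@executable_path/../Frameworks"],
                    dylibs=["/usr/lib/libSystem.B.dylib"], symbols=["_main", "_strcpy", "_memcpy"])
HARDENED = build_sample(pie=True, rpaths=["/Library/Frameworks"],
                        dylibs=["/usr/lib/libSystem.B.dylib"],
                        symbols=["_main", "___stack_chk_fail", "___strcpy_chk"])

if __name__ == "__main__":
    for label, image in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, analyze_macho(image))
```

Run against a real binary with `analyze_macho(open(path, "rb").read())`; the `dylibs` and `rpaths` lists are the inputs a tool like Machosec then resolves on disk to look for writable directories and symlinks. Fat (multi-architecture) images have a different magic and would need their slices split out first.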
In this paper, the author presents ELKM, a Linux tool that provides a mechanism to securely transport and load encrypted Loadable Kernel Modules (LKM). The aim is to protect kernel-based rootkits and implants against observation by Endpoint Detection and Response (EDR) software and to neutralize the effects of recovery by disk forensics tooling. Both the tool and the whitepaper are provided in this archive.
eb8470252a6b4d9620877f82a1676c7e
This Metasploit module attempts to gain root privileges on QNX 6.4.x and 6.5.x systems by exploiting the ifwatchd suid executable. ifwatchd allows users to specify scripts to execute using the '-A' command line argument; however, it does not drop privileges when executing user-supplied scripts, resulting in execution of arbitrary commands as root. This Metasploit module has been tested successfully on QNX Neutrino 6.5.0 (x86) and 6.5.0 SP1 (x86).
7a562f56fafb417de6cf725f6b38c71d
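The ifwatchd flaw above is the textbook failure of a setuid program executing a caller-chosen script without first giving up its privileges. The following added example (not code from the module or from QNX) shows the demotion a privileged program should perform in the child before exec: supplementary groups, then gid, then uid, followed by a check that the drop took effect and cannot be undone. `demote_to_invoker`, `run_user_script` and the probe command are this example's own names; the probe simply reports the uid the "user-supplied script" observes.

```python
import os
import subprocess
import sys


def demote_to_invoker():
    """Run in the child between fork and exec: give up any setuid/setgid privilege so the
    user-supplied script executes as the user who started the program."""
    ruid, rgid = os.getuid(), os.getgid()
    if os.geteuid() == 0:
        os.setgroups([rgid])      # supplementary groups need root to change, so do them first
    os.setgid(rgid)               # gid before uid: once we are no longer root we cannot change gid
    os.setuid(ruid)               # called as root this sets real, effective and saved uid
    if os.geteuid() != ruid or os.getegid() != rgid:
        raise RuntimeError("privilege drop did not take effect")
    if ruid != 0:
        # A correct drop is irreversible; if uid 0 can be regained, refuse to run the script.
        try:
            os.seteuid(0)
        except PermissionError:
            pass
        else:
            raise RuntimeError("privileges could be regained after the drop")


def run_user_script(argv):
    """The ifwatchd pattern done correctly: exec a caller-chosen command, but only after demotion."""
    return subprocess.run(argv, preexec_fn=demote_to_invoker,
                          capture_output=True, text=True, check=True)


def uid_seen_by_script():
    """Return the effective uid a user-supplied script observes (hypothetical probe script)."""
    probe = [sys.executable, "-c", "import os; print(os.geteuid())"]
    return int(run_user_script(probe).stdout.strip())


def drop_is_effective():
    """True when the script runs as the invoking user rather than as the program's owner."""
    return uid_seen_by_script() == os.getuid()


if __name__ == "__main__":
    print("script ran as uid", uid_seen_by_script(), "invoker is uid", os.getuid())
```

Run unprivileged, the demotion is a no-op and the probe reports the caller's uid; installed setuid root, the same code makes the probe report the caller's uid instead of 0, which is exactly what ifwatchd failed to do. `preexec_fn` is documented as unsafe in multithreaded programs; on Python 3.9 and later the `user`, `group` and `extra_groups` arguments of `subprocess.run` perform the same demotion inside the interpreter.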
NEC EXPRESS CLUSTER comes with Cluster Manager, a Java applet for cluster configuration and management. The underlying webserver 'clpwebmc' runs as root and accepts connections on TCP port 29003; in the default installation these connections require no authentication.
26dd4a65030970268243b44404d0f359
Tails versions 1.6 and below suffer from an information leak vulnerability via a symlink attack.
bc48a42fdeccaf9fad9deef2cdc28947
The setuid root FinderLoadBundle that was included in older DropboxHelperTools versions for OS X allows loading of dynamically linked shared libraries residing in the same directory as the binary. The directory in which FinderLoadBundle is located is owned by root, which prevents placing arbitrary files there. However, hard-linking FinderLoadBundle into an attacker-controlled directory such as one under /tmp circumvents that protection, making it possible to load a shared library containing a payload that spawns a root shell.
04b4586c44bb0dd781367933375dfb86
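The hard-link bypass works because "the directory I live in" is derived from the path the binary was invoked through, and a hard link gives the same inode a second path in a directory the attacker owns. The added example below (not Dropbox's code; the mitigation is this example's own) shows a check a privileged loader could apply before trusting its own directory: reject symlinked or multiply-linked executables and require both the binary and its resolved directory to be owned by a trusted uid and not group/world writable. `verify_load_dir` and `demo` are this example's names, the tree under a temporary directory is constructed test data, and `demo` passes the current user as the trusted uid so it runs unprivileged (in production that would be root).

```python
import os
import shutil
import stat
import tempfile


def verify_load_dir(exe_path, trusted_uid=0):
    """Decide whether a privileged program may load libraries from the directory exe_path lives in.
    Returns (ok, detail). trusted_uid is the owner the binary and its directory must have:
    root in production, the current user in the demo so it can run unprivileged."""
    st = os.lstat(exe_path)
    if stat.S_ISLNK(st.st_mode):
        return False, "executable path is a symlink"
    if st.st_nlink > 1:
        # Another name for this inode exists somewhere; the directory derived from exe_path
        # may be one the attacker chose, so fail closed even for the legitimate name.
        return False, "executable has %d hard links" % st.st_nlink
    if st.st_uid != trusted_uid:
        return False, "executable owned by uid %d, expected %d" % (st.st_uid, trusted_uid)
    directory = os.path.dirname(os.path.realpath(exe_path))
    dst = os.stat(directory)
    if dst.st_uid != trusted_uid:
        return False, "directory %s owned by uid %d" % (directory, dst.st_uid)
    if dst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "directory %s is group/world writable" % directory
    return True, directory


def demo():
    """Recreate the advisory's scenario in a throwaway tree and run the check on both names."""
    root = tempfile.mkdtemp()
    me = os.getuid()
    try:
        install = os.path.join(root, "DropboxHelperTools")
        os.mkdir(install, 0o755)
        exe = os.path.join(install, "FinderLoadBundle")
        with open(exe, "wb") as f:
            f.write(b"#!/bin/sh\n")          # stand-in for the setuid binary (constructed)
        os.chmod(exe, 0o755)
        results = {"installed": verify_load_dir(exe, me)}

        attacker_dir = os.path.join(root, "attacker_tmp")   # stands in for a directory under /tmp
        os.mkdir(attacker_dir, 0o755)
        link = os.path.join(attacker_dir, "FinderLoadBundle")
        os.link(exe, link)                    # the bypass: same inode, new directory
        results["via_hardlink"] = verify_load_dir(link, me)
        results["installed_after_link"] = verify_load_dir(exe, me)
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Two points are worth noticing in the output: the check rejects the attacker's hard-linked name, and it also rejects the genuine installed path once the link exists, because the loader cannot tell which name it was started through. The more robust fix is to not derive a library search path from the executable's location at all when running with elevated privileges, and to load only from fixed, root-owned absolute paths.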
QNX versions 6.4.x and 6.5.x suffer from a pppoectl vulnerability that allows disclosure of the contents of /etc/shadow.
22443ed5c49330d6954b168938571792
QNX version 6.5.0 local root exploit that leverages a buffer overflow in /usr/photon/bin/phfont.
c622cb89628b18bd06acac00a54aebd1
QNX version 6.5.0 x86 io-graphics local root exploit that leverages a buffer overflow vulnerability.
e96f523966a9c8f8ecbc41009ab3027f
QNX versions 6.4.x and 6.5.x ifwatchd local root exploit.
246ae1fba6336a6e1204bea4db303fe5
QNX version 6.x Photon functionality allows a local user to overwrite arbitrary files with root privileges, enabling denial of service and privilege escalation.
3e5fa1f9c482c4ed2a0e34d54214ff3c
QNX version 6.x suffers from a file enumeration vulnerability via the setuid /usr/photon/bin/phfont binary.
109a251e480dd502cd7c0d3d808f30e0
QNX version 6.x suffers from a file enumeration vulnerability that leverages the setuid /usr/photon/bin/phgrafx binary.
db62222eb859b41cc83f2d6a55169e45