Dubbed Looney Tunables, Qualys discovered a buffer overflow vulnerability in the glibc dynamic loader's processing of the GLIBC_TUNABLES environment variable. This vulnerability was introduced in April 2021 (glibc 2.34) by commit 2ed18c.
b12ee8e52aaf3d3287a35bb3ed77d6ea42f79734e21c6428997ffd1749823961
The PKCS#11 feature in ssh-agent in OpenSSH versions prior to 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system.
e93ab81da334d2b2c5f8f662d87f396041e5e366d8b286e3907b5cb137de0e8e
RenderDoc versions 1.26 and below suffer from integer underflow, integer overflow, and symlink vulnerabilities.
cc497579b678adb0532eece7bf7f32783a2ff614acf426c5981789ff6293796c
Qualys discovered a race condition (CVE-2022-3328) in snap-confine, a SUID-root program installed by default on Ubuntu. In this advisory,they tell the story of this vulnerability (which was introduced in February 2022 by the patch for CVE-2021-44731) and detail how they exploited it in Ubuntu Server (a local privilege escalation, from any user to root) by combining it with two vulnerabilities in multipathd (an authorization bypass and a symlink attack, CVE-2022-41974 and CVE-2022-41973).
ae9802d4db6010e09c5ca96ad72cd8f9bb70aff4d7af8a1ec00cebd3203d1f95
The Qualys Research Team has discovered authorization bypass and symlink vulnerabilities in multipathd. The authorization bypass was introduced in version 0.7.0 and the symlink vulnerability was introduced in version 0.7.7.
9fd49ad2d42596cc152f6771bcdd491b37e2986a01a0b0cdb2f997469ee1fdec
This is a Metasploit module for the argument processing bug in the polkit pkexec binary that leads to privilege escalation. It leverages the raw C exploit.
1e2f8340bf5c06e18aed602ee5becbfef6a47c0a4897f17f3c055799a62b8410
This is a Metasploit module for the argument processing bug in the polkit pkexec binary. If the binary is provided with no arguments, it will continue to process environment variables as argument variables, but without any security checking. By using the execve call we can specify a null argument list and populate the proper environment variables. This exploit is architecture independent.
45168e34096e858ea0c2f1c2c12695c4121ec633a36c09aef6de9a8d95de3371
Qualys discovered a local privilege escalation (from any user to root) in polkit's pkexec, a SUID-root program that is installed by default on every major Linux distribution.
23ec1cb3b1b5fe5409bb892ba3ae31bb746e06cafdf7afafd72fd7d4b136ebba
Qualys discovered a size_t-to-int conversion vulnerability in the Linux kernel's filesystem layer: by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, an unprivileged local attacker can write the 10-byte string "//deleted" to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer. They successfully exploited this uncontrolled out-of-bounds write, and obtained full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation; other Linux distributions are certainly vulnerable, and probably exploitable. A basic proof of concept (a crasher) is attached to this advisory.
0c0b69962c7c4951fd574d5a8b85049490d77ada7568b05cfb4bce7ca40aa09a
A heap based buffer overflow exists in the sudo command line utility that can be exploited by a local attacker to gain elevated privileges. The vulnerability was introduced in July of 2011 and affects version 1.8.2 through 1.8.31p2 as well as 1.9.0 through 1.9.5p1 in their default configurations. The technique used by this implementation leverages the overflow to overwrite a service_user struct in memory to reference an attacker controlled library which results in it being loaded with the elevated privileges held by sudo.
cdf458fa2ff6a679afd1037bdb879758b301305b20f223b3aade629bb97b04bc
Qualys has released extensive research details regarding a heap-based buffer overflow vulnerability in sudo. The issue was introduced in July 2011 (commit 8255ed69), and affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1, in their default configuration.
49c51fff2702ea3bb7dc155cf79d48dec6f6a7a00b13a95caf7f36a3f59b319f
Qualys has released their local privilege escalation and remote code execution exploit for qmail that leverages the vulnerability as described in CVE-2005-1513.
aeddf83bcc9a800cd02239af4a54d57183ef075fb1b760208db0cc07f6338385
In 2005, three vulnerabilities were discovered in qmail but were never fixed because they were believed to be unexploitable in a default installation. Qualys recently re-discovered these vulnerabilities and were able to exploit one of them remotely in a default installation.
b40bd18472de68aa880c0372a9f3305689c40f370d5468a34516ef9530fd6906
This Metasploit module exploits an out-of-bounds read of an attacker-controlled string in OpenSMTPD's MTA implementation to execute a command as the root or nobody user, depending on the kind of grammar OpenSMTPD uses.
eaae80dd2ec7c12121e43d82f332898ca6bf36eb080cf1316770e1ef1e93f2f0
Qualys discovered a vulnerability in OpenSMTPD, OpenBSD's mail server. This vulnerability, an out-of-bounds read introduced in December 2015, is exploitable remotely and leads to the execution of arbitrary shell commands.
2c58b82819510289b2fd55d1c6a82b81b279777abd6a6b0db391f990ec12b148
Qualys discovered a minor vulnerability in OpenSMTPD, OpenBSD's mail server. An unprivileged local attacker can read the first line of an arbitrary file (for example, root's password hash in /etc/master.passwd) or the entire contents of another user's file (if this file and /var/spool/smtpd/ are on the same filesystem). A proof of concept exploit is included in this archive.
3617b8854e485e1d063e08764e96429e54c6b7bb0467d127e819133f80c925d5
This Metasploit module exploits a command injection in the MAIL FROM field during SMTP interaction with OpenSMTPD to execute code as the root user.
57c3324e249d1cbd264a76ba4f846f6f97ae95eb20be6fe751558e8ce2444825
OpenSMTPD version 6.6.2 remote code execution exploit.
abe43f7110bb331986cc5d9ed522108c73061ac20671c668b7da6fcdfb9996c1
Qualys discovered a vulnerability in OpenSMTPD, OpenBSD's mail server. This vulnerability is exploitable since May 2018 (commit a8e222352f, "switch smtpd to new grammar") and allows an attacker to execute arbitrary shell commands, as root.
9415f92980a964e9430ed555502126d19de735d2acfd5db27d83bb342e5a8b2c
This Metasploit module exploits a vulnerability in the OpenBSD ld.so dynamic loader (CVE-2019-19726). The _dl_getenv() function fails to reset the LD_LIBRARY_PATH environment variable when set with approximately ARG_MAX colons. This can be abused to load libutil.so from an untrusted path, using LD_LIBRARY_PATH in combination with the chpass set-uid executable, resulting in privileged code execution. This module has been tested successfully on OpenBSD 6.1 (amd64) and OpenBSD 6.6 (amd64).
3e6540f0f1a2e09ac135f635d113e22b32dffae061cff0c1ae9ba68f036aa0a2
Qualys discovered a local privilege escalation in OpenBSD's dynamic loader (ld.so). This vulnerability is exploitable in the default installation (via the set-user-ID executable chpass or passwd) and yields full root privileges. They developed a simple proof of concept and successfully tested it against OpenBSD 6.6 (the current release), 6.5, 6.2, and 6.1, on both amd64 and i386; other releases and architectures are probably also exploitable.
4e1f695e83c851f4826c356e0fbe52865163d4b41d6d1a6675fca7178914287b
Qualys discovered a remote command execution vulnerability in Exim versions 4.87 to 4.91.
ccf81b809451dabd0ae35b330095955b9998319116314052fc75a06a7dd5e3e8
This is the systemd-journald exploit produced by Qualys that demonstrates the vulnerabilities as highlighted in CVE-2018-16865 and CVE-2018-16866.
d1b7894dd26a8b8f09a1ab5daecbd7e72976370c01e517c417e68ce0cbf49297
This is a thorough analysis of how Qualys approached exploiting three vulnerabilities in systemd-journald. Although they have not released formal exploits yet, they detail in here is useful in understanding the flaws.
19a689d664d755e0625285bb3e35b7cb5791449a424da89709b8ef0bf6fdcb91
This Metasploit module exploits a vulnerability in RSH on unpatched Solaris systems which allows users to gain root privileges. The stack guard page on unpatched Solaris systems is of insufficient size to prevent collisions between the stack and heap memory, aka Stack Clash. This Metasploit module uploads and executes Qualys' Solaris_rsh.c exploit, which exploits a vulnerability in RSH to bypass the stack guard page to write to the stack and create a SUID root shell. This Metasploit module has offsets for Solaris versions 11.1 (x86) and Solaris 11.3 (x86). Exploitation will usually complete within a few minutes using the default number of worker threads (10). Occasionally, exploitation will fail. If the target system is vulnerable, usually re-running the exploit will be successful. This Metasploit module has been tested successfully on Solaris 11.1 (x86) and Solaris 11.3 (x86).
1e59da07b25c5d7ed7f7081baca4d6ef68b592b7e64e01af24769ec5d101e1a3