
Files from Qualys Security Advisory

Email address: qsa at qualys.com
First Active: 2015-01-27
Last Active: 2022-03-04
Polkit pkexec Privilege Escalation
Posted Mar 4, 2022
Authored by Qualys Security Advisory, Andris Raugulis, Giovanni Heward

This is a Metasploit module for the argument processing bug in the polkit pkexec binary that leads to privilege escalation. It leverages the raw C exploit.

tags | exploit
advisories | CVE-2021-4034
SHA-256 | 1e2f8340bf5c06e18aed602ee5becbfef6a47c0a4897f17f3c055799a62b8410
Polkit pkexec Local Privilege Escalation
Posted Mar 3, 2022
Authored by Qualys Security Advisory, Dhiraj Mishra, bwatters-r7, Andris Raugulis | Site metasploit.com

This is a Metasploit module for the argument processing bug in the polkit pkexec binary. If the binary is executed with no arguments (argc == 0), it reads past the end of argv and processes environment variables as if they were arguments, without any security checking. By using the execve call we can pass an empty argument list and populate the proper environment variables. This exploit is architecture independent.

tags | exploit
advisories | CVE-2021-4034
SHA-256 | 45168e34096e858ea0c2f1c2c12695c4121ec633a36c09aef6de9a8d95de3371
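The argc == 0 behaviour that both pkexec modules above rely on, as an added example that is not Qualys' or Metasploit's code. It rebuilds the argv/envp layout execve() produces in ordinary heap memory (so no binary has to be exec'd with an empty argument vector) and shows that an unchecked argv[1] read returns envp[0], while the same read with argc == 1 returns the NULL terminator. All function names and the environment strings are this example's own.

```c
/*
 * Added example, not Qualys' or Metasploit's code: a user-space model of
 * the argc == 0 case behind CVE-2021-4034.
 *
 * execve() places argv[] and envp[] back to back on the new process's
 * stack: argv[0..argc-1], NULL, envp[0..], NULL.  pkexec read its first
 * "argument" from argv[1] without checking argc, so with an empty argument
 * vector that read lands on envp[0].  The layout is rebuilt here in heap
 * memory so the aliasing can be shown without exec'ing a binary with an
 * empty argv.  The function names below are this example's own.
 */
#include <stdio.h>
#include <stdlib.h>

/* Lay out argv and envp contiguously, as the kernel does.  Returns the
 * backing array (caller frees); *argv_out and *envp_out point into it. */
char **build_initial_stack(int argc, char *const args[],
                           int envc, char *const env[],
                           char ***argv_out, char ***envp_out)
{
    char **stack = calloc((size_t)argc + 1 + (size_t)envc + 1, sizeof *stack);
    if (!stack)
        abort();
    for (int i = 0; i < argc; i++)
        stack[i] = args[i];
    stack[argc] = NULL;                     /* argv terminator */
    for (int i = 0; i < envc; i++)
        stack[argc + 1 + i] = env[i];
    stack[argc + 1 + envc] = NULL;          /* envp terminator */
    *argv_out = stack;
    *envp_out = stack + argc + 1;           /* envp == &argv[argc + 1] */
    return stack;
}

/* Vulnerable pattern: start at n = 1 and read argv[n] without an argc
 * check.  With argc == 0 the returned pointer is envp[0]. */
const char *first_arg_unchecked(int argc, char **argv)
{
    int n = 1;
    (void)argc;                             /* the missing check */
    return argv[n];
}

/* Hardened pattern: refuse an empty argument vector before touching argv[1]. */
const char *first_arg_checked(int argc, char **argv)
{
    if (argc < 1)
        return NULL;
    return argv[1];
}

/* Returns 1 if, for argc == 0, the unchecked read aliases envp[0] while
 * the checked read refuses.  Inputs are constructed for the example. */
int demo_argc_zero_aliases_envp(void)
{
    char *no_args[] = { NULL };
    char *env[] = { "ATTACKER_CONTROLLED=1", "PATH=/usr/bin", NULL };
    char **argv, **envp;
    char **stack = build_initial_stack(0, no_args, 2, env, &argv, &envp);

    const char *unchecked = first_arg_unchecked(0, argv);
    const char *checked = first_arg_checked(0, argv);
    int aliased = (unchecked == envp[0]) && (checked == NULL);

    free(stack);
    return aliased;
}

/* Returns 1 if a normal invocation (argc == 1) is unaffected: argv[1] is
 * the NULL terminator, not an environment string. */
int demo_argc_one_is_unaffected(void)
{
    char *args[] = { "pkexec", NULL };
    char *env[] = { "ATTACKER_CONTROLLED=1", NULL };
    char **argv, **envp;
    char **stack = build_initial_stack(1, args, 1, env, &argv, &envp);
    (void)envp;

    int unaffected = (first_arg_unchecked(1, argv) == NULL);

    free(stack);
    return unaffected;
}

int main(void)
{
    printf("argc == 0: unchecked argv[1] read aliases envp[0]: %s\n",
           demo_argc_zero_aliases_envp() ? "yes" : "no");
    printf("argc == 1: argv[1] is the NULL terminator: %s\n",
           demo_argc_one_is_unaffected() ? "yes" : "no");
    return 0;
}
```

The point of the model is the single line `*envp_out = stack + argc + 1`: because envp begins exactly where argv's terminator ends, any code that indexes argv without first checking argc is reading the environment, which the caller of execve() controls completely.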
Polkit pkexec Local Privilege Escalation
Posted Jan 26, 2022
Authored by Qualys Security Advisory | Site qualys.com

Qualys discovered a local privilege escalation (from any user to root) in polkit's pkexec, a SUID-root program that is installed by default on every major Linux distribution.

tags | advisory, local, root
systems | linux
advisories | CVE-2021-4034
SHA-256 | 23ec1cb3b1b5fe5409bb892ba3ae31bb746e06cafdf7afafd72fd7d4b136ebba
Sequoia: A Deep Root In Linux's Filesystem Layer
Posted Jul 21, 2021
Authored by Qualys Security Advisory

Qualys discovered a size_t-to-int conversion vulnerability in the Linux kernel's filesystem layer: by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, an unprivileged local attacker can write the 10-byte string "//deleted" to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer. They successfully exploited this uncontrolled out-of-bounds write, and obtained full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation; other Linux distributions are certainly vulnerable, and probably exploitable. A basic proof of concept (a crasher) is attached to this advisory.

tags | exploit, kernel, local, root, proof of concept
systems | linux, debian, fedora, ubuntu
advisories | CVE-2021-33909, CVE-2021-33910
SHA-256 | 0c0b69962c7c4951fd574d5a8b85049490d77ada7568b05cfb4bce7ca40aa09a
Sudo 1.8.31p2 / 1.9.5p1 Buffer Overflow
Posted Feb 5, 2021
Authored by Blasty, Spencer McIntyre, Qualys Security Advisory, bwatters-r7, Alexander Krog | Site metasploit.com

A heap based buffer overflow exists in the sudo command line utility that can be exploited by a local attacker to gain elevated privileges. The vulnerability was introduced in July of 2011 and affects version 1.8.2 through 1.8.31p2 as well as 1.9.0 through 1.9.5p1 in their default configurations. The technique used by this implementation leverages the overflow to overwrite a service_user struct in memory to reference an attacker controlled library which results in it being loaded with the elevated privileges held by sudo.

tags | exploit, overflow, local
advisories | CVE-2021-3156
SHA-256 | cdf458fa2ff6a679afd1037bdb879758b301305b20f223b3aade629bb97b04bc
Sudo Heap-Based Buffer Overflow
Posted Jan 27, 2021
Authored by Qualys Security Advisory

Qualys has released extensive research details regarding a heap-based buffer overflow vulnerability in sudo. The issue was introduced in July 2011 (commit 8255ed69), and affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1, in their default configuration.

tags | exploit, overflow
advisories | CVE-2021-3156
SHA-256 | 49c51fff2702ea3bb7dc155cf79d48dec6f6a7a00b13a95caf7f36a3f59b319f
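A simplified model of the heap overflow that both sudo entries above (the Metasploit module and the Qualys advisory) concern, as an added example that is not sudo's or Qualys' code. It reproduces the two halves of the bug: the allocation is sized from strlen() of each argument, while the shell-mode copy that strips backslash escapes can walk past an argument's terminating NUL when the argument ends in a lone backslash. The argument strings are laid out back to back, as argv strings are on the stack, so the over-read picks up the next argument; the destination buffer is deliberately large and bounded so the demonstration itself cannot overflow. Function names and the sample arguments are this example's own.

```c
/*
 * Added example, not sudo's or Qualys' code: a simplified model of the
 * set_cmnd() bug behind CVE-2021-3156.  sudo sized the user_args heap
 * buffer from strlen() of each argument and then, in shell mode, copied the
 * arguments while removing backslash escapes.  An argument ending in a lone
 * backslash makes the copy step over the terminating NUL and keep reading
 * whatever follows in memory, so more bytes are written than were sized.
 * Function names are this example's own; the real code and fix live in
 * sudo's set_cmnd() and parse_args().
 */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The allocation sudo computed: sum of strlen(arg) + 1 over the arguments. */
size_t user_args_size(char *const argv[])
{
    size_t size = 0;
    for (char *const *av = argv; *av; av++)
        size += strlen(*av) + 1;
    return size;
}

/* Vulnerable unescaper.  The escape test looks at from[1] without checking
 * for NUL: for a trailing '\\', from++ lands on the terminator, which is
 * copied, and the copy then continues into the bytes after the string.
 * 'limit' only protects this demonstration's destination buffer; sudo had
 * no such bound.  Returns the number of bytes written. */
size_t unescape_vulnerable(char *const argv[], char *to, char *limit)
{
    char *start = to;
    for (char *const *av = argv; *av && to < limit; av++) {
        const char *from = *av;
        while (*from && to < limit) {
            if (from[0] == '\\' && !isspace((unsigned char)from[1]))
                from++;
            *to++ = *from++;
        }
        if (to < limit)
            *to++ = ' ';
    }
    return (size_t)(to - start);
}

/* Hardened unescaper: a backslash is only an escape when a byte follows it. */
size_t unescape_fixed(char *const argv[], char *to, char *limit)
{
    char *start = to;
    for (char *const *av = argv; *av && to < limit; av++) {
        const char *from = *av;
        while (*from && to < limit) {
            if (from[0] == '\\' && from[1] != '\0' &&
                !isspace((unsigned char)from[1]))
                from++;
            *to++ = *from++;
        }
        if (to < limit)
            *to++ = ' ';
    }
    return (size_t)(to - start);
}

/* Constructed input laid out as argv strings are on the stack: back to
 * back, each NUL-terminated.  argv[0] is "\" and argv[1] is "AAAAAAAA".
 * Returns how many bytes the copy writes beyond the computed size. */
size_t demo_overflow_bytes(int use_fix)
{
    static char region[] = "\\\0AAAAAAAA";
    char *argv[] = { region, region + 2, NULL };
    char dst[256];
    size_t size = user_args_size(argv);
    size_t written = use_fix ? unescape_fixed(argv, dst, dst + sizeof dst)
                             : unescape_vulnerable(argv, dst, dst + sizeof dst);
    return written > size ? written - size : 0;
}

int main(void)
{
    printf("vulnerable copy overflows the sized buffer by %zu bytes\n",
           demo_overflow_bytes(0));
    printf("fixed copy overflows the sized buffer by %zu bytes\n",
           demo_overflow_bytes(1));
    return 0;
}
```

With the constructed arguments the size computation yields 11 bytes but the vulnerable copy writes 19: the eight bytes of "AAAAAAAA" are copied twice, once through the over-read past the lone backslash and once as the second argument. In the real program those extra bytes land on the heap past user_args, which is what the Metasploit module above turns into an overwritten service_user struct.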
Qmail Local Privilege Escalation / Remote Code Execution
Posted Jun 23, 2020
Authored by Qualys Security Advisory

Qualys has released their local privilege escalation and remote code execution exploit for qmail that leverages the vulnerability as described in CVE-2005-1513.

tags | exploit, remote, local, code execution
systems | unix
advisories | CVE-2005-1513
SHA-256 | aeddf83bcc9a800cd02239af4a54d57183ef075fb1b760208db0cc07f6338385
Qualys Security Advisory - Qmail Remote Code Execution
Posted May 21, 2020
Authored by Alexander Peslyak, Qualys Security Advisory, Stephane Bellenger, Jean-Paul Michel, Julien Barthelemy, Andrew Richards

In 2005, three vulnerabilities were discovered in qmail but were never fixed because they were believed to be unexploitable in a default installation. Qualys recently re-discovered these vulnerabilities and were able to exploit one of them remotely in a default installation.

tags | exploit, vulnerability
advisories | CVE-2005-1513, CVE-2005-1514, CVE-2005-1515, CVE-2020-3811, CVE-2020-3812
SHA-256 | b40bd18472de68aa880c0372a9f3305689c40f370d5468a34516ef9530fd6906
OpenSMTPD Out-Of-Bounds Read / Local Privilege Escalation
Posted Mar 5, 2020
Authored by wvu, Qualys Security Advisory | Site metasploit.com

This Metasploit module exploits an out-of-bounds read of an attacker-controlled string in OpenSMTPD's MTA implementation to execute a command as the root or nobody user, depending on the kind of grammar OpenSMTPD uses.

tags | exploit, root
advisories | CVE-2020-8794
SHA-256 | eaae80dd2ec7c12121e43d82f332898ca6bf36eb080cf1316770e1ef1e93f2f0
OpenSMTPD Out-Of-Bounds Read
Posted Feb 25, 2020
Authored by Qualys Security Advisory

Qualys discovered a vulnerability in OpenSMTPD, OpenBSD's mail server. This vulnerability, an out-of-bounds read introduced in December 2015, is exploitable remotely and leads to the execution of arbitrary shell commands.

tags | exploit, arbitrary, shell
systems | openbsd
advisories | CVE-2020-8794
SHA-256 | 2c58b82819510289b2fd55d1c6a82b81b279777abd6a6b0db391f990ec12b148
OpenSMTPD Local Information Disclosure
Posted Feb 25, 2020
Authored by Qualys Security Advisory

Qualys discovered a minor vulnerability in OpenSMTPD, OpenBSD's mail server. An unprivileged local attacker can read the first line of an arbitrary file (for example, root's password hash in /etc/master.passwd) or the entire contents of another user's file (if this file and /var/spool/smtpd/ are on the same filesystem). A proof of concept exploit is included in this archive.

tags | exploit, arbitrary, local, root, proof of concept
systems | openbsd
advisories | CVE-2020-8793
SHA-256 | 3617b8854e485e1d063e08764e96429e54c6b7bb0467d127e819133f80c925d5
OpenSMTPD MAIL FROM Remote Code Execution
Posted Feb 7, 2020
Authored by wvu, Qualys Security Advisory | Site metasploit.com

This Metasploit module exploits a command injection in the MAIL FROM field during SMTP interaction with OpenSMTPD to execute code as the root user.

tags | exploit, root
advisories | CVE-2020-7247
SHA-256 | 57c3324e249d1cbd264a76ba4f846f6f97ae95eb20be6fe751558e8ce2444825
OpenSMTPD 6.6.2 Remote Code Execution
Posted Jan 30, 2020
Authored by Qualys Security Advisory, 1F98D

OpenSMTPD version 6.6.2 remote code execution exploit.

tags | exploit, remote, code execution
advisories | CVE-2020-7247
SHA-256 | abe43f7110bb331986cc5d9ed522108c73061ac20671c668b7da6fcdfb9996c1
OpenBSD OpenSMTPD Privilege Escalation / Code Execution
Posted Jan 29, 2020
Authored by Qualys Security Advisory

Qualys discovered a vulnerability in OpenSMTPD, OpenBSD's mail server. This vulnerability is exploitable since May 2018 (commit a8e222352f, "switch smtpd to new grammar") and allows an attacker to execute arbitrary shell commands, as root.

tags | exploit, arbitrary, shell, root
systems | openbsd
advisories | CVE-2020-7247
SHA-256 | 9415f92980a964e9430ed555502126d19de735d2acfd5db27d83bb342e5a8b2c
OpenBSD Dynamic Loader chpass Privilege Escalation
Posted Dec 27, 2019
Authored by Brendan Coles, Qualys Security Advisory | Site metasploit.com

This Metasploit module exploits a vulnerability in the OpenBSD ld.so dynamic loader (CVE-2019-19726). The _dl_getenv() function fails to reset the LD_LIBRARY_PATH environment variable when set with approximately ARG_MAX colons. This can be abused to load libutil.so from an untrusted path, using LD_LIBRARY_PATH in combination with the chpass set-uid executable, resulting in privileged code execution. This module has been tested successfully on OpenBSD 6.1 (amd64) and OpenBSD 6.6 (amd64).

tags | exploit, code execution
systems | openbsd
advisories | CVE-2019-19726
SHA-256 | 3e6540f0f1a2e09ac135f635d113e22b32dffae061cff0c1ae9ba68f036aa0a2
Qualys Security Advisory - OpenBSD Dynamic Loader Privilege Escalation
Posted Dec 12, 2019
Authored by Qualys Security Advisory

Qualys discovered a local privilege escalation in OpenBSD's dynamic loader (ld.so). This vulnerability is exploitable in the default installation (via the set-user-ID executable chpass or passwd) and yields full root privileges. They developed a simple proof of concept and successfully tested it against OpenBSD 6.6 (the current release), 6.5, 6.2, and 6.1, on both amd64 and i386; other releases and architectures are probably also exploitable.

tags | exploit, local, root, proof of concept
systems | openbsd
advisories | CVE-2019-19726
SHA-256 | 4e1f695e83c851f4826c356e0fbe52865163d4b41d6d1a6675fca7178914287b
Exim 4.91 Remote Command Execution
Posted Jun 6, 2019
Authored by Qualys Security Advisory

Qualys discovered a remote command execution vulnerability in Exim versions 4.87 to 4.91.

tags | advisory, remote
advisories | CVE-2019-10149
SHA-256 | ccf81b809451dabd0ae35b330095955b9998319116314052fc75a06a7dd5e3e8
System Down: A systemd-journald Exploit
Posted May 13, 2019
Authored by Qualys Security Advisory

This is the systemd-journald exploit produced by Qualys that demonstrates the vulnerabilities as highlighted in CVE-2018-16865 and CVE-2018-16866.

tags | exploit, vulnerability
systems | unix
advisories | CVE-2018-16865, CVE-2018-16866
SHA-256 | d1b7894dd26a8b8f09a1ab5daecbd7e72976370c01e517c417e68ce0cbf49297
systemd-journald Memory Corruption / Information Leak
Posted Jan 9, 2019
Authored by Qualys Security Advisory

This is a thorough analysis of how Qualys approached exploiting three vulnerabilities in systemd-journald. Although they had not released formal exploits at the time, the detail here is useful in understanding the flaws.

tags | advisory, vulnerability
advisories | CVE-2018-16864, CVE-2018-16865, CVE-2018-16866
SHA-256 | 19a689d664d755e0625285bb3e35b7cb5791449a424da89709b8ef0bf6fdcb91
Solaris RSH Stack Clash Privilege Escalation
Posted Oct 15, 2018
Authored by Brendan Coles, Qualys Security Advisory | Site metasploit.com

This Metasploit module exploits a vulnerability in RSH on unpatched Solaris systems which allows users to gain root privileges. The stack guard page on unpatched Solaris systems is of insufficient size to prevent collisions between the stack and heap memory, aka Stack Clash. This Metasploit module uploads and executes Qualys' Solaris_rsh.c exploit, which exploits a vulnerability in RSH to bypass the stack guard page to write to the stack and create a SUID root shell. This Metasploit module has offsets for Solaris versions 11.1 (x86) and Solaris 11.3 (x86). Exploitation will usually complete within a few minutes using the default number of worker threads (10). Occasionally, exploitation will fail. If the target system is vulnerable, usually re-running the exploit will be successful. This Metasploit module has been tested successfully on Solaris 11.1 (x86) and Solaris 11.3 (x86).

tags | exploit, shell, x86, root
systems | solaris
advisories | CVE-2017-1000364, CVE-2017-3629, CVE-2017-3630, CVE-2017-3631
SHA-256 | 1e59da07b25c5d7ed7f7081baca4d6ef68b592b7e64e01af24769ec5d101e1a3
Linux create_elf_tables() Integer Overflow
Posted Sep 26, 2018
Authored by Qualys Security Advisory

Linux suffers from an integer overflow vulnerability in create_elf_tables(). Multiple exploits provided.

tags | exploit, overflow
systems | linux
advisories | CVE-2018-14634
SHA-256 | 96f76be0c1dab33a40b6145fd293ceab661f631350fcf639a1e4bdb1faedbb92
Libuser roothelper Privilege Escalation
Posted May 13, 2018
Authored by Brendan Coles, Qualys Security Advisory | Site metasploit.com

This Metasploit module attempts to gain root privileges on Red Hat based Linux systems, including RHEL, Fedora and CentOS, by exploiting a newline injection vulnerability in libuser and userhelper versions prior to 0.56.13-8 and version 0.60 before 0.60-7. It makes use of the roothelper.c exploit from Qualys to insert a new user with UID=0 in /etc/passwd. Note that the password for the current user is required by userhelper, and that on some systems, such as Fedora 11, the user entry for the current user in /etc/passwd will become corrupted and exploitation will fail. This module has been tested successfully on the following libuser package versions:

  • 0.56.13-4.el6 on CentOS 6.0 (x86_64)
  • 0.56.13-5.el6 on CentOS 6.5 (x86_64)
  • 0.60-5.el7 on CentOS 7.1-1503 (x86_64)
  • 0.56.16-1.fc13 on Fedora 13 (i686)
  • 0.59-1.fc19 on Fedora Desktop 19 (x86_64)
  • 0.60-3.fc20 on Fedora Desktop 20 (x86_64)
  • 0.60-6.fc21 on Fedora Desktop 21 (x86_64)
  • 0.60-6.fc22 on Fedora Desktop 22 (x86_64)
  • 0.56.13-5.el6 on Red Hat 6.6 (x86_64)
  • 0.60-5.el7 on Red Hat 7.0 (x86_64)

RHEL 5 is vulnerable; however, the installed version of glibc (2.5) is missing various functions required by roothelper.c.

tags | exploit, root
systems | linux, redhat, fedora, centos
advisories | CVE-2015-3245, CVE-2015-3246
SHA-256 | ce28cd945d7001cbd85762b794a3e30da40438ee327042dacf17e52946e63f92
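Why a newline in a GECOS field is equivalent to appending a record to /etc/passwd, as an added example that is not libuser's, userhelper's or Qualys' code. It rewrites the GECOS field of a constructed passwd line without any filtering, then parses the result the way a line-oriented passwd reader would and counts records whose uid field is 0; the hardened check beside it rejects the field and record separators before the value reaches the file. Function names and the sample record are this example's own.

```c
/*
 * Added example, not libuser's, userhelper's or Qualys' code: a model of
 * the newline injection that the roothelper module above relies on.
 * Writing an unchecked GECOS value into a passwd line lets a value that
 * contains '\n' become a second, attacker-chosen record.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: one ordinary record and an attacker-chosen GECOS
 * value carrying an embedded record with uid 0 and an empty password. */
static const char SAMPLE_LINE[] = "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n";
static const char INJECTED_GECOS[] = "Alice\nevil::0:0::/:/bin/sh";

/* Unsafe rewrite: replace the 5th (GECOS) field of one passwd line with
 * 'gecos' verbatim.  Returns bytes written, or -1 on a malformed line. */
int rewrite_gecos_unchecked(const char *line, const char *gecos,
                            char *out, size_t outsz)
{
    const char *field_start[8];
    int nfields = 0;
    field_start[nfields++] = line;
    for (const char *p = line; *p && *p != '\n' && nfields < 8; p++)
        if (*p == ':')
            field_start[nfields++] = p + 1;
    if (nfields < 7)
        return -1;
    size_t prefix_len = (size_t)(field_start[4] - line);   /* through 4th ':' */
    const char *suffix = field_start[5] - 1;               /* from the 5th ':' */
    int n = snprintf(out, outsz, "%.*s%s%s", (int)prefix_len, line, gecos, suffix);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Count records whose 3rd field (uid) parses as 0.  Records are
 * newline-separated, which is how the passwd file is read back. */
int count_uid0_records(const char *text)
{
    int count = 0;
    const char *line = text;
    while (*line) {
        const char *end = strchr(line, '\n');
        const char *stop = end ? end : line + strlen(line);
        const char *f = line;
        int colons = 0;
        while (colons < 2 && f < stop) {
            if (*f == ':')
                colons++;
            f++;
        }
        if (colons == 2 && f < stop && isdigit((unsigned char)*f) &&
            strtol(f, NULL, 10) == 0)
            count++;
        line = end ? end + 1 : stop;
    }
    return count;
}

/* Hardened check: a GECOS value may not contain the field separator, a
 * record separator, or any non-printable byte. */
int gecos_is_safe(const char *gecos)
{
    for (const unsigned char *p = (const unsigned char *)gecos; *p; p++)
        if (*p == ':' || *p == '\n' || *p == '\r' || !isprint(*p))
            return 0;
    return 1;
}

/* Returns the number of uid-0 records after the unchecked rewrite. */
int demo_uid0_after_injection(void)
{
    char out[256];
    if (rewrite_gecos_unchecked(SAMPLE_LINE, INJECTED_GECOS, out, sizeof out) < 0)
        return -1;
    return count_uid0_records(out);
}

/* Returns 1 if the hardened check rejects the injected value but accepts
 * an ordinary name. */
int demo_hardened_rejects(void)
{
    return !gecos_is_safe(INJECTED_GECOS) && gecos_is_safe("Alice");
}

int main(void)
{
    printf("uid-0 records after unchecked GECOS rewrite: %d\n",
           demo_uid0_after_injection());
    printf("hardened check rejects the injected value: %s\n",
           demo_hardened_rejects() ? "yes" : "no");
    return 0;
}
```

The sample record contains no uid-0 entry before the rewrite and exactly one afterwards; nothing about the injected value is exotic beyond the single newline, which is why a helper that validates fields character by character, rather than trusting that its caller did, is the right place for the check.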
Qualys Security Advisory - GNU C Library Memory Leak / Buffer Overflow
Posted Dec 13, 2017
Authored by Qualys Security Advisory

Qualys has discovered a memory leak and a buffer overflow in the dynamic loader (ld.so) of the GNU C Library (glibc).

tags | exploit, overflow, memory leak
advisories | CVE-2017-1000408, CVE-2017-1000409
SHA-256 | ab2ee457cd217c4af1e191968f48de6c5ef96258d1fcf05193b1e417d462e8ef
Linux Local Privilege Escalation
Posted Sep 28, 2017
Authored by Qualys Security Advisory

A flaw in the Linux kernel's load_elf_binary() lets a PIE executable be mapped so that its data segment overlaps the stack, corrupting it; a local attacker can use this to escalate privileges. Most notably, all versions of CentOS 7 before 1708 (released on September 13, 2017), all versions of Red Hat Enterprise Linux 7 before 7.4 (released on August 1, 2017), and all versions of CentOS 6 and Red Hat Enterprise Linux 6 are exploitable.

tags | advisory
systems | linux, redhat, centos
advisories | CVE-2017-1000253
SHA-256 | e629fc1437f3afd0ad4608b004f8c31a78825d7d031176a742308b19fc02b46d
Qualys Security Advisory - OpenSSH Overflow / Leak
Posted Jan 15, 2016
Authored by Qualys Security Advisory

Since version 5.4 (released on March 8, 2010), the OpenSSH client supports an undocumented feature called roaming: if the connection to an SSH server breaks unexpectedly, and if the server supports roaming as well, the client is able to reconnect to the server and resume the suspended SSH session. Although roaming is not supported by the OpenSSH server, it is enabled by default in the OpenSSH client, and contains two vulnerabilities that can be exploited by a malicious SSH server (or a trusted but compromised server): an information leak (memory disclosure), and a buffer overflow (heap-based).

tags | advisory, overflow, vulnerability
advisories | CVE-2016-0777, CVE-2016-0778
SHA-256 | 6d98389560de3c7942fe87c17e680b28f2ad90ec6c5d8f9a0f59e153dff5d23e
© 2022 Packet Storm. All rights reserved.