This is a thorough analysis of how Qualys approached exploiting three vulnerabilities in systemd-journald. Although they have not released formal exploits yet, the detail here is useful for understanding the flaws.
19a689d664d755e0625285bb3e35b7cb5791449a424da89709b8ef0bf6fdcb91
This Metasploit module exploits a vulnerability in RSH on unpatched Solaris systems that allows local users to gain root privileges. The stack guard page on unpatched Solaris systems is too small to prevent collisions between the stack and heap memory, aka Stack Clash. The module uploads and executes Qualys' Solaris_rsh.c exploit, which uses the RSH vulnerability to jump over the stack guard page, write to the stack and create a SUID root shell. It has offsets for Solaris 11.1 (x86) and Solaris 11.3 (x86). Exploitation usually completes within a few minutes using the default number of worker threads (10). Occasionally exploitation fails; if the target system is vulnerable, re-running the module will usually succeed. The module has been tested successfully on Solaris 11.1 (x86) and Solaris 11.3 (x86).
1e59da07b25c5d7ed7f7081baca4d6ef68b592b7e64e01af24769ec5d101e1a3
Linux suffers from an integer overflow vulnerability in create_elf_tables(). Multiple exploits provided.
96f76be0c1dab33a40b6145fd293ceab661f631350fcf639a1e4bdb1faedbb92
This Metasploit module attempts to gain root privileges on Red Hat based Linux systems, including RHEL, Fedora and CentOS, by exploiting a newline injection vulnerability in libuser and userhelper versions prior to 0.56.13-8 and version 0.60 before 0.60-7. The module uses the roothelper.c exploit from Qualys to insert a new user with UID 0 into /etc/passwd. Note that userhelper requires the current user's password, and that on some systems, such as Fedora 11, the current user's entry in /etc/passwd becomes corrupted and exploitation fails. The module has been tested successfully on libuser packaged versions 0.56.13-4.el6 on CentOS 6.0 (x86_64); 0.56.13-5.el6 on CentOS 6.5 (x86_64); 0.60-5.el7 on CentOS 7.1-1503 (x86_64); 0.56.16-1.fc13 on Fedora 13 (i686); 0.59-1.fc19 on Fedora Desktop 19 (x86_64); 0.60-3.fc20 on Fedora Desktop 20 (x86_64); 0.60-6.fc21 on Fedora Desktop 21 (x86_64); 0.60-6.fc22 on Fedora Desktop 22 (x86_64); 0.56.13-5.el6 on Red Hat 6.6 (x86_64); and 0.60-5.el7 on Red Hat 7.0 (x86_64). RHEL 5 is vulnerable, but its installed glibc (2.5) lacks various functions required by roothelper.c.
ce28cd945d7001cbd85762b794a3e30da40438ee327042dacf17e52946e63f92
Qualys has discovered a memory leak and a buffer overflow in the dynamic loader (ld.so) of the GNU C Library (glibc).
ab2ee457cd217c4af1e191968f48de6c5ef96258d1fcf05193b1e417d462e8ef
A Linux PIE/stack corruption vulnerability exists. Most notably, all versions of CentOS 7 before 1708 (released on September 13, 2017), all versions of Red Hat Enterprise Linux 7 before 7.4 (released on August 1, 2017), and all versions of CentOS 6 and Red Hat Enterprise Linux 6 are exploitable.
e629fc1437f3afd0ad4608b004f8c31a78825d7d031176a742308b19fc02b46d
Since version 5.4 (released on March 8, 2010), the OpenSSH client supports an undocumented feature called roaming: if the connection to an SSH server breaks unexpectedly, and if the server supports roaming as well, the client is able to reconnect to the server and resume the suspended SSH session. Although roaming is not supported by the OpenSSH server, it is enabled by default in the OpenSSH client, and contains two vulnerabilities that can be exploited by a malicious SSH server (or a trusted but compromised server): an information leak (memory disclosure), and a buffer overflow (heap-based).
6d98389560de3c7942fe87c17e680b28f2ad90ec6c5d8f9a0f59e153dff5d23e
Qualys discovered various vulnerabilities in LibreSSL. These include a memory leak and a buffer overflow.
b0de9f18c202a6ac93d7fb4c44048d40aa246b6dbb04fa3756ef345d6a3bb3ef
Qualys discovered various vulnerabilities in OpenSMTPD. These include, but are not limited to, denial of service, buffer overflow, hardlink attack and use-after-free vulnerabilities.
a0a4071e027cd0032bb15321814e2500f5dbd461a8b3356d921e787243fd6c28
The libuser library implements a standardized interface for manipulating and administering user and group accounts, and is installed by default on Linux distributions derived from Red Hat's codebase. During an internal code audit at Qualys, they discovered multiple libuser-related vulnerabilities that allow local users to perform denial-of-service and privilege-escalation attacks. As a proof of concept, they developed an unusual local root exploit against one of libuser's applications. Both the advisory and exploit are included in this post.
8ca265d19600f642e0b8538ca2edb894bbc57f28b26136e6f5ea36ae5e348827
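The two libuser entries above (the userhelper Metasploit module and the Qualys advisory) both rest on the same file-format fact: /etc/passwd holds one record per line with colon-separated fields, so a field value that contains a newline becomes a second record, and if that record's third field is 0 it is a root account. The following is an added example written for this page, not libuser's, userhelper's or Qualys's code; the sample file contents, the attacker-supplied GECOS value and the two writer functions are constructed here, operate only on an in-memory string, and never open the real /etc/passwd.

```c
/* Added example (not libuser's or Qualys's code): why an unchecked newline in
 * a passwd field is a privilege-escalation primitive, and the check a writer
 * of /etc/passwd needs. Everything works on an in-memory string. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample file: one root record and one ordinary user. */
#define BASE_PASSWD \
    "root:x:0:0:root:/root:/bin/bash\n" \
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"

/* Constructed attacker input for the GECOS ("full name") field, the field a
 * chfn-style helper lets an unprivileged user change. The embedded newline
 * starts a new record whose third and fourth fields are UID 0 and GID 0. */
#define EVIL_GECOS "Alice\nevil::0:0::/:/bin/sh"

/* passwd(5) records are one per line with ':' between fields, so neither
 * character may appear inside a field value. Returns 1 if the value is safe. */
int field_is_safe(const char *value)
{
    return strpbrk(value, ":\n") == NULL;
}

/* Naive writer: format the fields and trust the caller.
 * Returns 0 on success, -1 if out is too small. */
int append_record_unchecked(char *out, size_t outlen, const char *name,
                            unsigned uid, unsigned gid, const char *gecos,
                            const char *home, const char *shell)
{
    size_t used = strlen(out);
    int n = snprintf(out + used, outlen - used, "%s:x:%u:%u:%s:%s:%s\n",
                     name, uid, gid, gecos, home, shell);
    return (n < 0 || (size_t)n >= outlen - used) ? -1 : 0;
}

/* Hardened writer: refuse any field that would break the record format. */
int append_record_checked(char *out, size_t outlen, const char *name,
                          unsigned uid, unsigned gid, const char *gecos,
                          const char *home, const char *shell)
{
    if (!field_is_safe(name) || !field_is_safe(gecos) ||
        !field_is_safe(home) || !field_is_safe(shell))
        return -1;
    return append_record_unchecked(out, outlen, name, uid, gid, gecos,
                                   home, shell);
}

/* Count records whose third field (the UID) is 0, i.e. root-equivalent
 * accounts the file would grant. Splits on '\n', then on ':', the way a
 * line-oriented passwd reader does. */
int count_uid0(const char *passwd_text)
{
    int count = 0;
    const char *line = passwd_text;

    while (*line) {
        const char *end = strchr(line, '\n');
        const char *stop = end ? end : line + strlen(line);
        const char *p = line;
        int colons = 0;

        while (colons < 2 && p < stop)      /* skip name and password fields */
            if (*p++ == ':')
                colons++;
        if (colons == 2 && p < stop) {
            char *endptr;
            unsigned long uid = strtoul(p, &endptr, 10);
            if (endptr != p && *endptr == ':' && uid == 0)
                count++;
        }
        line = end ? end + 1 : stop;
    }
    return count;
}

/* Scenario 1: the unchecked writer accepts EVIL_GECOS and the file gains a
 * second UID 0 record (count goes from 1 to 2). */
int demo_unchecked_root_count(void)
{
    char passwd[512] = BASE_PASSWD;
    if (append_record_unchecked(passwd, sizeof passwd, "bob", 1001, 1001,
                                EVIL_GECOS, "/home/bob", "/bin/bash") != 0)
        return -1;
    return count_uid0(passwd);
}

/* Scenario 2: the checked writer rejects the same input; the count stays 1. */
int demo_checked_root_count(void)
{
    char passwd[512] = BASE_PASSWD;
    if (append_record_checked(passwd, sizeof passwd, "bob", 1001, 1001,
                              EVIL_GECOS, "/home/bob", "/bin/bash") != -1)
        return -1;                      /* should have been rejected */
    return count_uid0(passwd);
}

int main(void)
{
    printf("unchecked writer: %d UID 0 records\n", demo_unchecked_root_count());
    printf("checked writer:   %d UID 0 records\n", demo_checked_root_count());
    return 0;
}
```

The check in `field_is_safe()` is the whole fix for this class of bug: any code that writes user-controlled text into a line-and-colon structured file has to reject the two delimiter characters before formatting, not after. The roothelper.c exploit mentioned above needed more than the injection itself to get a usable root account, which this example does not attempt to reproduce.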
This Metasploit module remotely exploits CVE-2015-0235 (a.k.a. GHOST, a heap-based buffer overflow in the GNU C Library's gethostbyname functions) on x86 and x86_64 GNU/Linux systems that run the Exim mail server.
a904662b081b766808bd7e6e1ad410a102718e996535c406d1a81766eee34d73
Qualys Security Advisory - During a code audit performed internally at Qualys, they discovered a buffer overflow in the __nss_hostname_digits_dots() function of the GNU C Library (glibc). This bug is reachable both locally and remotely via the gethostbyname*() functions, so they decided to analyze it -- and its impact -- thoroughly, and named this vulnerability "GHOST".
ffa8d4a79d99689d850b8267b77bc648e3bd73f6426baa39b73870777ee69adb
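The two GHOST entries above describe the bug but not how to tell whether a running glibc carries it. The check below is an added example written for this page, not the Metasploit module's or Qualys's own code, though it follows the well-known canary layout of the test program that accompanied the advisory: a 1024-byte output buffer with a canary placed directly behind it, and an all-digits name sized so that the vulnerable size computation in __nss_hostname_digits_dots() (which omitted the alias pointer array) passes and the function writes sizeof(char *) bytes past the buffer. A fixed glibc refuses the undersized buffer with ERANGE instead. The canary string and the result codes are chosen here.

```c
/* Added example (not from the listing above): a local canary test for the
 * gethostbyname_r() overflow known as GHOST. Runs offline: an all-digits name
 * is handled by the digits-and-dots fast path without any DNS query. */
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"

/* The canary sits directly behind the buffer gethostbyname_r() fills, so an
 * overflow of even a few bytes shows up as a changed canary. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

enum { GHOST_NOT_VULNERABLE = 0, GHOST_VULNERABLE = 1, GHOST_UNEXPECTED = -1 };

/* Returns GHOST_VULNERABLE if the canary was overwritten, GHOST_NOT_VULNERABLE
 * if the library rejected the undersized buffer with ERANGE (the fixed
 * behaviour), and GHOST_UNEXPECTED for any other outcome, e.g. a C library
 * that refuses a name this long before it reaches the size check. */
int ghost_check(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    int retval;

    /* The vulnerable size check summed sizeof(*host_addr) (16 bytes),
     * sizeof(*h_addr_ptrs) (two pointers) and strlen(name) + 1, but not the
     * one-pointer alias array. This name length makes that sum exactly 1024,
     * so the check passes and the writes run sizeof(char *) bytes past the
     * buffer, into the canary. */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;
    char name[sizeof(temp.buffer)];

    memcpy(temp.canary, CANARY, sizeof(CANARY));    /* fresh canary per run */
    memset(name, '0', len);
    name[len] = '\0';

    retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                             &result, &herrno);

    if (memcmp(temp.canary, CANARY, sizeof(CANARY)) != 0)
        return GHOST_VULNERABLE;
    if (retval == ERANGE)
        return GHOST_NOT_VULNERABLE;
    return GHOST_UNEXPECTED;
}

int main(void)
{
    switch (ghost_check()) {
    case GHOST_VULNERABLE:     puts("vulnerable");     return 0;
    case GHOST_NOT_VULNERABLE: puts("not vulnerable"); return 0;
    default:                   puts("unexpected result, inspect by hand"); return 1;
    }
}
```

Build with `gcc -o ghost_check ghost_check.c` and run it as any user. Only the "vulnerable" result is conclusive; "unexpected" means the C library took a different path (for instance a non-glibc libc rejecting the long name outright) and says nothing either way. The check is independent of pointer width: the name length is computed from sizeof(char *), so the same source works on x86 and x86_64.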