This Metasploit module has been tested with AIX 7.1 and 7.2, and should also work with 6.1. Due to permission restrictions of the crontab in AIX, this module does not use cron, and instead overwrites /etc/passwd in order to create a new user with root privileges. All currently logged-in users need to be included when /etc/passwd is overwritten, else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to change user. The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX, and is replaced by '-config', in conjunction with ANSI-C quotes to inject newlines when overwriting /etc/passwd.
cdb60dbe662ae825c2e68b4e3467951ff4065037e1a4c7ab93afe4fd720eaf44
This Metasploit module attempts to gain root privileges with SUID Xorg X11 server versions 1.19.0 up to 1.20.3. A permission check flaw exists for the -modulepath and -logfile options when starting Xorg. This allows unprivileged users who can start the server to elevate privileges and run arbitrary code under root privileges. This module has been tested with CentOS 7 (1708). A default CentOS install will require console auth for the user's session. Xorg must have SUID permissions and may not start if it is already running. On successful exploitation, artifacts will be created consistent with starting Xorg.
9377740962fb859c56e4c74db8eb408580293ddee8808bfba3b45eda70d58cd2
xorg-x11-server versions prior to 1.20.3 Solaris 11 inittab local privilege escalation exploit.
f395fa6075c97d0f6a5281e7569a3262f4c8a507bf9f6ed087f0ecc2779560ef
Xorg X11 server on AIX local privilege escalation exploit.
fdeb1b36f96691504fb5e84f75c6cdb5cd0544822f4eee060f585ebb37ee6e2d
xorg-x11-server versions prior to 1.20.3 modulepath local privilege escalation exploit.
c9a8fc53361d358a0cff26b98407e45b20d095dc75d70b378fb8eea42a279036
This Metasploit module attempts to gain root privileges with SUID Xorg X11 server versions 1.19.0 up to 1.20.3. A permission check flaw exists for the -modulepath and -logfile options when starting Xorg. This allows unprivileged users who can start the server to elevate privileges and run arbitrary code under root privileges. This Metasploit module has been tested with OpenBSD 6.3, 6.4, and CentOS 7 (1708). A default CentOS install will require console auth for the user's session. Cron launches the payload, so if SELinux is enforcing, exploitation may still be possible, but the module will bail. Xorg must have SUID permissions and may not start if it is already running. On exploitation, a crontab.old backup file will be created by Xorg. This Metasploit module will remove the .old file and restore crontab after successful exploitation. Failed exploitation may result in a corrupted crontab. On successful exploitation, artifacts will be created consistent with starting Xorg and running a cron.
720e628b35284931ff0424715e648634cd3ec31db1a89c8b1fff88eddfb6f4ab
xorg-x11-server versions prior to 1.20.1 local privilege escalation exploit.
fb77fab828d8d0bab406044be7355eb91d3ce8026b117ae80f463ff6657192d5
Red Hat Security Advisory 2018-3410-01 - X.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Issues addressed include a privilege escalation vulnerability.
57de9c4177c68c1ac4cae9bd9b25328f8ef9de465badf48b6c789d6d9b258ab5
Gentoo Linux Security Advisory 201810-9 - A vulnerability in X.Org X Server allows local users to escalate privileges. Versions less than 1.20.3 are affected.
29cdffb4731e8b668eef2cc7319c30aaf59b87a69d7e98f2b69c2c590b4b2b8c
xorg-x11-server version 1.20.3 privilege escalation exploit.
44e3595b1823ca1e39ba5878cc28006b66ed111988fc108df3838c650e54ef1b
Ubuntu Security Notice 3802-1 - Narendra Shinde discovered that the X.Org X server incorrectly handled certain command line parameters when running as root with the legacy wrapper. When certain graphics drivers are being used, a local attacker could possibly use this issue to overwrite arbitrary files and escalate privileges.
3e1800b73c06b9c5d9e9432c23ff8f3942aa93d0c796d9685eac915ed9e32c29
Debian Linux Security Advisory 4328-1 - Narendra Shinde discovered that incorrect command-line parameter validation in the Xorg X server may result in arbitrary file overwrite, which can result in privilege escalation.
ff2d18b1e14df09f902ec8b06d02f0b9342bf4aeb06bcfc17a2725b769fef697
xorg-x11-server versions prior to 1.20.3 local root exploit.
04fb5107a3446c9f4277d7db1e505e471ef5b483f8fd1dad9ec5583b8566c268
xorg-x11-server versions prior to 1.20.3 local privilege escalation exploit.
f3cd2959f68332bfa2c323ef0adaf0aa7a1128133e424075a042a879dc030265