This Metasploit module has been tested with AIX 7.1 and 7.2, and should also work with 6.1. Due to permission restrictions of the crontab in AIX, this module does not use cron, and instead overwrites /etc/passwd in order to create a new user with root privileges. All currently logged in users need to be included when /etc/passwd is overwritten, else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to change user. The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX, and is replaced by '-config', in conjuction with ANSI-C quotes to inject newlines when overwriting /etc/passwd.
cdb60dbe662ae825c2e68b4e3467951ff4065037e1a4c7ab93afe4fd720eaf44This Metasploit module attempts to gain root privileges with SUID Xorg X11 server versions 1.19.0 up to 1.20.3. A permission check flaw exists for -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server the ability to elevate privileges and run arbitrary code under root privileges. This module has been tested with CentOS 7 (1708). CentOS default install will require console auth for the users session. Xorg must have SUID permissions and may not start if running. On successful exploitation artifacts will be created consistent with starting Xorg.
9377740962fb859c56e4c74db8eb408580293ddee8808bfba3b45eda70d58cd2xorg-x11-server versions prior to 1.20.3 Solaris 11 inittab local privilege escalation exploit.
f395fa6075c97d0f6a5281e7569a3262f4c8a507bf9f6ed087f0ecc2779560efXorg X11 server on AIX local privilege escalation exploit.
fdeb1b36f96691504fb5e84f75c6cdb5cd0544822f4eee060f585ebb37ee6e2dxorg-x11-server versions prior to 1.20.3 modulepath local privilege escalation exploit.
c9a8fc53361d358a0cff26b98407e45b20d095dc75d70b378fb8eea42a279036This Metasploit module attempts to gain root privileges with SUID Xorg X11 server versions 1.19.0 up to 1.20.3. A permission check flaw exists for -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server the ability to elevate privileges and run arbitrary code under root privileges. This Metasploit module has been tested with OpenBSD 6.3, 6.4, and CentOS 7 (1708). CentOS default install will require console auth for the users session. Cron launches the payload so if Selinux is enforcing exploitation may still be possible, but the module will bail. Xorg must have SUID permissions and may not start if running. On exploitation a crontab.old backup file will be created by Xorg. This Metasploit module will remove the .old file and restore crontab after successful exploitation. Failed exploitation may result in a corrupted crontab. On successful exploitation artifacts will be created consistent with starting Xorg and running a cron.
720e628b35284931ff0424715e648634cd3ec31db1a89c8b1fff88eddfb6f4abxorg-x11-server versions prior to 1.20.1 local privilege escalation exploit.
fb77fab828d8d0bab406044be7355eb91d3ce8026b117ae80f463ff6657192d5Red Hat Security Advisory 2018-3410-01 - X.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Issues addressed include a privilege escalation vulnerability.
57de9c4177c68c1ac4cae9bd9b25328f8ef9de465badf48b6c789d6d9b258ab5Gentoo Linux Security Advisory 201810-9 - A vulnerability in X.Org X Server allows local users to escalate privileges. Versions less than 1.20.3 are affected.
29cdffb4731e8b668eef2cc7319c30aaf59b87a69d7e98f2b69c2c590b4b2b8cxorg-x11-server version 1.20.3 privilege escalation exploit.
44e3595b1823ca1e39ba5878cc28006b66ed111988fc108df3838c650e54ef1bUbuntu Security Notice 3802-1 - Narendra Shinde discovered that the X.Org X server incorrectly handled certain command line parameters when running as root with the legacy wrapper. When certain graphics drivers are being used, a local attacker could possibly use this issue to overwrite arbitrary files and escalate privileges.
3e1800b73c06b9c5d9e9432c23ff8f3942aa93d0c796d9685eac915ed9e32c29Debian Linux Security Advisory 4328-1 - Narendra Shinde discovered that incorrect command-line parameter validation in the Xorg X server may result in arbitrary file overwrite, which can result in privilege escalation.
ff2d18b1e14df09f902ec8b06d02f0b9342bf4aeb06bcfc17a2725b769fef697xorg-x11-server versions prior to 1.20.3 local root exploit.
04fb5107a3446c9f4277d7db1e505e471ef5b483f8fd1dad9ec5583b8566c268xorg-x11-server versions prior to 1.20.3 local privilege escalation exploit.
f3cd2959f68332bfa2c323ef0adaf0aa7a1128133e424075a042a879dc030265
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed