Ubuntu Security Notice 5427-1 - Muqing Liu and neoni discovered that Apport incorrectly handled detecting if an executable was replaced after a crash. A local attacker could possibly use this issue to execute arbitrary code as the root user. Gerrit Venema discovered that Apport incorrectly handled connections to Apport sockets inside containers. A local attacker could possibly use this issue to connect to arbitrary sockets as the root user.
4a7a1a4b4a53f12a5e131a2b8e72000ea9e3e0b7606d2ddd406b23a06bd16806
Multiple Konica Minolta bizhub MFP printer terminals suffer from a sandbox escape with root access and have clear-text password vulnerabilities.
57e210f71bf42a3b11e36e7813fbbb82fccbd07555cd2d876285ea9c410da45c
This Metasploit module exploits an authentication bypass vulnerability in the F5 BIG-IP iControl REST service to gain access to the admin account, which is capable of executing commands through the /mgmt/tm/util/bash endpoint. Successful exploitation results in remote code execution as the root user.
bb3a5bef34f53053f0da7eec9cad038bc4f47a0997b2e9cd601a17a1f034a0ad
This Metasploit module exploits a stack buffer overflow in the Cisco RV series router's SSL VPN functionality. The default SSL VPN configuration is exploitable, with no authentication required and works over the Internet! The stack is executable and no ASLR is in place, which makes exploitation easier. Successful execution of this module results in a reverse root shell. A custom payload is used as Metasploit does not have ARMLE null free shellcode. This vulnerability was presented by the Flashback Team in Pwn2Own Austin 2021 and OffensiveCon 2022. For more information check the referenced advisory. This module has been tested in firmware versions 1.0.03.15 and above and works with around 65% reliability. The service restarts automatically so you can keep trying until you pwn it. Only the RV340 router was tested, but other RV series routers should work out of the box.
619682621429d96cd23a1e1bcd69a008398c5244223265886c52e2e417242d02
The Mandos system allows computers to have encrypted root file systems and at the same time be capable of remote or unattended reboots. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network. All network communication is encrypted using TLS. The clients are identified by the server using an OpenPGP key that is unique to each client. The server sends the clients an encrypted password. The encrypted password is decrypted by the clients using the same OpenPGP key, and the password is then used to unlock the root file system.
74e7e1915cb5cb3617d80c379d9ecac315cfe154c815faf6a226ae482383f03f
Kramer VIAware remote code execution exploit that achieves root.
8404177fc0140512f4c0692c887519b39c5ae5574106d110007ffd87f2556907
Ubuntu Security Notice 5326-1 - It was discovered that FUSE is susceptible to a restriction bypass flaw on a system that has SELinux active. A local attacker with non-root privileges could mount a FUSE file system that is accessible to other users and trick them into accessing files on that file system, which could result in a Denial of Service or other unspecified conditions.
0f13d64ecbaa2b12059bb1588f8db131119cf3c35938ac23b6462cd8d6c0c8f5
Variant proof of concept exploit for the Dirty Pipe file overwrite vulnerability. This version hijacks a SUID binary to spawn a root shell.
896e5b87da1c2dcdc6b5bf2a4c03daf9da0145521f3b205c1bcf72db8ff2340f
Proof of concept for a vulnerability in the Linux kernel existing since version 5.8 that allows overwriting data in arbitrary read-only files. This leads to privilege escalation because unprivileged processes can inject code into root processes.
44e38035938b0841fe6c4b79375b95d9bdcc4665c0a63ed1dcb0ca5df0c03212
This Metasploit module exploits an arbitrary file creation vulnerability in the pfSense HTTP interface (CVE-2021-41282). The vulnerability affects versions 2.5.2 and below and can be exploited by an authenticated user if they have the "WebCfg - Diagnostics: Routing tables" privilege. This module uses the vulnerability to create a web shell and execute payloads with root privileges.
749bce942f6a26bc40cf265a69c07ac56ab2b47d26b9b02bc8c5c749e022b2a6
A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to achieve an out of bounds write operation, eventually leading to privilege escalation. This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021. In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to function on a wider range of Windows 10 targets.
9902434a58e36c7838c71ee860592d8624368fc1b380cf4c9ccf530f09895fd2
This Metasploit module exploits the "Apps" feature in Axis IP cameras. The feature allows third party developers to upload and execute eap applications on the device. The system does not validate the application comes from a trusted source, so a malicious attacker can upload and execute arbitrary code. The issue has no CVE, although the technique was made public in 2018. This module uploads and executes stageless meterpreter as root. Uploading the application requires valid credentials. The default administrator credentials used to be root:root but newer firmware versions force users to provide a new password for the root user. The module was tested on an Axis M3044-V using the latest firmware (9.80.3.8: December 2021). All modules that support the "Apps" feature are presumed to be vulnerable.
3b946c3c32ffbe1237309479a6f3fbc02ff1259e17c42ed2ee33315e97a2b97e
This Metasploit module exploits an unauthenticated command injection in a variety of Hikvision IP cameras (CVE-2021-36260). The module inserts a command into an XML payload used with an HTTP PUT request sent to the /SDK/webLanguage endpoint, resulting in command execution as the root user. This module specifically attempts to exploit the blind variant of the attack. The module was successfully tested against an HWI-B120-D/W using firmware V5.5.101 build 200408. It was also tested against an unaffected DS-2CD2142FWD-I using firmware V5.5.0 build 170725. Please see the Hikvision advisory for a full list of affected products.
7bd3dd72f17285cba701691f5d8795c84e79f211db3e6ea8a840141f658935a5
Ubuntu Security Notice 5260-3 - USN-5260-1 fixed a vulnerability in Samba. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. Orange Tsai discovered that the Samba vfs_fruit module incorrectly handled certain memory operations. A remote attacker could use this issue to cause Samba to crash, resulting in a denial of service, or possibly execute arbitrary code as root.
2c75ee8163364bc261cc0476d7d873eba34c2b09d0ef92e3a26e8735310d5e88
All versions of Samba prior to 4.13.17 are vulnerable to an out-of-bounds heap read write vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit.
6ba7846654bf7c08a244dc803a03a08db25b7266912db0c581e64adf257781a6
Ubuntu Security Notice 5260-1 - Orange Tsai discovered that the Samba vfs_fruit module incorrectly handled certain memory operations. A remote attacker could use this issue to cause Samba to crash, resulting in a denial of service, or possibly execute arbitrary code as root. Michael Hanselmann discovered that Samba incorrectly created directories. In certain configurations, a remote attacker could possibly create a directory on the server outside of the shared directory.
1150766a9f5acaee9066e266cb394d5fcb11a48e64845279538c22bdac77ac58
Ubuntu Security Notice 5260-2 - Orange Tsai discovered that the Samba vfs_fruit module incorrectly handled certain memory operations. A remote attacker could use this issue to cause Samba to crash, resulting in a denial of service, or possibly execute arbitrary code as root.
69faabb25cfae22c65e81b78d83b23a53e6dc20c613861ebb9a20102dff021b1
Gentoo Linux Security Advisory 202201-1 - A vulnerability in polkit could lead to local root privilege escalation. Versions less than 0.120-r2 are affected.
d11426713b556943aaabfa3a7507c7905257729200bd39fec54ff2e0f803eb1f
This archive contains demo exploits for CVE-2022-0185. There are two versions here. The non-kctf version (fuse version) specifically targets Ubuntu with kernel version 5.11.0-44. It does not directly return a root shell, but makes /bin/bash suid, which will lead to trivial privilege escalation. Adjusting the single_start and modprobe_path offsets should allow it to work on most other Ubuntu versions that have kernel version 5.7 or higher; for versions between 5.1 and 5.7, the spray will need to be improved as in the kctf version. The exploitation strategy relies on FUSE and SYSVIPC elastic objects to achieve arbitrary write. The kctf version achieves code execution as the root user in the root namespace, but has at most 50% reliability - it is targeted towards Kubernetes 1.22 (1.22.3-gke.700). This exploitation strategy relies on pipes and SYSVIPC elastic objects to trigger a stack pivot and execute a ROP chain in kernelspace.
8f9e0a3bd934c75bb63bb75c98368d05ec18006a64e52a0bc3f9ae155f0b72c1
Local privilege escalation root exploit for Polkit's pkexec vulnerability as described in CVE-2021-4034 and known as PwnKit. Written in Go.
55be64db4ee1fc4cb9ff1188b66c70af217b5dc74fb821becc08afd02c1fcfb7
Local privilege escalation root exploit for Polkit's pkexec vulnerability as described in CVE-2021-4034. Verified on Debian 10 and CentOS 7. Written in C.
5c59fb8b51079e3f956e9fcbe1974b3cbb587b1887064897119332a9ecf3f86a
Qualys discovered a local privilege escalation (from any user to root) in polkit's pkexec, a SUID-root program that is installed by default on every major Linux distribution.
23ec1cb3b1b5fe5409bb892ba3ae31bb746e06cafdf7afafd72fd7d4b136ebba
Local privilege escalation root exploit for Polkit's pkexec vulnerability as described in CVE-2021-4034 and known as PwnKit.
12d83236acbffaf0f0962a4bba1234b4a0a9221ec6681b9ef274c6a8a414398c
This Metasploit module exploits an unauthenticated SQL injection vulnerability and a command injection vulnerability affecting the Grandstream UCM62xx IP PBX series of devices. The vulnerabilities allow an unauthenticated remote attacker to execute commands as root.
4066544895b5150487b562aeb10cbead4ed40ccc1b2880b31c05f426293dbef2
Ubuntu Security Notice 5249-1 - It was discovered that USBView allowed unprivileged users to run usbview as root. A local attacker could use this vulnerability to gain administrative privileges or cause a denial of service.
9f0537ab8d4fdb42da520a867ff3fd738d8c8bca5435596ed0d1ce7b4be39041