exploit the possibilities
Showing 1 - 25 of 3,395 RSS Feed

Root Files

Sequoia: A Deep Root In Linux's Filesystem Layer
Posted Jul 21, 2021
Authored by Qualys Security Advisory

Qualys discovered a size_t-to-int conversion vulnerability in the Linux kernel's filesystem layer: by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, an unprivileged local attacker can write the 10-byte string "//deleted" to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer. They successfully exploited this uncontrolled out-of-bounds write, and obtained full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation; other Linux distributions are certainly vulnerable, and probably exploitable. A basic proof of concept (a crasher) is attached to this advisory.

tags | exploit, kernel, local, root, proof of concept
systems | linux, debian, fedora, ubuntu
advisories | CVE-2021-33909, CVE-2021-33910
MD5 | 2739ab8c7448e7ea41f28d5e97efa32a
Gentoo Linux Security Advisory 202107-31
Posted Jul 13, 2021
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 202107-31 - A vulnerability in polkit could lead to local root privilege escalation. Versions less than 0.119 are affected.

tags | advisory, local, root
systems | linux, gentoo
advisories | CVE-2021-3560
MD5 | ce9a4968c78b1f7a6e75b5e89c26d6c6
Gentoo Linux Security Advisory 202107-23
Posted Jul 11, 2021
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 202107-23 - Multiple vulnerabilities have been found in Docker, the worst of which could result in privilege escalation to root on the host. Versions less than 20.10.3 are affected.

tags | advisory, root, vulnerability
systems | linux, gentoo
advisories | CVE-2021-21284, CVE-2021-21285
MD5 | 9390ca9117d9ad7cd727fcfb060430db
Polkit D-Bus Authentication Bypass
Posted Jul 9, 2021
Authored by Spencer McIntyre, jheysel-r7, Kevin Backhouse | Site metasploit.com

A vulnerability exists within the polkit system service that can be leveraged by a local, unprivileged attacker to perform privileged operations. In order to leverage the vulnerability, the attacker invokes a method over D-Bus and kills the client process. This will occasionally cause the operation to complete without being subjected to all of the necessary authentication. The exploit module leverages this to add a new user with a sudo access and a known password. The new account is then leveraged to execute a payload with root privileges.

tags | exploit, local, root
advisories | CVE-2021-3560
MD5 | c913dad2bd458ed34f93845cd04f9baf
Okta Access Gateway 2020.5.5 Authenticated Remote Root
Posted Jul 7, 2021
Authored by Jeremy Brown

Okta Access Gateway version 2020.5.5 suffers from multiple authenticated remote root command injection vulnerabilities.

tags | exploit, remote, root, vulnerability
advisories | CVE-2021-28113
MD5 | 117cdacc6c045a9f6239a8f7082bfc82
Ricon Industrial Cellular Router S9922XL Remote Command Execution
Posted Jul 5, 2021
Authored by LiquidWorm | Site zeroscience.mk

Ricon Industrial Cellular Router S9922XL suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the admin (root) user via the ping_server_ip POST parameter. It is also vulnerable to Heartbleed.

tags | exploit, arbitrary, shell, root
MD5 | 23fc8665a81e1f9a6166b3c13847b608
Docker Container Escape
Posted Jul 1, 2021
Authored by Christophe de la Fuente, Spencer McIntyre, Nick Frichette, Borys Poplawski, Adam Iwaniuk | Site metasploit.com

This Metasploit module leverages a flaw in runc to escape a Docker container and get command execution on the host as root. This vulnerability is identified as CVE-2019-5736. It overwrites the runc binary with the payload and waits for someone to use docker exec to get into the container. This will trigger the payload execution. Note that executing this exploit carries important risks regarding the Docker installation integrity on the target and inside the container.

tags | exploit, root
advisories | CVE-2019-5736
MD5 | 54b0ec13cde2be7ef0f09cb5fd1fa5d3
Android 2.0 FreeCIV Arbitrary Code Execution
Posted Jun 28, 2021
Authored by Raed Ahsan

Android version 2.0 exploit for FreeCIV versions 2.2 before 2.2.1 and 2.3 before 2.3.0 that achieves root.

tags | exploit, root
advisories | CVE-2010-2445
MD5 | 3a7206dc1575a4f0e04e17dc57297340
F5 BIG-IQ VE 8.0.0-2923215 Remote Root
Posted Jun 23, 2021
Authored by Jeremy Brown

F5 BIG-IQ VE version 8.0.0-2923215 post-authentication remote root code execution exploit.

tags | exploit, remote, root, code execution
advisories | CVE-2021-23024
MD5 | a11dfe5c02989bd70fe132ae0aa3fd92
Solaris SunSSH 11.0 Remote Root
Posted Jun 22, 2021
Authored by Joe Rozner, Nathaniel Singer

Solaris SunSSH version 11.0 on x86 libpam remote root exploit.

tags | exploit, remote, x86, root
systems | solaris
advisories | CVE-2020-14871
MD5 | ad6170fd6c91ea4241f7bcc669da3838
IPFire 2.25 Remote Code Execution
Posted Jun 15, 2021
Authored by Grant Willcox, Mucahit Saratar | Site metasploit.com

This Metasploit module exploits an authenticated command injection vulnerability in the /cgi-bin/pakfire.cgi web page of IPFire devices running versions 2.25 Core Update 156 and prior to execute arbitrary code as the root user.

tags | exploit, web, arbitrary, cgi, root
advisories | CVE-2021-33393
MD5 | 69d36ee1b60ffec6d31a6ebc94e2dc1e
Cisco SD-WAN vManage 19.2.2 Remote Root
Posted Jun 3, 2021
Authored by Johnny Yu | Site github.com

Cisco SD-WAN vManage version 19.2.2 remote root shell proof of concept exploit that leverages multiple vulnerabilities.

tags | exploit, remote, shell, root, vulnerability, proof of concept
systems | cisco
advisories | CVE-2020-3387, CVE-2020-3437
MD5 | a4bd588c350b9a327fc445d03fadab85
Ubuntu OverlayFS Local Privilege Escalation
Posted May 31, 2021
Authored by Chris Wild, Sudhanshu Kumar, Rohit Verma

The document in this archive illustrates using the included proof of concept exploit to achieve root on Ubuntu systems using a flaw in the OverlayFS file system. The exploit itself does not have author attribution as the proof of concept came through SSD Disclosures.

tags | exploit, paper, root, proof of concept
systems | linux, ubuntu
advisories | CVE-2021-3493
MD5 | f594195ba35e11d203cb280d4aa0e967
QNAP MusicStation / MalwareRemover File Upload / Command Injection
Posted May 28, 2021
Authored by polict | Site shielder.it

QNAP MusicStation and MalwareRemover are affected by arbitrary file upload and command injection vulnerabilities, leading to pre-authentication remote command execution with root privileges on the NAS.

tags | advisory, remote, arbitrary, root, vulnerability, file upload
advisories | CVE-2020-36197, CVE-2020-36198
MD5 | e0f4de64c7524a918a49796c1ab9986e
Gentoo Linux Security Advisory 202105-19
Posted May 26, 2021
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 202105-19 - A vulnerability was discovered in Firejail which may allow local attackers to gain root privileges. Versions less than are affected.

tags | advisory, local, root
systems | linux, gentoo
advisories | CVE-2021-26910
MD5 | ccf7fef48e4b912c3e0ba5a3c5710b67
Red Hat Security Advisory 2021-1723-01
Posted May 19, 2021
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2021-1723-01 - The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root.

tags | advisory, root
systems | linux, redhat
advisories | CVE-2021-23239, CVE-2021-23240
MD5 | 60a3de8a0dd3e296b798eb47d1d51b8d
Root Detection Bypass With frida-push And Objection For iOS And Android
Posted Apr 28, 2021
Authored by Ahmet Recep Saglam

Whitepaper called Root Detection Bypass with frida-push and Objection for iOS and Android. Written in Turkish.

tags | paper, root, bypass
systems | ios
MD5 | cf2857b86392f6fbfb8a1f549f8da9ec
Nagios XI getprofile.sh Remote Command Execution
Posted Apr 14, 2021
Authored by Erik Wynter, Jak Gibb | Site metasploit.com

This Metasploit module exploits a vulnerability in the getprofile.sh script of Nagios XI versions prior to 5.6.6 in order to upload a malicious check_ping plugin and thereby execute arbitrary commands. For Nagios XI 5.2.0 through 5.4.13, the commands are run as the nagios user. For versions 5.5.0 through 5.6.5, the commands are run as root. Note that versions prior to 5.2.0 will still be marked as being vulnerable however this module does not presently support exploiting these targets. The module uploads a malicious check_ping plugin to the Nagios XI server via /admin/monitoringplugins.php and then executes this plugin by issuing a HTTP GET request to download a system profile from the server. For all supported targets except Linux (cmd), the module uses a command stager to write the exploit to the target via the malicious plugin. This may not work if Nagios XI is running in a restricted Unix environment, so in that case the target must be set to Linux (cmd). The module then writes the payload to the malicious plugin while avoiding commands that may not be supported. Valid credentials for a user with administrative privileges are required. This module was successfully tested on Nagios XI 5.3.0 and Nagios 5.6.5, both running on CentOS 7. For vulnerable versions before 5.5.0, it may take a significant amount of time for the payload to get back (up to 5 minutes). If exploitation fails against an older system, it is recommended to increase the WfsDelay setting (default is 300 seconds).

tags | exploit, web, arbitrary, root, php
systems | linux, unix, osx, centos
advisories | CVE-2019-15949
MD5 | c535c12509a747d756650bedc5b31fca
SAP Host Control Local Privilege Escalation
Posted Apr 5, 2021
Site onapsis.com

A malicious authenticated attacker, with privileges of SAP SMD Agent access, can exploit certain SAP Host Control functions due to missing input checking, in order to escalate its privileges and execute commands as root/system user. SAPHOSTAGENT versions 7.21 SP045 and lower are affected.

tags | advisory, root
advisories | CVE-2020-6234
MD5 | cd82c2decad0c6dcc50f95839bfbec49
F5 iControl Server-Side Request Forgery / Remote Command Execution
Posted Apr 1, 2021
Authored by wvu, Rich Warren | Site metasploit.com

This Metasploit module exploits a pre-authentication server-side request forgery vulnerability in the F5 iControl REST API's /mgmt/shared/authn/login endpoint to generate an X-F5-Auth-Token that can be used to execute root commands on an affected BIG-IP or BIG-IQ device.

tags | exploit, root
advisories | CVE-2021-22986
MD5 | babad085c5ec0276c04a4de6f8676674
SaltStack Salt API Unauthenticated Remote Command Execution
Posted Apr 1, 2021
Authored by Christophe de la Fuente, Alex Seymour | Site metasploit.com

This Metasploit module leverages an authentication bypass and directory traversal vulnerabilities in Saltstack Salt's REST API to execute commands remotely on the master as the root user. Every 60 seconds, salt-master service performs a maintenance process check that reloads and executes all the grains on the master, including custom grain modules in the Extension Module directory. So, this module simply creates a Python script at this location and waits for it to be executed. The time interval is set to 60 seconds by default but can be changed in the master configuration file with the loop_interval option. Note that, if an administrator executes commands locally on the master, the maintenance process check will also be performed. It has been fixed in the following installation packages: 3002.5, 3001.6 and 3000.8. Also, a patch is available for the following versions: 3002.2, 3001.4, 3000.6, 2019.2.8, 2019.2.5, 2018.3.5, 2017.7.8, 2016.11.10, 2016.11.6, 2016.11.5, 2016.11.3, 2016.3.8, 2016.3.6, 2016.3.4, 2015.8.13 and 2015.8.10. This module has been tested successfully against versions 3001.4, 3002 and 3002.2 on Ubuntu 18.04.

tags | exploit, root, vulnerability, python
systems | linux, ubuntu
advisories | CVE-2021-25281, CVE-2021-25282
MD5 | c836d9acbeb076642702599310fe13a4
Microsoft Windows Containers AppSilo Object Manager Privilege Escalation
Posted Mar 10, 2021
Authored by James Forshaw, Google Security Research

Microsoft Windows has an issue with containers where the kernel incorrectly chooses the wrong silo when looking up the root object manager directory leading to elevation of privilege.

tags | exploit, kernel, root
systems | windows
advisories | CVE-2021-26865
MD5 | d249fdb9dab1efdef449b7c32504cdc9
Micro Focus Operations Bridge Manager Remote Code Execution
Posted Feb 10, 2021
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module exploits an authenticated Java deserialization that affects a truckload of Micro Focus products: Operations Bridge Manager, Application Performance Management, Data Center Automation, Universal CMDB, Hybrid Cloud Management and Service Management Automation. However, this module was only tested on Operations Bridge Manager. Exploiting this vulnerability will result in remote code execution as the root user on Linux or the SYSTEM user on Windows. Authentication is required as the module user needs to login to the application and obtain the authenticated LWSSO_COOKIE_KEY, which should be fed to the module. Any authenticated user can exploit this vulnerability, even the lowest privileged ones.

tags | exploit, java, remote, root, code execution
systems | linux, windows
advisories | CVE-2020-11853
MD5 | f6552551b0f335ef518698e89a9caa30
Mandos Encrypted File System Unattended Reboot Utility 1.8.14
Posted Feb 3, 2021
Authored by Teddy | Site fukt.bsnet.se

The Mandos system allows computers to have encrypted root file systems and at the same time be capable of remote or unattended reboots. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network. All network communication is encrypted using TLS. The clients are identified by the server using an OpenPGP key that is unique to each client. The server sends the clients an encrypted password. The encrypted password is decrypted by the clients using the same OpenPGP key, and the password is then used to unlock the root file system.

Changes: Created /dev/fd symlink if necessary in plugin-runner and mandos-client.
tags | tool, remote, root
systems | linux, unix
MD5 | c8120978ea9929e12fc3a174e9657162
Red Hat Security Advisory 2021-0223-01
Posted Jan 27, 2021
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2021-0223-01 - The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Issues addressed include a buffer overflow vulnerability.

tags | advisory, overflow, root
systems | linux, redhat
advisories | CVE-2021-3156
MD5 | 3340cd05b0a77290105fc2a1999fb567
Page 1 of 136

File Archive:

July 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    13 Files
  • 2
    Jul 2nd
    12 Files
  • 3
    Jul 3rd
    1 Files
  • 4
    Jul 4th
    2 Files
  • 5
    Jul 5th
    34 Files
  • 6
    Jul 6th
    21 Files
  • 7
    Jul 7th
    21 Files
  • 8
    Jul 8th
    13 Files
  • 9
    Jul 9th
    6 Files
  • 10
    Jul 10th
    1 Files
  • 11
    Jul 11th
    3 Files
  • 12
    Jul 12th
    15 Files
  • 13
    Jul 13th
    19 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    15 Files
  • 16
    Jul 16th
    9 Files
  • 17
    Jul 17th
    2 Files
  • 18
    Jul 18th
    2 Files
  • 19
    Jul 19th
    19 Files
  • 20
    Jul 20th
    21 Files
  • 21
    Jul 21st
    53 Files
  • 22
    Jul 22nd
    14 Files
  • 23
    Jul 23rd
    14 Files
  • 24
    Jul 24th
    1 Files
  • 25
    Jul 25th
    1 Files
  • 26
    Jul 26th
    21 Files
  • 27
    Jul 27th
    8 Files
  • 28
    Jul 28th
    9 Files
  • 29
    Jul 29th
    12 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2020 Packet Storm. All rights reserved.

Security Services
Hosting By