This Metasploit module exploits a post-auth command injection in the Pulse Secure VPN server to execute commands as root. The env(1) command is used to bypass application whitelisting and run arbitrary commands. Please see related module auxiliary/gather/pulse_secure_file_disclosure for a pre-auth file read that is able to obtain plaintext and hashed credentials, plus session IDs that may be used with this exploit. A valid administrator session ID is required in lieu of untested SSRF.
c74c7def1a1eed3c783bc01c33aa4259This Metasploit module has been tested with AIX 7.1 and 7.2, and should also work with 6.1. Due to permission restrictions of the crontab in AIX, this module does not use cron, and instead overwrites /etc/passwd in order to create a new user with root privileges. All currently logged in users need to be included when /etc/passwd is overwritten, else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to change user. The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX, and is replaced by '-config', in conjuction with ANSI-C quotes to inject newlines when overwriting /etc/passwd.
441242f216fc75457eaee333db550449Prima Access Control version 2.3.35 authenticated python script upload remote root code execution exploit.
117f749e7f2c75221ff5de44fb05a88aFlexAir Access Control version 2.3.38 authenticated remote root exploit that leverages command injection via a SetNTPServer request.
cf54608f4937667e47f6bc6cb218dd77FlexAir Access Control versions 2.3.38 and below remote root command injection exploit.
bda839dcfe5896e2d89cbe0e3d1f28f1Optergy versions 2.3.0a and below authenticated file upload remote root code execution exploit.
f65d6a3bb4f0613c29b924c18b98dc3dNortek Linear eMerge E3 Access Controller versions 1.00-06 and below SSH/FTP remote root exploit.
5dbb8f18038e0e3939eb86697d0a7207Optergy BMS versions 2.0.3a and below unauthenticated remote root exploit. Related CVE number: CVE-2019-7276.
828db05389246ed7db50064512079555Linear eMerge E3 versions 1.00-06 and below unauthenticated command injection remote root exploit that leverages card_scan_decoder.php.
44a9793e2a7284d735e5ee358d786e4bLinear eMerge E3 versions 1.00-06 and below unauthenticated command injection remote root exploit that leverages card_scan.php.
6bc7028052702f5b76c1733414371eb8Linear eMerge E3 versions 1.00-06 and below arbitrary file upload remote root code execution exploit.
7cb54d49b3539c9a3b2258832481a863Red Hat Security Advisory 2019-3755-01 - The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. A privilege escalation vulnerability has been addressed.
319b3da38661d4f2123191192a6df573Red Hat Security Advisory 2019-3754-01 - The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. A privilege escalation vulnerability was addressed.
46835b80662d2b715b83c9c0ea271830Red Hat Security Advisory 2019-3694-01 - The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. A privilege escalation vulnerability was addressed.
bd7e4be6350837b85ec0c14b544253f7Ubuntu Security Notice 4171-4 - USN-4171-2 fixed a vulnerability in Apport. The update caused a regression in the Python Apport library. This update fixes the problem for Ubuntu 14.04 ESM. Kevin Backhouse discovered Apport would read its user-controlled settings file as the root user. This could be used by a local attacker to possibly crash Apport or have other unspecified consequences. Various other issues were also addressed.
1f07f6de70fdeb3fd7690f336bc3cfb3Ubuntu Security Notice 4171-3 - USN-4171-1 fixed vulnerabilities in Apport. The update caused a regression in the Python Apport library. This update fixes the problem. Kevin Backhouse discovered Apport would read its user-controlled settings file as the root user. This could be used by a local attacker to possibly crash Apport or have other unspecified consequences. Various other issues were also addressed.
e549544faf81ebbea551c9f8be0a7a87Ubuntu Security Notice 4171-2 - USN-4171-1 fixed several vulnerabilities in apport. This update provides the corresponding update for Ubuntu 14.04 ESM. Kevin Backhouse discovered Apport would read its user-controlled settings file as the root user. This could be used by a local attacker to possibly crash Apport or have other unspecified consequences. Various other issues were also addressed.
9001ec2123f134738345960ba8a47141This Metasploit module exploits the trusted $PATH environment variable of the SUID binary omniresolve in Micro Focus (HPE) Data Protector versions A.10.40 and below. The omniresolve executable calls the oracleasm binary using a relative path and the trusted environment $PATH, which allows an attacker to execute a custom binary with root privileges.
176176eb167f93f37396bef2dc4cc6a0Red Hat Security Advisory 2019-3278-01 - The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. A privilege escalation vulnerability has been addressed.
48dfb6453f3477d2a9b70fa56cba7fe4Ubuntu Security Notice 4171-1 - Kevin Backhouse discovered Apport would read its user-controlled settings file as the root user. This could be used by a local attacker to possibly crash Apport or have other unspecified consequences. Sander Bos discovered a race-condition in Apport during core dump creation. This could be used by a local attacker to generate a crash report for a privileged process that is readable by an unprivileged user. Various other issues were also addressed.
4435b79c84276bd5e52920e950cd2986Red Hat Security Advisory 2019-3225-01 - Java Security Services provides an interface between Java Virtual Machine and Network Security Services. It supports most of the security standards and encryption technologies supported by NSS including communication through SSL/TLS network protocols. JSS is primarily utilized by the Certificate Server as a part of the Identity Management System. The OCSP policy Leaf and Chain implicitly trusts the root certificate.
041a48e4265ed01347d8984710428491Red Hat Security Advisory 2019-3219-01 - The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. A privilege escalation vulnerability has been addressed.
7f68ee711bca7c2c5e2efd6a5655cebcRed Hat Security Advisory 2019-3209-01 - The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. A privilege escalation vulnerability was addressed.
ebf26ca1d7d153319f0462b216f5e312Red Hat Security Advisory 2019-3205-01 - The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. A privilege escalation issue was addressed.
7dbf3a069d1178a5fe9c748d6a5bc455Red Hat Security Advisory 2019-3204-01 - The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. A privilege escalation issue was addressed.
51d166ccec3a43da307e53c089688d74
© 2019 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed