Cypress Solutions CTM-200 wireless gateway version 2.7.1 suffers from an authenticated semi-blind OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user through the 'ctm-config-upgrade.sh' script leveraging the 'fw_url' POST parameter used in the cmd upgreadefw as argument, called by ctmsys() as pointer to execv() and make_wget_url() function to the wget command in /usr/bin/cmdmain ELF binary.
5443c1ca578d802c9f7cf55428781490Cypress Solutions CTM-200/CTM-ONE suffers from a hard-coded credential remote root vulnerability via telnet and ssh.
4dc0da6ff777de3e071d0c7c9de1dabaThis Metasploit module exploits a file upload in VMware vCenter Server's analytics/telemetry (CEIP) service to write a system crontab and execute shell commands as the root user. Note that CEIP must be enabled for the target to be exploitable by this module. CEIP is enabled by default.
d46c0245ccc36fc657f9f4ef1767092aUbuntu Security Notice 5100-1 - It was discovered that containerd insufficiently restricted permissions on container root and plugin directories. If a user or automated system were tricked into launching a specially crafted container image, a remote attacker could traverse directory contents and modify files and execute programs on the host filesystem, possibly leading to privilege escalation.
bc2839346203abd22e30f4ef10721232Mitrastar GPT-2541GNAC-N1 suffers from a privilege escalation vulnerability that provides root privileges.
7476572a4f2ed2d140db93215e304ccfUbuntu Security Notice 5089-2 - USN-5089-1 updated ca-certificates. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. The ca-certificates package contained a CA certificate that will expire on 2021-09-30 and will cause connectivity issues. This update removes the “DST Root CA X3” CA. Various other issues were also addressed.
3f6bb8efe435926053d369372e5d95d0Ubuntu Security Notice 5089-1 - The ca-certificates package contained a CA certificate that will expire on 2021-09-30 and will cause connectivity issues. This update removes the “DST Root CA X3” CA.
b174669d6d445a62c0d3499d26d1c223This Metasploit module exploits a buffer overflow within the 'action' parameter of the /uapi-cgi/instantrec.cgi page of Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, ETHC-22xx, and EWPC-22xx devices running firmware versions equal to 1.12.0.27 as well as firmware versions 1.12.13.2 and 1.12.14.5. Successful exploitation results in remote code execution as the root user.
d9314dc3eccdf88cc68ce0fe7246fa85This Metasploit module bypasses the HTTP basic authentication used to access the /uapi-cgi/ folder and exploits multiple authenticated arbitrary command execution vulnerabilities within the parameters of various pages on Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, ETHC-22xx, and EWPC-22xx devices running firmware versions 1.12.0.27 and below as well as firmware versions 1.12.13.2 and 1.12.14.5. Successful exploitation results in remote code execution as the root user.
92b73b5927fb8541093395f2793bd346CyberArk Credential Providers can be configured to retain passwords, password metadata, and other application properties in a local, encrypted cache file. Under certain conditions, the effective key space used to encrypt the cache is significantly reduced. For an attacker who understands the key derivation scheme and encryption mechanics, full access to the information used to derive the encryption key is sufficient to reduce effective key space to one. Even in cases where the information is not known, the encrypted cache files will likely be unable to withstand a brute force attack. However, the severity of this issue is partially mitigated by the privilege level required (root) for access. Versions prior to 12.1 are affected.
584fe77e2ea6857a7616d3364bb329f1Linux kernels from 5.7-rc1 prior to 5.13-rc4, 5.12.4, 5.11.21, and 5.10.37 are vulnerable to a bug in the eBPF verifier's verification of ALU32 operations in the scalar32_min_max_and function when performing AND operations, whereby under certain conditions the bounds of a 32 bit register would not be properly updated. This can be abused by attackers to conduct an out of bounds read and write in the Linux kernel and therefore achieve arbitrary code execution as the root user. The target system must be compiled with eBPF support and not have kernel.unprivileged_bpf_disabled set, which prevents unprivileged users from loading eBPF programs into the kernel. Note that if kernel.unprivileged_bpf_disabled is enabled this module can still be utilized to bypass protections such as SELinux, however the user must already be logged as a privileged user such as root.
6ead3e5e5296fe145b5eb92da7ae8088Pi-Hole versions 3.0 through 5.3 allows for command line input to the removecustomcname, removecustomdns, and removestaticdhcp functions without properly validating the parameters before passing to sed. When executed as the www-data user, this allows for a privilege escalation to root since www-data is in the sudoers.d/pihole file with no password.
dac4dfce514725aab909b2548e85e3eeQualys discovered a size_t-to-int conversion vulnerability in the Linux kernel's filesystem layer: by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, an unprivileged local attacker can write the 10-byte string "//deleted" to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer. They successfully exploited this uncontrolled out-of-bounds write, and obtained full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation; other Linux distributions are certainly vulnerable, and probably exploitable. A basic proof of concept (a crasher) is attached to this advisory.
2739ab8c7448e7ea41f28d5e97efa32aGentoo Linux Security Advisory 202107-31 - A vulnerability in polkit could lead to local root privilege escalation. Versions less than 0.119 are affected.
ce9a4968c78b1f7a6e75b5e89c26d6c6Gentoo Linux Security Advisory 202107-23 - Multiple vulnerabilities have been found in Docker, the worst of which could result in privilege escalation to root on the host. Versions less than 20.10.3 are affected.
9390ca9117d9ad7cd727fcfb060430dbA vulnerability exists within the polkit system service that can be leveraged by a local, unprivileged attacker to perform privileged operations. In order to leverage the vulnerability, the attacker invokes a method over D-Bus and kills the client process. This will occasionally cause the operation to complete without being subjected to all of the necessary authentication. The exploit module leverages this to add a new user with a sudo access and a known password. The new account is then leveraged to execute a payload with root privileges.
c913dad2bd458ed34f93845cd04f9bafOkta Access Gateway version 2020.5.5 suffers from multiple authenticated remote root command injection vulnerabilities.
117cdacc6c045a9f6239a8f7082bfc82Ricon Industrial Cellular Router S9922XL suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the admin (root) user via the ping_server_ip POST parameter. It is also vulnerable to Heartbleed.
23fc8665a81e1f9a6166b3c13847b608This Metasploit module leverages a flaw in runc to escape a Docker container and get command execution on the host as root. This vulnerability is identified as CVE-2019-5736. It overwrites the runc binary with the payload and waits for someone to use docker exec to get into the container. This will trigger the payload execution. Note that executing this exploit carries important risks regarding the Docker installation integrity on the target and inside the container.
54b0ec13cde2be7ef0f09cb5fd1fa5d3Android version 2.0 exploit for FreeCIV versions 2.2 before 2.2.1 and 2.3 before 2.3.0 that achieves root.
3a7206dc1575a4f0e04e17dc57297340F5 BIG-IQ VE version 8.0.0-2923215 post-authentication remote root code execution exploit.
a11dfe5c02989bd70fe132ae0aa3fd92Solaris SunSSH version 11.0 on x86 libpam remote root exploit.
ad6170fd6c91ea4241f7bcc669da3838This Metasploit module exploits an authenticated command injection vulnerability in the /cgi-bin/pakfire.cgi web page of IPFire devices running versions 2.25 Core Update 156 and prior to execute arbitrary code as the root user.
69d36ee1b60ffec6d31a6ebc94e2dc1eCisco SD-WAN vManage version 19.2.2 remote root shell proof of concept exploit that leverages multiple vulnerabilities.
a4bd588c350b9a327fc445d03fadab85The document in this archive illustrates using the included proof of concept exploit to achieve root on Ubuntu systems using a flaw in the OverlayFS file system. The exploit itself does not have author attribution as the proof of concept came through SSD Disclosures.
f594195ba35e11d203cb280d4aa0e967
© 2020 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed