CentOS Stream 9 has a missing kernel security fix for a tun double-free amongst other missing fixes. Included is a local root exploit to demonstrate the issue.
ff7d7021860395c29340e572b9c37574d2458d361ce7c71f08cc837f0834b69e
This Metasploit module exploits an authentication bypass vulnerability in the Linux version of udadmin_server, which is an RPC service that comes with the Rocket Software UniData server. This affects versions of UniData prior to 8.2.4 build 3003. This service typically runs as root. It accepts a username of ":local:" and a password in the form of "<username>:<uid>:<gid>", where username and uid must be a valid account, but gid can be anything except 0. This exploit takes advantage of this login account to authenticate as a chosen user and run an arbitrary command (using the built-in OsCommand message).
a072b9a39317b3843159b4f19550be453c524b06398e48145609bb5afa1a4475
This Metasploit module exploits an authentication bypass vulnerability in the Linux version of udadmin_server, an RPC service that comes with the Rocket Software UniData server and runs as root. This vulnerability affects UniData versions 8.2.4 build 3003 and earlier (for Linux), but this module specifically targets UniData version 8.2.4 build 3001. Other versions will crash the forked process, but will not otherwise affect the RPC server. The username and password fields are copied to a stack-based buffer using a function that is equivalent to strcpy() (i.e., it has no bounds checking). Additionally, the password field is encoded in such a way that NUL bytes can be included.
573fc6e16c91d795c9424c33a9909a1277e50ad02e08eb5886ceb1a2e2610251
HospitalRun version 1.0.0-beta local root exploit for macOS.
5974878a49f1ebd87d13c459e69f6e25119f1ca212ec3fb8f6659b619d908c93
NetIQ / Microfocus Performance Endpoint version 5.1 remote root / SYSTEM exploit.
1873ef6c5bd20ce923c52c185d0a39c62eea316da4d00135a50a4dbc42367c9e
Debian Linux Security Advisory 5380-1 - Jan-Niklas Sohn discovered that a use-after-free flaw in the Composite extension of the X.org X server may result in privilege escalation if the X server is running under the root user.
013d8199c96a3b7dd39b9bfe5fe4ea2bc5461ae2364515cecde74828ad3a6eb2
Outline version 1.6.0 suffers from an unquoted service path vulnerability.
c7fdf86fb00365bd53d570e0ff758cfd8ba014d2dce9b75b8d6db96e15e882ee
Human Resource Management System version 1.0 suffers from an unauthenticated remote SQL injection vulnerability.
4f80b588a513bbcbb3b08d9782eb8b87aa9be2291590ff110ec8d9d5b3b889e5
This Metasploit module exploits an undocumented backdoor vulnerability in the Optergy Proton and Enterprise Building Management System (BMS) applications. Versions 2.0.3a and below are vulnerable. Attackers can exploit this issue by directly navigating to an undocumented backdoor script called Console.jsp in the tools directory, gaining full system access. Successful exploitation results in root command execution using sudo as the user optergy.
33babb5810832b13a94e71c123fd7427e2dfe9cd4f92a96b062b362c7592affd
Ubuntu Security Notice 5966-2 - USN-5966-1 fixed vulnerabilities in amanda. Unfortunately it introduced a regression in GNUTAR-based backups. This update reverts all of the changes in amanda until a better fix is provided. Maher Azzouzi discovered an information disclosure vulnerability in the calcsize binary within amanda. calcsize is a suid binary owned by root that could possibly be used by a malicious local attacker to expose sensitive file system information.
4749f55afc6287a649f39b41a2552f3b688b77959973ae84bd337045e4dad07f
Ubuntu Security Notice 5966-1 - Maher Azzouzi discovered an information disclosure vulnerability in the calcsize binary within amanda. calcsize is a suid binary owned by root that could possibly be used by a malicious local attacker to expose sensitive file system information. Maher Azzouzi discovered a privilege escalation vulnerability in the rundump binary within amanda. rundump is a suid binary owned by root that did not perform adequate sanitization of environment variables or commandline options and could possibly be used by a malicious local attacker to escalate privileges.
2580ab51db5f3bf0e05ef50995b026255510f6945bca4387cdd8ab8d58501893
This Metasploit module exploits a buffer overflow in the zhttpd binary (/bin/zhttpd). It is present on more than 40 Zyxel routers and CPE devices. The code execution vulnerability can only be exploited by an attacker if the zhttp webserver is reachable. No authentication is required. After exploitation, an attacker will be able to execute any command as root, including downloading and executing a binary from another host.
fc9419af3871336277cafde42125966d876812e4e57c8b48da3a83050219381f
XNU NFSSVC suffers from root check bypass and use-after-free vulnerabilities due to insufficient locking in upcall worker threads.
dd5db6e40185f5ad1603a814730e94b92ca2cfb3086268f82937050b80986d44
This Metasploit module uploads a payload to the /tmp directory in addition to a cron job in /etc/cron.d which executes the payload in the context of the root user. The core vulnerability is an arbitrary file write issue in /configWizard/keyUpload.jsp which is accessible remotely and without authentication. When the vulnerable endpoint is sent a ZIP file, it will extract an attacker-controlled file to a directory of the attacker's choice on the target system. This issue is exploitable on FortiNAC versions 9.4 prior to 9.4.1, FortiNAC versions 9.2 prior to 9.2.6, FortiNAC versions 9.1 prior to 9.1.8, all versions of FortiNAC 8.8, all versions of FortiNAC 8.7, all versions of FortiNAC 8.6, all versions of FortiNAC 8.5, and all versions of FortiNAC 8.3.
b72056fdc9840a37268bab3325c1941ddb0082c5918cf14fec39001b268b461d
CoreDial sipXcom sipXopenfire versions 21.04 and below suffer from XMPP message system command argument injection and insecure service file permissions that, when chained together, give root.
b306297e359b80aaed39f16e6cdc8e7a70a93aff1cb4084d52e8dfcfadc31596
This Metasploit module can be used to execute a payload on Lucee servers that have an exposed administrative web interface. It's possible for an administrator to create a scheduled job that queries a remote ColdFusion file, which is then downloaded and executed when accessed. The payload is uploaded as a cfm file when queried by the target server. When executed, the payload will run as the user specified during the Lucee installation. On Windows, this is a service account; on Linux, it is either the root user or lucee.
79602ec0e4fd423056fa80073c3578efbd79976ee050388452b17b67fd38c488
ASUS ASMB8 iKVM firmware versions 1.14.51 and below suffer from a flaw where SNMPv2 with write access can be used to introduce arbitrary extensions and achieve remote code execution as root. The researchers also discovered a hardcoded administrative account.
a23c3b2021225bfb676a55bbdeafbcf1689dc045c5b50ecbfacebfc7ffe2014b
ABUS Security Camera version TVIP 20000-21150 suffers from local file inclusion, hardcoded credential, and command injection vulnerabilities. When coupled together, they can be leveraged to achieve remote access as root via ssh.
92decaa3308d461393dc637c13861ced7bcb4cd43a2c333235f9835ee562ecb9
The Mandos system allows computers to have encrypted root file systems and at the same time be capable of remote or unattended reboots. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network. All network communication is encrypted using TLS. The clients are identified by the server using an OpenPGP key that is unique to each client. The server sends the clients an encrypted password. The encrypted password is decrypted by the clients using the same OpenPGP key, and the password is then used to unlock the root file system.
e301007184eafc99517bdaa09f3c8d3f42027b9aae335158f14cfcee60bfe108
Debian Linux Security Advisory 5342-1 - Jan-Niklas Sohn discovered that a use-after-free flaw in the X Input extension of the X.org X server may result in privilege escalation if the X server is running under the root user.
d9cd986f6b68c068a98e8f263690e16240a4bad3bcee76be602630f0b4931e29
This Metasploit module targets a vulnerability in Tomcat versions 6, 7, and 8 on Debian-based distributions, where these older versions ship a vulnerable tomcat init script. Local attackers who have already gained access to the tomcat account can use it to escalate their privileges from the tomcat user to root and fully compromise the target system.
0ac41921eb75c8008e9f94786db836a9f76e614d54c6925c606eecf1de5fb188
This Metasploit module creates a local user with a username/password and root-level privileges. Note that a root-level account is not required to do this, which makes it a privilege escalation issue. Note that this is pretty noisy, since it creates a user account and creates log files and such. Additionally, most (if not all) vulnerabilities in F5 grant root access anyway.
ec59a3d52e4d78cf9bacb372140fcd5f2f2c8928aed87fa348ad1aed6d0bcde0
This Metasploit module exploits a bug in io_uring leading to an additional put_cred() that can be exploited to hijack credentials of other processes. This exploit will spawn SUID programs to get the freed cred object reallocated by a privileged process and abuse them to create a SUID root binary that will pop a shell. The dangling cred pointer will, however, lead to a kernel panic as soon as the task terminates and its credentials are destroyed. We therefore detach from the controlling terminal, block all signals and rest in silence until the system shuts down and we get killed hard, just to cry in vain, seeing the kernel collapse. The bug affected kernels from v5.12-rc3 to v5.14-rc7. More than 1 CPU is required for exploitation. Successfully tested against Ubuntu 22.04.01 with kernel 5.13.12-051312-generic.
ddab5b3975fc82e2a23c5e4e05a57af4893abfbc613df02d507c1013c62dc088
If the vmwgfx driver fails to copy the fence_rep object to userland, it tries to recover by deallocating the (already populated) file descriptor. This is wrong, as the fd gets released via put_unused_fd(), which shouldn't be used because the fd table slot was already populated via the previous call to fd_install(). This leaves userland with a valid fd table entry pointing to a freed file object. The authors use this bug to overwrite a SUID binary with their payload and gain root. Linux kernel versions 4.14-rc1 through 5.17-rc1 are vulnerable. Successfully tested against Ubuntu 22.04.01 with kernel 5.13.12-051312-generic.
6360a81de99a383330c5955ece5414f2f3b254143f1a5b9246e669769aa929fc
Control Web Panel versions prior to 0.9.8.1147 are vulnerable to unauthenticated OS command injection. Successful exploitation results in code execution as the root user. The results of the command are not contained within the HTTP response and the request will block while the command is running.
00cb85e5ab25f2d5091aa8c72d9d5252d08919dce9dbd37743bea7469e5dbc51