In the kernel code for the setitimer() system call the 'which' parameter (which is a signed integer) is validated with the mistaken assumption that the value cannot be negative. Passing a negative value for this parameter results in writing into an array indexed with the 'which' parameter and overwriting memory outside the array. This exploit overwrites the current credential structure of the current process to set the user id to 0 (root) then launches a new agent.
CVE Link
Exploit Platform
Exploit Type
Product Name