The amd64_set_ldt() function in sys/amd64/amd64/sys_machdep.c in the FreeBSD kernel code is prone to an integer signedness error when processing a system call with specially crafted parameters originated from user space. This issue ultimately leads to a kernel heap overflow, which can be used by unprivileged local attackers to cause a kernel panic and crash the machine.
The Adobe updater service, armsvc, exposes 2 service codes and a shared memory section. Those elements combined, allow a local attacker to execute code as SYSTEM.
The join_session_keyring() function in security/keys/process_keys.c in the Linux kernel is prone to a reference counter overflow that occurs when a process repeatedly tries to join an already existing keyring. This vulnerability can be leveraged by local unprivileged attackers to gain root privileges on the affected systems.
This module exploits a vulnerability present in Mac OS X. dyld in Apple OS X before 10.10.5 does not properly validate pathnames in the environment, which allows local users to gain root privileges via the DYLD_PRINT_TO_FILE environment variable.
A vulnerability in the Network Driver Interface Standard (NDIS) implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows local users to trigger buffer overflow. This allows unprivileged local user to cause an invalid dereference in kernel mode, which produces a BSoD.
The EnableNetwork method in the org.blueman.Mechanism D-Bus service of Blueman, a Bluetooth Manager, receives untrusted Python code provided by unprivileged users and evaluates it as root. This can be leveraged by a local unprivileged attacker to gain root privileges.
This module exploits a vulnerability in win32k.sys by calling to SetParent function with crafted parameters.
This module exploits a vulnerability in Linux. The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application.
The 'sosreport' program, part of the ABRT bug reporting system used in Red Hat Enterprise Linux, does not handle symbolic links correctly when writing core dumps of ABRT programs to the ABRT dump directory (/var/tmp/abrt). This can be leveraged by local unprivileged attackers to gain root privileges on vulnerable systems.
The 'fusermount' binary, part of the FUSE system in Linux, executes the /bin/mount binary with ruid set to 0 without clearing the environment variables provided by unprivileged users. This flaw can be leveraged by local unprivileged users to gain root privileges by leveraging the functionality provided by the LIBMOUNT_MTAB environment variable to overwrite an arbitrary file on the affected system. This module will try to overwrite the /etc/bash.bashrc file, which is executed every time any user spawns an interactive Bash shell. That means that a new agent will be deployed every time any user opens a new interactive shell (either login or non-login ones) on the vulnerable machine. Note that this also means that installed agents will run with the privileges of the users that have launched interactive shells. Unlike other privilege escalation exploits, this module will not stop after installing the first agent; it will stay running until a new agent with root permissions is installed (that is, if the root user happens to run an interactive shell on the vulnerable machine), or until the user-specified time limit is reached, whatever happens first. Note that non-root agents will be kept, since they still can be valuable despite not having superuser privileges.
Pagination
- Previous page
- Page 22
- Next page