This module takes advantage of this issue to escape the virtualized environment (Guest OS) and install an agent on the system that runs it (Host OS). The module searches all user Desktop folders on the host machine and modifies the '.lnk' files in each one so that they reference a new executable program (an agent file). When the user executes one of these '.lnk' files, an agent is installed and all '.lnk' files are restored to their previous references.
The vmx86 kext ioctl handler, part of the VMware Fusion application, allows unprivileged processes to initialize function pointers. This module exploits the vulnerability via the 0x802E564A ioctl, obtaining root privileges.
The KVMTest method in the com.ubuntu.USBCreator D-Bus service in Ubuntu Linux can invoke the 'kvm' binary with root privileges using an arbitrary environment provided by an unprivileged user. This flaw can be leveraged by a local unprivileged attacker to gain root privileges. The target system must have the 'kvm' binary in the search path (that usually means that the qemu-kvm package must be installed). Also, the system must have at least 768 Mb of free RAM at the moment the exploit is executed; otherwise the vulnerable service will refuse to run.
The Ubuntu 5.10 installer does not properly clear passwords from the installer log file (questions.dat), and leaves the log file with world-readable permissions, which allows local users to gain privileges.
This module exploits a privilege escalation vulnerability in the tmtdi.sys driver of Trend Micro Titanium Maximum Security and OfficeScan products. The vulnerable driver trusts a dword passed from user mode via IOCTL 0x220404, and interprets it as a function pointer without performing validations. This vulnerability allows unprivileged local users to execute code with SYSTEM privileges.
This module exploits a local vulnerability in Trend Micro IWSS to gain elevated privileges on the affected computer.
This module exploits a code execution vulnerability in the Veritas Web Server service by sending a specially crafted authentication request to the 14300/TCP port, allowing local users to gain elevated privileges.
This module exploits a vulnerability in Symantec products when the 0x83022323 function is invoked with a specially crafted parameter. The IOCTL 0x83022323 handler in the SYMTDI.SYS device driver in Symantec products allows local users to overwrite memory and execute arbitrary code via malformed Interrupt Request Packet (Irp) parameters to obtain system privileges.
This module exploits a privilege escalation vulnerability in Symantec LiveUpdate Administrator.
This module creates a new user with root privileges using a vulnerability in the chfn command. After successful exploitation, a new agent will be deployed on the target host with root privileges.