When the "CreateWindow" function is called, the Windows kernel calls to user through callbacks pushing in the stack many arguments to be used for the callback function. One argument of these is the hParent Window. After that, the windows kernel re-uses this argument. If this argument is seted with the pseudo-handle 0xfffffffe or 0xffffffff by the callback function, the bug is triggered.
When the "CreateWindow" function is called, the Windows kernel calls to user through callbacks pushing in the stack many arguments to be used for the callback function. One argument of these is the hParent Window. After that, the windows kernel re-uses this argument. If this argument is modified by the callback function, the bug is triggered.
This module exploits a format string vulnerability in CUPS lppasswd in Apple Mac OS X 10.5.6 that allows local users to get code execution with elevated privileges. Exploitation requires valid local user, with access to the lppasswd command. After successful exploitation an agent will be deployed. This agent will inherit the user identity and capabilities of the previous agent. However, the euid (as opposite to the uid) of the agent may be not that of the super user (usually is "nobody"), and by using the setuid module (see setuid module documentation), it can be changed to zero (root).
When a process executes a setuid executable, all existing rights to the task port are invalidated, to make sure unauthorized processes do not retain control of the process. Exception handlers however remain installed, and when some kind of hardware exception occurs, the exception handler can receive a new right to the task port as one of its arguments, and thus regain full control over the process. Interestingly, the code to reset the exception handlers (and hence thwart this attack) upon exec() of a setuid executable has been present in the kernel since OSX 10.3, but is disabled (#if 0) for unspecified reasons.
The MIT-SHM extension for the X.org X11 server before 1.4 is vulnerable to a buffer overflow that allows an attacker to run arbitrary code as root. The error is located in the compNewPixmap function. This module triggers the overflow while creating a window with a high bit depth and a second child window with a lower bit depth. The overflow is only possible when windows of different depth can be created on the display, so most servers on 24 or 32 bit modes are not vulnerable, because the X server usually stores 24 bit pixels in 4 bytes. After successful exploitation an agent will be installed with root privileges.
Subscribe to Privilege Escalation