This module exploits a buffer overflow vulnerability in smcFanControl in Apple Mac OS X 10.4 that allows local users to get code execution with elevated privileges.
This module exploits a vulnerability in the PPP daemon (pppd) in Apple Mac OS X which allows an attacker to load arbitrary plugins and gain root privileges by bypassing this check.
This module exploits a vulnerability in the "i386_set_ldt" function of "mach_kernel" by creating a "call gate" entry in the LDT. It then jumps to the new call gate selector and, from ring 0, sets the UID and EUID of the current process to root (ID 0).
This module exploits a format string vulnerability in CUPS lppasswd in Apple Mac OS X 10.5.6 that allows local users to get code execution with elevated privileges. Exploitation requires a valid local user with access to the lppasswd command. After successful exploitation an agent will be deployed. This agent will inherit the user identity and capabilities of the previous agent. However, the euid (as opposed to the uid) of the agent may not be that of the superuser (it is usually "nobody"); by using the setuid module (see the setuid module documentation), it can be changed to zero (root).
This module exploits a vulnerability in ARDAgent in Apple Mac OS X 10.4 and 10.5 that allows local users to gain privileges via an osascript tell command.
When a process executes a setuid executable, all existing rights to the task port are invalidated, to make sure unauthorized processes do not retain control of the process. Exception handlers however remain installed, and when some kind of hardware exception occurs, the exception handler can receive a new right to the task port as one of its arguments, and thus regain full control over the process. Interestingly, the code to reset the exception handlers (and hence thwart this attack) upon exec() of a setuid executable has been present in the kernel since OSX 10.3, but is disabled (#if 0) for unspecified reasons.
The MIT-SHM extension for the X.org X11 server before 1.4 is vulnerable to a buffer overflow that allows an attacker to run arbitrary code as root. The error is located in the compNewPixmap function. This module triggers the overflow while creating a window with a high bit depth and a second child window with a lower bit depth. The overflow is only possible when windows of different depth can be created on the display, so most servers in 24- or 32-bit modes are not vulnerable, because the X server usually stores 24-bit pixels in 4 bytes. After successful exploitation an agent will be installed with root privileges.
As explained in the description of the CVE entry associated with this vulnerability: "do_command.c in Vixie cron (vixie-cron) 4.1 does not check the return code of a setuid call, which might allow local users to gain root privileges if setuid fails in cases such as PAM failures or resource limits, as originally demonstrated by a program that exceeds the process limits as defined in /etc/security/limits.conf." This exploit will create new processes until the limit of available processes is exceeded; this causes the setuid() system call to fail instead of dropping privileges, forcing the exploitable condition.
The suid_dumpable support in Linux kernel 2.6.13 up to versions before 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to [...] gain privileges via the PR_SET_DUMPABLE argument of the prctl function and a program that causes a core dump file to be created in a directory for which the user does not have permissions. Note: you should remove the core file created in the "/etc/cron.d" directory after this bug has been successfully exploited.
A logical error in sudo when the env_reset option is disabled allows local attackers to define environment variables that were supposed to be blacklisted by sudo. This can be exploited by a local unprivileged attacker to gain root privileges by manipulating the environment of a command that the user is legitimately allowed to run with sudo.