As explained in the description of the CVE entry associated with this vulnerability: "do_command.c in Vixie cron (vixie-cron) 4.1 does not check the return code of a setuid call, which might allow local users to gain root privileges if setuid fails in cases such as PAM failures or resource limits, as originally demonstrated by a program that exceeds the process limits as defined in /etc/security/limits.conf." This exploit will create new processes until the limit of available processes is exceeded, this will cause the setuid() system call to fail instead of dropping privileges, forcing the exploitable condition.
The suid_dumpable support in Linux kernel 2.6.13 up to versions before 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to [...] gain privileges via the PR_SET_DUMPABLE argument of the prctl function and a program that causes a core dump file to be created in a directory for which the user does not have permissions. Note: you should remove the core file created in the "/etc/cron.d" directory after this bug was successfully exploited.
A logical error in sudo when the env_reset option is disabled allows local attackers to define environment variables that were supposed to be blacklisted by sudo. This can be exploited by a local unprivileged attacker to gain root privileges by manipulating the environment of a command that the user is legitimately allowed to run with sudo.
This module exploits a vulnerability in Linux for x86_64. The IA32 system call emulation functionality does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to trigger an out-of-bounds access to the system call table using the %RAX register and escalate privileges.
Linux contains a vulnerability in it's exec() implementation that may allow for modification of a setuid process memory via ptrace(). The vulnerability is due to the fact that it is possible for a traced process to exec() a setuid image even when the tracing process is setuid.
The NVIDIA Binary Graphics Driver for Linux is vulnerable to a buffer overflow that allows an attacker to run arbitrary code as root. This bug can be exploited locally. NOTE: The user logged on the X server must be the same user of the installed local agent.
The kernel module loader in Linux kernel 2.2.x before 2.2.25, and 2.4.x before 2.4.21, allows local users to gain root privileges by using ptrace to attach to a child process that is spawned by the kernel. This module exploits this vulnerability and if is successful, install a new agent with root privileges.
On x86_64 Intel CPUs, sysret to a non-canonical address causes a fault on the sysret instruction itself after the stack pointer has been set to a usermode-controlled value, but before the current privilege level (CPL) is changed. A flaw in the ptrace subsystem of the Linux kernel allows a tracer process to set the RIP register of the tracee to a non-canonical address, which is later used when returning to user space with a sysret instruction instead of iret after a system call, thus bypassing sanity checks that were previously introduced to fix related vulnerabilities. This vulnerability can be used by a local unprivileged attacker to corrupt kernel memory and gain root privileges on the affected system.
Subscribe to Privilege Escalation