The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.
The __sock_diag_rcv_msg() function in net/core/sock_diag.c of the Linux kernel does not validate the value of the sdiag_family field, which is used to index the sock_diag_handlers array. This can be exploited by a local unprivileged attacker to gain root privileges by sending a specially crafted Netlink message to the kernel.
This module exploits a local vulnerability in the set_fs function in the Linux kernel prior to 2.6.37.
Improper input validation in the RDS protocol implementation in the Linux kernel allows local unprivileged users to escalate their privileges and execute arbitrary code with root permissions. The RDS protocol does not properly check that the base address of a user-provided iovec struct points to a valid userspace address before using the __copy_to_user_inatomic() function to copy the data. By providing a kernel address as an iovec base and issuing a recvmsg() style socket call, a local user could write arbitrary data into kernel memory, thus escalating privileges to root.
This module exploits a vulnerability in the Linux kernel. The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call.
This module exploits a vulnerability in the Linux kernel. The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the LECHO & !OPOST case, which allows local attackers to escalate privileges by triggering a race condition involving read and write operations with long strings.
As stated in the advisory published by iSEC Security Research: "A critical security vulnerability has been found in the Linux kernel memory management code inside the mremap(2) system call due to missing function return value check. [...] Proper exploitation of this vulnerability leads to local privilege escalation giving an attacker full super-user privileges." Vulnerable versions of the Linux kernel: "2.2 up to and including 2.2.25, 2.4 up to and including 2.4.24, 2.6 up to and including 2.6.2". Upon successful exploitation, this module will deploy a new agent.
This module exploits a vulnerability in the Linux Kernel. The futex_requeue function in kernel/futex.c in the Linux kernel does not ensure that calls have two different futex addresses, which allows local attackers to gain privileges via a crafted FUTEX_REQUEUE command.
This module exploits a vulnerability in Linux for x86-64. The IA32 system call emulation functionality does not zero-extend the EAX register after the 32-bit entry path to ptrace is used, which might allow local users to trigger an out-of-bounds access to the system call table using the RAX register and gain root privileges. This vulnerability is a regression of CVE-2007-4573.
A local user can invoke the Ext4 'move extents' ioctl call with certain options to execute arbitrary code and gain privileged access.