Exploits a missing verification of parameters within the "vmsplice_to_user()", "copy_from_user_mmap_sem()", and "get_iovec_page_array()" functions in fs/splice.c before using them to perform certain memory operations. This can be exploited to e.g. read or write to arbitrary kernel memory via a specially crafted "vmsplice()" system call, and allows an unprivileged process to elevate privileges to root.
This module exploits a vulnerability in the udp_sendmsg function in the UDP implementation in net/ipv4/udp.c and net/ipv6/udp.c in the Linux kernel before 2.6.19 allowing local users to gain privileges via vectors involving the MSG_MORE flag and a UDP socket.
This module exploits a vulnerability in KOBJECT_UEVENT through an installed unprivileged agent, allowing the execution of arbitrary code with superuser privileges.
The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.
The __sock_diag_rcv_msg() function in net/core/sock_diag.c of the Linux kernel does not validate the value of the sdiag_family field, which is used to index the sock_diag_handlers array. This can be exploited by a local unprivileged attacker to gain root privileges by sending a specially crafted Netlink message to the kernel.
This module exploits a local vulnerability in the set_fs function in the Linux kernel prior to 2.6.37.
Improper input validation in the RDS protocol implementation in the Linux kernel allows local unprivileged users to escalate their privileges and execute arbitrary code with root permissions. The RDS protocol does not properly check that the base address of a user-provided iovec struct points to a valid userspace address before using the __copy_to_user_inatomic() function to copy the data. By providing a kernel address as an iovec base and issuing a recvmsg() style socket call, a local user could write arbitrary data into kernel memory, thus escalating privileges to root.
This module exploits a vulnerability in the Linux kernel. The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call.
This module exploits a vulnerability in the Linux kernel. The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the LECHO & !OPOST case, which allows local attackers to escalate privileges by triggering a race condition involving read and write operations with long strings.
As stated in the advisory published by iSEC Security Research: "A critical security vulnerability has been found in the Linux kernel memory management code inside the mremap(2) system call due to missing function return value check. [...] Proper exploitation of this vulnerability leads to local privilege escalation giving an attacker full super-user privileges." Vulnerable versions of the Linux kernel: "2.2 up to and including 2.2.25, 2.4 up to and including 2.4.24, 2.6 up to and including 2.6.2". Upon successful exploitation, this module will deploy a new agent.