This module exploits a command injection error in the function _AddPrinterW in Samba 3, reached through an AddPrinter remote request. For this exploit to work, the "addprinter command" option must be enabled on smb.conf, the samba configuration file. The agent will normally run as the "nobody" user, and will have limited capabilities.
A vulnerability has been identified in HP Linux Imaging and Printing System (HPLIP), which could be exploited by remote attackers to install an agent with root privileges. This issue is caused by input validation errors in the hpssd daemon that does not validate user-supplied data before being passed to a "popen3()" call, which could be exploited by malicious users to inject and execute arbitrary commands.
A vulnerability has been identified in HP Linux Imaging and Printing System (HPLIP), which could be exploited by local attackers to obtain elevated privileges. This issue is caused by input validation errors in the hpssd daemon that does not validate user-supplied data before being passed to a "popen3()" call, which could be exploited by malicious users to inject and execute arbitrary commands.
This module exploits a vulnerability in Citrix NetScaler server. Citrix NetScaler is prone to a memory-corruption vulnerability when handling certain SOAP requests.
Exploits a missing verification of the path in the command "sudoedit", provided by the sudo package. This can be exploited to e.g. execute any command as root including a shell, allowing an unprivileged process to elevate privileges to root.
The bdfReadCharacters() function in the libXfont component of X.Org is prone to a stack-based buffer overflow vulnerability when parsing a specially crafted BDF font file. This vulnerability can be exploited by a local unprivileged attacker to gain root privileges.
Local attackers can exploit this issue to execute arbitrary code with superuser privileges. Successfully exploiting this issue will facilitate the complete compromise of affected computers.
On Intel CPUs, sysret to non-canonical addresses causes a fault on the sysret instruction itself after the stack pointer is set to guest value but before the current privilege level (CPL) is changed. FreeBSD is vulnerable to this issue due to insufficient sanity checks when returning from a system call. This module exploits the vulnerability and installs an agent with root privileges.
Due to spurious call to pfs_unlock() in pfs_getattr() (as defined in sys/fs/pseudofs/pseudofs_vnops.c), null pointer is dereferenced after calling extattr_get_attribute() on pseudofs vnode. By allocating page at address 0x0, attacker can overwrite arbitrarily chosen portion of kernel memory, leading to crash or local root escalation. This module exploits the vulnerability via the procfs file system, obtaining root privileges.
Improper input validation in the FreeBSD kernel's NFS client-side implementation allows local unprivileged users to escalate their privileges and execute arbitrary code with root permissions. The function nfs_mount() in file src/sys/nfsclient/nfs_vfsops.c, which is reachable from the mount and nmount system calls, employs an insufficient input validation method for copying data passed in a structure of type nfs_args from userspace to kernel. Specifically, the file handle buffer to be mounted (args.fh) and its size (args.fhsize) are completely user-controllable. This vulnerability can cause a kernel stack overflow which leads to privilege escalation.