This module exploits a vulnerability in the Linux kernel related to the netfilter target_offset field. This vulnerability can be exploited by a local unprivileged attacker to gain root privileges.
This module exploits a user-after-free vulnerability in the Linux Kernel. When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode references a non-map file descriptor as a map file descriptor, the error handling code called fdput() twice instead of once (in __bpf_map_get() and in replace_map_fd_with_map_ptr()). If the file descriptor table of the current task is shared, this causes f_count to be decremented too much, allowing the struct file to be freed while it is still in use (use-after-free). This can be exploited to gain root privileges by an unprivileged user.
The default error page in Spring Boot (also know as "Whitelabel Error Page"), when a type error is detected in a parameter configured in a controller, will display the provided value. The page's rendering expands Spring Expression Language (SPEL) expressions found in the page, and it does so recursively. Because of this, a string containing an expression language provided as the value for an URL parameter may be evaluated server side while rendering the page if it's from a different type to the expected for said parameter. The "Whitelabel Error Page" is provided by default, but it can be customized. This attack has only been tested with the default error page. In particular, if SPEL is not used a the templating language for another page, or if the page doesn't print the exception due to type mismatch, the attack is not possible.
An authenticated user may inject arbitrary xauth commands by sending an x11 channel request that includes a newline character in the x11 cookie. The newline acts as a command separator to the xauth binary. The injected xauth commands are performed with the effective permissions of the logged in user. This attack requires the server to have 'X11Forwarding yes' enabled. This module injects source xauth command to retrieve arbitrary files.
Jenkins is prone to a remote vulnerability that allows attackers to take advantage of a deserialization vulnerability present in the XStream Java library. By exploiting known methods, it is possible to remotely load a ProcessBuilder Java class, which allows the execution of system commands.
Exim installations compiled with Perl support do not perform sanitation of the environment before loading a perl script defined with perl_startup setting in exim config file. This can be exploited by malicious local attackers to gain root privileges.
This module exploits a SQL Injection vulnerability in Joomla which allows gathering of users and password hashes by parsing SQL output errors
The join_session_keyring() function in security/keys/process_keys.c in the Linux kernel is prone to a reference counter overflow that occurs when a process repeatedly tries to join an already existing keyring. This vulnerability can be leveraged by local unprivileged attackers to gain root privileges on the affected systems.
An OS Command Injection vulnerability exists in the "Landing Pages" plugin for WordPress. This module verifies the vulnerability and provides a OS Command Inection Agent.
The EnableNetwork method in the org.blueman.Mechanism D-Bus service of Blueman, a Bluetooth Manager, receives untrusted Python code provided by unprivileged users and evaluates it as root. This can be leveraged by a local unprivileged attacker to gain root privileges.