The KVMTest method in the com.ubuntu.USBCreator D-Bus service in Ubuntu Linux can invoke the 'kvm' binary with root privileges using an arbitrary environment provided by an unprivileged user. This flaw can be leveraged by a local unprivileged attacker to gain root privileges. The target system must have the 'kvm' binary in the search path (that usually means that the qemu-kvm package must be installed). Also, the system must have at least 768 Mb of free RAM at the moment the exploit is executed; otherwise the vulnerable service will refuse to run.
The Ubuntu 5.10 installer does not properly clear passwords from the installer log file (questions.dat), and leaves the log file with world-readable permissions, which allows local users to gain privileges.
This module exploits a local vulnerability in Trend Micro IWSS to gain elevated privileges on the affected computer.
This module creates a new user with root privileges using a vulnerability in the chfn command. After successful exploitation, a new agent will be deployed on the target host with root privileges.
This module exploits a missing verification of the path in the "sudoedit" command provided by the sudo package. This can be exploited to execute any command as root, including a shell, allowing an unprivileged process to elevate its privileges to root.
The PulseAudio reload functionality has an exploitable race condition vulnerability. The pulseaudio executable is setuid root, so exploiting this bug allows an attacker to gain root privileges. This module uploads a binary exploit to the target machine and executes it with different parameters to try to exploit the vulnerability. As race conditions are sensitive to hardware and CPU load changes, this module may fail on some vulnerable machines.
The internal stack may be overrun using the controls module with a specially crafted control sequence. This condition can be exploited by attackers to ultimately execute instructions with the privileges of the ProFTPD process, typically administrator or system. Exploitation requires a valid local user with access to the controls socket. After successful exploitation an agent will be deployed. This agent will inherit the user identity and capabilities of the abused service, usually those of the ftp server. However, the euid (as opposed to the uid) of the agent may not be that of the super user (it is usually "nobody"); by using the setuid module (see the setuid module documentation), it can be changed to zero (root). This exploit may cause a Denial of Service on the target ProFTPD server.
This module exploits a local race-condition vulnerability in PolicyKit, which allows local users to execute arbitrary code with root privileges.
The PAM MOTD module in Ubuntu does not correctly handle path permissions when creating user file stamps. A local attacker can exploit this to gain root privileges.
The MIT-SHM extension for the X.org X11 server before 1.4 is vulnerable to a buffer overflow that allows an attacker to run arbitrary code as root. The error is located in the compNewPixmap function. This module triggers the overflow while creating a window with a high bit depth and a second child window with a lower bit depth. The overflow is only possible when windows of different depths can be created on the display, so most servers running in 24- or 32-bit modes are not vulnerable, because the X server usually stores 24-bit pixels in 4 bytes. After successful exploitation an agent will be installed with root privileges.