The /CFIDE/adminapi/customtags/l10n.cfm page in Adobe ColdFusion is prone to a Local File Inclusion vulnerability because it does not properly validate its attributes.file parameter. This can be abused by a remote unauthenticated attacker to execute arbitrary code on vulnerable servers. The agent may have SYSTEM privileges if ColdFusion is installed as a service on Windows.
X.Org server (xorg-server) 1.0.0 and later, X11R6.9.0, and X11R7.0 inadvertently treats the address of the geteuid function as if it is the return value of a call to geteuid, which allows local users to bypass intended restrictions and (1) execute arbitrary code via the -modulepath command line option or (2) overwrite arbitrary files via -logfile.
The KVMTest method in the com.ubuntu.USBCreator D-Bus service in Ubuntu Linux can invoke the 'kvm' binary with root privileges using an arbitrary environment provided by an unprivileged user. This flaw can be leveraged by a local unprivileged attacker to gain root privileges. The target system must have the 'kvm' binary in the search path (that usually means that the qemu-kvm package must be installed). Also, the system must have at least 768 Mb of free RAM at the moment the exploit is executed; otherwise the vulnerable service will refuse to run.
This module creates a new user with root privileges using a vulnerability of the chfn command. After successful exploitation a new agent will be deployed on the target host with root privileges.
Exploits a missing verification of the path in the command "sudoedit", provided by the sudo package. This can be exploited to e.g. execute any command as root including a shell, allowing an unprivileged process to elevate privileges to root.
The PulseAudio reload functionality has an exploitable race condition vulnerability. The executable file pulseaudio is seteuid root, therefore exploiting this bug allows to gain root privileges. This module uploads a binary exploit to the target machine and executes it with different parameters to try to exploit the vulnerability. As race conditions are sensitive to hardware and CPU load changes, this module may fail on some vulnerable machines.
The internal stack may be overrun using the controls module with a special crafted control sequence. This condition can be exploited by attackers to ultimately execute instructions with the privileges of the ProFTPD process, typically administrator or system. Exploitation requires valid local user, with access to the controls socket. After successful exploitation an agent will be deployed. This agent will inherit the user identity and capabilities of the abused service, usually those of the ftp server. However, the euid (as opposite to the uid) of the agent may be not that of the super user (usually is "nobody"), and by using the setuid module (see setuid module documentation), it can be changed to zero (root). This exploit may cause a Denial of Service on the target ProFTPD server.
Subscribe to Linux