This module exploits a local race-condition vulnerability in PolicyKit, which allows local users to execute arbitrary code with root privileges.
The PAM MOTD module in Ubuntu does not correctly handle path permissions when creating user file stamps. A local attacker can exploit this to gain root privileges.
The MIT-SHM extension for the X.org X11 server before 1.4 is vulnerable to a buffer overflow that allows an attacker to run arbitrary code as root. The error is located in the compNewPixmap function. This module triggers the overflow by creating a window with a high bit depth and then a child window with a lower bit depth. The overflow is only possible when windows of different depths can be created on the display, so most servers running in 24- or 32-bit modes are not vulnerable, because the X server usually stores 24-bit pixels in 4 bytes. After successful exploitation an agent will be installed with root privileges.
As explained in the description of the CVE entry associated with this vulnerability: "do_command.c in Vixie cron (vixie-cron) 4.1 does not check the return code of a setuid call, which might allow local users to gain root privileges if setuid fails in cases such as PAM failures or resource limits, as originally demonstrated by a program that exceeds the process limits as defined in /etc/security/limits.conf." This exploit creates new processes until the limit of available processes is exceeded, which causes the setuid() system call to fail instead of dropping privileges and so forces the exploitable condition.
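The bug class behind this entry, shown as an added illustration that is not the module's code or Vixie cron's source (the function names are hypothetical): the unchecked setuid() call next to the checked form. Run without privileges, setuid(0) fails with EPERM rather than with the EAGAIN that the process-limit trick provokes in cron, but the consequence of ignoring the return value is the same: the job keeps running with the caller's uid.

```c
/* Added example: unchecked vs. checked privilege drop.
 * Not code from the page's module or from Vixie cron; names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable pattern, mirroring the do_command.c mistake: the return value of
 * setuid() is discarded. If the call fails (EAGAIN from a process limit, EPERM,
 * or a PAM failure earlier on), the child silently keeps its original uid and
 * still runs the job. Returns the effective uid actually in force afterwards. */
uid_t run_job_unchecked(uid_t target)
{
    setuid(target);   /* result ignored: this is the bug */
    return geteuid(); /* may still be the caller's uid */
}

/* Hardened pattern: check the return value, then confirm with getuid()/geteuid()
 * that the change really took effect before doing anything as the new user.
 * Returns 0 on success and -1 on failure (errno copied to *saved_errno if the
 * pointer is non-NULL); it never carries on with the wrong privileges. */
int run_job_checked(uid_t target, int *saved_errno)
{
    if (setuid(target) != 0) {
        if (saved_errno)
            *saved_errno = errno;
        return -1;
    }
    /* Belt and braces: verify the real and effective uids are now the target. */
    if (getuid() != target || geteuid() != target) {
        if (saved_errno)
            *saved_errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    int err = 0;
    uid_t me = getuid();
    /* Hypothetical target: root when unprivileged, so the call is refused with
     * EPERM; 65534 (nobody on most distributions) when already root. */
    uid_t other = (me == 0) ? (uid_t)65534 : (uid_t)0;

    if (run_job_checked(other, &err) != 0)
        printf("checked: refused to run job, setuid(%u) failed: %s\n",
               (unsigned)other, strerror(err));
    else
        printf("checked: job now runs as uid %u\n", (unsigned)geteuid());

    printf("unchecked: job would run as uid %u\n",
           (unsigned)run_job_unchecked(other));
    return 0;
}
```

Compile with `cc -Wall setuid_check.c`; as an ordinary user the checked variant reports EPERM and stops, while the unchecked variant reports that the job would still run under the caller's uid.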
The suid_dumpable support in Linux kernel 2.6.13 up to versions before 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to [...] gain privileges via the PR_SET_DUMPABLE argument of the prctl function and a program that causes a core dump file to be created in a directory for which the user does not have permissions. Note: you should remove the core file created in the "/etc/cron.d" directory after this bug has been successfully exploited.
A logical error in sudo when the env_reset option is disabled allows local attackers to define environment variables that sudo was supposed to blacklist. This can be exploited by a local unprivileged attacker to gain root privileges by manipulating the environment of a command that the user is legitimately allowed to run with sudo.
SING is prone to a local privilege-escalation vulnerability. This module exploits the vulnerability and installs an agent with root privileges.
This module exploits a vulnerability in Linux for x86_64. The IA32 system call emulation functionality does not zero-extend the eax register after the 32-bit entry path to ptrace is used, which might allow local users to trigger an out-of-bounds access to the system call table using the %RAX register and escalate privileges.
Linux contains a vulnerability in its exec() implementation that may allow the memory of a setuid process to be modified via ptrace(). The vulnerability is due to the fact that it is possible for a traced process to exec() a setuid image even when the tracing process is setuid.
The NVIDIA Binary Graphics Driver for Linux is vulnerable to a buffer overflow that allows an attacker to run arbitrary code as root. This bug can be exploited locally. NOTE: The user logged on to the X server must be the same user that the local agent is installed as.