This module exploits a vulnerability in the Linux kernel. The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call.
This module exploits a vulnerability in the Linux Kernel. The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the LECHO & !OPOST case, which allows local attackers to escalate privileges by triggering a race condition involving read and write operations with long strings.
As stated in the advisory published by iSEC Security Research: "A critical security vulnerability has been found in the Linux kernel memory management code inside the mremap(2) system call due to missing function return value check. [...] Proper exploitation of this vulnerability leads to local privilege escalation giving an attacker full super-user privileges." Vulnerable versions of the Linux kernel: "2.2 up to and including 2.2.25, 2.4 up to and including 2.4.24, 2.6 up to and including 2.6.2". Upon successful exploitation, this module will deploy a new agent.
This module exploits a vulnerability in the Linux Kernel. The futex_requeue function in kernel/futex.c in the Linux kernel does not ensure that calls have two different futex addresses, which allows local attackers to gain privileges via a crafted FUTEX_REQUEUE command.
This module exploits a vulnerability in Linux for x86-64. The IA32 system call emulation functionality does not zero-extend the EAX register after the 32-bit entry path to ptrace is used, which might allow local users to trigger an out-of-bounds access to the system call table using the RAX register and gain root privileges. This vulnerability is a regression of CVE-2007-4573.
A local user can invoke the Ext4 'move extents' ioctl call, with certain options to execute arbitrary code and gain privileged access.
The Linux kernel function do_brk(), which handles the brk() syscall used by programs to increase or decrease the amount of heap memory they are using, does not sanity-check its argument. This module exploits this bug and writes to kernel memory in order to execute privileged code. This bug can even be exploited on a hardened Linux kernel, patched with PaX or grsecurity for instance.
This module exploits a privilege escalation vulnerability in the Linux Kernel. The X86_X32 recvmmsg syscall does not properly sanitize the timeout pointer passed from userspace and allows a local attacker to escalate privileges.
The "compat_alloc_user_space" function, which belongs to the 32-bit compatibility layer for 64-bit versions of Linux, can produce a stack pointer underflow when it's called with an arbitrary length input. This vulnerability can be used by local unprivileged users to corrupt the kernel memory in order to gain root privileges.
The Composite extension for the X.org X11 server before 1.4 is vulnerable to a buffer overflow that allows an attacker to run arbitrary code as root. The error is located in the compNewPixmap function. This module triggers the overflow while creating a window with a high bit depth and a second child window with a lower bit depth. The overflow is only possible when windows of different depth can be created on the display, so most servers on 24 or 32 bit modes are not vulnerable, because the X server usually stores 24 bit pixels in 4 bytes. After successful exploitation an agent will be installed.