Sebastian Krahmer

24 exploits Active since May 2000
CVE-2013-0292 GITHUB c WORKING POC
dbus-glib < 0.100 - Privilege Escalation via Spoofed NameOwnerChanged Signal
The dbus_g_proxy_manager_filter function in dbus-gproxy in Dbus-glib before 0.100.1 does not properly verify the sender of NameOwnerChanged signals, which allows local users to gain privileges via a spoofed signal.
CVE-2017-8422 EXPLOITDB HIGH c WORKING POC
KDE kdelibs < 4.14.32 and KAuth < 5.34 - Authentication Bypass via CallerID Spoofing
KDE kdelibs before 4.14.32 and KAuth before 5.34 allow local users to gain root privileges by spoofing a callerID and leveraging a privileged helper app.
CVSS 7.8
CVE-2012-4425 EXPLOITDB c WORKING POC
spice-gtk - Privilege Escalation via DBUS_SYSTEM_BUS_ADDRESS Environment Variable
libgio, when used in setuid or other privileged programs in spice-gtk and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE: it could be argued that this is a vulnerability in the applications that do not cleanse environment variables, not in libgio itself.
CVE-2017-1000083 METASPLOIT HIGH ruby WORKING POC
Evince CBT File Command Injection
backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to execute arbitrary commands via a .cbt file that is a TAR archive containing a filename beginning with a "--" command-line option substring, as demonstrated by a --checkpoint-action=exec=bash at the beginning of the filename.
CVSS 7.8
CVE-2015-8612 METASPLOIT HIGH ruby WORKING POC
Blueman <2.0.3 - Privilege Escalation
The EnableNetwork method in the Network class in plugins/mechanism/Network.py in Blueman before 2.0.3 allows local users to gain privileges via the dhcp_handler argument.
CVSS 8.4
CVE-2002-1275 EXPLOITDB perl WORKING POC
html2ps 1.0 - Remote Code Execution
Unknown vulnerability in html2ps HTML/PostScript converter 1.0, when used within LPRng, allows remote attackers to execute arbitrary code via "unsanitized input."
CVE-2003-0886 EXPLOITDB c WORKING POC
Hylafax <= 4.1.7 - Remote Code Execution via Format String Vulnerability
Format string vulnerability in hfaxd for Hylafax 4.1.7 and earlier allows remote attackers to execute arbitrary code.
CVE-2017-8849 EXPLOITDB HIGH c WORKING POC
smb4k < 2.0.1 - Privilege Escalation via Mount Helper DBUS Service
smb4k before 2.0.1 allows local users to gain root privileges by leveraging failure to verify arguments to the mount helper DBUS service.
CVSS 7.8
CVE-2012-3524 EXPLOITDB c WORKING POC
libdbus < 1.5.12 - Local Privilege Escalation via DBUS_SYSTEM_BUS_ADDRESS Environment Variable
libdbus 1.5.x and earlier, when used in setuid or other privileged programs in X.org and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE: libdbus maintainers state that this is a vulnerability in the applications that do not cleanse environment variables, not in libdbus itself: "we do not support use of libdbus in setuid binaries that do not sanitize their environment before their first call into libdbus."
EIP-2026-102907 EXPLOITDB c WORKING POC
Linux Kernel 3.0 < 3.3.5 - 'CLONE_NEWUSER|CLONE_FS' Local Privilege Escalation
EIP-2026-102920 EXPLOITDB perl WORKING POC
Man Utility 2.3.19 - Local Compression Program Privilege Escalation
CVE-2004-2303 EXPLOITDB perl WORKING POC
MTools Mformat <3.9.9 - Info Disclosure
MTools Mformat before 3.9.9, when installed setuid root, creates files with world-readable and world-writable permissions, which allows local users to read and overwrite files.
CVE-2000-0703 EXPLOITDB perl WORKING POC
perl - Local Privilege Escalation via suidperl Escape Sequence Injection
suidperl (aka sperl) does not properly cleanse the escape sequence "~!" before calling /bin/mail to send an error report, which allows local users to gain privileges by setting the "interactive" environmental variable and calling suidperl with a filename that contains the escape sequence.
CVE-2016-10156 EXPLOITDB HIGH text WORKING POC
systemd <v229 - Privilege Escalation
A flaw in systemd v228 in /src/basic/fs-util.c caused world writable suid files to be created when using the systemd timers features, allowing local attackers to escalate their privileges to root. This is fixed in v229.
CVSS 7.8
CVE-2001-0559 EXPLOITDB bash WORKING POC
Vixie cron <3.0.1 - Privilege Escalation
crontab in Vixie cron 3.0.1 and earlier does not properly drop privileges after the failed parsing of a modification operation, which could allow a local attacker to gain additional privileges when an editor is called to correct the error.
CVE-2002-0658 EXPLOITDB c WORKING POC
OSSP mm <1.2.0 - Privilege Escalation
OSSP mm library (libmm) before 1.2.0 allows the local Apache user to gain privileges via temporary files, possibly via a symbolic link attack.
EIP-2026-102821 EXPLOITDB c WORKING POC
Docker 0.11 - VMM-Container Breakout
CVE-2017-1000083 EXPLOITDB HIGH ruby WORKING POC
Evince CBT File Command Injection
backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to execute arbitrary commands via a .cbt file that is a TAR archive containing a filename beginning with a "--" command-line option substring, as demonstrated by a --checkpoint-action=exec=bash at the beginning of the filename.
CVSS 7.8
CVE-2015-1815 EXPLOITDB text WORKING POC
setroubleshoot < 3.2.22 - Remote Code Execution via Filename Shell Metacharacters
The get_rpm_nvr_by_file_path_temporary function in util.py in setroubleshoot before 3.2.22 allows remote attackers to execute arbitrary commands via shell metacharacters in a file name.
CVE-2017-5180 EXPLOITDB HIGH c WORKING POC
Firejail <0.9.44.4 & 0.9.38.x LTS <0.9.38.8 - Sandbox-Escape
Firejail before 0.9.44.4 and 0.9.38.x LTS before 0.9.38.8 LTS does not consider the .Xauthority case during its attempt to prevent accessing user files with an euid of zero, which allows local users to conduct sandbox-escape attacks via vectors involving a symlink and the --private option.
CVSS 8.8
CVE-2000-0530 EXPLOITDB perl WORKING POC
KDE 1.1.2 - Local Privilege Escalation
The KApplication class in the KDE 1.1.2 configuration file management capability allows local users to overwrite arbitrary files.
CVE-2000-0530 EXPLOITDB perl WORKING POC
KDE 1.1.2 - Local Privilege Escalation
The KApplication class in the KDE 1.1.2 configuration file management capability allows local users to overwrite arbitrary files.
CVE-2013-0292 EXPLOITDB c WORKING POC
dbus-glib < 0.100 - Privilege Escalation via Spoofed NameOwnerChanged Signal
The dbus_g_proxy_manager_filter function in dbus-gproxy in Dbus-glib before 0.100.1 does not properly verify the sender of NameOwnerChanged signals, which allows local users to gain privileges via a spoofed signal.
CVE-2002-0824 EXPLOITDB perl WORKING POC
Freebsd Point-to-point Protocol Daemon - Symlink Following
BSD pppd allows local users to change the permissions of arbitrary files via a symlink attack on a file that is specified as a tty device.