Todd C. Miller

11 exploits Active since Mar 2013
CVE-2019-14287 NOMISEC HIGH WRITEUP
Sudo <1.8.28 - Privilege Escalation
In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.
1 stars
CVSS 8.8
CVE-2021-3156 NOMISEC HIGH WRITEUP
Sudo Heap-Based Buffer Overflow
Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.
CVSS 7.8
CVE-2026-35535 WRITEUP HIGH WRITEUP
Sudo < 3e474c2f201484be83d994ae10a4e20e8c81bb69 - Privilege Escalation via Failed Privilege Drop
In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation.
CVSS 7.4
CVE-2022-43995 WRITEUP HIGH WRITEUP
sudo 1.8.0-1.9.12 - Heap-Based Buffer Over-Read via Password Input
Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to Sudo by entering a password of seven characters or fewer. The impact could vary depending on the system libraries, compiler, and processor architecture.
CVSS 7.1
CVE-2022-48468 WRITEUP MEDIUM WRITEUP
protobuf-c < 1.4.1 - Integer Overflow in parse_required_member
protobuf-c before 1.4.1 has an unsigned integer overflow in parse_required_member.
CVSS 5.5
CVE-2023-28486 WRITEUP MEDIUM WRITEUP
sudo < 1.9.13 - Log Injection via Unescaped Control Characters
Sudo before 1.9.13 does not escape control characters in log messages.
CVSS 5.3
CVE-2023-28487 WRITEUP MEDIUM WRITEUP
sudo < 1.9.13 - Improper Output Escaping in sudoreplay
Sudo before 1.9.13 does not escape control characters in sudoreplay output.
CVSS 5.3
CVE-2023-42465 WRITEUP HIGH WRITEUP
sudo < 1.9.15 - Authentication Bypass and Privilege Escalation via Row Hammer Bit Flip
Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because application logic sometimes is based on not equaling an error value (instead of equaling a success value), and because the values do not resist flips of a single bit.
CVSS 7.0
CVE-2024-43688 WRITEUP HIGH WRITEUP
vixie cron <9cc8ab1 - Buffer Overflow
cron/entry.c in vixie cron before 9cc8ab1, as used in OpenBSD 7.4 and 7.5, allows a heap-based buffer underflow and memory corruption. NOTE: this issue was introduced during a May 2023 refactoring.
CVSS 7.3
CVE-2013-1775 METASPLOIT ruby WORKING POC
Mac OS X Sudo Password Bypass
sudo 1.6.0 through 1.7.10p6 and sudo 1.8.0 through 1.8.6p6 allows local users or physically proximate attackers to bypass intended time restrictions and retain privileges without re-authenticating by setting the system clock and sudo user timestamp to the epoch.
CVE-2013-1775 EXPLOITDB ruby WORKING POC
Mac OS X Sudo Password Bypass
sudo 1.6.0 through 1.7.10p6 and sudo 1.8.0 through 1.8.6p6 allows local users or physically proximate attackers to bypass intended time restrictions and retain privileges without re-authenticating by setting the system clock and sudo user timestamp to the epoch.