bcoles

168 exploits Active since Mar 1998
CVE-2017-1000112 EXPLOITDB HIGH c WORKING POC
Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation
Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE __ip_append_data() calls ip_ufo_append_data() to append. However in between two send() calls, the append path can be switched from UFO to non-UFO one, which leads to a memory corruption. In case UFO packet lengths exceeds MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev->len - maxfraglen. Fraggap can exceed MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in IPv6 code. The bug was introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005.
CVSS 7.0
CVE-2019-13272 EXPLOITDB HIGH c WORKING POC
Linux Polkit pkexec helper PTRACE_TRACEME local root exploit
In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments.
CVSS 7.8
CVE-2017-7308 EXPLOITDB HIGH c WORKING POC
AF_PACKET packet_set_ring Privilege Escalation
The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability is held), via crafted system calls.
CVSS 7.8
CVE-2018-18955 EXPLOITDB HIGH bash WORKING POC
Linux Nested User Namespace idmap Limit Local Privilege Escalation
In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.
CVSS 7.0
CVE-2018-18955 EXPLOITDB HIGH bash WORKING POC
Linux Nested User Namespace idmap Limit Local Privilege Escalation
In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.
CVSS 7.0
CVE-2018-18955 EXPLOITDB HIGH bash WORKING POC
Linux Nested User Namespace idmap Limit Local Privilege Escalation
In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.
CVSS 7.0
CVE-2018-18955 EXPLOITDB HIGH bash WORKING POC
Linux Nested User Namespace idmap Limit Local Privilege Escalation
In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.
CVSS 7.0
CVE-2017-16995 EXPLOITDB HIGH ruby WORKING POC
Linux BPF Sign Extension Local Privilege Escalation
The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension.
CVSS 7.8
CVE-2011-2921 EXPLOITDB CRITICAL ruby WORKING POC
ktsuss suid Privilege Escalation
ktsuss versions 1.4 and prior has the uid set to root and does not drop privileges prior to executing user specified commands, which can result in command execution with root privileges.
CVSS 9.8
CVE-2017-1000083 EXPLOITDB HIGH ruby WORKING POC
Evince CBT File Command Injection
backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to execute arbitrary commands via a .cbt file that is a TAR archive containing a filename beginning with a "--" command-line option substring, as demonstrated by a --checkpoint-action=exec=bash at the beginning of the filename.
CVSS 7.8
EIP-2026-102819 EXPLOITDB ruby WORKING POC
Diamorphine Rootkit - Signal Privilege Escalation (Metasploit)
EIP-2026-102818 EXPLOITDB ruby WORKING POC
Diamorphine Rootkit - Signal Privilege Escalation (Metasploit)
CVE-2018-18955 EXPLOITDB HIGH ruby WORKING POC
Linux Nested User Namespace idmap Limit Local Privilege Escalation
In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.
CVSS 7.0
EIP-2026-102771 EXPLOITDB ruby WORKING POC
AddressSanitizer (ASan) - SUID Executable Privilege Escalation (Metasploit)
CVE-2015-5287 EXPLOITDB ruby WORKING POC
ABRT sosreport Privilege Escalation
The abrt-hook-ccpp help program in Automatic Bug Reporting Tool (ABRT) before 2.7.1 allows local users with certain permissions to gain privileges via a symlink attack on a file with a predictable name, as demonstrated by /var/tmp/abrt/abrt-hax-coredump or /var/spool/abrt/abrt-hax-coredump.
CVE-2015-8612 EXPLOITDB HIGH ruby WORKING POC
Blueman <2.0.3 - Privilege Escalation
The EnableNetwork method in the Network class in plugins/mechanism/Network.py in Blueman before 2.0.3 allows local users to gain privileges via the dhcp_handler argument.
CVSS 8.4
EIP-2026-102772 EXPLOITDB ruby WORKING POC
AddressSanitizer (ASan) - SUID Executable Privilege Escalation (Metasploit)
CVE-2012-0217 EXPLOITDB ruby WORKING POC
FreeBSD Intel SYSRET Privilege Escalation
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and other products; Oracle Solaris 11 and earlier; illumos before r13724; Joyent SmartOS before 20120614T184600Z; FreeBSD before 9.0-RELEASE-p3; NetBSD 6.0 Beta and earlier; Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1; and possibly other operating systems, when running on an Intel processor, incorrectly uses the sysret path in cases where a certain address is not a canonical address, which allows local users to gain privileges via a crafted application. NOTE: because this issue is due to incorrect use of the Intel specification, it should have been split into separate identifiers; however, there was some value in preserving the original mapping of the multi-codebase coordinated-disclosure effort to a single identifier.