Metasploit Exploits
3,315 exploits tracked across all sources.
Linux Kernel recvmmsg Privilege Escalation
The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is enabled, allows local users to gain privileges via a recvmmsg system call with a crafted timeout pointer parameter.
by h00die <[email protected]>, rebel
runc (docker) File Descriptor Leak Privilege Escalation
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.
by h00die, SickMcNugget, jheysel-r7, Rory McNamara
CVSS 8.6
VMware Cloud Foundation 3.0-5.0 and vCenter Server - Local Privilege Escalation via Improper File Permissions
The vCenter Server contains multiple local privilege escalation vulnerabilities due to improper permissions of files and directories. An authenticated local user with non-administrative privilege may exploit these issues to elevate their privileges to root on vCenter Server Appliance.
by h00die, Yuval Lazar
CVSS 7.8
polkit < 0.119 - Unauthenticated Privilege Escalation via D-Bus Request
It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
by Kevin Backhouse, Spencer McIntyre, jheysel-r7
CVSS 7.8
netdata 1.44.0-60-1.45.0-169 and 1.45.0-1.45.3 - Local Privilege Escalation via PATH Environment Variable Manipulation
Netdata is an open source observability tool. In affected versions the `ndsudo` tool shipped with affected versions of the Netdata Agent allows an attacker to run arbitrary programs with root permissions. The `ndsudo` tool is packaged as a `root`-owned executable with the SUID bit set. It only runs a restricted set of external commands, but its search paths are supplied by the `PATH` environment variable. This allows an attacker to control where `ndsudo` looks for these commands, which may be a path the attacker has write access to. This may lead to local privilege escalation. This vulnerability has been addressed in versions 1.45.3 and 1.45.2-169. Users are advised to upgrade. There are no known workarounds for this vulnerability.
by msutovsky-r7, mia-0
CVSS 8.8
LoadMaster 7.2.48.1-7.2.48.9 - Unauthenticated OS Command Injection
Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution.
by Dave Yesland with Rhino Security Labs, bwatters-r7
CVSS 10.0
HP Performance Monitoring xglance Priv Esc
Unspecified vulnerability in HP Operations Agent 11.00, when Glance is used, allows local users to gain privileges via unknown vectors.
by h00die, Tim Brown, Robert Jaroszuk, Marco Ortisi
Sudo Heap-Based Buffer Overflow
Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.
by Qualys, Spencer McIntyre, bwatters-r7, smashery, blasty <[email protected]>, worawit, Alexander Krog
CVSS 7.8
VMware Workstation 8.x-9.x and Player 4.x-5.x - Privilege Escalation via PATH lsb_release Hijacking
vmware-mount in VMware Workstation 8.x and 9.x and VMware Player 4.x and 5.x, on systems based on Debian GNU/Linux, allows host OS users to gain host OS privileges via a crafted lsb_release binary in a directory in the PATH, related to use of the popen library function.
by Tavis Ormandy, egypt
AF_PACKET packet_set_ring Privilege Escalation
The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability is held), via crafted system calls.
by Andrey Konovalov, bcoles
CVSS 7.8
io_uring Same Type Object Reuse Priv Esc
A flaw was found in the Linux kernel’s io_uring implementation. This flaw allows an attacker with a local account to corrupt system memory, crash the system or escalate privileges.
by h00die, Ryota Shiga, Mathias Krause
CVSS 8.8
Cisco Small Business Switches - Unauthenticated Bypass via Hard-coded Credentials
A vulnerability in the Cisco Small Business Switches software could allow an unauthenticated, remote attacker to bypass the user authentication mechanism of an affected device. The vulnerability exists because under specific circumstances, the affected software enables a privileged user account without notifying administrators of the system. An attacker could exploit this vulnerability by using this account to log in to an affected device and execute commands with full admin rights. Cisco has not released software updates that address this vulnerability. This advisory will be updated with fixed software information once fixed software becomes available. There is a workaround to address this vulnerability.
CVSS 9.8
Debian/Ubuntu ntfs-3g Local Privilege Escalation
Jann Horn of Google Project Zero discovered that NTFS-3G, a read-write NTFS driver for FUSE, does not scrub the environment before executing modprobe with elevated privileges. A local user can take advantage of this flaw for local root privilege escalation.
by [email protected], h00die <[email protected]>
CVSS 7.8
Apache Tomcat on RedHat Based Systems Insecure Temp Config Privilege Escalation
The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.
by h00die, Dawid Golunski <[email protected]>
CVSS 7.8
Linux eBPF ALU32 32-bit Invalid Bounds Tracking LPE
The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into out of bounds reads and writes in the Linux kernel and therefore, arbitrary code execution. This issue was fixed via commit 049c4e13714e ("bpf: Fix alu32 const subreg bound tracking on bitwise operations") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. The AND/OR issues were introduced by commit 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking") (5.7-rc1) and the XOR variant was introduced by 2921c90d4718 ("bpf:Fix a verifier failure with xor") ( 5.10-rc1).
by Manfred Paul, chompie1337, Grant Willcox
CVSS 7.8
Watch Queue Out of Bounds Write
An out-of-bounds (OOB) memory write flaw was found in the Linux kernel’s watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system.
by Jann Horn, bonfee, bwatters-r7
CVSS 7.8
Zyxel Firewall Firmware - Privilege Escalation via CLI Command
A privilege escalation vulnerability was identified in the CLI command of Zyxel USG FLEX 100(W) firmware versions 4.50 through 5.30, USG FLEX 200 firmware versions 4.50 through 5.30, USG FLEX 500 firmware versions 4.50 through 5.30, USG FLEX 700 firmware versions 4.50 through 5.30, USG FLEX 50(W) firmware versions 4.16 through 5.30, USG20(W)-VPN firmware versions 4.16 through 5.30, ATP series firmware versions 4.32 through 5.30, VPN series firmware versions 4.30 through 5.30, USG/ZyWALL series firmware versions 4.09 through 4.72, which could allow a local attacker to execute some OS commands with root privileges in some directories on a vulnerable device.
by jbaines-r7
CVSS 7.8
libuser < 0.56.13-8 and 0.60 < 0.60-7 - Denial of Service via GECOS Field Newline Injection
Incomplete blacklist vulnerability in the chfn function in libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, allows local users to cause a denial of service (/etc/passwd corruption) via a newline character in the GECOS field.
by Qualys, bcoles
Linux kernel <2.6.30.4, <2.4.37.4 - Privilege Escalation
The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.
by Tavis Ormandy, Julien Tinnes <julien at cr0.org>, spender, rcvalle, egypt
CVSS 7.8
Kloxo <6.1.12 - Privilege Escalation
Kloxo versions 6.1.12 and earlier contain two setuid root binaries—lxsuexec and lxrestart—that allow local privilege escalation from uid 48. The lxsuexec binary performs a uid check and permits execution of arbitrary commands as root if the invoking user matches uid 48. This flaw enables attackers with Apache-level access to escalate privileges to root without authentication.
by HTP, juan vazquez
VMware Workspace ONE Access CVE-2022-31660
VMware Workspace ONE Access, Identity Manager and vRealize Automation contains a privilege escalation vulnerability. A malicious actor with local access can escalate privileges to 'root'.
by Spencer McIntyre
CVSS 7.8
Network Manager VPNC Username Privilege Escalation
Network Manager VPNC plugin (aka networkmanager-vpnc) before version 1.2.6 is vulnerable to a privilege escalation attack. A new line character can be used to inject a Password helper parameter into the configuration data passed to VPNC, allowing an attacker to execute arbitrary commands as root.
by Denis Andzakovic, bcoles
CVSS 7.8
Microsoft OMI Management Interface Authentication Bypass
Open Management Infrastructure Elevation of Privilege Vulnerability
by Nir Ohfeld, Shir Tamari, Spencer McIntyre
CVSS 7.8
Netfilter nft_set_elem_init Heap Overflow Privilege Escalation
An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c.
CVSS 7.8
ktsuss suid Privilege Escalation
ktsuss versions 1.4 and prior has the uid set to root and does not drop privileges prior to executing user specified commands, which can result in command execution with root privileges.
by John Lightsey, bcoles
CVSS 9.8
By Source