CVE-2015-3245

libuser < 0.56.13-8 and 0.60 < 0.60-7 - Denial of Service via GECOS Field Newline Injection

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2015-3245. PoCs published by Metasploit, Qualys, bcoles, including Metasploit module exploits/linux/local/libuser_roothelper_priv_esc.

AI-analyzed exploit summary This Metasploit module exploits a newline injection vulnerability in libuser and userhelper to gain root privileges by inserting a new user with UID=0 in /etc/passwd. It requires the current user's password and targets Red Hat-based systems.

Description

Incomplete blacklist vulnerability in the chfn function in libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, allows local users to cause a denial of service (/etc/passwd corruption) via a newline character in the GECOS field.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Metasploit · rubylocallinux

https://www.exploit-db.com/exploits/44633

View Code ZIP pw:eip

This Metasploit module exploits a newline injection vulnerability in libuser and userhelper to gain root privileges by inserting a new user with UID=0 in /etc/passwd. It requires the current user's password and targets Red Hat-based systems.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: libuser and userhelper versions prior to 0.56.13-8 and version 0.60 before 0.60-7

Auth required

Prerequisites: Current user's password · Writable directory · GCC for live compilation (optional)

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548.001 - Setuid and Setgid

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WRITEUP

doslinux

https://www.exploit-db.com/exploits/37706

View Code ZIP pw:eip

This is a detailed technical analysis of CVE-2015-3245 and CVE-2015-3246, focusing on vulnerabilities in libuser and userhelper. It explains the root cause, exploitation techniques, and includes a proof-of-concept for privilege escalation via /etc/passwd manipulation.

Classification

Writeup 100%

Attack Type

Lpe

Complexity

Complex

Reliability

Theoretical

Target: libuser, userhelper (usermode package)

Auth required

Prerequisites: Local user access · Ability to execute userhelper or chfn

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1555 - Credentials from Password Stores

devstral-2 · analyzed Feb 19, 2026 Full analysis →

metasploit WORKING POC GREAT

by Qualys, bcoles · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/libuser_roothelper_priv_esc.rb

View Code ZIP pw:eip

This Metasploit module exploits a newline injection vulnerability in libuser and userhelper to gain root privileges by inserting a new user with UID=0 in /etc/passwd. It supports both live compilation and pre-compiled binaries for various Red Hat-based systems.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: libuser and userhelper versions prior to 0.56.13-8 and 0.60 before 0.60-7

Auth required

Prerequisites: gcc (for live compilation) · current user password · writable directory · setuid userhelper binary

MITRE ATT&CK