CVE-2015-3246

libuser <0.56.13-8 & 0.60 <0.60-7 - DoS

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2015-3246. PoCs published by Metasploit, Qualys Corporation, Qualys, bcoles, including Metasploit module exploits/linux/local/libuser_roothelper_priv_esc.

AI-analyzed exploit summary This Metasploit module exploits a newline injection vulnerability in libuser and userhelper to gain root privileges by inserting a new user with UID=0 in /etc/passwd. It requires the current user's password and targets Red Hat-based systems.

Description

libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, directly modifies /etc/passwd, which allows local users to cause a denial of service (inconsistent file state) by causing an error during the modification. NOTE: this issue can be combined with CVE-2015-3245 to gain privileges.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Metasploit · rubylocallinux

https://www.exploit-db.com/exploits/44633

View Code ZIP pw:eip

This Metasploit module exploits a newline injection vulnerability in libuser and userhelper to gain root privileges by inserting a new user with UID=0 in /etc/passwd. It requires the current user's password and targets Red Hat-based systems.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: libuser and userhelper versions prior to 0.56.13-8 and version 0.60 before 0.60-7

Auth required

Prerequisites: Current user's password · Writable directory · GCC for live compilation (optional)

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548.001 - Setuid and Setgid

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WRITEUP VERIFIED

by Qualys Corporation · textdoslinux

https://www.exploit-db.com/exploits/37706

View Code ZIP pw:eip

This is a detailed advisory from Qualys describing two vulnerabilities (CVE-2015-3245 and CVE-2015-3246) in libuser and userhelper, including exploitation techniques for local privilege escalation via /etc/passwd manipulation. It explains the technical mechanics but does not include executable exploit code.

Classification

Writeup 100%

Attack Type

Lpe

Complexity

Complex

Reliability

Theoretical

Target: libuser (Red Hat-based distributions), userhelper (usermode package)

Auth required

Prerequisites: Local user access · userhelper or chfn linked with libuser

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1555 - Credentials from Password Stores

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC GREAT

by Qualys, bcoles · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/libuser_roothelper_priv_esc.rb

View Code ZIP pw:eip

This Metasploit module exploits a newline injection vulnerability in libuser and userhelper to gain root privileges by inserting a new user with UID=0 in /etc/passwd. It uses the roothelper.c exploit from Qualys and has been tested on multiple Red Hat-based systems.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: libuser and userhelper versions prior to 0.56.13-8 and version 0.60 before 0.60-7

Auth required

Prerequisites: gcc for live compilation · current user's password · writable directory · setuid userhelper binary

MITRE ATT&CK