Exploitation Summary
EIP tracks 1 public exploit for CVE-2016-10010. PoCs published by Google Security Research.
AI-analyzed exploit summary
This exploit leverages OpenSSH's UNIX domain socket forwarding when privilege separation is disabled, allowing a non-root user to gain root privileges via systemd manipulation. The PoC demonstrates binding to a UNIX domain socket and injecting an LD_PRELOAD environment variable to escalate privileges.
Description
sshd in OpenSSH before 7.4, when privilege separation is not used, creates forwarded Unix-domain sockets as root, which might allow local users to gain privileges via unspecified vectors, related to serverloop.c.
Scores
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H