Various local exploits
root66 OpenBSD 6.6 OpenSMTPD 6.6 local root exploit.
OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted
openbsd-dynamic-loader-chpass OpenBSD local root exploit.
OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root.
openbsd-authroot OpenBSD local root exploit.
xlock in OpenBSD 6.6 allows local users to gain the privileges of the auth group by providing a LIBGL_DRIVERS_PATH environment variable, because xenocara's Mesa loader (loader.c) mishandles dlopen. OpenBSD 6.6, in a non-default configuration where S/Key or YubiKey authentication is enabled, allows local users to become root by leveraging membership in the auth group. This occurs because root's file can be written to /etc/skey or /var/db/yubikey, and need not be owned by root.
GNU Mailutils 2.0 <= 3.7 maidag url local root.
maidag in GNU Mailutils before 3.8 is installed setuid and allows local privilege escalation in the url mode.
Local root exploit for Serv-U FTP Server versions prior to 15.1.7
A privilege escalation vulnerability exists in SolarWinds Serv-U before 15.1.7 for Linux.
S-nail local root exploit.
Directory traversal vulnerability in the setuid root helper binary in S-nail (later S-mailx) before 14.8.16 allows local users to write to arbitrary files and consequently gain root privileges via a .. (dot dot) in the randstr argument.
VMWare Workstation / Player local root exploit.
VMware Workstation Pro/Player contains an insecure library loading vulnerability via ALSA sound driver configuration files. Successful exploitation of this issue may allow unprivileged host users to escalate their privileges to root in a Linux host machine.
ktsuss <= 1.4 setuid local root exploit.
Independently rediscovered CVE-2011-2921 while auditing SparkyLinux.
The ktsuss executable is setuid root and does not drop privileges prior to executing user specified commands, resulting in command execution with root privileges. SparkyLinux 2019.08 and prior package a vulnerable version of ktsuss, installed by default.
InterNetNews (inn) rnews file disclosure exploit.
Independently rediscovered CVE-2002-0526 on Debian 10 / Ubuntu 20.04 in 2020 (!)
INN (InterNetNews) could allow a local attacker to obtain sensitive information. The rnews binaries fail to drop privileges. A local attacker could exploit this vulnerability to gain unauthorized access to sensitive configuration files.
antiX / MX Linux default sudo configuration persist-config local root exploit.
antiX / MX Linux default sudo configuration permits users in the users group to execute /usr/local/bin/persist-config as root without providing a password, resulting in trivial privilege escalation. By default, the first user created on the system is a member of the users group.
Local root exploit for SUID executables compiled with AddressSanitizer (ASan).
Use of ASan configuration related environment variables is not restricted when executing setuid executables built with ASan. The log_path option can be set using the ASAN_OPTIONS environment variable, allowing clobbering of arbitrary files with the privileges of the setuid user.
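A quick audit for the ASan case, added here as an example and not code from the exploit collection: it lists setuid/setgid binaries that carry the AddressSanitizer runtime, since any such binary honours ASAN_OPTIONS from an unprivileged caller. The marker strings it looks for (__asan_init, libasan.so, libclang_rt.asan) and the directories it scans are this script's own assumptions.

```shell
#!/bin/sh
# Added audit helper (not code from the exploit collection). It hunts for
# setuid/setgid binaries that carry the AddressSanitizer runtime, because, as
# described above, such a binary honours ASAN_OPTIONS (log_path among them)
# from an unprivileged caller and writes its log with the file owner's
# privileges. Which marker string appears depends on how the runtime was
# linked: __asan_init for a static link, libasan.so (GCC) or libclang_rt.asan
# (Clang) in DT_NEEDED for a dynamic one, so all three are checked. The
# marker list is an assumption; a hit means "review this binary", not proof.

# asan_linked FILE: succeed if FILE contains an ASan marker string.
# grep -a scans the ELF image as text, so no toolchain (nm, readelf) is needed.
asan_linked() {
    grep -a -q -E '__asan_init|libasan\.so|libclang_rt\.asan' "$1"
}

# find_setuid_asan DIR...: print setuid or setgid regular files under the given
# directories for which asan_linked succeeds. Unreadable paths are skipped.
find_setuid_asan() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
    | while IFS= read -r f; do
        if asan_linked "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Stand-alone run: audit the usual binary directories (assumed locations).
find_setuid_asan /usr/bin /usr/sbin /usr/local/bin
```

Anything reported should be rebuilt without sanitizers or stripped of its setuid bit; sanitizer builds belong in test environments, not on privilege boundaries.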
Emmabuntüs default sudo configuration autologin_lightdm_exec.sh local root exploit.
Emmabuntüs default sudo configuration permits any user to execute /usr/bin/autologin_lightdm_exec.sh as root without providing a password. The script invokes cp with user supplied arguments, resulting in trivial privilege escalation.
lastore-daemon local root exploit.
Based on King's Way's exploit (2016-02-10).
The lastore-daemon D-Bus configuration on Deepin Linux 15.5 permits any user in the sudo group to install arbitrary packages without providing a password, resulting in code execution as root. By default, the first user created on the system is a member of the sudo group.
sudo-blkid-root local root exploit.
sudo configuration on some Linux distributions permits low-privileged users to execute blkid as root. This configuration is unsafe, as blkid allows users to specify the -c flag to write cache data to a file, allowing clobbering of arbitrary files.
sudo-chkrootkit-root local root exploit.
Sometimes administrators allow users to execute chkrootkit as root, as chkrootkit requires root privileges. This is unsafe, as chkrootkit allows users to specify the -p flag to specify a path to trusted system utilities (system utilities may have been compromised), allowing execution of arbitrary executables with root privileges.
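The persist-config, autologin_lightdm_exec.sh, blkid and chkrootkit entries above share one root cause: a NOPASSWD sudo rule for a program that takes a user-controlled path or file argument. The following audit helper, added here as an example and not code from the exploit collection, reads sudoers-style rules (a sudoers file or `sudo -l` output) and prints the NOPASSWD rules that name one of those programs. The program list and the sample rules are constructed for the example.

```shell
#!/bin/sh
# Added audit helper for the sudo misconfigurations listed above (not code
# from the exploit collection). It reads sudoers-style rules from stdin and
# prints every NOPASSWD rule whose command list names a program this page
# shows to be unsafe as a passwordless root target: blkid (-c writes a cache
# file), chkrootkit (-p runs attacker-chosen binaries), persist-config and
# autologin_lightdm_exec.sh. The program list is this script's assumption and
# is deliberately short; extend it for your environment.

DANGEROUS_RE='blkid|chkrootkit|persist-config|autologin_lightdm_exec\.sh'

# unsafe_sudoers_rules: filter stdin down to rules that (a) carry the NOPASSWD
# tag and (b) name a dangerous program as a whole path component, so that
# e.g. blkid-wrapper is not mistaken for blkid. Comments are stripped first.
unsafe_sudoers_rules() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' \
    | grep 'NOPASSWD' \
    | grep -E "(^|[/[:space:],])($DANGEROUS_RE)([[:space:],]|\$)" || true
}

# count_unsafe_rules: number of rules unsafe_sudoers_rules would print.
count_unsafe_rules() {
    unsafe_sudoers_rules | grep -c . || true
}

# Constructed sample, modelled on the antiX / MX Linux and Emmabuntüs defaults
# and on the blkid / chkrootkit delegations described above. Not a real file.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
%users  ALL=(root) NOPASSWD: /usr/local/bin/persist-config
ALL     ALL=(root) NOPASSWD: /usr/bin/autologin_lightdm_exec.sh
ops     ALL=(root) NOPASSWD: /sbin/blkid, /usr/sbin/chkrootkit
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/local/bin/blkid-wrapper
EOF

# Stand-alone run: report on the sample. On a live host use:
#   sudo -l | unsafe_sudoers_rules
unsafe_sudoers_rules < "$SAMPLE"
```

A password prompt does not make such a rule safe; it only limits the exposure to users who already know their own password. The real fix is to not delegate programs that accept arbitrary paths, or to pin the permitted arguments in the rule itself.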