This Metasploit module exploits a vulnerability in the OpenBSD ld.so dynamic loader (CVE-2019-19726). The _dl_getenv() function fails to reset the LD_LIBRARY_PATH environment variable when set with approximately ARG_MAX colons. This can be abused to load libutil.so from an untrusted path, using LD_LIBRARY_PATH in combination with the chpass set-uid executable, resulting in privileged code execution. This module has been tested successfully on OpenBSD 6.1 (amd64) and OpenBSD 6.6 (amd64).
3e6540f0f1a2e09ac135f635d113e22b32dffae061cff0c1ae9ba68f036aa0a2Qualys discovered a local privilege escalation in OpenBSD's dynamic loader (ld.so). This vulnerability is exploitable in the default installation (via the set-user-ID executable chpass or passwd) and yields full root privileges. They developed a simple proof of concept and successfully tested it against OpenBSD 6.6 (the current release), 6.5, 6.2, and 6.1, on both amd64 and i386; other releases and architectures are probably also exploitable.
4e1f695e83c851f4826c356e0fbe52865163d4b41d6d1a6675fca7178914287bQualys has discovered that OpenBSD suffers from multiple authentication bypass and local privilege escalation vulnerabilities.
f17dd04f6e2715e22520176b0b9b59af9523bd1f17067f5a5814eb8675c0497dThis Metasploit module has been tested with AIX 7.1 and 7.2, and should also work with 6.1. Due to permission restrictions of the crontab in AIX, this module does not use cron, and instead overwrites /etc/passwd in order to create a new user with root privileges. All currently logged in users need to be included when /etc/passwd is overwritten, else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to change user. The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX, and is replaced by '-config', in conjuction with ANSI-C quotes to inject newlines when overwriting /etc/passwd.
cdb60dbe662ae825c2e68b4e3467951ff4065037e1a4c7ab93afe4fd720eaf44This is a Linux/portable port of OpenBSD's excellent OpenSSH. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced, and many other clean-ups.
02f5dbef3835d0753556f973cd57b4c19b6b1f6cd24c03445e23ac77ca1b93ffThis is a Linux/portable port of OpenBSD's excellent OpenSSH. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced, and many other clean-ups.
bd943879e69498e8031eb6b7f44d08cdc37d59a7ab689aa0b437320c3481fd68This Metasploit module attempts to gain root privileges with SUID Xorg X11 server versions 1.19.0 up to 1.20.3. A permission check flaw exists for -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server the ability to elevate privileges and run arbitrary code under root privileges. This Metasploit module has been tested with OpenBSD 6.3, 6.4, and CentOS 7 (1708). CentOS default install will require console auth for the users session. Cron launches the payload so if Selinux is enforcing exploitation may still be possible, but the module will bail. Xorg must have SUID permissions and may not start if running. On exploitation a crontab.old backup file will be created by Xorg. This Metasploit module will remove the .old file and restore crontab after successful exploitation. Failed exploitation may result in a corrupted crontab. On successful exploitation artifacts will be created consistent with starting Xorg and running a cron.
720e628b35284931ff0424715e648634cd3ec31db1a89c8b1fff88eddfb6f4abThis is a Linux/portable port of OpenBSD's excellent OpenSSH. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced, and many other clean-ups.
6b4b3ba2253d84ed3771c8050728d597c91cfce898713beb7b64a305b6f11aadThis is a Linux/portable port of OpenBSD's excellent OpenSSH. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced, and many other clean-ups.
1a484bb15152c183bb2514e112aa30dd34138c3cfb032eee5490a66c507144carldns is an open source lightweight DNS server for linux, netbsd, freebsd, and openbsd. Runs on x86 and x86_64 architectures.
3ef0107cfa51f2818c05a51cce9b22d87404ba178c87f4441cf3b73f5957e175This is a Linux/portable port of OpenBSD's excellent OpenSSH. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced, and many other clean-ups.
d73be7e684e99efcd024be15a30bffcbe41b012b2f7b3c9084aed621775e6b8fThis is a Linux/portable port of OpenBSD's excellent OpenSSH. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced, and many other clean-ups.
a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723OpenBSD 'at' local stack clash privilege escalation exploit.
a80fd36081b8074669422ec386b383f6b02e6147e8b26cd6b180b8bcfaa859d2rldns is an open source lightweight DNS server for linux, netbsd, freebsd, and openbsd. Runs on x86 and x86_64 architectures.
fa02006cf534737a5fc492d24fc79aa7e37c09d5a4c386dd069f865cfe8b126aThis is a Linux/portable port of OpenBSD's excellent OpenSSH. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced, and many other clean-ups.
9846e3c5fab9f0547400b4d2c017992f914222b3fd1f8eee6c7dc6bc5e59f9f0rldns is an open source lightweight DNS server for linux, netbsd, freebsd, and openbsd. Runs on x86 and x86_64 architectures.
c71120177f5b183bcef952217dff5bd599a68f725f3425068bd2537d987c5c04OpenBSD HTTP server versions up to 6.0 suffer from a denial of service vulnerability.
8cb179fc0c44b36068a2fb1ea7d4c3cb44fce813eaf3de73953f10a2bfceac82This is a Linux/portable port of OpenBSD's excellent OpenSSH. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced, and many other clean-ups.
1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1This is a Linux/portable port of OpenBSD's excellent OpenSSH. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced, and many other clean-ups.
efc912a2ef7e938fa36df6787cd9d21b45463cd4f9d70764e9e61a961786691bRed Hat Security Advisory 2016-0466-01 - OpenSSH is OpenBSD's SSH protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks.
93381a3609cbd40ea19fd90f3d6532393c3c33d49bf30bab516193963789fd55Red Hat Security Advisory 2016-0465-01 - OpenSSH is OpenBSD's SSH protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested.
ec747fbcdba74a44a4ea458f9664256110da65f71f30774569e157e19509d8deThis is a Linux/portable port of OpenBSD's excellent OpenSSH. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced, and many other clean-ups.
a72781d1a043876a224ff1b0032daa4094d87565a68528759c1c2cab5482548cThis is a Linux/portable port of OpenBSD's excellent OpenSSH. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced, and many other clean-ups.
973cc37b2f3597e4cf599b09e604e79c0fe5d9b6f595a24e91ed0662860b4ac3This is a Linux/portable port of OpenBSD's excellent OpenSSH. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced, and many other clean-ups.
dd75f024dcf21e06a0d6421d582690bf987a1f6323e32ad6619392f3bfde6bbdRed Hat Security Advisory 2016-0043-01 - OpenSSH is OpenBSD's SSH protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. An information leak flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to leak portions of memory of a successfully authenticated OpenSSH client. A buffer overflow flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to execute arbitrary code on a successfully authenticated OpenSSH client if that client used certain non-default configuration options.
3ce7d8e13f6ac4af2d35ebb62eb062b0e3db89ea4ad51c709407b958ae9fd6c9
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed