Rapid7 Vulnerability & Exploit Database

Desktop Linux Password Stealer and Privilege Escalation

Back to Search

Desktop Linux Password Stealer and Privilege Escalation



This module steals the user password of an administrative user on a desktop Linux system when it is entered for unlocking the screen or for doing administrative actions using PolicyKit. Then, it escalates to root privileges using sudo and the stolen user password. It exploits the design weakness that there is no trusted channel for transferring the password from the keyboard to the actual password verification against the shadow file (which is running as root since /etc/shadow is only readable to the root user). Both screensavers (xscreensaver/gnome-screensaver) and PolicyKit use a component running under the current user account to query for the password and then pass it to a setuid-root binary to do the password verification. Therefore, it is possible to inject a password stealer after compromising the user account. Since sudo requires only the user password (and not the root password of the system), stealing the user password of an administrative user directly allows escalating to root privileges. Please note, you have to start a handler as a background job before running this exploit since the exploit will only create a shell when the user actually enters the password (which may be hours after launching the exploit). Using exploit/multi/handler with the option ExitOnSession set to false should do the job.


  • Jakob Lell




x86, x64


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/linux/local/desktop_privilege_escalation
msf exploit(desktop_privilege_escalation) > show targets
msf exploit(desktop_privilege_escalation) > set TARGET < target-id >
msf exploit(desktop_privilege_escalation) > show options
    ...show and set options...
msf exploit(desktop_privilege_escalation) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security