module
Solaris xscreensaver log Privilege Escalation
| Disclosed | Created |
|---|---|
| 2019-10-16 | 2019-10-24 |
Disclosed
2019-10-16
Created
2019-10-24
Description
This module exploits a vulnerability in `xscreensaver` versions
since 5.06 on unpatched Solaris 11 systems which allows users
to gain root privileges.
`xscreensaver` allows users to create a user-owned file at any
location on the filesystem using the `-log` command line argument
introduced in version 5.06.
This module uses `xscreensaver` to create a log file in `/usr/lib/secure/`,
overwrites the log file with a shared object, and executes the shared
object using the `LD_PRELOAD` environment variable.
This module has been tested successfully on:
xscreensaver version 5.15 on Solaris 11.1 (x86); and
xscreensaver version 5.15 on Solaris 11.3 (x86).
since 5.06 on unpatched Solaris 11 systems which allows users
to gain root privileges.
`xscreensaver` allows users to create a user-owned file at any
location on the filesystem using the `-log` command line argument
introduced in version 5.06.
This module uses `xscreensaver` to create a log file in `/usr/lib/secure/`,
overwrites the log file with a shared object, and executes the shared
object using the `LD_PRELOAD` environment variable.
This module has been tested successfully on:
xscreensaver version 5.15 on Solaris 11.1 (x86); and
xscreensaver version 5.15 on Solaris 11.3 (x86).
Authors
Marco Ivaldi
bcoles bcoles@gmail.com
bcoles bcoles@gmail.com
Platform
Solaris,Unix
Architectures
cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.