Description
This module exploits a vulnerability in `xscreensaver` versions since 5.06 on unpatched Solaris 11 systems which allows users to gain root privileges.
`xscreensaver` allows users to create a user-owned file at any location on the filesystem using the `-log` command line argument introduced in version 5.06.
This module uses `xscreensaver` to create a log file in `/usr/lib/secure/`, overwrites the log file with a shared object, and executes the shared object using the `LD_PRELOAD` environment variable.
This module has been tested successfully on:
xscreensaver version 5.15 on Solaris 11.1 (x86); and xscreensaver version 5.15 on Solaris 11.3 (x86).
Module options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/solaris/local/xscreensaver_log_priv_escmsf undefined(xscreensaver_log_priv_esc) > show actions ...actions...msf undefined(xscreensaver_log_priv_esc) > set ACTION < action-name >msf undefined(xscreensaver_log_priv_esc) > show options ...show and set options...msf undefined(xscreensaver_log_priv_esc) > runPrioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub