A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a uid greater than INT_MAX to successfully execute any systemctl command.
CVE-2018-19788
Exploiting the CVE-2018-19788 PolicyKit bug. Steps to exploit the PolicyKit bug on a fully patched CentOS 7 installation:
[root@centos7 ~]# groupadd -g 4000000000 cve201819788
[root@centos7 ~]# useradd -m -c "User With High UID" -u 4000000000 -g 4000000000 -s /bin/bash cve201819788
[root@centos7 ~]# id cve201819788
uid=4000000000(cve201819788) gid=4000000000(
Leveraging CVE-2018-19788 to dump protected files without a root shell
CVE-2018-19788 is an issue where any user with a UID over INT_MAX (e.g. 4000000000) can run any systemctl command on a systemd-based Linux box such as Ubuntu (there is already a writeup on gaining a root shell, found: here). The main difference between this writeup and the full root shell writeup is that this will be ru
Proof of Concept for CVE-2018-19788
Ansible role to check for the vulnerability tracked as CVE-2018-19788, which impacts PolicyKit version 0.115; PolicyKit comes pre-installed on a wide range of Linux distributions such as Ubuntu, Red Hat and CentOS, to mention a few.
Requirements: minimum required Ansible version 2.4.0.
Role Variables:
# The user name to be provisioned to execute the explo
CVE-2018-19788
Silly easy exploit for CVE-2018-19788. To use this, you must either create a user with a UID > INT_MAX or already have a low-privilege user with such a UID. The UID can be specified at user creation as follows, and the account is switched to before executing the script:
$ useradd -u 4000000001 PrivEsc
$ passwd PrivEsc
$ su PrivEsc
$ chmod +x /tmp/CVE-2018-19788_PrivEsc.sh
$
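The entries above all rest on the same two preconditions: an account whose UID exceeds INT_MAX (2147483647) and a polkit 0.115 install. The following POSIX shell audit checks both on a host. It is an added example, not code from any of the repositories listed here. It assumes passwd-format input (`name:x:uid:gid:gecos:home:shell`) and that `pkaction --version` prints `pkaction version X.Y`; treating 0.x releases earlier than 0.115 as affected too is an assumption of this example, since the listings above name only 0.115. The sample passwd database inside the script is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from any repository listed above: audit a host for
# the preconditions CVE-2018-19788 needs, an account with UID > INT_MAX and a
# polkit 0.115 install. Assumes passwd-format input and that `pkaction
# --version` prints "pkaction version X.Y".

INT_MAX=2147483647

# Constructed sample passwd database (not a real host's file): root, a normal
# account, and the kind of high-UID account the write-ups above create.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bob:x:1000:1000:Bob:/home/bob:/bin/sh
cve201819788:x:4000000000:4000000000:User With High UID:/home/cve201819788:/bin/bash'

# high_uid_users: read passwd lines on stdin and print "name uid" for every
# account whose uid exceeds INT_MAX. A non-numeric uid field is reported as
# MALFORMED instead of being skipped, so a mangled line cannot hide a
# high-UID account. awk compares in double precision, which holds
# 4000000000 exactly, so no int truncation happens in the check itself.
high_uid_users() {
    awk -F: -v max="$INT_MAX" '
        /^[ \t]*$/ || /^#/   { next }
        $3 !~ /^[0-9]+$/      { printf "MALFORMED %s\n", $1; next }
        ($3 + 0) > (max + 0)  { printf "%s %s\n", $1, $3 }
    '
}

# polkit_version_affected VERSION: return 0 when VERSION is 0.115 (the
# release named above; counting earlier 0.x releases as affected is an
# assumption of this example), 1 when it is not, 2 when unparseable.
polkit_version_affected() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$major$minor" in
        ""|*[!0-9]*) return 2 ;;
    esac
    if [ "$major" -eq 0 ] && [ "$minor" -le 115 ]; then
        return 0
    fi
    return 1
}

# audit_host: run both checks against the live system where the inputs are
# readable; print findings and return 0 only when both preconditions hold.
audit_host() {
    found_user=1
    found_polkit=1
    if [ -r /etc/passwd ]; then
        users=$(high_uid_users < /etc/passwd)
        if [ -n "$users" ]; then
            echo "Accounts with UID above INT_MAX (or malformed uid fields):"
            echo "$users"
            found_user=0
        fi
    fi
    if command -v pkaction >/dev/null 2>&1; then
        ver=$(pkaction --version 2>/dev/null | awk '{print $NF}')
        if polkit_version_affected "$ver"; then
            echo "polkit $ver is in the affected range"
            found_polkit=0
        fi
    fi
    if [ "$found_user" -eq 0 ] && [ "$found_polkit" -eq 0 ]; then
        return 0
    fi
    return 1
}

echo "Sample database scan:"
echo "$SAMPLE_PASSWD" | high_uid_users

if audit_host; then
    echo "This host meets both preconditions for CVE-2018-19788"
else
    echo "This host does not meet both preconditions"
fi
```

Run it as any user: the passwd scan needs only read access to /etc/passwd, and the version check is skipped when `pkaction` is not installed. A MALFORMED line is worth investigating rather than ignoring, because a uid field that does not parse is exactly what a hand-edited account entry looks like.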
OverTheWire Advent Bonanza 2018 Writeup
Enclosed is my writeup for the 2018 OTW Advent CTF (advent2018.overthewire.org). The challenges were tough, but a lot of fun. It seemed like the organizers created each challenge so that it had at least two pieces that needed to be solved before getting the flag. I liked this approach, although sometimes it was frustrating when I
Security Research
A collection of files related to my personal security research. Additional content will be posted on my blog, blog.mirch.io.
Tools:
openssldir_check: Windows utility to check for potential insecure paths used by the OPENSSLDIR build parameter in OpenSSL libraries
ssscache2john: Convert SSSD LDAP cache files to John The Ripper form
Awesome CVE PoC
A curated list of CVE PoCs. Here is a collection of Proof of Concepts for Common Vulnerabilities and Exposures; you may also want to check out awesome-web-security. Please read the contribution guidelines before contributing. This repo is full of PoCs for CVEs. If you enjoy this awesome list and would like to support it, check out my Patreon page: