This channel discusses:

— Offensive Security
— RedTeam
— Malware Research
— OSINT
— etc

Disclaimer:
t.me/APT_Notes/6

Chat Link:
t.me/APT_Notes_PublicChat
Exploiting A 16-Year-Old Vulnerability In The Linux 6pack Driver (CVE-2021-42008)

CVE-2021-42008 is a Slab-Out-Of-Bounds Write vulnerability in the Linux 6pack driver caused by a missing size validation check in the decode_data function. A malicious input from a process with CAP_NET_ADMIN capability can lead to an overflow in the cooked_buf field of the sixpack structure, resulting in kernel memory corruption. This, if properly exploited, can lead to root access.

https://syst3mfailure.io/sixpack-slab-out-of-bounds

#linux #6pack #lpe #cve
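Added illustrative example, not the 6pack driver's code and not from the linked write-up: a user-space model of the bug class the post describes. Each group of four raw input bytes is unpacked into three "cooked" bytes, and the vulnerable shape never checks that cooked_buf has room for them, so an oversized frame writes past the end of the buffer into whatever follows it in the same slab object. The hardened shape refuses a group when three more bytes would not fit. The buffer size (COOKED_SIZE), the adjacent-memory region and the field names are assumptions chosen to match the description, not the driver's real layout; cooked_buf and the memory after it are modelled as one flat array so the overflow is observable without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define COOKED_SIZE 400   /* assumed size; the real driver has its own constant */
#define ADJ_SIZE    16    /* models memory that follows cooked_buf in the object */
#define ADJ_FILL    0xAA  /* sentinel so a clobbered adjacent byte is visible */

struct sixpack_model {
    unsigned char raw_buf[4];                    /* pending 6-bit input bytes */
    unsigned char storage[COOKED_SIZE + ADJ_SIZE]; /* cooked_buf + adjacent region */
    int rx_count;                                /* raw bytes collected (0..3) */
    int rx_count_cooked;                         /* bytes written to cooked_buf */
    int dropped;                                 /* set when the fixed decoder refuses a group */
};

typedef void (*decoder_fn)(struct sixpack_model *, unsigned char);

static void sp_init(struct sixpack_model *sp)
{
    memset(sp, 0, sizeof(*sp));
    memset(sp->storage + COOKED_SIZE, ADJ_FILL, ADJ_SIZE);
}

/* Shared 4-to-3 unpacking step; writes three bytes unconditionally. */
static void emit_cooked(struct sixpack_model *sp, unsigned char inbyte)
{
    unsigned char *buf = sp->raw_buf;
    unsigned char *cooked = sp->storage;
    cooked[sp->rx_count_cooked++] = buf[0] | ((buf[1] << 2) & 0xc0);
    cooked[sp->rx_count_cooked++] = (buf[1] & 0x0f) | ((buf[2] << 2) & 0xf0);
    cooked[sp->rx_count_cooked++] = (buf[2] & 0x03) | (inbyte & 0xfc);
    sp->rx_count = 0;
}

/* Vulnerable shape: nothing bounds rx_count_cooked against COOKED_SIZE. */
static void decode_data_vuln(struct sixpack_model *sp, unsigned char inbyte)
{
    if (sp->rx_count != 3) {
        sp->raw_buf[sp->rx_count++] = inbyte;
        return;
    }
    emit_cooked(sp, inbyte);
}

/* Hardened shape: drop the group if three more bytes would overrun cooked_buf. */
static void decode_data_fixed(struct sixpack_model *sp, unsigned char inbyte)
{
    if (sp->rx_count != 3) {
        sp->raw_buf[sp->rx_count++] = inbyte;
        return;
    }
    if (sp->rx_count_cooked + 2 >= COOKED_SIZE) {
        sp->dropped = 1;
        sp->rx_count = 0;
        return;
    }
    emit_cooked(sp, inbyte);
}

/* Feed a constructed oversized frame (all 0xff bytes, one group more than
 * fits) through a decoder and return how many adjacent bytes were clobbered. */
static int adjacent_bytes_clobbered(decoder_fn decode, int *dropped_out)
{
    struct sixpack_model sp;
    size_t i, nbytes = (COOKED_SIZE / 3 + 1) * 4;
    int clobbered = 0;

    sp_init(&sp);
    for (i = 0; i < nbytes; i++)
        decode(&sp, 0xff);
    for (i = 0; i < ADJ_SIZE; i++)
        if (sp.storage[COOKED_SIZE + i] != ADJ_FILL)
            clobbered++;
    if (dropped_out)
        *dropped_out = sp.dropped;
    return clobbered;
}

static int frame_dropped(decoder_fn decode)
{
    int dropped = 0;
    adjacent_bytes_clobbered(decode, &dropped);
    return dropped;
}

int main(void)
{
    printf("vulnerable: %d adjacent bytes overwritten, dropped=%d\n",
           adjacent_bytes_clobbered(decode_data_vuln, NULL), frame_dropped(decode_data_vuln));
    printf("fixed: %d adjacent bytes overwritten, dropped=%d\n",
           adjacent_bytes_clobbered(decode_data_fixed, NULL), frame_dropped(decode_data_fixed));
    return 0;
}
```

With a 400-byte buffer the 134th group lands at offsets 399..401, so the vulnerable decoder spills two bytes into the adjacent region; the fixed decoder refuses that group and the region stays intact. In the kernel the same spill corrupts the neighbouring slab object, which is the primitive the write-up builds on.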
PwnKit: Local Privilege Escalation Vulnerability in Polkit’s Pkexec (CVE-2021-4034)

The Qualys Research Team has discovered a memory corruption vulnerability in polkit's pkexec, a SUID-root program that is installed by default on every major Linux distribution. This easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host in its default configuration.

Research:
https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034

PoC:
https://github.com/arthepsy/CVE-2021-4034

Exploit:
https://github.com/berdav/CVE-2021-4034

#linux #lpe #polkit #cve
CVE-2022-0995

This is my exploit for CVE-2022-0995, a heap out-of-bounds write in the watch_queue Linux kernel component.

It uses the same technique described in https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html.

The exploit targets Ubuntu 21.10 with kernel 5.13.0-37.
The exploit is not 100% reliable; you may need to run it a couple of times. It may panic the kernel, but during my tests that happened rarely.

https://github.com/Bonfee/CVE-2022-0995

#linux #lpe #exploit #cve
😈 How to Detect Linux Anti-Forensics Log Tampering

When forensically examining Linux systems for malicious intrusion, responders often rely on the following three artefacts to determine logins and logouts:

/var/run/utmp – currently logged-in users
/var/log/wtmp – current and past logins, plus system reboots
/var/log/btmp – bad login attempts

Of course, these artefacts are not all you can forensically investigate for malicious access; however, they are the focus of this anti-forensics blog post.

https://www.inversecos.com/2022/06/detecting-linux-anti-forensics-log.html

#linux #log #evasion #antiforensics
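Added example, not from the linked post and not one of the tools it names: a standalone checker for the record format shared by the three artefacts above. wtmp and btmp are append-only sequences of fixed-size struct utmp records, so two things that do not happen naturally are an all-zero record in the middle of the file (what record-wiping tools leave behind when they null out a login rather than rewrite the file) and a record dated earlier than the one before it. A file size that is not a multiple of the record size is a third sign of truncation or hand editing. The sample records are constructed inline, and the backwards-skew tolerance is an assumption to absorb legitimate clock steps.

```c
#include <stdio.h>
#include <string.h>
#include <utmp.h>

#define CLOCK_TOLERANCE 60   /* assumed: seconds of backwards skew to tolerate */

struct findings {
    int zeroed;       /* records consisting entirely of null bytes */
    int regressions;  /* records dated earlier than their predecessor */
};

/* wtmp/btmp grow one whole record at a time, so any other size is suspect. */
static int record_size_ok(long file_size)
{
    return file_size >= 0 && file_size % (long)sizeof(struct utmp) == 0;
}

static int is_zeroed(const struct utmp *r)
{
    const unsigned char *p = (const unsigned char *)r;
    size_t i;
    for (i = 0; i < sizeof(*r); i++)
        if (p[i] != 0)
            return 0;
    return 1;
}

/* Scan records in file order; returns the total number of anomalies. */
static int scan_records(const struct utmp *recs, size_t n, struct findings *f)
{
    size_t i;
    long prev = -1;
    f->zeroed = 0;
    f->regressions = 0;
    for (i = 0; i < n; i++) {
        long ts;
        if (is_zeroed(&recs[i])) {
            f->zeroed++;            /* a wiped record carries no usable time */
            continue;
        }
        ts = recs[i].ut_tv.tv_sec;
        if (prev >= 0 && ts + CLOCK_TOLERANCE < prev)
            f->regressions++;
        prev = ts;
    }
    return f->zeroed + f->regressions;
}

/* Build one constructed record (not read from a real file). */
static struct utmp make_rec(short type, const char *user, const char *line, long ts, int pid)
{
    struct utmp r;
    memset(&r, 0, sizeof(r));
    r.ut_type = type;
    r.ut_pid = pid;
    strncpy(r.ut_user, user, sizeof(r.ut_user) - 1);
    strncpy(r.ut_line, line, sizeof(r.ut_line) - 1);
    r.ut_tv.tv_sec = ts;
    return r;
}

/* Constructed sample: boot, a login, a record wiped to nulls, a logout, and a
 * login whose timestamp was rolled back. Epoch values are arbitrary. */
static int sample_scan(struct findings *f)
{
    struct utmp recs[5];
    recs[0] = make_rec(BOOT_TIME, "reboot", "~", 1700000000L, 0);
    recs[1] = make_rec(USER_PROCESS, "alice", "pts/0", 1700003600L, 1234);
    memset(&recs[2], 0, sizeof(recs[2]));   /* mallory's login, zeroed out */
    recs[3] = make_rec(DEAD_PROCESS, "", "pts/0", 1700010800L, 1234);
    recs[4] = make_rec(USER_PROCESS, "bob", "pts/2", 1699990000L, 1400); /* earlier than recs[3] */
    return scan_records(recs, 5, f);
}

static int sample_total(void)       { struct findings f; return sample_scan(&f); }
static int sample_zeroed(void)      { struct findings f; sample_scan(&f); return f.zeroed; }
static int sample_regressions(void) { struct findings f; sample_scan(&f); return f.regressions; }

int main(void)
{
    struct findings f;
    int total = sample_scan(&f);
    printf("record size %zu bytes; anomalies=%d (zeroed=%d, time regressions=%d)\n",
           sizeof(struct utmp), total, f.zeroed, f.regressions);
    return 0;
}
```

On a live system the same scan is applied to the bytes of /var/log/wtmp and /var/log/btmp read in sizeof(struct utmp) chunks, after first checking the file size with record_size_ok. A zeroed record or a timestamp regression is not proof of tampering on its own (clock corrections do happen), but either one in an append-only log is worth cross-checking against auth.log, journal entries and the shell history of the user involved.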
🐧 Linux Kernel Syscalls

A very useful website if you need a quick reference to Linux kernel syscalls (numbers and parameters for various architectures and kernel versions).

🌐 Details:
https://syscalls.mebeim.net/

#linux #kernel #syscall
ssh-keysign-pwn — CVE-2026-46333

A critical race condition flaw in Linux kernels before commit 31e62c2ebbfd. Because of a window during process exit where the memory management structure is cleared before file descriptors are closed, an unprivileged user can use pidfd_getfd(2) to steal open file descriptors of privileged processes, enabling unauthorized reading of root-owned files.

🔗 Exploit:
https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn

🔗 Source:
https://blog.qualys.com/vulnerabilities-threat-research/2026/05/20/cve-2026-46333-local-root-privilege-escalation-and-credential-disclosure-in-the-linux-kernel-ptrace-path

#linux #kernel #privesc #racecondition #pidfd
DirtyClone — CVE-2026-43503

A Linux kernel local privilege escalation via a page-cache write. DirtyClone is the fourth public member of the DirtyPipe / DirtyFrag family: it forces the kernel to run an in-place ESP (IPsec) decrypt over a file-backed page-cache page the attacker only has read access to, mutating that page in RAM. With the AES-CBC key/IV chosen so that the decrypt writes attacker-controlled bytes, /usr/bin/su is rewritten with a tiny setuid(0)+execve("/bin/sh") ELF, and invoking it yields root.

🔗 Research:
https://research.jfrog.com/post/dissecting-and-exploiting-linux-lpe-variant-dirtyclone-cve-2026-43503/

🔗 Exploit:
https://github.com/rafaeldtinoco/security/tree/main/exploits/dirtyclone

#linux #lpe #kernel #dirty