CVE-2011-2921
published 2019-11-19


Priority: P277, critical 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 82.83% (99.6th percentile)
ktsuss versions 1.4 and prior are installed setuid root and do not drop privileges before executing user-specified commands, so any command passed to ktsuss runs with root privileges.

Affected (2 ranges)

Vendor          Product   Version range   Fixed in
ktsuss          ktsuss    (none listed)   (none listed)
ktsuss_project  ktsuss    <= 1.4          (none listed)

Detection & IOCs (extracted from sources)

path: /usr/bin/ktsuss
command: ktsuss -u <current_user> <payload_path>
command: ktsuss -u <id> id
  • Detect setuid execution of /usr/bin/ktsuss followed by a child process running with uid=0. On its own this also matches legitimate use (ktsuss switching to root after authentication), so combine it with the signals below.
  • Alert on ktsuss spawning processes from writable directories such as /tmp, especially randomly named hidden executables (dot-prefixed alphanumeric filenames).
  • Monitor for ktsuss invoked with the -u flag where the specified user is the current unprivileged user (self-escalation pattern) and the child process nevertheless resolves to uid=0; a correctly behaving ktsuss would run the child as that user.
  • Check whether the ktsuss binary is setuid root on the filesystem as a prerequisite indicator of a vulnerable installation.
  • The Metasploit module targets ktsuss 1.3 specifically on SparkyLinux 6 (2019.08) LXQT x64 and SparkyLinux 5.8 LXQT x64; exploitation on other distributions or architectures may require adjustment.
  • The module requires a writable directory (default /tmp) to drop and execute the payload; environments where /tmp is mounted noexec block the module as written, but not the underlying flaw, since any command ktsuss can execute still runs as root.
  • The module prepends multiple privilege-setting syscalls (setresuid, setresgid, setreuid, setuid) and forks before executing the payload; detection logic must account for these process tree characteristics.
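The detection bullets above, worked through as an added example (not code from the page's sources or from the Metasploit module): a process-tree check that walks from any uid=0 process back to a setuid ktsuss exec, scores the self-escalation and writable-directory signals, and downgrades a lone uid=0 child because that is what a legitimate switch to root looks like. The event schema, pids, paths, the uid-to-name map and the sample events are all constructed for the example.

```python
"""Added example (not from the page's sources): the ktsuss abuse pattern
described above, checked over constructed process events.

An event is one exec(): real uid is who invoked it, effective uid is what it
runs as after exec (0 for a setuid-root binary). Paths, pids and the username
map are constructed sample data."""
import os
import re
import stat
from dataclasses import dataclass
from typing import Dict, List, Optional

KTSUSS_PATH = "/usr/bin/ktsuss"
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# dot-prefixed alphanumeric basename: the shape of a dropped payload
HIDDEN_RANDOM_NAME = re.compile(r"^\.[A-Za-z0-9]{4,}$")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    ruid: int        # real uid of the invoking user
    euid: int        # effective uid after exec
    exe: str         # resolved executable path
    argv: List[str]


def setuid_root(path: str) -> bool:
    """Prerequisite indicator: binary exists, is owned by root and has the setuid bit."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return st.st_uid == 0 and bool(st.st_mode & stat.S_ISUID)


def target_user(argv: List[str]) -> Optional[str]:
    """Return the user named by -u, or None if the flag is absent."""
    for i, arg in enumerate(argv):
        if arg == "-u" and i + 1 < len(argv):
            return argv[i + 1]
    return None


def ktsuss_ancestor(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Optional[ProcEvent]:
    """Walk parent links (through any intermediate forks) to a ktsuss exec, if any."""
    seen = set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        if cur.exe == KTSUSS_PATH:
            return cur
        cur = by_pid.get(cur.ppid)
    return None


def detect(events: List[ProcEvent], usernames: Dict[int, str]) -> List[dict]:
    """Alert on processes that end up uid 0 under a ktsuss run by a non-root user."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if ev.exe == KTSUSS_PATH or ev.euid != 0:
            continue
        parent = ktsuss_ancestor(ev, by_pid)
        if parent is None or parent.ruid == 0:
            continue  # not under ktsuss, or root invoked it: nothing to escalate
        reasons = ["child of setuid ktsuss resolved to uid=0"]
        tgt = target_user(parent.argv)
        if tgt is not None and tgt in (usernames.get(parent.ruid), str(parent.ruid)):
            reasons.append(f"-u {tgt} names the invoking user (self-escalation)")
        if ev.exe.startswith(WRITABLE_DIRS):
            reasons.append(f"payload in writable directory: {ev.exe}")
            if HIDDEN_RANDOM_NAME.match(ev.exe.rsplit("/", 1)[-1]):
                reasons.append("hidden, randomly named executable")
        # a lone uid=0 child is expected when the target is root; only the
        # extra signals make it high severity
        severity = "high" if len(reasons) > 1 else "low"
        alerts.append({"pid": ev.pid, "ktsuss_pid": parent.pid,
                       "severity": severity, "reasons": reasons})
    return alerts


# Constructed sample events (not real telemetry): uid 1000 is "alice".
SAMPLE_EVENTS = [
    ProcEvent(100, 1, 1000, 1000, "/bin/bash", ["bash"]),
    # Metasploit-style abuse: -u <current_user> <payload_path>, payload runs as root
    ProcEvent(101, 100, 1000, 0, KTSUSS_PATH, ["ktsuss", "-u", "alice", "/tmp/.aB3x9Qz"]),
    ProcEvent(102, 101, 0, 0, "/tmp/.aB3x9Qz", ["/tmp/.aB3x9Qz"]),
    # manual check from the page: ktsuss -u <id> id
    ProcEvent(103, 100, 1000, 0, KTSUSS_PATH, ["ktsuss", "-u", "1000", "id"]),
    ProcEvent(104, 103, 0, 0, "/usr/bin/id", ["id"]),
    # legitimate use: switch to root after authenticating
    ProcEvent(105, 100, 1000, 0, KTSUSS_PATH, ["ktsuss", "-u", "root", "/usr/sbin/synaptic"]),
    ProcEvent(106, 105, 0, 0, "/usr/sbin/synaptic", ["synaptic"]),
    # root running ktsuss: no privilege boundary crossed
    ProcEvent(107, 1, 0, 0, KTSUSS_PATH, ["ktsuss", "-u", "root", "id"]),
    ProcEvent(108, 107, 0, 0, "/usr/bin/id", ["id"]),
]
SAMPLE_USERNAMES = {0: "root", 1000: "alice"}

if __name__ == "__main__":
    print("ktsuss setuid root on this host:", setuid_root(KTSUSS_PATH))
    for alert in detect(SAMPLE_EVENTS, SAMPLE_USERNAMES):
        print(alert)
```

On the sample data the dropped payload (pid 102) and the `-u 1000 id` check (pid 104) come out high, the root switch to synaptic comes out low, and the root-invoked ktsuss produces nothing. The ancestor walk, rather than a direct parent check, is what keeps the module's fork-before-exec from hiding the payload from the rule.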

CVSS provenance

nvd  v3.1  9.8   CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd  v2.0  10.0  CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C

Both NVD vectors record a network attack vector with no privileges required, but the flaw described above is a local privilege escalation through a setuid binary: the attacker already needs an unprivileged shell on the host. Read the 9.8 as the recorded score rather than as a measure of remote exposure; the public Metasploit module is the better reason to prioritise the fix.