CVE-2011-2921
Published 2019-11-19
Priority P2 (77) · Critical · 9.8 (CVSS 3.1)
Exploit available
EPSS: 82.83% (99.6th percentile)
ktsuss versions 1.4 and prior have the uid set to root and do not drop privileges prior to executing user-specified commands, which can result in command execution with root privileges.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ktsuss | ktsuss | — | — |
| ktsuss_project | ktsuss | <= 1.4 | — |
Detection & IOCs (extracted from sources)
- Detect setuid execution of /usr/bin/ktsuss followed by spawning a child process with uid=0, indicating privilege escalation abuse.
- Alert on ktsuss spawning processes from writable directories such as /tmp, especially randomly named hidden executables (dot-prefixed alphanumeric filenames).
- Monitor for ktsuss invoked with the -u flag where the specified user matches the current unprivileged user (self-escalation pattern), and the child process resolves to uid=0.
- Check for the ktsuss binary being setuid root on the filesystem as a prerequisite indicator of a vulnerable installation.
- The Metasploit module targets ktsuss 1.3 specifically on SparkyLinux 6 (2019.08) LXQT x64 and SparkyLinux 5.8 LXQT x64; exploitation on other distributions or architectures may require adjustment.
- The module requires a writable directory (default /tmp) to drop and execute the payload; environments where /tmp is mounted noexec will block exploitation.
- The module prepends multiple privilege-setting syscalls (setresuid, setresgid, setreuid, setuid) and forks before executing the payload; detection logic must account for these process tree characteristics.
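As an added example, not taken from the page's sources or from the Metasploit project, the following Python detector applies the four heuristics above to constructed process-creation events. The event schema, field names, rule names and all sample values are assumptions; the setuid check takes the fields an `os.stat()` call would return.

```python
import re
import stat
from dataclasses import dataclass, field
KTSUSS_EXE = "/usr/bin/ktsuss"                     # path named in the notes above
TMP_HIDDEN = re.compile(r"^/tmp/\.[A-Za-z0-9]+$")  # hidden, alphanumeric name under /tmp

@dataclass
class ProcEvent:
    # One process-creation record (hypothetical schema, modelled on auditd EXECVE)
    pid: int
    ppid: int
    user: str                               # login name of the real uid that invoked it
    euid: int                               # effective uid the process runs with
    exe: str
    argv: list = field(default_factory=list)

def setuid_root_binary(st_mode: int, st_uid: int) -> bool:
    """Prerequisite check: setuid bit set and file owned by root (feed os.stat() fields)."""
    return bool(st_mode & stat.S_ISUID) and st_uid == 0

def detect(events):
    """Apply the three behavioural heuristics; returns [(rule, child_pid), ...]."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None or parent.exe != KTSUSS_EXE:
            continue
        # ktsuss invoked by a non-root user yet running as euid 0 => setuid execution
        if parent.euid == 0 and parent.user != "root" and child.euid == 0:
            alerts.append(("ktsuss_setuid_child_uid0", child.pid))  # noisy alone: legit use matches too
        if TMP_HIDDEN.match(child.exe):
            alerts.append(("ktsuss_spawn_tmp_hidden", child.pid))
        argv = parent.argv
        i = argv.index("-u") + 1 if "-u" in argv else len(argv)   # index of the -u argument
        if i < len(argv) and argv[i] == parent.user and child.euid == 0:
            alerts.append(("ktsuss_self_escalation", child.pid))
    return alerts

# Constructed sample telemetry (not captured from a real host):
SAMPLE = [
    ProcEvent(100, 1, "alice", 1000, "/bin/bash", ["bash"]),
    # legitimate use: alice asks ktsuss to run a tool as root
    ProcEvent(200, 100, "alice", 0, KTSUSS_EXE, ["ktsuss", "-u", "root", "synaptic"]),
    ProcEvent(201, 200, "alice", 0, "/usr/sbin/synaptic", ["synaptic"]),
    # pattern from the notes: -u <self>, hidden payload in /tmp, child runs as uid 0
    ProcEvent(300, 100, "alice", 0, KTSUSS_EXE, ["ktsuss", "-u", "alice", "/tmp/.xK3q9Z"]),
    ProcEvent(301, 300, "alice", 0, "/tmp/.xK3q9Z", ["/tmp/.xK3q9Z"]),
]
```

Only the abusive child (pid 301) matches the /tmp and self-escalation rules; the first rule also fires on the legitimate root child, so it should be used as a correlating condition rather than an alert on its own.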
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 10.0 CRITICAL, vector AV:N/AC:L/Au:N/C:C/I:C/A:C
No detection rules found.
Exploit-DB
CVE-2011-2921 [CRITICAL] ktsuss 1.4 - suid Privilege Escalation (Metasploit)
exploitdb · 2019-09-03 · CVSS 9.8
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'ktsuss suid Privilege Escalation',
      'Description' => %q{
        This module attempts to gain root privileges by exploiting
        a vulnerability in ktsuss versions 1.4 and prior.

        The ktsuss executable is setuid root and does not drop
        privileges prior to executing user specified commands,
        resulting in command execution with root privileges.

        This module has been tested successfully on:

        ktsuss 1.3 on SparkyLinux 6 (2019.08) (LXQT) (x64); and
        ktsuss 1.3 on SparkyLinux 5.8 (LXQT) (x64).
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'John Lightsey', # Discovery and exploit
          'bcoles' # Metasplo
```
(listing truncated at source)
Metasploit: ktsuss suid Privilege Escalation
This module attempts to gain root privileges by exploiting a vulnerability in ktsuss versions 1.4 and prior. The ktsuss executable is setuid root and does not drop privileges prior to executing user-specified commands, resulting in command execution with root privileges. This module has been tested successfully on: ktsuss 1.3 on SparkyLinux 6 (2019.08) (LXQT) (x64); and ktsuss 1.3 on SparkyLinux 5.8 (LXQT) (x64).
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/154307/ktsuss-Suid-Privilege-Escalation.html
- https://access.redhat.com/security/cve/cve-2011-2921
- https://security-tracker.debian.org/tracker/CVE-2011-2921