I hunt for vulnerabilities in open and closed source software. Below is a list of some of my publicly acknowledged vulnerabilities.

CVE-2023-41904 – ManageEngine ADManager Plus

Details Pending


CVE-2021-43035 – Kaseya Unitrends Unauthenticated SQL Injection

An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. Two unauthenticated SQL injection vulnerabilities were discovered, allowing arbitrary SQL queries to be injected and executed under the postgres superuser account. Remote code execution was possible, leading to full access to the postgres user account.


CVE-2021-43033 – Kaseya Unitrends Unauthenticated Remote Code Execution – bpserverd

An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. Multiple functions in the Unitrends Backup Appliance bpserverd daemon were vulnerable to remote code execution, resulting in arbitrary code execution as root. The vulnerability was caused by untrusted input (received by the server) being passed to system calls.


CVE-2020-35659 – Pi-hole Patches Critical Stored XSS Vulnerability

Pi-hole v5.2.1 is vulnerable to a critical stored cross-site scripting vulnerability. An attacker with the ability to directly or indirectly query DNS with a malicious hostname can cause arbitrary JavaScript to execute when the Pi-hole administrator accesses the Query Log or Long-term Query Log pages on the web portal.

The Pi-hole project released a fix on 12/24/2020 in v5.2.2. Shodan reports over 7,500 Pi-hole instances. This could be remotely exploited if these instances permit external DNS queries. Other possibilities may exist if a malformed DNS query is allowed. Vendor Advisory: https://github.com/pi-hole/AdminLTE/pull/1665.


CVE-2020-2032 – GlobalProtect App: File race condition vulnerability leads to local privilege escalation during upgrade

A race condition vulnerability in the Palo Alto Networks GlobalProtect app on Windows allows a local limited Windows user to execute programs with SYSTEM privileges.


CVE-2020-3957 – VMware Fusion Elevation of Privilege Vulnerability

VMware Fusion, VMRC and Horizon Client contain a local privilege escalation vulnerability due to a Time-of-check Time-of-use (TOCTOU) issue in the service opener.

PoC: CVE-2020-3957.sh

PoC: CVE-2020-3957-TOCTOU.sh

Blog Post: Local Privilege Escalation Discovered In VMware Fusion


CVE-2020-3950 – VMware Fusion Elevation of Privilege Vulnerability

VMware Fusion, VMRC for Mac and Horizon Client for Mac contain a privilege escalation vulnerability due to improper use of setuid binaries.

PoC: CVE-2020-3950.sh


CVE-2020-0757 – Windows SSH Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists when Windows improperly handles Secure Socket Shell remote commands. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges.


CVE-2020-5180 – Viscosity macOS, Windows Limited Elevation of Privilege Vulnerability

An attacker with local access could potentially run arbitrary code within Viscosity’s OpenVPN sandbox by using a maliciously crafted OpenSSL engine and associated command. Such an attack is successfully contained within Viscosity’s sandbox, which has de-elevated permissions and access restrictions, and so an attacker does not gain elevated local permissions (such as root or SYSTEM) on the machine and their actions are severely limited.

However, under macOS an attacker may be able to access on-disk VPN credentials (such as a certificate and private key) from other active OpenVPN connections that run within the sandbox at the same time. This does not apply to the Windows version. Because of this, we encourage those in multi-user macOS environments to update as soon as possible.


CVE-2019-19151 – K21711352: F5 BIG-IP, BIG-IQ TMOS Shell vulnerability

Authenticated users granted TMOS Shell (tmsh) privileges can access objects on the file system that would normally be disallowed by tmsh restrictions. This allows authenticated, low-privileged attackers to access file system objects that would not normally be permitted.


CVE-2019-4606 – IBM Db2 High Performance Unload is affected by 3RD PARTY – Unquoted Service Path vulnerability

IBM DB2 High Performance Unload could allow a local attacker to execute arbitrary code on the system, caused by an untrusted search path vulnerability. By using an executable file, an attacker could exploit this vulnerability to execute arbitrary code on the system.


CVE-2019-4587 – IBM® Db2® is vulnerable to privilege escalation

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow a local authenticated attacker to gain elevated privileges on the system, caused by an unquoted search path in sshd_worker.exe. By inserting an arbitrary file in the path, an attacker could exploit this vulnerability to execute arbitrary code with SYSTEM privileges.


CVE-PENDING – VMware Fusion arbitrary file overwrite

VMware Fusion v11.5.0 and earlier is vulnerable to an arbitrary file overwrite. Certain operations open a file insecurely in a world-writable location, which can allow a local unprivileged user to cause an arbitrary file to be overwritten.


CVE-2019-3466 – Debian / Ubuntu Privilege Escalation via pg_ctlcluster

The pg_ctlcluster script did not drop privileges when creating socket/statistics temporary directories, which could result in local privilege escalation.


CVE-2019-4523 – IBM Db2 High Performance Unload is affected by 3RD PARTY – Buffer Overflow in --credential keystore vulnerability

IBM DB2 High Performance Unload is vulnerable to a buffer overflow, caused by improper bounds checking which could allow a local attacker to execute arbitrary code on the system with root privileges.


CVE-2019-2390 – mongoDB Elevation of Privilege Vulnerability

An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server versions less than 4.0.11, 3.6.14, and 3.4.22 to run attacker defined code as the user running the utility.


CVE-2019-1211 – Git for Visual Studio Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists in Git for Visual Studio when it improperly parses configuration files. An attacker who successfully exploited the vulnerability could execute code in the context of another local user.


CVE-2019-4447 – Privilege escalation in IBM DB2 HPU via loading DB2 library

IBM DB2 High Performance Unload loads shared libraries from an untrusted path, potentially giving a low-privileged user full root access by loading a malicious shared library.


CVE-2019-4448 – Privilege escalation in IBM DB2 HPU debug binary via trusted PATH

IBM DB2 High Performance Unload debug binary is a setuid root binary which trusts the PATH environment variable. A low privileged user can execute arbitrary commands as root by altering the PATH variable to point to a user controlled location.


CVE-2019-1552 – OpenSSL Windows builds with insecure path defaults

OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options.

However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc.


CVE-2019-4154 – IBM® Db2® is vulnerable to buffer overflow leading to potential arbitrary code execution as root

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) is vulnerable to a buffer overflow, which could allow an authenticated local attacker to execute arbitrary code on the system as root.


CVE-2019-4057 – IBM® Db2® is vulnerable to privilege escalation to root via malicious use of fenced user

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) is vulnerable to a buffer overflow, which could allow an authenticated local attacker to execute arbitrary code on the system as root.


CVE-2019-5443 – cURL libcurl for Windows OpenSSL engine code execution

A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) that will make curl automatically run the code (as an openssl “engine”) on invocation. If that curl is invoked by a privileged user it can do anything it wants.

Blog Post: OPENSSL ENGINE CODE INJECTION IN CURL

HackerOne Report: 608577


stunnel – Windows stunnel Elevation of Privilege Vulnerability via malicious OpenSSL Engine loading

A low-privileged user can create an openssl.cnf configuration file to load a malicious OpenSSL engine library, resulting in arbitrary code execution with the full authority of the account running stunnel. If the stunnel TLS wrapper service is used, this will be SYSTEM.

Vendor Advisory: stunnel 5.55 released


CVE-2019-12571 – PIA Beta macOS Arbitrary File Overwrite

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v0.9.8 beta (build 02099) for macOS could allow an authenticated, local attacker to overwrite arbitrary files.


CVE-2019-12572 – PIA Windows Elevation of Privilege: Malicious OpenSSL engine

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client 1.0.2 (build 02363) for Windows could allow an authenticated, local attacker to run arbitrary code with elevated privileges.


CVE-2019-12573 – PIA Linux, macOS Arbitrary File Overwrite

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux and macOS could allow an authenticated, local attacker to overwrite arbitrary files.


CVE-2019-12574 – PIA Stable, Beta Windows Elevation of Privilege: DLL Injection

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v1.0 for Windows could allow an authenticated, local attacker to run arbitrary code with elevated privileges. The PIA client is vulnerable to a DLL injection vulnerability during the software update process.


CVE-2019-12575 – PIA Linux Elevation of Privilege: Insecure Library Paths

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux could allow an authenticated, local attacker to run arbitrary code with elevated privileges.


CVE-2019-12576 – PIA macOS Elevation of Privilege: Insecure PATH

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for macOS could allow an authenticated, local attacker to run arbitrary code with elevated privileges.


CVE-2019-12577 – PIA macOS Elevation of Privilege: Insecure umask

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for macOS could allow an authenticated, local attacker to run arbitrary code with elevated privileges.


CVE-2019-12578 – PIA Linux Elevation of Privilege: Exposed Dangerous Parameter

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux could allow an authenticated, local attacker to run arbitrary code with elevated privileges.


CVE-2019-12579 – PIA Linux/macOS Elevation of Privilege: OS Command injection

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux and macOS could allow an authenticated, local attacker to run arbitrary code with elevated privileges.


CVE-2019-6617 – F5 BIG-IP Resource Administrator vulnerability

A user with the Resource Administrator role is able to overwrite sensitive low-level files, such as /etc/passwd, using SFTP to modify user permissions, without Advanced Shell access. This is contrary to our definition for the Resource Administrator role restrictions.


CVE-2019-4094 – IBM® Db2® is vulnerable to privilege escalation via loading libraries from an untrusted path

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) binaries load shared libraries from an untrusted path, potentially giving a low-privileged user full root access by loading a malicious shared library.


CVE-2019-6724 – Barracuda VPN Client Privilege Escalation on Linux and macOS

The barracudavpn component of the Barracuda VPN Client prior to version 5.0.2.7 for Linux, macOS, and OpenBSD runs as a privileged process and can allow an unprivileged local attacker to load a malicious library, resulting in arbitrary code executing as root.


CVE-2019-7249 – Local Privilege Escalation in macOS via Keybase Helper

In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible to time-of-check-to-time-of-use (TOCTOU) bugs and would also allow one user of the system (who did not have root access) to tamper with another's installs. View the HackerOne report 471739.


CVE-2018-18629 – Local Privilege Escalation on Linux via keybase-redirector

An issue was discovered in the Keybase command-line client 2.8.0.20181017144746.3efc4cbf3c for Linux. An untrusted search path vulnerability in the keybase-redirector application allows a local, unprivileged user on Linux to gain root privileges via a Trojan horse binary. View the HackerOne report 426944, write-up and PoC CVE-2018-18629.sh.


CVE-2018-15332 – BIG-IP APM client for Linux and macOS vulnerability

The svpn component of the F5 BIG-IP APM client prior to version 7.1.7.2 for Linux and macOS runs as a privileged process and can allow an unprivileged user to get ownership of files owned by root on the local client host in a race condition. A malicious, local, unprivileged user may gain knowledge of sensitive information, manipulate certain data, or assume super-user privileges on the local client host.


CVE-2018-1792 – IBM MQ can allow an attacker to execute a privilege escalation attack on a local machine

A problem within IBM MQ libraries could allow an attacker who has access to a local machine to use IBM MQ to escalate their privileges on that system and gain access to the root user.

Write-up: CVE-2018-1792 – IBM MQ Privilege Escalation: Fun with RUNPATH

PoC: CVE-2018-1792.sh


CVE-2018-1802 – IBM® Db2® is vulnerable to privilege escalation via loading libraries from an untrusted path

Db2 binaries load shared libraries from an untrusted path, potentially giving Db2 Instance Owner root access.


CVE-2018-18555 – VyOS Multiple restricted shell escapes for operators

A sandbox escape issue was discovered in VyOS 1.1.8. It provides a restricted management shell for operator users to administer the device. By issuing various shell special characters with certain commands, an authenticated operator user can break out of the management shell and gain access to the underlying Linux shell. The user can then run arbitrary operating system commands with the privileges afforded by their account.


CVE-2018-18556 – VyOS Privilege escalation via sudo pppd

A privilege escalation issue was discovered in VyOS 1.1.8. The default configuration also allows operator users to execute the pppd binary with elevated (sudo) permissions. Certain input parameters are not properly validated. A malicious operator user can run the binary with elevated permissions and leverage its improper input validation condition to spawn an attacker-controlled shell with root privileges. View the write-up and PoC CVE-2018-18556.sh.


CVE-2018-1710 – Buffer overflow in IBM® Db2® tool db2licm

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) tool db2licm is affected by a buffer overflow vulnerability that can potentially result in arbitrary code execution.


CVE-2018-5546 – BIG-IP APM client for Linux and macOS vulnerability

The svpn and policyserver components of the F5 BIG-IP APM client prior to version 7.1.7.1 for Linux and macOS run as privileged processes and can allow an unprivileged user to get ownership of files owned by root on the local client host.


CVE-2018-2939 – Oracle DBMS arbitrary file overwrite vulnerabilities

Vulnerability in the Core RDBMS component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18.1 and 18.2. Easily exploitable vulnerability allows a low-privileged attacker having Local Logon privilege with logon to the infrastructure where Core RDBMS executes to compromise Core RDBMS. While the vulnerability is in Core RDBMS, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Core RDBMS accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of Core RDBMS.


CVE-2018-5529 – F5 BIG-IP APM client for Linux and Mac OS X vulnerability

The svpn component of the BIG-IP APM client for Linux and Mac OS X runs as a privileged process and can allow an unprivileged user to assume super-user privileges on the local client host.


CVE-2018-1458 – Multiple untrusted search path vulnerabilities in the IBM® Db2® DAS component on Windows

Multiple untrusted search path vulnerabilities in the Db2 Administration Server (DAS) component of Db2 on Windows could allow a local user to execute arbitrary code.


CVE-2018-1487 – Privilege escalation in IBM® Db2® via loading libraries from untrusted path

Db2 loads shared libraries from an untrusted path potentially giving low privilege user full access to the DB2 instance account by loading a malicious shared library. All instance owner executables that run with elevated privileges (setuid) are affected. Root setuid executables are not affected. The implication is that if the customer has implemented their own applications which run with elevated privileges (setuid) those are affected as well, and it is up to the customer to ensure that the DB2INSTANCE environment variable is correctly set to the Db2 instance owner, and not modified by a malicious user.


CVE-2018-1488 – Buffer overflow in IBM® Db2® tool db2licm

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) is vulnerable to a buffer overflow, which could allow an authenticated local attacker to execute arbitrary code on the system as root.


CVE-2018-1449, CVE-2018-1450, CVE-2018-1451, CVE-2018-1452 – IBM® Db2® is affected by multiple file overwrite vulnerabilities

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) contains a vulnerability that could allow a local user to overwrite arbitrary files owned by the DB2 instance owner.


CVE-2018-1448 – IBM® Db2® vulnerability allows local user to overwrite Db2 files

IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1 (includes DB2 Connect Server) contains a vulnerability that could allow a local user to overwrite arbitrary files owned by the DB2 instance owner.


CVE-2017-12337 – Cisco Voice Operating System-Based Products Unauthorized Access Vulnerability

A vulnerability in the upgrade mechanism of Cisco collaboration products based on the Cisco Voice Operating System software platform could allow an unauthenticated, remote attacker to gain unauthorized, elevated access to an affected device.


CVE-2017-1452 – IBM® Db2® vulnerability allows local user to overwrite Db2 files

IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1 (includes DB2 Connect Server) could allow a local user to obtain elevated privilege and overwrite DB2 files.


CVE-2017-1438 – Privilege escalation vulnerabilities affect IBM® Db2®

IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1 (includes DB2 Connect Server) could allow a local user with DB2 instance owner privileges to obtain root access.


CVE-2017-1439, CVE-2017-1451 – Privilege escalation vulnerabilities affect IBM® Db2®

IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1 (includes DB2 Connect Server) could allow a local user with DB2 instance owner privileges to obtain root access.