Qualys discovered a minor vulnerability in OpenSMTPD, OpenBSD's mail server. An unprivileged local attacker can read the first line of an arbitrary file (for example, root's password hash in /etc/master.passwd) or the entire contents of another user's file (if this file and /var/spool/smtpd/ are on the same filesystem). A proof of concept exploit is included in this archive.

Microsoft Windows WizardOpium local privilege escalation exploit.

Microsoft Windows 10 SMB version 3.1.1 SMBGhost local privilege escalation exploit.

Folder Lock version 3.4.5 for iOS suffers from multiple cross site scripting vulnerabilities.

The Megamos Crypto transponder is used in one of the most widely deployed electronic vehicle immobilizers. It is used among others in most Audi, Fiat, Honda, Volkswagen and Volvo cars. Such an immobilizer is an anti-theft device which prevents the engine of the vehicle from starting when the corresponding transponder is not present. This transponder is a passive RFID tag which is embedded in the key of the vehicle. In this paper, the authors have reverse-engineered all proprietary security mechanisms of the transponder, including the cipher and the authentication protocol which we publish here in full detail. This article reveals several weaknesses in the design of the cipher, the authentication protocol and also in their implementation.

Whitepaper called Android Security Research: Crypto Wallet Local Storage Attack.

Lotus Core CMS version 1.0.1 suffers from a local file inclusion vulnerability.

SuiteCRM versions 7.11.11 and below suffer from an add_to_prospect_list broken access control that allows for local file inclusion attacks.

Microsoft Windows 7 Build 7601 (x86) local privilege escalation exploit.

9 bytes small Microsoft Windows 7 screen locking shellcode.

This Metasploit module exploits a NULL pointer dereference vulnerability in MNGetpItemFromIndex(), which is reachable via a NtUserMNDragOver() system call. The NULL pointer dereference occurs because the xxxMNFindWindowFromPoint() function does not effectively check the validity of the tagPOPUPMENU objects it processes before passing them on to MNGetpItemFromIndex(), where the NULL pointer dereference will occur. This module has been tested against Windows 7 x86 SP0 and SP1. Offsets within the solution may need to be adjusted to work with other versions of Windows, such as Windows Server 2008.

MINIX version 3.3.0 suffers from multiple local denial of service vulnerabilities.

Linux kernel versions starting at 4.10 and below 5.1.7 PTRACE_TRACEME local root exploit that uses the pkexec technique.

WordPress Media Library Assistant plugin version 2.81 suffers from a local file inclusion vulnerability.

BoltWire version 6.03 suffers from a local file inclusion vulnerability.

NetBSD mail.local(8) local root exploit that leverages a race condition as noted in NetBSD-SA2016-006.

This Metasploit module attempts to exploit a race condition in mail.local with the SUID bit set on: NetBSD 7.0 - 7.0.1 (verified on 7.0.1), NetBSD 6.1 - 6.1.5, and NetBSD 6.0 - 6.0.6. Successful exploitation relies on a crontab job with root privilege, which may take up to 10min to execute.

SGI IRIX 6.5 local root exploit that makes use of /usr/sysadm/bin/lezririx.

IRIX suffers from local kernel memory disclosure and denial of service vulnerabilities.

AIX versions 6.1, 7.1, and 7.2.0.2 lsmcode local root exploit.

This exploit takes advantage of known issues with debugging functions within the AIX linker library. It takes advantage of known functionality, and focuses on badly coded SUID binaries which do not adhere to proper security checks prior to seteuid/open/writes.

Xorg X11 server on AIX local privilege escalation exploit.

This Metasploit module has been tested with AIX 7.1 and 7.2, and should also work with 6.1. Due to permission restrictions of the crontab in AIX, this module does not use cron, and instead overwrites /etc/passwd in order to create a new user with root privileges. All currently logged in users need to be included when /etc/passwd is overwritten, else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to change user. The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX, and is replaced by '-config', in conjuction with ANSI-C quotes to inject newlines when overwriting /etc/passwd.

Devicelock gives network administrators control over which users can access what removable devices (floppies, Magneto-Optical disks, CD-ROMs, ZIPs, etc.) on a local computer. It can protect network and local computers against viruses, trojans and other malicious programs often injected from removable disks. This version is for Windows 2000/NT. Windows ME version available here.