Linux Privilege Escalation

Linux Privilege Escalation > CVE-2021-3156 > (Draft)

Linux Privilege Escalation > Nimbuspwn > Linux LPE via Path Traversal and TOCTOU in networkd-dispatcher

Vuln: Nimbuspwn breaks the invariant that “networkd-dispatcher only executes trusted root-owned scripts from its own hooks directory,” which is violated when an attacker first escapes the hooks path via directory traversal and then swaps the checked script path between validation and execution via a TOCTOU race to get arbitrary code run as root.