Exploit-db.com lists 1,214 exploits related to Linux. The Metasploit query grep -c exploit search platform:linux returns a count of 293 Linux exploit modules. The following table summarizes some of the most notable Linux vulnerabilities of all time.

| Vulnerable Feature | Description | Exploits and Tutorials |
|---|---|---|
| ret2libc | Return-to-libc redirects control flow into an existing function in the C library, eliminating the need for the attacker to inject their own shellcode to take control of a target. The result is arbitrary code execution and privilege escalation. | https://www.exploit-db.com/docs/english/28553-linux-classic-return-to-libc-&-return-to-libc-chaining-tutorial.pdf |
| Insecure sudo | Under certain conditions, this vulnerability allows attackers to circumvent protections and execute commands that would normally require a password, resulting in privilege escalation. | Exploit-db.com lists 24 sudo-related exploits. |
| Sticky bits | The sticky bit is a permission bit set (mostly) on directories. In a sticky directory, only the owner of a file (besides root) may delete or rename that file. It is especially useful in the shared directories /tmp and /var/tmp. Sticky bit exploits can be disruptive and cause denial of service. | https://www.exploit-db.com/exploits/16216; https://www.thegeekdiary.com/what-is-suid-sgid-and-sticky-bit; https://gist.github.com/anonymous/10165224 |
| SUID executables | SUID (set-user-ID) lets a user run a command with the privileges of another user, the file's owner. It is commonly used for administrative tasks such as changing a user's password. When an application needs to run as its owner, the SUID permission bit is set on it to allow this. A number of executables use SUID but are poorly coded and can allow an attacker to escalate privilege. Note: the same technique applies to the set-group-ID (SGID) bit. | https://www.pentestpartners.com/security-blog/exploiting-suid-executables |
| Dirty COW bug | A race condition in mm/gup.c, in the kernel memory subsystem's handling of the copy-on-write (COW) feature, can be triggered through /proc/self/mem and allows writing to private, read-only memory mappings. Affects Linux kernel 2.6.22 < 3.9 (x86/x64). CVE-2016-5195. | https://www.exploit-db.com/exploits/40839; https://www.exploit-db.com/exploits/40616 |
| Five Year Bug | A race condition created by raw-mode PTY local echo permits privilege escalation. Affects Linux kernel 3.14-rc1 < 3.15-rc4 (x64). CVE-2014-0196. | https://www.exploit-db.com/exploits/33516 |
| Remote Root Flaw | An unsafe second checksum calculation in udp.c can give a remote attacker complete control of a system via UDP traffic. Affects Linux kernels before 4.5. CVE-2016-10229. | https://www.rapid7.com/db/vulnerabilities/panos-cve-2016-10229 |
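The sticky-bit and SUID rows above describe permission features a defender should inventory. The following audit script is an added example, not part of the original table or of any project it cites: it lists set-user-ID and set-group-ID files and world-writable directories that lack the sticky bit under a given root, and builds a constructed sample tree so it can be tried without scanning /. The function names and the "SUID"/"SGID"/"WW-NOSTICKY" output labels are this example's own choices.

```shell
#!/bin/sh
# Added example: audit a directory tree for set-ID executables and for
# world-writable directories without the sticky bit.
# Usage: audit_perms /path/to/root

# List regular files carrying the set-user-ID or set-group-ID bit.
# Output lines: "SUID <path>" / "SGID <path>" (a file with both bits appears twice).
find_setid() {
    root="$1"
    find "$root" -xdev -type f -perm -4000 2>/dev/null | sed 's/^/SUID /'
    find "$root" -xdev -type f -perm -2000 2>/dev/null | sed 's/^/SGID /'
}

# List directories that are world-writable but NOT sticky: there, any user can
# delete or rename any other user's files, the disruptive case in the table.
# /tmp-style directories (mode 1777) are correctly left out.
find_unsticky_ww_dirs() {
    root="$1"
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null \
        | sed 's/^/WW-NOSTICKY /'
}

audit_perms() {
    find_setid "$1"
    find_unsticky_ww_dirs "$1"
}

# Constructed sample tree (not real system data) so the audit can be exercised
# in a scratch directory. Prints the path of the tree it created.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/tmp" "$d/shared"
    printf '#!/bin/sh\necho hi\n' > "$d/bin/suidtool"
    chmod 4755 "$d/bin/suidtool"   # setuid: runs as its owner -> reported
    printf '#!/bin/sh\necho hi\n' > "$d/bin/plain"
    chmod 0755 "$d/bin/plain"      # no set-ID bit -> not reported
    chmod 1777 "$d/tmp"            # world-writable + sticky, like /tmp -> fine
    chmod 0777 "$d/shared"         # world-writable, no sticky -> reported
    printf '%s\n' "$d"
}
```

Run `audit_perms "$(make_sample_tree)"` to see the two findings, then point `audit_perms` at a real filesystem root; every reported SUID/SGID binary should be one you can justify, and every WW-NOSTICKY directory should be fixed with `chmod +t`.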