CVE-2016-15045 Information

Jul 24, 2025 cve

Description

A local privilege escalation vulnerability exists in lastore-daemon the system package manager daemon used in Deepin Linux (developed by Wuhan Deepin Technology Co. Ltd.). In versions 0.9.53-1 (Deepin 15.5) and 0.9.66-1 (Deepin 15.7) the D-Bus configuration permits any user in the sudo group to invoke the InstallPackage method without password authentication. By default the first user created on Deepin is in the sudo group. An attacker with shell access can craft a .deb package containing a malicious post-install script and use dbus-send to install it via lastore-daemon resulting in arbitrary code execution as root.

Reference

https://github.com/linuxdeepin/lastore-daemon https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/local/lastore_daemon_dbus_priv_esc.rb https://www.deepin.org/en/mirrors/releases/ https://www.exploit-db.com/exploits/39433 https://www.exploit-db.com/exploits/39433 https://www.exploit-db.com/exploits/44523 https://www.vulncheck.com/advisories/deepin-lastore-daemon-priv-esc

CNNVD-202507-3017 (Published: 2025-07-23)

Share on:

CVE-2016-15045 Information

Description

Reference

Related CNNVD