CVE-2024-41111 – BishopFox Sliver Authenticated Remote Code Execution

https://notcve.org/view.php?id=CVE-2024-41111

18 Jul 2024 — Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all sizes to perform security testing. Sliver version 1.6.0 (prerelease) is vulnerable to RCE on the teamserver by a low-privileged "operator" user. The RCE is as the system root user. The exploit is pretty fun as we make the Sliver server pwn itself. As described in a past issue (#65), "there is a clear security boundary between the operator and server, an operator should not inherently be abl... • https://github.com/BishopFox/sliver/commit/5016fb8d7cdff38c79e22e8293e58300f8d3bd57 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •