module
OpenBSD Dynamic Loader chpass Privilege Escalation
| Disclosed | Created |
|---|---|
| 2019-12-11 | 2019-12-27 |
Disclosed
2019-12-11
Created
2019-12-27
Description
This module exploits a vulnerability in the OpenBSD `ld.so`
dynamic loader (CVE-2019-19726).
The `_dl_getenv()` function fails to reset the `LD_LIBRARY_PATH`
environment variable when set with approximately `ARG_MAX` colons.
This can be abused to load `libutil.so` from an untrusted path,
using `LD_LIBRARY_PATH` in combination with the `chpass` set-uid
executable, resulting in privileged code execution.
This module has been tested successfully on:
OpenBSD 6.1 (amd64); and
OpenBSD 6.6 (amd64)
dynamic loader (CVE-2019-19726).
The `_dl_getenv()` function fails to reset the `LD_LIBRARY_PATH`
environment variable when set with approximately `ARG_MAX` colons.
This can be abused to load `libutil.so` from an untrusted path,
using `LD_LIBRARY_PATH` in combination with the `chpass` set-uid
executable, resulting in privileged code execution.
This module has been tested successfully on:
OpenBSD 6.1 (amd64); and
OpenBSD 6.6 (amd64)
Authors
Qualys
bcoles bcoles@gmail.com
bcoles bcoles@gmail.com
Platform
BSD,Unix
Architectures
cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.