cbcvebase.
CVE-2017-1000372
published 2017-06-19

CVE-2017-1000372: A flaw exists in OpenBSD's implementation of the stack guard page that allows attackers to bypass it resulting in arbitrary code execution using setuid…

Priority: P2 · 61 · critical · 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 3.96% (89.1th percentile)
A flaw exists in OpenBSD's implementation of the stack guard page that allows attackers to bypass it resulting in arbitrary code execution using setuid binaries such as /usr/bin/at. This affects OpenBSD 6.1 and possibly earlier versions.

Affected

1 range

Vendor  | Product | Version range | Fixed in
openbsd | openbsd | <= 6.1        | (not listed)

Detection & IOCs (extracted from sources)

path: /usr/bin/at
filename: OpenBSD_at.c
  • Exploit abuses the setuid binary /usr/bin/at to perform a Stack Clash local privilege escalation; monitor for unexpected privilege escalation via at(1) invocations by non-root users.
  • The exploit injects a malicious shared library that hooks readdir() via dlsym(RTLD_NEXT, "readdir"); monitor for unexpected LD_PRELOAD or dlsym usage in processes spawned by setuid binaries.
  • The exploit uses a slowsort routine with a tuned STACK_FRAME_SIZE of 176 bytes and SET_KEYS of 4 to deliberately exhaust stack space and clash with the guard page; anomalous deep recursion in sort-like call stacks under at(1) is suspicious.
  • The exploit targets OpenBSD 6.1 and possibly earlier versions only; the stack guard page bypass is specific to OpenBSD's mmap/stack layout.
  • The NUMJOBS and STACK_FRAME_SIZE constants (176 bytes per frame) are tuned for a specific OpenBSD kernel/libc build; these values may need adjustment for other builds or patch levels.

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P