CVE-2019-19726
Published 2019-12-12
Priority: P3 · 50 · high · 7.8 (CVSS 3.1)
AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 3.52% (87.8th percentile)
OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root.
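The fail-open pattern described above, as a simplified model added here (not ld.so source and not code from the advisories): a sanitizer whose strip step is only reached after an allocation succeeds, beside one that strips unconditionally. `model_alloc`, `alloc_exhausted` and the sample environment are hypothetical, constructed for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VAR "LD_LIBRARY_PATH="
/* Hypothetical hook: simulates an RLIMIT_DATA too small for any allocation. */
static int alloc_exhausted = 0;
static void *model_alloc(size_t n) { return alloc_exhausted ? NULL : malloc(n); }
static int is_var(const char *e) { return strncmp(e, VAR, sizeof VAR - 1) == 0; }
static const char *env_get(char **envp) {
    for (; *envp; envp++)
        if (is_var(*envp)) return *envp + sizeof VAR - 1;
    return NULL;
}

/* Drop every LD_LIBRARY_PATH entry in place; needs no memory, so it cannot fail. */
static void env_unset(char **envp) {
    char **dst = envp;
    for (char **src = envp; *src; src++)
        if (!is_var(*src)) *dst++ = *src;
    *dst = NULL;
}

/* Fail-open pattern: the strip is reached only after an allocation succeeds. */
static void sanitize_fail_open(char **envp) {
    const char *val = env_get(envp);
    if (val == NULL) return;
    char *parsed = model_alloc(strlen(val) + 1);  /* scratch buffer for parsing */
    if (parsed == NULL) return;                   /* error path leaves the variable set */
    free(parsed);
    env_unset(envp);
}

/* Fail-closed pattern: strip unconditionally, independent of any allocation. */
static void sanitize_fail_closed(char **envp) { env_unset(envp); }

/* Returns 1 if LD_LIBRARY_PATH is still present after sanitisation. */
static int survives(void (*sanitize)(char **), int exhausted) {
    char a[] = "PATH=/usr/bin", b[] = "LD_LIBRARY_PATH=/tmp/constructed";
    char *envp[] = { a, b, NULL };                /* constructed sample environment */
    alloc_exhausted = exhausted;
    sanitize(envp);
    return env_get(envp) != NULL;
}

int main(void) {
    printf("survives: fail-open=%d fail-closed=%d\n",
           survives(sanitize_fail_open, 1), survives(sanitize_fail_closed, 1));
}
```
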
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openbsd | openbsd | <= 6.6 | — |
CVSS provenance
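| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |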
No detection rules found.
Exploit-DB
OpenBSD - Dynamic Loader chpass Privilege Escalation (Metasploit)
exploitdb·2019-12-30·CVSS 7.8
CVE-2019-19726 [HIGH] OpenBSD - Dynamic Loader chpass Privilege Escalation (Metasploit)
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'OpenBSD Dynamic Loader chpass Privilege Escalation',
'Description' => %q{
This module exploits a vulnerability in the OpenBSD `ld.so`
dynamic loader (CVE-2019-19726).
The `_dl_getenv()` function fails to reset the `LD_LIBRARY_PATH`
environment variable when set with approximately `ARG_MAX` colons.
This can be abused to load `libutil.so` from an untrusted path,
using `LD_LIBRARY_PATH` in combination with the `chpass` set-uid
executable, resulting in privileged code execution.
This module has been tested successfully on:
OpenBSD 6.1 (amd64); and
OpenBSD 6.6
```
Exploit-DB
OpenBSD 6.x - Dynamic Loader Privilege Escalation
exploitdb·2019-12-16·CVSS 7.8
CVE-2019-19726 [HIGH] OpenBSD 6.x - Dynamic Loader Privilege Escalation
---
Qualys Security Advisory
Local Privilege Escalation in OpenBSD's dynamic loader (CVE-2019-19726)
Contents
Summary
Analysis
Demonstration
Acknowledgments
Summary
We discovered a Local Privilege Escalation in OpenBSD's dynamic loader
(ld.so): this vulnerability is exploitable in the default installation
(via the set-user-ID executable chpass or passwd) and yields full root
privileges.
We developed a simple proof of concept and successfully tested it
against OpenBSD 6.6 (the current release), 6.5, 6.2, and 6.1, on both
amd64 and i386; other releases and architectures are probably also
exploitable.
Analysis
In this section, we analyze a step-by-step execution of our proof of
concept:
1/ We execve() the set-user-ID /usr/bin/ch
Metasploit
OpenBSD Dynamic Loader chpass Privilege Escalation
metasploit·CVSS 7.8
CVE-2019-19726 [HIGH] OpenBSD Dynamic Loader chpass Privilege Escalation
This module exploits a vulnerability in the OpenBSD `ld.so` dynamic loader (CVE-2019-19726). The `_dl_getenv()` function fails to reset the `LD_LIBRARY_PATH` environment variable when set with approximately `ARG_MAX` colons. This can be abused to load `libutil.so` from an untrusted path, using `LD_LIBRARY_PATH` in combination with the `chpass` set-uid executable, resulting in privileged code execution. This module has been tested successfully on: OpenBSD 6.1 (amd64); and OpenBSD 6.6 (amd64)
Qualys
OpenBSD Local Privilege Escalation Vulnerability (CVE-2019-19726) | Qualys
blogs_qualys·2019-12-12·CVSS 7.8
CVE-2019-19726 [HIGH] OpenBSD Local Privilege Escalation Vulnerability (CVE-2019-19726) | Qualys
Qualys Research Labs discovered a local privilege escalation vulnerability in OpenBSD’s dynamic loader. The vulnerability could allow local users or malicious software to gain full root privileges. OpenBSD developers have confirmed the vulnerability and released security patches in less than 3 hours.
Qualys Research Labs also provided proof-of-concept exploits in the security advisory.
### Vulnerability Details
This vulnerability exists in OpenBSD’s dynamic loader versions of OpenBSD 6.5 and OpenBSD 6.6. It is exploitable in the default installation (via the set-user-ID executable chpass or passwd) and could allow local users or malicious software to gain full root privileges. For more technical details on this vulnerability, please see our security advisory. Also refer to our recently
- http://packetstormsecurity.com/files/155658/Qualys-Security-Advisory-OpenBSD-Dynamic-Loader-Privilege-Escalation.html
- http://packetstormsecurity.com/files/155764/OpenBSD-Dynamic-Loader-chpass-Privilege-Escalation.html
- http://packetstormsecurity.com/files/174986/glibc-ld.so-Local-Privilege-Escalation.html
- http://seclists.org/fulldisclosure/2019/Dec/31
- http://seclists.org/fulldisclosure/2023/Oct/11
- http://www.openwall.com/lists/oss-security/2023/10/03/2
- https://seclists.org/bugtraq/2019/Dec/25
- https://www.openbsd.org/errata66.html
- https://www.openwall.com/lists/oss-security/2019/12/11/9
Published: 2019-12-12