CVE-2009-4146 : The _rtld function in the Run-Time Link-Editor (rtld) in libexec/rtld-elf/rtld.c in FreeBSD 7.1, 7.2, and 8.0 does not c

The _rtld function in the Run-Time Link-Editor (rtld) in libexec/rtld-elf/rtld.c in FreeBSD 7.1, 7.2, and 8.0 does not clear the LD_PRELOAD environment variable, which allows local users to gain privileges by executing a setuid or setguid program with a modified LD_PRELOAD variable containing an untrusted search path that points to a Trojan horse library, a different vector than CVE-2009-4147.

Published 2009-12-02 18:30:00

Updated 2019-05-22 03:29:00

Source MITRE

View at NVD, CVE.org

Threat overview for CVE-2009-4146

Top countries where our scanners detected CVE-2009-4146

Top open port discovered on systems with this issue 80

IPs affected by CVE-2009-4146 1

Find out if you^* are affected by CVE-2009-4146!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2009-4146

Probability of exploitation activity in the next 30 days: 0.04%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 6 % EPSS Score History EPSS FAQ

Metasploit modules for CVE-2009-4146

FreeBSD rtld execl() Privilege Escalation

Disclosure Date: 2009-11-30

First seen: 2020-04-26

exploit/freebsd/local/rtld_execl_priv_esc

This module exploits a vulnerability in the FreeBSD run-time link-editor (rtld). The rtld `unsetenv()` function fails to remove `LD_*` environment variables if `__findenv()` fails. This can be abused to load arbitrary shared objects using

More information

CVSS scores for CVE-2009-4146

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.2	HIGH	AV:L/AC:L/Au:N/C:C/I:C/A:C	3.9	10.0	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2009-4146

CWE-264

Assigned by: nvd@nist.gov (Primary)

References for CVE-2009-4146

http://www.securityfocus.com/archive/1/508146/100/0/threaded

CVEs referencing this url
http://www.securitytracker.com/id?1023250

CVEs referencing this url
http://www.securityfocus.com/archive/1/508142/100/0/threaded

CVEs referencing this url
http://packetstormsecurity.com/files/152997/FreeBSD-rtld-execl-Privilege-Escalation.html

CVEs referencing this url
http://people.freebsd.org/~cperciva/rtld.patch

Exploit

CVEs referencing this url
http://www.securityfocus.com/bid/37154

FreeBSD 'execl()' Local Privilege Escalation Vulnerability
Exploit

CVEs referencing this url
http://www.securityfocus.com/archive/1/508168/100/0/threaded

Products affected by CVE-2009-4146

Freebsd » Freebsd » Version: 7.1
cpe:2.3:o:freebsd:freebsd:7.1:*:*:*:*:*:*:*
Matching versions
Freebsd » Freebsd » Version: 7.2
cpe:2.3:o:freebsd:freebsd:7.2:*:*:*:*:*:*:*
Matching versions
Freebsd » Freebsd » Version: 8.0
cpe:2.3:o:freebsd:freebsd:8.0:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2009-4146