Vulnerability Details : CVE-2019-19726
Public exploit exists!
OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root.
Exploit prediction scoring system (EPSS) score for CVE-2019-19726
Probability of exploitation activity in the next 30 days: 0.06%
Percentile, the proportion of vulnerabilities that are scored at or less: ~21%
Metasploit modules for CVE-2019-19726
- OpenBSD Dynamic Loader chpass Privilege Escalation
  Disclosure Date: 2019-12-11
  First seen: 2020-04-26
  exploit/openbsd/local/dynamic_loader_chpass_privesc
  This module exploits a vulnerability in the OpenBSD `ld.so` dynamic loader (CVE-2019-19726). The `_dl_getenv()` function fails to reset the `LD_LIBRARY_PATH` environment variable when set with approximately `ARG_MAX` colons. This can be abused to
CVSS scores for CVE-2019-19726
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C | 3.9 | 10.0 | NIST |
7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST |
CWE ids for CVE-2019-19726
- The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-19726
- http://packetstormsecurity.com/files/174986/glibc-ld.so-Local-Privilege-Escalation.html
  glibc ld.so Local Privilege Escalation ≈ Packet Storm
- http://seclists.org/fulldisclosure/2019/Dec/31
  Full Disclosure: Local Privilege Escalation in OpenBSD's dynamic loader (CVE-2019-19726) | Exploit; Mailing List; Third Party Advisory
- http://packetstormsecurity.com/files/155658/Qualys-Security-Advisory-OpenBSD-Dynamic-Loader-Privilege-Escalation.html
  Qualys Security Advisory - OpenBSD Dynamic Loader Privilege Escalation ≈ Packet Storm | Exploit; Third Party Advisory; VDB Entry
- https://www.openwall.com/lists/oss-security/2019/12/11/9
  oss-security - Local Privilege Escalation in OpenBSD's dynamic loader (CVE-2019-19726) | Mailing List; Third Party Advisory
- http://seclists.org/fulldisclosure/2023/Oct/11
  Full Disclosure: CVE-2023-4911: Local Privilege Escalation in the glibc's ld.so
- http://www.openwall.com/lists/oss-security/2023/10/03/2
  oss-security - CVE-2023-4911: Local Privilege Escalation in the glibc's ld.so
- https://seclists.org/bugtraq/2019/Dec/25
  Bugtraq: Local Privilege Escalation in OpenBSD's dynamic loader (CVE-2019-19726) | Exploit; Mailing List; Third Party Advisory
- https://www.openbsd.org/errata66.html
  OpenBSD 6.6 Errata | Patch; Vendor Advisory
- http://packetstormsecurity.com/files/155764/OpenBSD-Dynamic-Loader-chpass-Privilege-Escalation.html
  OpenBSD Dynamic Loader chpass Privilege Escalation ≈ Packet Storm | Third Party Advisory; VDB Entry
Products affected by CVE-2019-19726
- cpe:2.3:o:openbsd:openbsd:*:*:*:*:*:*:*:*