-
OpenBSD Dynamic Loader chpass Privilege Escalation
Disclosure Date: 2019-12-11First seen: 2020-04-26exploit/openbsd/local/dynamic_loader_chpass_privescThis module exploits a vulnerability in the OpenBSD `ld.so` dynamic loader (CVE-2019-19726). The `_dl_getenv()` function fails to reset the `LD_LIBRARY_PATH` environment variable when set with approximately `ARG_MAX` colons. This can be abused to load `libutil.so` from an untrusted path, using `LD_LIBRARY_PATH` in combination with the `chpass` set-uid executable, resulting in privileged code execution. This module has been tested successfully on: OpenBSD 6.1 (amd64); and OpenBSD 6.6 (amd64) Authors: - Qualys - bcoles <bcoles@gmail.com>
1 metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers.
Visit metasploit web site for more details