Privilege escalation in OpenBSD dynamic loader
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU23831
Risk: Low
CVSSv4.0: 8.5 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Clear]
CVE-ID: CVE-2019-19726
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: Yes
DescriptionThe vulnerability allows a local usre to escalate privileges on the system.
The vulnerability exists due to check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a
very small RLIMIT_DATA resource limit. When executing chpass or passwd
(which are setuid root), _dl_setup_env in ld.so tries to strip
LD_LIBRARY_PATH from the environment, but fails when it cannot allocate
memory. A local user can execute arbitrary code on the system with root privileges.
Install updates from vendor's website.
Vulnerable software versionsOpenBSD: 6.0 - 6.6
CPE2.3- cpe:2.3:o:openbsd:openbsd:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:openbsd:openbsd:6.1:*:*:*:*:*:*:*
- cpe:2.3:o:openbsd:openbsd:6.2:*:*:*:*:*:*:*
http://packetstormsecurity.com/files/155658/Qualys-Security-Advisory-OpenBSD-Dynamic-Loader-Privilege-Escalation.html
http://packetstormsecurity.com/files/155764/OpenBSD-Dynamic-Loader-chpass-Privilege-Escalation.html
http://seclists.org/fulldisclosure/2019/Dec/31
http://seclists.org/bugtraq/2019/Dec/25
http://www.openbsd.org/errata66.html
http://www.openwall.com/lists/oss-security/2019/12/11/9
http://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/openbsd/local/dynamic_loader_chpass_privesc.rb
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.
