Privilege escalation in OpenBSD dynamic loader

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU23831

Risk: Low

CVSSv3.1: 8.2 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C]

CVE-ID: CVE-2019-19726

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a local usre to escalate privileges on the system.

The vulnerability exists due to check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. A local user can execute arbitrary code on the system with root privileges.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

OpenBSD: 6.0 - 6.6

External links

http://packetstormsecurity.com/files/155658/Qualys-Security-Advisory-OpenBSD-Dynamic-Loader-Privilege-Escalation.html
http://packetstormsecurity.com/files/155764/OpenBSD-Dynamic-Loader-chpass-Privilege-Escalation.html
http://seclists.org/fulldisclosure/2019/Dec/31
http://seclists.org/bugtraq/2019/Dec/25
http://www.openbsd.org/errata66.html
http://www.openwall.com/lists/oss-security/2019/12/11/9
http://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/openbsd/local/dynamic_loader_chpass_privesc.rb

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.