Vulnerability identifier: #VU23831
Vulnerability risk: Low
CVSSv3.1: 8.2 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-264
Exploitation vector: Local
Exploit availability: Yes
Vulnerable software:
OpenBSD
Operating systems & Components /
Operating system
Vendor: OpenBSD
Description
The vulnerability allows a local usre to escalate privileges on the system.
The vulnerability exists due to check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a
very small RLIMIT_DATA resource limit. When executing chpass or passwd
(which are setuid root), _dl_setup_env in ld.so tries to strip
LD_LIBRARY_PATH from the environment, but fails when it cannot allocate
memory. A local user can execute arbitrary code on the system with root privileges.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
OpenBSD: 6.0 - 6.6
External links
http://packetstormsecurity.com/files/155658/Qualys-Security-Advisory-OpenBSD-Dynamic-Loader-Privilege-Escalation.html
http://packetstormsecurity.com/files/155764/OpenBSD-Dynamic-Loader-chpass-Privilege-Escalation.html
http://seclists.org/fulldisclosure/2019/Dec/31
http://seclists.org/bugtraq/2019/Dec/25
http://www.openbsd.org/errata66.html
http://www.openwall.com/lists/oss-security/2019/12/11/9
http://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/openbsd/local/dynamic_loader_chpass_privesc.rb
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.