Local Privilege Escalation in OpenBSD’s dynamic loader

buy disulfiram tablets Overview :
OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root.
Dalmine Affected Product(s) :
  • OpenBSD through 6.6
Vulnerability Details :
CVE ID : CVE-2019-19726
We discovered a Local Privilege Escalation in OpenBSD’s dynamic loader (ld.so): this vulnerability is exploitable in the default installation (via the set-user-ID executable chpass or passwd) and yields full root privileges.

We developed a simple proof of concept and successfully tested it against OpenBSD 6.6 (the current release), 6.5, 6.2, and 6.1, on both amd64 and i386; other releases and architectures are probably also exploitable.

Solution :

Upgrade to latest version of OpenBSD

Common Vulnerabilityies and Exposures

Contact us to get started

CVE-2024-2558 : TENDA AC18 15.03.05.05 /GOFORM/EXECCOMMAND FORMEXECOMMAND CMDINPUT STACK-BASED OVERFLOW

CVE-2024-2558 : TENDA AC18 15.03.05.05 /GOFORM/EXECCOMMAND FORMEXECOMMAND CMDINPUT STACK-BASED OVERFLOW

Description A vulnerability was found in Tenda AC18 15.03.05.05. It has been rated as critical. This issue affects the function

CVE-2024-28746 : APACHE AIRFLOW 2.8.0/2.8.1/2.8.2 UI IMPROPER AUTHENTICATION

CVE-2024-28746 : APACHE AIRFLOW 2.8.0/2.8.1/2.8.2 UI IMPROPER AUTHENTICATION

Description Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access

CVE-2024-2413 : INTUMIT SMARTROBOT UP TO 6.1.2-202212TW HARD-CODED KEY

CVE-2024-2413 : INTUMIT SMARTROBOT UP TO 6.1.2-202212TW HARD-CODED KEY

Description Intumit SmartRobot uses a fixed encryption key for authentication. Remote attackers can use this key to encrypt a string