CVE-2019-19726

Published: 12/12/2019 Updated: 06/10/2023
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 801
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

OpenBSD up to and including 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root.
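
The fail-open pattern the summary describes, as an added C example that is not OpenBSD's ld.so code: a simplified model in which stripping LD_LIBRARY_PATH is gated on an allocation succeeding, next to a version that strips unconditionally. The function names, the alloc_fails hook standing in for a very small RLIMIT_DATA, and the sample environment are all constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int alloc_fails;   /* assumed hook: simulates an exhausted RLIMIT_DATA */
static void *xalloc(size_t n) { return alloc_fails ? NULL : malloc(n); }

static int is_var(const char *entry, const char *name) {
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}
static int env_has(char **envp, const char *name) {
    for (; *envp; envp++)
        if (is_var(*envp, name)) return 1;
    return 0;
}
/* Drop every "name=..." entry in place; this needs no memory at all. */
static void env_remove(char **envp, const char *name) {
    char **out = envp;
    for (; *envp; envp++)
        if (!is_var(*envp, name)) *out++ = *envp;
    *out = NULL;
}

/* Fail-open: the strip only runs if parsing (which allocates) succeeded. */
void sanitize_fail_open(char **envp) {
    char *parsed = env_has(envp, "LD_LIBRARY_PATH") ? xalloc(64) : NULL;
    if (parsed) {               /* NULL here can also mean "out of memory" */
        free(parsed);
        env_remove(envp, "LD_LIBRARY_PATH");
    }
}

/* Fail-closed: strip unconditionally, before any step that can fail. */
void sanitize_fail_closed(char **envp) { env_remove(envp, "LD_LIBRARY_PATH"); }

/* Run a sanitizer over a constructed environment; 1 if the variable survives. */
int survives(void (*sanitize)(char **), int fail) {
    char a[] = "PATH=/bin", b[] = "LD_LIBRARY_PATH=/constructed/dir";
    char *envp[] = { a, b, NULL };
    alloc_fails = fail;
    sanitize(envp);
    alloc_fails = 0;
    return env_has(envp, "LD_LIBRARY_PATH");
}

int main(void) {
    printf("allocation fails: fail-open keeps var=%d, fail-closed keeps var=%d\n",
           survives(sanitize_fail_open, 1), survives(sanitize_fail_closed, 1));
    return 0;
}
```

When reviewing privileged startup code for this bug class, check that every security-relevant cleanup either cannot fail or aborts the process when it does.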

Vulnerable Product

openbsd openbsd

Exploits

This Metasploit module exploits a vulnerability in the OpenBSD ld.so dynamic loader (CVE-2019-19726). The _dl_getenv() function fails to reset the LD_LIBRARY_PATH environment variable when set with approximately ARG_MAX colons. This can be abused to load libutil.so from an untrusted path, using LD_LIBRARY_PATH in combination with the chpass set-uid ...
Dubbed Looney Tunables, Qualys discovered a buffer overflow vulnerability in the glibc dynamic loader's processing of the GLIBC_TUNABLES environment variable. This vulnerability was introduced in April 2021 (glibc 2.34) by commit 2ed18c ...
Qualys discovered a local privilege escalation in OpenBSD's dynamic loader (ld.so). This vulnerability is exploitable in the default installation (via the set-user-ID executable chpass or passwd) and yields full root privileges. They developed a simple proof of concept and successfully tested it against OpenBSD 6.6 (the current release), 6.5, 6.2, ...

Recent Articles

VMware warning, OpenBSD gimme-root hole again, telco hit with GDPR fine, Ring camera hijackings, and more
The Register • Shaun Nichols in San Francisco • 16 Dec 2019

Your quick summary of infosec news beyond everything else we've reported

Roundup Here's your Register security roundup of infosec news about stuff that's unfit for production but fit for print. Another week, another OpenBSD patch. You're not having deja vu. This time, it's CVE-2019-19726, a local elevation of privilege flaw that could let users grant themselves root clearance. The bug was discovered by researchers at Qualys, and has been patched prior to public disclosure. "We discovered a Local Privilege Escalation in OpenBSD's dynamic loader (ld.so)," the report re...