Allele Security Alert
ASA-2019-00669
Identifier(s)
ASA-2019-00669, CVE-2019-19726
Title
Dynamic Loader Privilege Escalation
Vendor(s)
The OpenBSD Project
Product(s)
OpenBSD
Affected version(s)
OpenBSD version 6.6 before errata 013
OpenBSD version 6.5 before errata 024
Fixed version(s)
OpenBSD version 6.6 errata 013
OpenBSD version 6.5 errata 024
OpenBSD versions 6.6 and 6.5 with the following patches applied:
OpenBSD 6.6 errata
https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/013_ldso.patch.sig
OpenBSD 6.5 errata
https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/024_ldso.patch.sig
Proof of concept
Unknown
Description
OpenBSD allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root.
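The failure mode described above, as a simplified C model added here for illustration and not taken from OpenBSD's ld.so or the linked patches: a sanitiser that removes the variable only after parsing it successfully fails open when allocation fails, while one that deletes without looking (the approach named in the second referenced commit title) does not. The helper names, the `alloc_fails` flag standing in for a small RLIMIT_DATA, and the control flow are assumptions.

```c
/* Simplified model of the flaw class; assumption-based, not ld.so source. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define VAR "LD_LIBRARY_PATH"
static int alloc_fails;   /* assumption: stands in for a tiny RLIMIT_DATA */

static int is_var(const char *e) {           /* entry starts with VAR= ? */
    return strncmp(e, VAR "=", sizeof(VAR)) == 0;
}
static char *env_get(char **env) {           /* value of VAR, or NULL */
    for (; *env; env++)
        if (is_var(*env)) return *env + sizeof(VAR);
    return NULL;
}
static void env_unset(char **env) {          /* drop every VAR= entry in place */
    char **dst = env;
    for (; *env; env++)
        if (!is_var(*env)) *dst++ = *env;
    *dst = NULL;
}
/* Copies the value; NULL means "variable absent" OR "allocation failed". */
static char *parse_path(const char *v) {
    char *p = (v && !alloc_fails) ? malloc(strlen(v) + 1) : NULL;
    return p ? strcpy(p, v) : NULL;
}
/* Fail-open: removal is skipped whenever parsing returned NULL. */
static void sanitize_fail_open(char **env, int trusted) {
    char *p = parse_path(env_get(env));
    if (!trusted && p != NULL) env_unset(env);
    free(p);
}
/* Fail-closed: an untrusted process deletes the variable without looking. */
static void sanitize_fail_closed(char **env, int trusted) {
    if (!trusted) { env_unset(env); return; }
    free(parse_path(env_get(env)));
}
/* Returns 1 if VAR is still set after sanitising an untrusted (setuid) run. */
int survives(void (*sanitize)(char **, int), int fail) {
    char a[] = "PATH=/bin", b[] = VAR "=/constructed/dir";  /* constructed */
    char *env[] = { a, b, NULL };
    alloc_fails = fail;
    sanitize(env, 0);
    return env_get(env) != NULL;
}
int main(void) {
    printf("fail-open:   alloc ok=%d, alloc fails=%d\n",
           survives(sanitize_fail_open, 0), survives(sanitize_fail_open, 1));
    printf("fail-closed: alloc ok=%d, alloc fails=%d\n",
           survives(sanitize_fail_closed, 0), survives(sanitize_fail_closed, 1));
}
```

The same pattern is worth checking for in any privileged-process environment scrubbing: an allocation or parse error on the sanitising path should never leave the untrusted value in place.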
Technical details
Unknown
Credits
Qualys Research Team
Reference(s)
OpenBSD 6.6 Errata
https://www.openbsd.org/errata66.html
OpenBSD 6.5 Errata
https://www.openbsd.org/errata65.html
013_ldso.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/013_ldso.patch.sig
024_ldso.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/024_ldso.patch.sig
ld.so may fail to remove the LD_LIBRARY_PATH environment variable for
https://github.com/openbsd/src/commit/eee3c75f9abd5ea51e066dd0fe6b1efa470e4d0c
Don’t look up env variables until we know we’ll trust them. Otherwise, just delete them without looking.
https://github.com/openbsd/src/commit/4b65c70c5e05dc7a3d5ef502a5b4dc938ecf3bc5
oss-security – Local Privilege Escalation in OpenBSD’s dynamic loader (CVE-2019-19726)
https://www.openwall.com/lists/oss-security/2019/12/11/9
Local Privilege Escalation in OpenBSD’s dynamic loader (CVE-2019-19726)
https://seclists.org/fulldisclosure/2019/Dec/31
CVE-2019-19726
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19726
CVE-2019-19726
https://nvd.nist.gov/vuln/detail/CVE-2019-19726
Last modified: December 18, 2019