CVE-2002-0542

OpenBSD <3.1 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2002-0542. PoCs published by Przemyslaw Frasunek.

AI-analyzed exploit summary: This exploit leverages a vulnerability in OpenBSD's default cron jobs, where the mail(1) utility processes tilde (~) escape sequences in message text as commands. The PoC creates a file containing a malicious escape sequence that, when processed by mail(1), runs a command that makes /bin/sh setuid root.

Description

mail in OpenBSD 2.9 and 3.0 processes a tilde (~) escape character in a message even when it is not in interactive mode, which could allow local users to gain root privileges via calls to mail in cron.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Przemyslaw Frasunek · c · local · openbsd
https://www.exploit-db.com/exploits/21373

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Trivial
Reliability: Reliable
Target: OpenBSD 3.0 (before 08 Apr 2002)
No auth needed
Prerequisites: Access to create files in /tmp · Wait for /etc/daily cron job to execute
devstral-2 · analyzed Feb 16, 2026

References (6)

Core References
Various Sources x_refsource_confirm
http://www.openbsd.org/errata30.html#mail
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=101855467811695&w=2
Exploit, Patch, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/4495
Patch, Vendor Advisory vdb-entry x_refsource_xf
http://www.iss.net/security_center/static/8818.php
Exploit, Vendor Advisory mailing-list x_refsource_bugtraq
http://online.securityfocus.com/archive/1/267089
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/5269

Scores

EPSS 0.0153
EPSS Percentile 71.5%

Details

Status published
Products (2)
openbsd/openbsd 2.9
openbsd/openbsd 3.0
Published Jul 03, 2002
Tracked Since Feb 18, 2026